
EDH - Manual IAM Setup Option (AWS)

Detailed Instructions for a Manual IAM Setup Approach to AWS Event-Driven Harvesting

This page provides step-by-step instructions for completing the InsightCloudSec setup for Event-Driven Harvesting (EDH) using an approach that does not automatically provision IAM resources; it will still set up your CloudWatch resources.

  • You will be required to manually create the Eventbus role/policy. For customers that do not want to use InsightCloudSec's exact paths or names for the role/policy, we will work with you on alternatives.

For questions on this specific setup, assistance with this process for AWS GovCloud, or other EDH-related questions, reach out to us through [email protected].

For details on other EDH setup options, check out the main Event-Driven Harvesting (AWS) page.

📘

DivvyCloud vs. InsightCloudSec

Some examples, database values, and other items may refer to DivvyCloud rather than InsightCloudSec. The behavior and performance are the same; just ensure that you are consistent in naming your values.

Setup for EDH in AWS

Configure Consumer Account

Consumer accounts are tasked with ingesting events from other accounts and also producing their own events (i.e., consumers are both producers and consumers).

📘

Opt-In Regions

If you are interested in disabling opt-in regions from harvesting, you can include that configuration when you establish the settings within your consumer(s). If you need assistance with this, contact us through [email protected].

Refer to additional documentation on Opt-In Regions here.

1. Log in to your AWS Console and open the IAM dashboard.

2. Open the "Policies" section and create a new policy using the "JSON" tab to assign to the existing user/role that InsightCloudSec/DivvyCloud uses to access the consumer account.

  • This policy allows the user to read and write the appropriate event data.
  • In this case, our user is 'DivvyCloud-PowerUser' and our policy name is 'DivvyCloud-EDH-Consumer'.

In addition, you can review the AWS IAM Policies for details.

Here is a sample of what the policy looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:DescribeRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": "arn:aws:events:*:CONSUMER-ACCT-ID:rule/divvycloud*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:CreateQueue",
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:DeleteMessageBatch"
            ],
            "Resource": [
                "arn:aws:sqs:*:CONSUMER-ACCT-ID:divvycloud-event-aggregator-*.fifo"
            ]
        },
        {
            "Action": [
                "organizations:DescribeOrganization"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

And here is the Create Policy interface in the AWS Console.

[Image: Create Policy in AWS]

3. Click on the "Review Policy" option to add the Name, Description, and to review the Summary.

  • In this example, we've named our policy 'DivvyCloud-EDH-Consumer' to identify it as the 'consumer' policy.

[Image: Verify Consumer Policy]

4. Locate your InsightCloudSec/DivvyCloud Power User. Open the permissions tab to attach the newly created consumer policy to your InsightCloudSec/DivvyCloud Power User (e.g., 'DivvyCloud-PowerUser' below).

[Image: Attach the EDH Consumer Policy]

❗️

Configuring CloudTrail

If you already have at least one CloudTrail enabled with at least Write events being logged, you do not need to create an additional trail for this and can skip to Step 7.

5. With our consumer policies in place, you will need to configure CloudTrail. In the AWS console, open "Services" --> "CloudTrail."

  • In this example, the trail is named 'DivvyCloud-EDH'.

[Image: CloudTrail Dashboard]

6. Click on "Trails" --> "Create Trail" and complete the details based on your organization's requirements (e.g., all regions vs. specific, etc.).

[Image: Create a New Cloud Trail]

7. Navigate to "CloudWatch --> Events --> Event Buses." Click on the "Add permission" button and enable Organization access to default event bus.

[Image: Event Bus Permissions]

8. If organization permissions do not already exist, add them using your organization ID.

[Image: Add Permission to Event Bus]

Configure Producer Account

1. Log in to your AWS Console and open the IAM dashboard.

2. Open the "Policies" section and create a new policy using the "JSON" tab. This new policy will be assigned to the existing Harvesting user/role that InsightCloudSec uses to access the producer account.

  • This policy allows the InsightCloudSec/DivvyCloud user to write the appropriate event data.
  • In this case, our user is 'DivvyCloud-PowerUser' and our policy name is 'DivvyCloud-EDH-Producer'.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:DescribeRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": "arn:aws:events:*:*:rule/divvycloud-events*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicyVersion",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy",
                "arn:aws:iam::*:role/service-role/event-driven-harvest/divvycloud-eventbus-role"
            ]
        },
        {
            "Action": [
                "organizations:DescribeOrganization"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
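Both policy documents on this page (the consumer policy from step 2 of "Configure Consumer Account" and the producer policy just above) carry a CONSUMER-ACCT-ID placeholder and are deliberately pinned to divvycloud-named resources, with the exception of the read-only organizations:DescribeOrganization lookup. The script below is an added example, not InsightCloudSec code: it fills in the placeholder, refuses anything but a 12-digit account ID, and lints the rendered documents against that scoping (no unrendered placeholder, no Resource "*" except for the organization lookup, and every IAM ARN carrying the /service-role/event-driven-harvest/ path the callout above says InsightCloudSec expects). The account ID 111122223333 and the finding texts are this example's own.

```python
"""Render and lint the EDH consumer/producer IAM policies from this page.

Added example, not InsightCloudSec code. The two templates are the policy
documents shown on this page; the account ID and finding texts are ours.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
PLACEHOLDER = "CONSUMER-ACCT-ID"                   # placeholder used on this page
EDH_PATH = "/service-role/event-driven-harvest/"  # path InsightCloudSec expects

# Consumer policy from the page, compacted.
CONSUMER_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["events:DeleteRule", "events:DescribeRule", "events:PutRule",
                    "events:PutTargets", "events:RemoveTargets"],
         "Resource": "arn:aws:events:*:CONSUMER-ACCT-ID:rule/divvycloud*"},
        {"Effect": "Allow",
         "Action": ["sqs:CreateQueue", "sqs:ListQueues", "sqs:ReceiveMessage",
                    "sqs:DeleteMessage", "sqs:DeleteMessageBatch"],
         "Resource": ["arn:aws:sqs:*:CONSUMER-ACCT-ID:divvycloud-event-aggregator-*.fifo"]},
        {"Effect": "Allow", "Action": ["organizations:DescribeOrganization"], "Resource": "*"},
    ],
}

# Producer policy from the page, compacted.
PRODUCER_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["events:DeleteRule", "events:DescribeRule", "events:PutRule",
                    "events:PutTargets", "events:RemoveTargets"],
         "Resource": "arn:aws:events:*:*:rule/divvycloud-events*"},
        {"Effect": "Allow",
         "Action": ["iam:CreatePolicyVersion", "iam:GetPolicy", "iam:GetPolicyVersion",
                    "iam:GetRole", "iam:PassRole"],
         "Resource": ["arn:aws:iam::*:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy",
                      "arn:aws:iam::*:role/service-role/event-driven-harvest/divvycloud-eventbus-role"]},
        {"Effect": "Allow", "Action": ["organizations:DescribeOrganization"], "Resource": "*"},
    ],
}


def render_policy(template, consumer_account_id):
    """Fill the CONSUMER-ACCT-ID placeholder; refuse anything but a 12-digit ID."""
    if not ACCOUNT_ID_RE.match(consumer_account_id):
        raise ValueError("AWS account IDs are 12 digits, got %r" % consumer_account_id)
    return json.loads(json.dumps(template).replace(PLACEHOLDER, consumer_account_id))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings; an empty list means the policy matches the page's scoping."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if stmt.get("Effect") != "Allow":
            findings.append("statement %d: unexpected Effect %r" % (i, stmt.get("Effect")))
        for res in resources:
            if PLACEHOLDER in res:
                findings.append("statement %d: unrendered %s in %s" % (i, PLACEHOLDER, res))
            if res == "*" and actions != ["organizations:DescribeOrganization"]:
                # Only the read-only organization lookup may be unscoped.
                findings.append("statement %d: Resource '*' used with %s" % (i, actions))
            elif res != "*" and "divvycloud" not in res:
                findings.append("statement %d: %s is not a divvycloud-named resource" % (i, res))
            if res.startswith("arn:aws:iam::") and EDH_PATH not in res:
                # iam:PassRole and friends must be pinned to the exact EDH role/policy path.
                findings.append("statement %d: %s lacks the %s path" % (i, res, EDH_PATH))
    return findings


if __name__ == "__main__":
    import sys
    account = sys.argv[1] if len(sys.argv) > 1 else "111122223333"  # constructed sample ID
    for name, tmpl in (("consumer", CONSUMER_POLICY_TEMPLATE), ("producer", PRODUCER_POLICY_TEMPLATE)):
        rendered = render_policy(tmpl, account)
        print(name, "findings:", lint_policy(rendered) or "none")
        with open("DivvyCloud-EDH-%s.json" % name.capitalize(), "w") as fh:
            json.dump(rendered, fh, indent=4)
```

Run it with the consumer account ID as the only argument; it writes DivvyCloud-EDH-Consumer.json and DivvyCloud-EDH-Producer.json ready to paste into the "JSON" tab of the Create Policy page, and prints any finding that would mean the policy is broader than the page intends.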

3. You will need to manually create a role and policy that grant the consumer access to the producer's logs. This role/policy will need to be created on every producer account.

🚧

Eventbus Role/Policy Details

During the InsightCloudSec portion of your setup, InsightCloudSec will expect the specified names and paths that are provided in the sample files below; if you modify these, your EDH setup will produce errors and fail.

4. Save the following JSON for use with the 'assume-role-policy-document'. Save as 'edh_role_manual_sts.txt'.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }
    ]
}

5. Create divvycloud-eventbus-role.

  • Note the sample content below includes the AWS CLI commands required to create this role. We do not recommend using the AWS Console to create this role because of configuration limitations (e.g., you will not be able to specify the path included below).
aws iam create-role --role-name divvycloud-eventbus-role --assume-role-policy-document file:///PATH/TO/FILE/edh_role_manual_sts.txt --path /service-role/event-driven-harvest/
{
    "Role": {
        "Path": "/service-role/event-driven-harvest/",
        "RoleName": "divvycloud-eventbus-role",
        "RoleId": "AROAIYD6PGH3VPCBX4D4Q",
        "Arn": "arn:aws:iam::ACCT-ID-HERE:role/service-role/event-driven-harvest/divvycloud-eventbus-role",
        "CreateDate": "2018-11-02T20:27:37Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "events.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}

6. Save the following JSON for use as the ‘policy-document’.

  • Be sure to update the ‘CONSUMER-ACCT-ID’ value with the account ID of the consumer account.
  • Save as ‘edh_role_manual_policy.txt’
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:*:CONSUMER-ACCT-ID:event-bus/default"
            ],
            "Effect": "Allow"
        }
    ]
}

7. Create divvycloud-eventbus-policy.

aws iam create-policy --policy-name divvycloud-eventbus-policy --policy-document file:///PATH/TO/FILE/edh_role_manual_policy.txt --path /service-role/event-driven-harvest/
{
    "Policy": {
        "PolicyName": "divvycloud-eventbus-policy",
        "PolicyId": "ANPAJ52WSKTB7L4W3QXFS",
        "Arn": "arn:aws:iam::ACCT-ID-HERE:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy",
        "Path": "/service-role/event-driven-harvest/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "CreateDate": "2018-11-02T20:42:27Z",
        "UpdateDate": "2018-11-02T20:42:27Z"
    }
}

8. Attach divvycloud-eventbus-policy to divvycloud-eventbus-role.

aws iam attach-role-policy --role-name divvycloud-eventbus-role --policy-arn arn:aws:iam::ACCT-ID:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy

aws iam list-attached-role-policies --role-name divvycloud-eventbus-role
{
    "AttachedPolicies": [
        {
            "PolicyName": "divvycloud-eventbus-policy",
            "PolicyArn": "arn:aws:iam::ACCT-ID:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy"
        }
    ]
}

9. InsightCloudSec will automatically use the divvycloud-eventbus-role; the role does not need to be associated with ‘DivvyCloud-PowerUser'.
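Because the callout above says EDH fails if the role or policy names and paths differ from what InsightCloudSec expects, it is worth checking the result of steps 4 through 8 before moving on. The script below is an added example, not InsightCloudSec code: it takes the JSON that the AWS CLI prints for `aws iam get-role --role-name divvycloud-eventbus-role` and `aws iam list-attached-role-policies --role-name divvycloud-eventbus-role` and compares it with the names, path and trust relationship this page specifies. The embedded sample output is constructed from the page's examples with the made-up account ID 111122223333 and a made-up RoleId.

```python
"""Verify that divvycloud-eventbus-role matches the manual EDH setup on this page.

Added example, not InsightCloudSec code. Feed it the parsed output of
`aws iam get-role` and `aws iam list-attached-role-policies`.
"""
import json
import sys

ROLE_NAME = "divvycloud-eventbus-role"
POLICY_NAME = "divvycloud-eventbus-policy"
EDH_PATH = "/service-role/event-driven-harvest/"
TRUSTED_SERVICE = "events.amazonaws.com"  # only EventBridge may assume the role

# Constructed sample CLI output (account ID and RoleId are made up).
SAMPLE_ROLE_OUTPUT = json.loads("""
{
    "Role": {
        "Path": "/service-role/event-driven-harvest/",
        "RoleName": "divvycloud-eventbus-role",
        "RoleId": "AROAEXAMPLEROLEID0000",
        "Arn": "arn:aws:iam::111122223333:role/service-role/event-driven-harvest/divvycloud-eventbus-role",
        "CreateDate": "2018-11-02T20:27:37Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "events.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]
        }
    }
}""")
SAMPLE_ATTACHED_OUTPUT = {"AttachedPolicies": [{
    "PolicyName": "divvycloud-eventbus-policy",
    "PolicyArn": "arn:aws:iam::111122223333:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy"}]}


def expected_arns(account_id):
    """ARNs the role and policy must have once created with --path."""
    return {
        "role": "arn:aws:iam::%s:role%s%s" % (account_id, EDH_PATH, ROLE_NAME),
        "policy": "arn:aws:iam::%s:policy%s%s" % (account_id, EDH_PATH, POLICY_NAME),
    }


def _service_principals(stmt):
    svc = stmt.get("Principal", {}).get("Service", [])
    return svc if isinstance(svc, list) else [svc]


def verify_role(role_output, attached_output, account_id):
    """Return a list of problems; an empty list means the setup matches the page."""
    problems = []
    role = role_output["Role"]
    want = expected_arns(account_id)
    if role.get("RoleName") != ROLE_NAME:
        problems.append("RoleName is %r, expected %r" % (role.get("RoleName"), ROLE_NAME))
    if role.get("Path") != EDH_PATH:
        problems.append("role Path is %r, expected %r (pass --path to create-role)"
                        % (role.get("Path"), EDH_PATH))
    if role.get("Arn") != want["role"]:
        problems.append("role Arn is %r, expected %r" % (role.get("Arn"), want["role"]))
    # Trust policy: only EventBridge, only via sts:AssumeRole.
    for stmt in role.get("AssumeRolePolicyDocument", {}).get("Statement", []):
        actions = stmt.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        principals = _service_principals(stmt)
        if stmt.get("Effect") == "Allow" and (principals != [TRUSTED_SERVICE]
                                              or actions != ["sts:AssumeRole"]):
            problems.append("trust statement allows %s to %s; expected only %s / sts:AssumeRole"
                            % (principals, actions, TRUSTED_SERVICE))
    # Attached policy: the EDH policy, created under the same path.
    arns = [p.get("PolicyArn") for p in attached_output.get("AttachedPolicies", [])]
    if want["policy"] not in arns:
        problems.append("%s not attached under %s; attached: %s" % (POLICY_NAME, EDH_PATH, arns))
    return problems


if __name__ == "__main__":
    # Usage: python check_edh_role.py role.json attached.json ACCOUNT-ID
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            role_out = json.load(fh)
        with open(sys.argv[2]) as fh:
            attached_out = json.load(fh)
        found = verify_role(role_out, attached_out, sys.argv[3])
    else:
        found = verify_role(SAMPLE_ROLE_OUTPUT, SAMPLE_ATTACHED_OUTPUT, "111122223333")
    print("\n".join(found) or "divvycloud-eventbus-role matches the expected setup")
    sys.exit(1 if found else 0)
```

Redirect the two CLI commands into role.json and attached.json, then run the script with the producer account ID; a non-zero exit means one of the names, the path, the trust relationship or the attached policy ARN differs from what the InsightCloudSec producer setup will look for.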

❗️

Enabling CloudTrail

If you already have at least one CloudTrail enabled with at least Write events being logged, you do not need to create an additional trail for this and can skip to the "Setup EDH in InsightCloudSec" section of this page.

10. With your producer policies in place, you can now configure CloudTrail. Navigate to "Services" --> "CloudTrail."

  • In this example, the trail is named ‘DivvyCloud-EDH’.

[Image: Configure CloudTrail]

11. Click on "Trails" --> "Create Trail" and complete the details based on your organization's requirements (e.g., all regions vs. specific, etc.).

[Image: Create CloudTrail]

Setup EDH in InsightCloudSec

After completing the AWS configuration, you are ready to complete the configuration of EDH inside InsightCloudSec.

1. Navigate to the Clouds main page (under Cloud on the left-side navigation menu).

[Image: Clouds Event-Driven Harvesting Page]

2. If no EDH has been set up previously, select Begin and then confirm EDH is enabled. Otherwise, go to Step 3.

[Image: New EDH Setup]

[Image: Enable EDH Dialog]

3. From the Event-Driven Harvesting tab, select "Consumer" and then select "Add Consumer."

[Image: EDH - Add Consumer]

4. Complete this form by selecting the Consumer Account from the drop-down list; in addition, do the following:

  • Use the field to disable EDH in specific regions. By default, InsightCloudSec will not attempt to set up EDH in AWS opt-in regions. You can override this default by removing the regions from the form above. Ensure that you have configured these regions appropriately by visiting this link.
  • Include an encryption key if you are interested in encrypting your simple queue service (SQS) queues.

[Image: Add Event Consumer]

  • The Consumer will remain in a pending state while setup is in progress.

[Image: Consumer Pending Status]

❗️

Enabled Note

Do not add producers until the consumer is showing as enabled.

[Image: Consumer Enabled Status]

5. From the Event-Driven Harvesting tab, select the Producers subtab and click "Add Producer."

[Image: EDH - Add Producer]

6. Complete the "Enable Producer" form with the details from the AWS setup completed earlier.

[Image: EDH - Add Producer Form]

Note: If you have questions about the policy associated with enabling any options on this form, contact [email protected].

  • You can choose to "Automatically update enabled resource types to use all resource types." This will provide event support for all future resource types as they become supported by DivvyCloud (this is recommended).
  • You can also set EDH to "Automatically Provision Cloudwatch resources."
  • In this setup process, deselect "Automatically Provision IAM resources," because you provisioned these resources manually in the earlier steps.

7. After adding your producer, it may remain in the pending state for several minutes while setup is in progress.

[Image: EDH - Add Producer Pending]

8. Once the configuration is complete, the producer account’s status will be labeled enabled.

📘

Enabling Producer

If there are any issues enabling your producer, the status will read "error" and you’ll be able to click the read icon to see related errors.

9. If you added a heavily used account as your producer, you should see events within a minute or so.

  • If not, you can create and delete a test user to generate events. In this case, we’ll create a user named ‘EDH-TEST-DELETE-ME’ to generate events and verify your configuration.

[Image: EDH - Test User]
