EDH - Manual IAM Setup Option (AWS)

This page provides step-by-step instructions for completing the InsightCloudSec setup for Event-Driven Harvesting (EDH) using an approach that does not automatically provision IAM resources; CloudWatch resources are still set up automatically.

  • You will be required to manually create the Event Bus role/policy. For customers that do not want to use InsightCloudSec's exact paths or names for the role/policy, we will work with you on alternatives.

For questions on this specific setup, assistance with this process for AWS GovCloud, or other EDH-related questions, reach out to us through the Customer Support Portal.

New Onboarding

As of InsightCloudSec v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles. This means it is easiest to perform EDH configuration while onboarding an account/organization. Review AWS Cloud - Onboarding for more information.

For details on other EDH setup options, check out the main Event-Driven Harvesting (AWS) page.

Product name to be replaced

You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn't affect the configuration or the product's functionality, and we will notify you as we replace these component names.

Setup for EDH in AWS

Configure Consumer Account

Consumer accounts are tasked with ingesting events from other accounts and also producing their own events (i.e., consumers are both producers and consumers).

Opt-In Regions

If you want to exclude opt-in regions from harvesting, you can include that configuration when you establish the settings for your consumer(s). If you need assistance, contact us through the Customer Support Portal.

Refer to additional documentation on Opt-In Regions here.

  1. Log in to your AWS Console and open the IAM dashboard.

  2. Open the Policies section and create a new policy using the JSON tab to assign to the existing user/role that InsightCloudSec uses to access the consumer account.

    • This policy allows the user to read and write the appropriate event data.
    • In this case, our user is DivvyCloud-PowerUser and our policy name is DivvyCloud-EDH-Consumer.
    • In addition, you can review the AWS IAM Policies for details.

    Here is a sample of what the policy looks like:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "events:DeleteRule",
            "events:DescribeRule",
            "events:PutRule",
            "events:PutTargets",
            "events:RemoveTargets"
          ],
          "Resource": "arn:aws:events:*:CONSUMER-ACCT-ID:rule/divvycloud*"
        },
        {
          "Effect": "Allow",
          "Action": "events:PutPermission",
          "Resource": "arn:aws:events:*:CONSUMER-ACCT-ID:event-bus/default"
        },
        {
          "Effect": "Allow",
          "Action": [
            "sqs:CreateQueue",
            "sqs:ListQueues",
            "sqs:ReceiveMessage",
            "sqs:DeleteMessage"
          ],
          "Resource": [
            "arn:aws:sqs:*:CONSUMER-ACCT-ID:divvycloud-event-aggregator-*.fifo"
          ]
        },
        {
          "Action": [
            "organizations:DescribeOrganization"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
    ```

  3. Click Review Policy to add a Name and Description and to review the Summary.

  4. Locate your InsightCloudSec Power User. Open the permissions tab to attach the newly created consumer policy to your InsightCloudSec Power User.

    Configuring CloudTrail

    If you already have at least one CloudTrail enabled with at least Write events being logged, you do not need to create an additional trail for this and can skip to Step 7.

  5. With our consumer policies in place, you will need to configure CloudTrail. In the AWS console, open Services > CloudTrail.

  6. Navigate to Trails > Create Trail and complete the details based on your organization's requirements (e.g., all regions vs. specific, etc.).

  7. Navigate to CloudWatch > Events > Event Buses. Click the Add permission button and enable Organization access to the default event bus.

  8. If organization permissions do not already exist, add them using your organization ID.
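Steps 7 and 8 grant your organization permission to put events on the consumer's default event bus. As an added example that is not part of the original page or InsightCloudSec's own tooling, the following Python script builds the resource-policy statement that this organization permission produces (an `Allow` for `events:PutEvents` from principal `*`, pinned to your organization with an `aws:PrincipalOrgID` condition) and checks an existing bus policy, as returned in the `Policy` field of `aws events describe-event-bus`, for PutEvents grants that are not pinned to your organization. The organization ID, account ID, region and the embedded sample policy are constructed placeholders; the function names are the example's own.

```python
"""Organization-scoped PutEvents permission on the consumer's default event bus.

Added example; not InsightCloudSec's own code. Org ID, account ID, region and
the sample describe-event-bus output below are constructed placeholders.
"""
from __future__ import annotations

import json


def org_put_events_statement(org_id: str, account_id: str, region: str,
                             sid: str = "AllowOrgToPutEvents") -> dict:
    """Allow any principal *in the organization* to put events on the default bus."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": "*",
        "Action": "events:PutEvents",
        "Resource": f"arn:aws:events:{region}:{account_id}:event-bus/default",
        # Without this condition, "*" would mean every AWS account.
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
    }


def org_event_bus_policy(org_id: str, account_id: str, region: str) -> str:
    """Full resource policy document for the default event bus, JSON-encoded."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [org_put_events_statement(org_id, account_id, region)]})


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    return principal == "*" or principal == {"AWS": "*"}


def unscoped_put_events_grants(policy: dict, org_id: str) -> list[str]:
    """Sids of Allow statements that accept PutEvents from '*' without pinning it to org_id."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("events:PutEvents", "events:*", "*") for a in actions):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue  # a specific account principal is scoped by definition
        pinned_org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if pinned_org != org_id:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def bus_policy_from_describe(describe_output: dict) -> dict:
    """`aws events describe-event-bus` returns the bus policy as a JSON string."""
    return json.loads(describe_output.get("Policy") or '{"Statement": []}')


# Constructed sample: consumer account 222222222222 in org o-exampleorgid, with one
# correctly scoped statement and one that forgot the organization condition.
ORG_ID = "o-exampleorgid"
CONSUMER_ACCOUNT = "222222222222"
REGION = "us-east-1"

SAMPLE_DESCRIBE_OUTPUT = {
    "Name": "default",
    "Arn": f"arn:aws:events:{REGION}:{CONSUMER_ACCOUNT}:event-bus/default",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            org_put_events_statement(ORG_ID, CONSUMER_ACCOUNT, REGION),
            {
                "Sid": "OpenToAnyAccount",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "events:PutEvents",
                "Resource": f"arn:aws:events:{REGION}:{CONSUMER_ACCOUNT}:event-bus/default",
            },
        ],
    }),
}

if __name__ == "__main__":
    print(org_event_bus_policy(ORG_ID, CONSUMER_ACCOUNT, REGION))
    bus_policy = bus_policy_from_describe(SAMPLE_DESCRIBE_OUTPUT)
    print("unscoped PutEvents grants:", unscoped_put_events_grants(bus_policy, ORG_ID))
```

Run it against the real bus by feeding the JSON from `aws events describe-event-bus --name default` (in each consumer region) to `bus_policy_from_describe`; any Sid it reports is a statement that lets accounts outside your organization inject events into the queue InsightCloudSec reads from. The statement `org_put_events_statement` returns is the same one the console's "Organization" permission adds, and the CLI equivalent is `aws events put-permission --action events:PutEvents --principal '*' --statement-id AllowOrgToPutEvents --condition '{"Type":"StringEquals","Key":"aws:PrincipalOrgID","Value":"o-exampleorgid"}'` with your own organization ID in place of the placeholder.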

Configure Producer Account

  1. Log in to your AWS Console and open the IAM dashboard.

  2. Open the Policies section and create a new policy using the JSON tab. This new policy will be assigned to the existing Harvesting user/role that InsightCloudSec uses to access the producer account.

    • This policy allows the InsightCloudSec user to write the appropriate event data.
    • In this case, our user is DivvyCloud-PowerUser and our policy name is DivvyCloud-EDH-Producer.

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "events:DeleteRule",
            "events:DescribeRule",
            "events:PutRule",
            "events:PutTargets",
            "events:RemoveTargets"
          ],
          "Resource": "arn:aws:events:*:*:rule/divvycloud-events*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:CreatePolicyVersion",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::*:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy",
            "arn:aws:iam::*:role/service-role/event-driven-harvest/divvycloud-eventbus-role"
          ]
        },
        {
          "Action": [
            "organizations:DescribeOrganization"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
    ```

  3. You will need to manually create a role and policy that grants the consumer access to the producer's logs. This role/policy will need to be created on every producer account.

Eventbus Role/Policy Details

During the InsightCloudSec portion of your setup, InsightCloudSec will expect the specified names and paths that are provided in the sample files below; if you modify these, your EDH setup will produce errors and fail.

  1. Save the following JSON to use as the role's trust policy (the assume-role-policy-document). Save it as edh_role_manual_sts.txt.

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"Service": "events.amazonaws.com"},
          "Action": "sts:AssumeRole"
        }
      ]
    }
    ```

  2. Create divvycloud-eventbus-role. The sample content below includes the AWS CLI commands required to create this role. We do not recommend using the AWS Console to create this role because of configuration limitations (e.g., you will not be able to specify the path included below).

    ```shell
    aws iam create-role --role-name divvycloud-eventbus-role --assume-role-policy-document file:///PATH/TO/FILE/edh_role_manual_sts.txt --path /service-role/event-driven-harvest/
    {
        "Role": {
            "Path": "/service-role/event-driven-harvest/",
            "RoleName": "divvycloud-eventbus-role",
            "RoleId": "AROAIYD6PGH3VPCBX4D4Q",
            "Arn": "arn:aws:iam::ACCT-ID-HERE:role/service-role/event-driven-harvest/divvycloud-eventbus-role",
            "CreateDate": "2018-11-02T20:27:37Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "events.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            }
        }
    }
    ```

  3. Save the following JSON for use as the policy-document.

    • Be sure to update the CONSUMER-ACCT-ID value with the account ID of the consumer account.
    • Save as edh_role_manual_policy.txt

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "events:PutEvents"
          ],
          "Resource": [
            "arn:aws:events:*:CONSUMER-ACCT-ID:event-bus/default"
          ],
          "Effect": "Allow"
        }
      ]
    }
    ```

  4. Create divvycloud-eventbus-policy, passing the same --path as the role so that the resulting policy ARN matches the one referenced by the producer policy.

    ```shell
    aws iam create-policy --policy-name divvycloud-eventbus-policy --policy-document file:///PATH/TO/FILE/edh_role_manual_policy.txt --path /service-role/event-driven-harvest/
    {
        "Policy": {
            "PolicyName": "divvycloud-eventbus-policy",
            "PolicyId": "ANPAJ52WSKTB7L4W3QXFS",
            "Arn": "arn:aws:iam::ACCT-ID:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy",
            "Path": "/service-role/event-driven-harvest/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 0,
            "IsAttachable": true,
            "CreateDate": "2018-11-02T20:42:27Z",
            "UpdateDate": "2018-11-02T20:42:27Z"
        }
    }
    ```

  5. Attach divvycloud-eventbus-policy to divvycloud-eventbus-role.

    ```shell
    aws iam attach-role-policy --role-name divvycloud-eventbus-role --policy-arn arn:aws:iam::ACCT-ID:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy

    aws iam list-attached-role-policies --role-name divvycloud-eventbus-role
    {
        "AttachedPolicies": [
            {
                "PolicyName": "divvycloud-eventbus-policy",
                "PolicyArn": "arn:aws:iam::ACCT-ID:policy/service-role/event-driven-harvest/divvycloud-eventbus-policy"
            }
        ]
    }
    ```

  6. InsightCloudSec will automatically use the divvycloud-eventbus-role; the role does not need to be associated with DivvyCloud-PowerUser.
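Because InsightCloudSec looks up the role and policy by their exact names and path, it is worth checking the objects you just created before moving on. The following Python script is an added example, not part of the original page and not InsightCloudSec's own tooling: it fills in the CONSUMER-ACCT-ID placeholder in edh_role_manual_policy.txt and then checks the role and policy JSON, in the shape the `aws iam create-role` and `aws iam create-policy` commands above print (or `aws iam get-role` / `aws iam get-policy` return), for the expected name, path, ARN, trust relationship and permission scope. The account IDs, the sample JSON and the function names are constructed for the example.

```python
"""Offline checks for the manually created EDH event-bus role and policy.

Added example; not InsightCloudSec's own code. Account IDs and the sample
role/policy objects below are constructed to look like CLI output.
"""
from __future__ import annotations

import json
import re

EXPECTED_PATH = "/service-role/event-driven-harvest/"
EXPECTED_ROLE = "divvycloud-eventbus-role"
EXPECTED_POLICY = "divvycloud-eventbus-policy"
TRUSTED_SERVICE = "events.amazonaws.com"

# Contents of edh_role_manual_policy.txt from the page, placeholder included.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["events:PutEvents"],
     "Resource": ["arn:aws:events:*:CONSUMER-ACCT-ID:event-bus/default"],
     "Effect": "Allow"}
  ]
}"""


def render_policy_document(template: str, consumer_account_id: str) -> dict:
    """Replace CONSUMER-ACCT-ID and parse; reject anything but a 12-digit account ID."""
    if not re.fullmatch(r"\d{12}", consumer_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {consumer_account_id!r}")
    return json.loads(template.replace("CONSUMER-ACCT-ID", consumer_account_id))


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict) -> list[str]:
    """Only EventBridge (events.amazonaws.com) may assume the role, and only via sts:AssumeRole."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append(f"trust policy principal is not a service principal: {principal!r}")
            continue
        findings += [f"unexpected trusted service: {s}"
                     for s in _as_list(principal["Service"]) if s != TRUSTED_SERVICE]
        findings += [f"unexpected trust action: {a}"
                     for a in _as_list(stmt.get("Action", [])) if a != "sts:AssumeRole"]
    return findings


def check_role(role: dict) -> list[str]:
    """Name, path, ARN and trust policy of divvycloud-eventbus-role."""
    findings = []
    if role.get("Path") != EXPECTED_PATH:
        findings.append(f"role path is {role.get('Path')!r}, expected {EXPECTED_PATH!r}")
    if role.get("RoleName") != EXPECTED_ROLE:
        findings.append(f"role name is {role.get('RoleName')!r}, expected {EXPECTED_ROLE!r}")
    if not role.get("Arn", "").endswith(f":role{EXPECTED_PATH}{EXPECTED_ROLE}"):
        findings.append(f"role ARN does not carry the expected path: {role.get('Arn')!r}")
    return findings + check_trust_policy(role.get("AssumeRolePolicyDocument", {}))


def check_policy(policy: dict, doc: dict, consumer_account_id: str) -> list[str]:
    """Name, path and ARN of divvycloud-eventbus-policy, plus the scope of its document."""
    findings = []
    if policy.get("Path") != EXPECTED_PATH:
        findings.append(f"policy path is {policy.get('Path')!r} (created without --path?)")
    if policy.get("PolicyName") != EXPECTED_POLICY:
        findings.append(f"policy name is {policy.get('PolicyName')!r}, expected {EXPECTED_POLICY!r}")
    if not policy.get("Arn", "").endswith(f":policy{EXPECTED_PATH}{EXPECTED_POLICY}"):
        findings.append(f"policy ARN does not carry the expected path: {policy.get('Arn')!r}")
    # The document should grant exactly PutEvents on the consumer's default bus.
    expected_resource = f"arn:aws:events:*:{consumer_account_id}:event-bus/default"
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"grants more than events:PutEvents: {a}"
                     for a in _as_list(stmt.get("Action", [])) if a != "events:PutEvents"]
        findings += [f"targets {r!r}, expected {expected_resource!r}"
                     for r in _as_list(stmt.get("Resource", [])) if r != expected_resource]
    return findings


# Constructed sample data: producer account 111111111111, consumer account 222222222222.
PRODUCER_ACCOUNT = "111111111111"
CONSUMER_ACCOUNT = "222222222222"

SAMPLE_ROLE = {  # the "Role" object printed by `aws iam create-role`
    "Path": EXPECTED_PATH,
    "RoleName": EXPECTED_ROLE,
    "Arn": f"arn:aws:iam::{PRODUCER_ACCOUNT}:role{EXPECTED_PATH}{EXPECTED_ROLE}",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": TRUSTED_SERVICE},
                       "Action": "sts:AssumeRole"}],
    },
}

SAMPLE_POLICY = {  # the "Policy" object printed by `aws iam create-policy`
    "PolicyName": EXPECTED_POLICY,
    "Path": EXPECTED_PATH,
    "Arn": f"arn:aws:iam::{PRODUCER_ACCOUNT}:policy{EXPECTED_PATH}{EXPECTED_POLICY}",
}

POLICY_WITHOUT_PATH = {  # what you get when --path is omitted from create-policy
    "PolicyName": EXPECTED_POLICY,
    "Path": "/",
    "Arn": f"arn:aws:iam::{PRODUCER_ACCOUNT}:policy/{EXPECTED_POLICY}",
}

if __name__ == "__main__":
    doc = render_policy_document(POLICY_TEMPLATE, CONSUMER_ACCOUNT)
    print("role:", check_role(SAMPLE_ROLE) or "OK")
    print("policy:", check_policy(SAMPLE_POLICY, doc, CONSUMER_ACCOUNT) or "OK")
    print("policy without --path:", check_policy(POLICY_WITHOUT_PATH, doc, CONSUMER_ACCOUNT))
```

To check a real account, pipe the `Role` object from `aws iam get-role --role-name divvycloud-eventbus-role` into `check_role`, and the `Policy` object from `aws iam get-policy` together with the document you saved as edh_role_manual_policy.txt into `check_policy`. An empty findings list means the names and path match what InsightCloudSec expects, the role trusts only EventBridge, and the policy lets that role put events only on the consumer account's default bus; the `POLICY_WITHOUT_PATH` sample shows the two findings you get when the policy was created without the `--path` argument.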

    Configuring CloudTrail

    If you already have at least one CloudTrail enabled with at least Write events being logged, you do not need to create an additional trail for this and can skip to the next section.

  7. With your producer policies in place, you can now configure CloudTrail. Navigate to Services > CloudTrail.

  8. Navigate to Trails > Create Trail and complete the details based on your organization's requirements (e.g., all regions vs. specific, etc.).

Setup EDH in InsightCloudSec

After completing the AWS configuration, you are now ready to complete the configuration of EDH inside of InsightCloudSec.

  1. Navigate to Cloud > Cloud Accounts and select EDH Consumers.
  2. Click Add EDH Configuration, then click AWS SQS Consumer.
  3. Complete this form by selecting the Consumer Account (already onboarded in InsightCloudSec) from the drop-down list. You will also need to do the following:
    • Provide the ARN of the SQS queue.
    • Select EventBridge via EventBus from the Producer Type drop-down menu.
    • Click Configure. The Consumer will remain in a pending state while setup is in progress.

    Enabling Producers

    Do not add producers until the consumer displays as enabled.

  4. Click the EDH Producers tab, then click Add Producer.
  5. Complete the Create Auto-Provisioning Producer form with the details from the AWS setup completed earlier. If you have questions about the policy associated with enabling any options on this form, contact us through the Customer Support Portal.
    • You can choose to Automatically update enabled resource types to use all resource types. This will provide event support for all future resource types as they become supported by InsightCloudSec (this is recommended).
    • You can also set EDH to Automatically Provision IAM resources and Automatically Provision Cloudwatch resources (both are enabled by default; the approach on this page relies on automatic CloudWatch provisioning but not on automatic IAM provisioning, as described at the top of this page).
    • After adding your producer, it may remain in the pending state for several minutes while setup is in progress (this will not refresh automatically; you will need to manually reload the browser).

Once the configuration is complete, the producer account’s status will be labeled enabled. If you added a heavily-used account as your producer, you should see events within a minute or so. If not, you can create and delete a test user to generate events.