
The AWS sensor

The AWS sensor collects and processes information about configuration changes and actions taken by users, roles, or AWS services.

The overall AWS sensor configuration process consists of two stages:

  1. Fulfilling the prerequisites

    This part of the process is performed in your AWS console, where you need to configure the AWS CloudTrail and AWS Config services, and create an SQS queue and an S3 bucket for GravityZone to access.

  2. Configuring the sensor

    This part of the process is performed in GravityZone Control Center. You need to provide the AWS information required for GravityZone to access the SQS queue and the S3 bucket.

Fulfilling the prerequisites

This part of the process is performed in your AWS console, where you need to configure the AWS CloudTrail and AWS Config services, and create an SQS queue and an S3 bucket for GravityZone to access.

Note

GravityZone XDR integration for AWS does not currently support accounts using AWS Control Tower.

Configure AWS services in your AWS console

Note

The configuration process described below is performed using an AWS root account. If you want to perform these instructions using a different account type, refer to the Configure AWS account permissions article for information on how to set up the necessary permissions for your account.

For your AWS sensor to work correctly, you must first configure a few AWS services in your AWS console. You need to configure an S3 bucket that collects logs from your AWS CloudTrail trail and from the AWS Config service. The AWS Config service also sends information about configuration changes to an AWS SNS topic. An SQS queue is subscribed to this topic, so it also receives the configuration information. The S3 bucket also sends notifications to the same SQS queue whenever new objects are created in the bucket.

GravityZone needs to access both the S3 bucket and the SQS queue. This is done through the use of an AWS IAM service account, to which you need to apply a policy that has the following permissions configured:

  • Permissions for the S3 bucket: GetObject, PutObject, and ListBucket

  • Permissions for the SQS queue: DeleteMessage, PurgeQueue, ReceiveMessage, and ChangeMessageVisibility

If you also want to use the sensor integration for incident response actions, you need to set up an additional policy that applies to the entire IAM principal. These are necessary permissions for response actions: CreatePolicy, AttachUserPolicy, ListPolicies, ListAccessKeys, and DeleteAccessKey.

Lastly, you can configure a Lifecycle rule on the S3 bucket to clear logs that were already retrieved by GravityZone. This is an optional step, aimed at managing S3 storage costs. It is not required for your sensor integration.

Keep in mind that the steps described in this section may vary depending on your unique AWS environment, policies, and requirements. For more in-depth information, refer to the official AWS Documentation.

AWS sensor prerequisites

Before setting up the AWS sensor in GravityZone, follow these steps:

  1. Enable and configure the necessary AWS services - AWS Config, AWS CloudTrail, Amazon SQS and Amazon SNS must be enabled and configured.

  2. Configure your AWS user account permissions.

  3. (Optional) Configure a Lifecycle rule on the S3 bucket.

Important

Enabling each of the following services may incur additional costs: AWS CloudTrail, AWS Config, Amazon SQS, AWS S3, and Amazon SNS. All these services are required for a successful integration.

Configure the necessary AWS services

  1. Configure a multi-region CloudTrail trail.

    1. Log into your AWS console.

    2. Use the search bar to look up "CloudTrail".

    3. In the CloudTrail page, click the Create a trail button.

    4. Give the trail a name.

    5. In the Storage location section, select Create new S3 bucket.

    6. In the Trail log bucket and folder field enter a unique bucket name.

    7. In the Log file SSE-KMS encryption section, clear the Enabled checkbox.

    8. Leave the rest of the fields with their default settings and click Next.

      (Screenshot: AWS CloudTrail attributes)
    9. In the Events section, select all three categories: Management events, Data events, and Insights events.

    10. In the Management events section, under API activity, select the Read and Write checkboxes.

    11. In the Data events section, expand the Data event: S3 section.

    12. For the Data event type field, select S3 from the drop-down menu.

    13. For the Log selector template field, select Log all events from the drop-down menu.

    14. In the Insights events section, select both checkboxes: API call rate and API error rate.

    15. Click Next.

    16. In the Review and create page, click Create trail.

      You will be redirected to the Trails grid.

  2. Configure S3 permissions for the AWS Config service.

    1. In the Trails grid, click the S3 bucket.

      (Screenshot: AWS Trails grid)
    2. In the Objects page, click the bucket name listed in the breadcrumb menu.

      (Screenshot: Objects breadcrumb menu)
    3. In the bucket page, click the Permissions tab.

    4. Scroll down to the Bucket policy section and click the Edit button.

    5. Copy the following code block:

        {
            "Sid": "AWSConfigBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "BUCKET_ARN",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "ACCOUNT_ID"
                }
            }
        },
        {
            "Sid": "AWSConfigBucketExistenceCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "s3:ListBucket",
            "Resource": "BUCKET_ARN",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "ACCOUNT_ID"
                }
            }
        },
        {
            "Sid": "AWSConfigBucketDelivery",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "BUCKET_ARN/AWSLogs/ACCOUNT_ID/Config/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "ACCOUNT_ID",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    6. In the Policy section, add a comma after the last statement and paste the code block on a new line, before the closing square bracket.

    7. Update the two placeholders in the code: BUCKET_ARN and ACCOUNT_ID. The value for Bucket ARN is displayed above the Policy section. Save these values for later use.

    8. To find your Account ID, click your username in the upper-right corner of the page. Your Account ID is displayed in the drop-down menu, right below your username.

    9. Click Save changes.

  3. Configure AWS Config and enable AWS Config recording

    1. Use the search bar in the AWS console to look up "Config".

    2. In the left-side menu, click Set up AWS Config. Do not use the 1-click setup option.

      Note

      This step assumes the AWS Config service was never configured in your current AWS account region. If the AWS Config service is already configured, access the Settings page in the left-side menu. Click Edit, select the Enable recording checkbox and confirm your choice. Next, follow the same steps described below.

    3. In the General Settings section, under Recording strategy, select Record all current and future resource types supported in this region.

    4. Select the Include globally recorded resource types checkbox.

    5. For the AWS Config role field, select the Use an existing AWS Config service-linked role option.

      You can leave the rest of the fields with their default values.

    6. In the Delivery method section, under Amazon S3 bucket, select the Choose a bucket from your account option.

    7. For the S3 Bucket name (required) field, select the S3 bucket previously created at step 1.

    8. In the Amazon SNS topic section, select the Stream configuration changes and notifications to an Amazon SNS topic checkbox.

    9. Select the Create a topic option.

    10. Enter a name for the SNS topic.

    11. Click Next twice, and then confirm your choice.

    Note

    These steps enable the AWS Config recording for the current AWS region of your user account. If you want to add AWS Config notifications from other regions, refer to Configure AWS Config and enable AWS Config recording for other AWS regions.

  4. Configure the SQS queue and subscribe it to the SNS topic.

    1. Use the search bar in the AWS console to look up "Amazon SQS".

    2. In the Amazon SQS page, open the left-side menu and click Queues.

    3. In the Queues grid, click Create queue.

    4. In the Details section, for the Type field, select Standard.

    5. Enter a name for the queue.

    6. Leave the rest of the fields with their default values and click Create queue.

      You will be redirected to the queue's dedicated page.

    7. Copy the queue URL and ARN values for later use.

    8. In the SNS subscriptions tab, click Subscribe to Amazon SNS topic.

    9. In the drop-down menu, select the SNS topic you created at step 3, and click Save.

      You will be redirected to the queue's dedicated page.

    10. Click the Access policy tab.

    11. In the Access policy (Permissions) section, click Edit.

    12. Copy the following code block:

      {
        "Sid": "Stmt1678745203026",
        "Effect": "Allow",
        "Principal": {
          "Service": "s3.amazonaws.com"
        },
        "Action": "sqs:SendMessage",
        "Resource": "QUEUE_ARN",
        "Condition": {
          "StringLike": {
            "aws:SourceArn": "BUCKET_ARN"
          },
          "StringEquals": {
            "aws:SourceAccount": "ACCOUNT_ID"
          }
        }
      }
    13. Scroll down to the Access policy section, add a comma after the last statement of the policy, and paste the code block on a new line, before the last closing square bracket.

    14. Update the three placeholders in the code: BUCKET_ARN, ACCOUNT_ID, and QUEUE_ARN with the values from steps 2g., 2h., and 4g.

    15. Click Save.

  5. Configure S3 bucket events.

    1. Use the search bar in the AWS console to look up "S3" and select the S3 option.

    2. In the left-side menu, click Buckets.

    3. In the Buckets page, click the S3 bucket you created.

    4. Click the Properties tab.

    5. Scroll down to the Event Notifications section and click the Create event notification button.

    6. In the General configuration section, provide a name for the notification configuration.

    7. In the Event types section, under Object creation, select the All object create events checkbox.

    8. In the Destination section, under Destination, select the SQS queue option.

    9. Under Specify SQS queue, select the Choose from your SQS queues option, and select the SQS queue you created at step 4.

    10. Click Save changes.

Next, you need to configure an IAM service account with the right permissions.
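As an added example (not GravityZone's own code, nor part of the original page), the following Python classifies the three message shapes that reach the queue configured above: S3 object-created notifications for new CloudTrail and Config log files, the one-off S3 test event that S3 sends when an event notification is saved, and AWS Config notifications wrapped in the SNS envelope (SNS raw message delivery is off by default). Bucket, account, topic and key names are constructed.

```python
"""Classify the messages that arrive on the sensor's SQS queue (added example)."""
import json
from urllib.parse import unquote_plus

# Constructed sample bodies shaped like the real payloads (placeholder names).
S3_CREATE_EVENT = json.dumps({"Records": [{
    "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-trail-bucket"},
           "object": {"key": "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/trail.json.gz"}}}]})
S3_TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                            "Bucket": "example-trail-bucket"})
SNS_CONFIG_EVENT = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:example-config-topic",
    "Message": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                           "configurationItem": {"resourceType": "AWS::IAM::User",
                                                 "resourceId": "AIDAEXAMPLE"}})})


def classify(body):
    """Describe one message body as a dict with a 'kind' key.

    kind: "s3-object" (log files to fetch), "s3-test" (safe to delete),
    "config-change" (AWS Config via SNS) or "unknown" (leave for inspection).
    """
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return {"kind": "unknown", "reason": "not JSON"}
    if not isinstance(msg, dict):
        return {"kind": "unknown", "reason": "not an object"}

    # SNS envelope: the Config notification is a JSON string inside "Message".
    if msg.get("Type") == "Notification" and "Message" in msg:
        try:
            inner = json.loads(msg["Message"])
        except (json.JSONDecodeError, TypeError):
            return {"kind": "unknown", "reason": "bad SNS Message"}
        item = inner.get("configurationItem") or {}
        return {"kind": "config-change", "message_type": inner.get("messageType"),
                "resource_type": item.get("resourceType")}

    # S3 sends this once when the event notification is first configured.
    if msg.get("Event") == "s3:TestEvent":
        return {"kind": "s3-test", "bucket": msg.get("Bucket")}

    objects = []
    for rec in msg.get("Records", []):
        if rec.get("eventSource") == "aws:s3" and \
                rec.get("eventName", "").startswith("ObjectCreated:"):
            # S3 URL-encodes object keys in notifications ("+" stands for a space).
            objects.append((rec["s3"]["bucket"]["name"],
                            unquote_plus(rec["s3"]["object"]["key"])))
    if objects:
        return {"kind": "s3-object", "objects": objects}
    return {"kind": "unknown", "reason": "unrecognised shape"}


def log_objects(bodies):
    """Return the (bucket, key) pairs that a batch of message bodies points at."""
    out = []
    for body in bodies:
        info = classify(body)
        if info["kind"] == "s3-object":
            out.extend(info["objects"])
    return out
```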

Configure AWS permissions

This procedure requires IAM administrative rights.

To configure the necessary AWS permissions, follow these steps:

  1. Create the policies that contain the desired permissions.

  2. Apply these policies to an IAM service account.

  3. Grant the IAM service account access to the S3 bucket you previously created.

  4. Configure limited public access to the S3 bucket via access point policies.

  5. Grant the IAM service account access to the SQS queue you previously created.

GravityZone needs access to the S3 bucket and the SQS queue, and achieves this by using the IAM service account. That is why the account must be configured with access to these two services.

Configure an IAM policy to generate security incidents

To configure an IAM policy to generate security incidents, follow these steps:

  1. Use the search bar to look up "IAM", and click the Identity and Access Management (IAM) option.

  2. In the left-side menu, click Policies.

  3. In the Policies page, click the Create policy button above the grid.

  4. In the Specify permissions page, click the JSON button.

  5. In the Policy editor section, replace the existing text with the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAccessToS3Bucket",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "BUCKET_ARN/*",
                    "BUCKET_ARN"
                ]
            },
            {
                "Sid": "AllowAccessToSQSQueue",
                "Effect": "Allow",
                "Action": [
                    "sqs:ReceiveMessage",
                    "sqs:DeleteMessage",
                    "sqs:ChangeMessageVisibility",
                    "sqs:PurgeQueue"
                ],
                "Resource": "QUEUE_ARN"
            }
        ]
    }
  6. Update the two placeholders in the code: BUCKET_ARN and QUEUE_ARN with the values you copied at steps 2g. and 4g. of Configure the necessary AWS services.

  7. Click Next.

  8. In the Policy details section, provide a name and a description for your policy, and click Create policy.

    You will be redirected to the Policies page.

    If you want the ability to take incident response actions directly from GravityZone, continue with the instructions below. Otherwise, skip to Apply permissions policies to an IAM service account.

Configure an IAM policy for incident response actions

To configure an IAM policy for incident response actions, follow these steps:

  1. In the Policies page, click the Create policy button above the grid.

  2. In the Specify permissions page, click the JSON button.

  3. In the Policy editor section, replace the existing text with the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:ListPolicies",
                    "iam:AttachUserPolicy",
                    "iam:CreatePolicy",
                    "iam:DeleteAccessKey",
                    "iam:ListAccessKeys"
                ],
                "Resource": [
                    "arn:aws:iam::ACCOUNT_ID:*"
                ]
            }
        ]
    }

  4. Update the ACCOUNT_ID placeholder in the code with the value you copied at step 2h. of Configure the necessary AWS services.

  5. Click Next.

  6. In the Policy details section, provide a name and a description for your policy, and click Create policy.

    You will be redirected to the Policies page.
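As an added check covering both policies above (example code, not part of the page or of GravityZone), this Python audit compares policy documents against the minimum action sets the page lists and reports drift: required sensor actions that are missing, granted actions outside the sensor and response sets, wildcard actions, a bare "*" resource, placeholders that were never replaced, and S3 or SQS actions not scoped to the bucket and queue ARNs you supply. The ARNs and the drifted policy are constructed.

```python
"""Audit the sensor's IAM policies against the documented minimum (added example).

Flags required actions that are missing, actions outside the sensor and
response sets, wildcard actions or a bare "*" resource, unreplaced placeholders,
and S3/SQS actions not scoped to the bucket and queue given.
"""
import json

SENSOR_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:ListBucket",
                  "sqs:ReceiveMessage", "sqs:DeleteMessage",
                  "sqs:ChangeMessageVisibility", "sqs:PurgeQueue"}
RESPONSE_ACTIONS = {"iam:CreatePolicy", "iam:AttachUserPolicy", "iam:ListPolicies",
                    "iam:ListAccessKeys", "iam:DeleteAccessKey"}
PLACEHOLDERS = ("BUCKET_ARN", "QUEUE_ARN", "ACCOUNT_ID", "IAM_SENSOR_USER_ARN")

# Constructed ARNs standing in for the values copied from the console.
BUCKET = "arn:aws:s3:::example-trail-bucket"
QUEUE = "arn:aws:sqs:us-east-1:111122223333:example-sensor-queue"

# Constructed copy of the page's incident-generation policy with placeholders filled.
SENSOR_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAccessToS3Bucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": [BUCKET + "/*", BUCKET]},
    {"Sid": "AllowAccessToSQSQueue", "Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                "sqs:ChangeMessageVisibility", "sqs:PurgeQueue"],
     "Resource": QUEUE}]})
# Constructed drifted policy: wildcard S3 grant and an unreplaced placeholder.
DRIFTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage"], "Resource": "QUEUE_ARN"}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policies(policy_docs, bucket_arn, queue_arn):
    """Return findings for a list of policy JSON strings (sensor + optional response)."""
    findings = {"missing": set(SENSOR_ACTIONS), "extra": set(),
                "wildcards": [], "placeholders": [], "misscoped": []}
    expected = {"s3": {bucket_arn, bucket_arn + "/*"}, "sqs": {queue_arn}}
    for doc in policy_docs:
        for stmt in _as_list(json.loads(doc)["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements never widen access
            resources = _as_list(stmt.get("Resource", []))
            for res in resources:
                if any(p in res for p in PLACEHOLDERS):
                    findings["placeholders"].append(res)
                elif res == "*":
                    findings["wildcards"].append(res)
            for action in _as_list(stmt.get("Action", [])):
                if "*" in action:
                    findings["wildcards"].append(action)
                    continue
                findings["missing"].discard(action)
                if action not in SENSOR_ACTIONS | RESPONSE_ACTIONS:
                    findings["extra"].add(action)
                service = action.split(":", 1)[0]
                if service in expected and not set(resources) <= expected[service]:
                    findings["misscoped"].append(action)
    findings["missing"] = sorted(findings["missing"])
    findings["extra"] = sorted(findings["extra"])
    return findings
```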

Apply permissions policies to an IAM service account

After creating the policies, you will create an IAM service account. During the account creation process, you will configure it with one or both of the permissions policies.

To create and configure an IAM service account, follow these steps:

  1. In the Policies page, in the left-side menu, click Users.

  2. Click the Add users button.

  3. In the User details section, provide a user name and click Next.

  4. In the Set permissions page, select the Attach policies directly option.

  5. In the Permissions policies section, look up and select the policies you previously created.

    • If you want to use the sensor integration to generate security incidents, select the policy you created through Configure an IAM policy to generate security incidents.

    • If you want to use the sensor integration to generate security incidents and take incident response actions from GravityZone, select both policies.

    Note

    Do not select only the incident response policy, as this action will result in a sensor misconfiguration.

  6. Click Next.

  7. Click Create user.

    You will be redirected to the Users page.

  8. In the Users page, click the user name in the grid.

  9. In the user page, go to the Security credentials tab.

  10. Scroll down to the Access keys section, and click Create access key.

  11. In the Use case section, select the Third-party service option.

  12. Select the Confirmation checkbox and click Next.

  13. Click Create access key.

  14. In the Retrieve access key page, copy the Access key and the Secret access key values for later use.

  15. Click Done and then Continue.

    You will be redirected to the user details page.

  16. In the user details page, copy the user ARN value from the Summary section. Save the information for later use.

Grant the IAM service account access to the S3 bucket

To grant the IAM service account access to the S3 bucket, follow these steps:

  1. Use the search bar in the AWS console to look up "S3" and select the S3 option.

  2. In the left-side menu, click Buckets.

  3. In the Buckets page, click the S3 bucket you created at step 1 in Configure the necessary AWS services.

  4. In the bucket details page, click the Permissions tab.

  5. Scroll down to the Bucket policy section and click the Edit button.

  6. Copy the following code block:

            {
                "Sid": "AllowSensorUserAccess",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "IAM_SENSOR_USER_ARN"
                },
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "BUCKET_ARN/*",
                    "BUCKET_ARN"
                ],
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceAccount": "ACCOUNT_ID"
                    }
                }
            }
  7. In the Policy section, add a comma after the last statement of the policy, and paste the code block on a new line, before the last closing square bracket.

  8. Update the three placeholders in the code: IAM_SENSOR_USER_ARN, BUCKET_ARN, and ACCOUNT_ID with the values from steps 2g. and 2h. of Configure the necessary AWS services, and step 16 of Apply permissions policies to an IAM service account.

  9. Click Save changes.

    You will be redirected to the bucket details page, with the Permissions tab selected.

Configure limited public access to the S3 bucket via access point policies

To configure limited public access to the S3 bucket via access point policies, follow these steps:

  1. In the Permissions tab of the S3 bucket details page, go to the Block public access (bucket settings) section.

  2. Click the Edit button.

  3. In the Edit Block public access (bucket settings) page, clear the Block all public access checkbox.

  4. Select the following two checkboxes: Block public access to buckets and objects granted through new access control lists (ACLs) and Block public access to buckets and objects granted through any access control lists (ACLs).

  5. Click Save changes.

  6. In the pop-up window, type "confirm" and click the Confirm button.

    You will be redirected to the bucket details page.

    This configuration grants public access only to the IAM service account configured in the previous steps.

Grant the IAM service account access to the SQS queue

To grant the IAM service account access to the SQS queue, follow these steps:

  1. Use the search bar in the AWS console to look up "Amazon SQS".

  2. In the Amazon SQS page, open the left-side menu and click Queues.

  3. In the Queues grid, click the SQS queue you previously created at step 4 of Configure the necessary AWS services.

  4. In the queue details page, click the Access policy tab.

  5. Click the Edit button.

  6. Copy the following code block:

    {
        "Sid": "AllowSensorUserAccess",
        "Effect": "Allow",
        "Principal": {
            "AWS": "IAM_SENSOR_USER_ARN"
        },
        "Action": [
            "sqs:ReceiveMessage",
            "sqs:DeleteMessage",
            "sqs:ChangeMessageVisibility",
            "sqs:PurgeQueue"
        ],
        "Resource": "QUEUE_ARN",
        "Condition": {
            "StringEquals": {
                "AWS:SourceAccount": "ACCOUNT_ID"
            }
        }
    }
  7. Scroll down to the Access policy section, add a comma after the last statement of the policy, and paste the code block on a new line, before the last closing square bracket.

  8. Update the three placeholders in the code: IAM_SENSOR_USER_ARN, ACCOUNT_ID, and QUEUE_ARN with the values from steps 2h. and 4g. of Configure the necessary AWS services, and step 16 of Apply permissions policies to an IAM service account.

  9. Scroll down and click the Save button.

Configure a Lifecycle rule

This is an optional configuration step, aimed at managing S3 storage costs because it clears logs that were already retrieved by GravityZone.

If you don't want to perform this step, skip to Setting up the AWS sensor.

To configure the Lifecycle rule, follow these steps:

  1. Use the search bar in the AWS console to look up "S3" and select the S3 option.

  2. In the left-side menu, click Buckets.

  3. In the Buckets page, click the S3 bucket you created at step 1 in Configure the necessary AWS services.

  4. In the bucket details page, click the Management tab.

  5. In the Lifecycle rules section, click the Create lifecycle rule button.

  6. In the Create lifecycle rule page, provide a name for the rule.

  7. For the rule scope, select the Apply to all objects in the bucket option.

  8. Select the I acknowledge that this rule will apply to all objects in the bucket checkbox.

  9. In the Lifecycle rule actions section, select the following checkboxes:

    • Expire current versions of objects

    • Delete expired object delete markers or incomplete multipart uploads

  10. In the Expire current versions of objects section, in the Days after object creation field, enter 30.

  11. In the Delete expired object delete markers or incomplete multipart uploads section, in the Number of days field, enter 30.

  12. Click Create rule.

Setting up the AWS sensor

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the AWS sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary AWS details.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.