AWS Additional Configuration
Depending on how your AWS environment is configured and/or the types of services and regions you use, you may want to configure some additional things outside of the general InsightCloudSec cloud setup process. Review the sections below to determine what's applicable for your environment.
Using GuardDuty with InsightCloudSec
If you use AWS GuardDuty to detect threats within your AWS environment, you'll need to configure it to allow InsightCloudSec to harvest your AWS data. Review Trusting InsightCloudSec with AWS GuardDuty for more information.
Enabling Opt-In Regions
InsightCloudSec includes support for several AWS Commercial regions with the "opt-in" classification. Currently those are: Bahrain me-south-1
, Hong Kong ap-east-1
, Cape Town af-south-1
, and Milan eu-south-1
. Each of these regions are AWS “opt-in” regions and require additional configuration to be enabled.
Once enabled, you will also need to update the STS token compatibility to allow InsightCloudSec to communicate with these regions.
Session Tokens
STS tokens need to be enabled in the AWS account where your InsightCloudSec instance is deployed.
- Without these changes, InsightCloudSec will be unable to retrieve information from these regions even if they are enabled.
- For customers who prefer to keep these regions disabled, there are no changes required.
Allow larger session tokens
To enable STS tokens, you must allow larger session tokens to the global endpoint.
- Go to the AWS console (https://console.aws.amazon.com/iam/home?#/account_settings).
- In the Security Token Service (STS) section, in the Global Endpoint row, click Edit. (https://sts.amazonaws.com).
- Select Valid in all AWS Regions.
- Click Save changes.
AWS Regions
A full list of AWS Regions can be found on the AWS site.
Using AWS Billing Bucket with InsightCloudSec
InsightCloudSec allows you to view billing information for your AWS accounts through the AWS Cost and Usage Report. To enable this feature, you must configure a billing bucket within the AWS console and connect your InsightCloudSec platform to the target report path.
Legacy Detailed Billing Report
InsightCloudSec still provides access to the legacy Billing Bucket report; however, the AWS Detailed Billing Report feature is unavailable for new AWS customers as of 07/08/2019. Read details about AWS’ legacy detailed billing report here.
Prerequisites
Before you get started you will want to make sure you have the following:
- A functioning InsightCloudSec platform Installation with the appropriate admin permissions
- The appropriate permissions to access the AWS Billing details through the AWS Console
For more information on configuring for AWS billing, read more on AWS.
AWS Console Configuration
Set up the Cost & Usage report
- Go to My Billing Dashboard (from your account profile, upper right), then select the "Cost & Usage Report" option from the main navigation. You will need the appropriate permissions to access the both the dashboard and the setup for this report.
- Click Create Report and complete the details.
- Click Configure to complete the S3 bucket configuration by doing the following. InsightCloudSec only supports ZIP and GZIP as compression types.
- Entering an existing an existing S3 bucket name
- Creating a new S3 bucket by providing a name and specifying the region
- Click Next to review the policy for your report.
- Select I have confirmed that this policy is correct, and click Save to finalize the report.
- On the AWS Cost and Usage Reports page, click the name of the new report to view the details. This is where you will retrieve the report path to provide to InsightCloudSec when you set up the configuration for the Cost Usage Report.
Setup for deprecated Billing Bucket
Legacy Billing Bucket Setup
Legacy Billing Report Support
You must have established your AWS account before this feature was deprecated to have access to this capability.
- Go to Account > My Billing Dashboard, then select Billing Preferences.
- Under Cost Management Preferences/Detailed Billing Reports (Legacy), check the box for Turn on the legacy detailed billing reports....
- Once you enable the legacy billing reports, make note of the bucket name.
The policy should be automatically created on that bucket, but in case you’d like to verify, we're providing a copy (below) of our policy on our billing bucket with some values changed/scrubbed.
json
1{2"Version": "2008-10-17",3"Id": "Policy1372092530063",4"Statement": [5{6"Action": [7"s3:GetBucketAcl",8"s3:GetBucketPolicy"9],10"Principal": {11"AWS": "arn:aws:iam::XXXXXXXXX616:root"12},13"Resource": "arn:aws:s3:::divvy-billing-reports",14"Effect": "Allow",15"Sid": "StmtXXXXXXXXXXXXX"16},17{18"Action": "s3:PutObject",19"Principal": {20"AWS": "arn:aws:iam::XXXXXXXXX616:root"21},22"Resource": "arn:aws:s3:::divvy-billing-reports/*",23"Effect": "Allow",24"Sid": "StmtXXXXXXXXXXXXX"25}26]27}
InsightCloudSec Configuration
- Go to Cloud > Clouds and select the AWS Cloud account from the Listing page.
- On the Settings tab for the selected cloud account, and scroll to the bottom of the page to view the Configure Billing Bucket section of the page.
- From here you can configure the Cost and Usage Report, or for legacy customers the Detailed Billing Report (Legacy).
- For the Cost and Usage Report provide:
- The name of the S3 bucket
- The report path prefix
- The region
- For the Detailed Billing Report (Legacy) provide:
- The name of the S3 bucket
- The region
- Click Submit when you have completed the bucket details based on your preferences.
Viewing cloud costs
If you are just setting up a new billing bucket, you may need to wait as long as 24 hours to see the results of collected billing info. If you have previously set up a billing bucket and have just connected it to InsightCloudSec, results should be visible in only a few minutes.
View cloud costs
- Go to Cloud > Clouds and locate the AWS cloud with a configured billing bucket that you want to view details around.
- Click on the Resources menu to the left of your selected Cloud to open a filtered Resources main page, specific to the cloud you have selected.
- Select Identity Management as the resources category.
- Select Cloud Service Cost as the resource type.
- Scrolling will display cost breakdown details for the selected cloud, including Current Month Spend, Projected Month Spend, and Previous Month Spend - each broken out by service.
The details vary slightly depending on your selected report (legacy or the new Cost & Usage Report).
Miscellaneous AWS Services Configuration
Harvesting Cadences
Due to the global scope, count, and scale of S3 buckets, we recommend that the harvest cadence for Storage Containers be no less than 30 minutes.
Impaired Visibility
Customers using AWS will have improved visibility warnings if an S3 bucket’s properties are unable to be harvested due to an overly restrictive bucket policy.
While there are multiple policy possibilities that can prevent complete harvesting of an S3 bucket, here's an example policy that will show as impaired in InsightCloudSec:
json
1{2"Version": "2008-10-17",3"Statement": [4{5"Sid": "DenyAll",6"Effect": "Deny",7"Principal": "*",8"Action": [9"s3:GetBucketLogging",10"s3:GetBucketPolicy",11"s3:GetEncryptionConfiguration"12],13"Resource": "arn:aws:s3:::myimpairedbucket"14}15]16}
Because the bucket policy denies all principals, InsightCloudSec won't be able to harvest the bucket logging, policy, or encryption statuses.
Other Causes
In addition to the policy example above other possible causes include:
- inability to get the bucket location
- inability to get the bucket ACL
- inability to get IAM policy details
- inability to get versioning config
- inability to get static website config
- inability to get lifecycle policy config
- inability to get encryption settings
To get more information about what specific call(s) failed, you can run sudo docker-compose logs | grep "Unable to retrieve" | grep "yourbucketname"
on the instance you have running InsightCloudSec.
Update the command with your unique bucket name.
Recommend Bot Remediation
When using custom insights and bot actions on storage containers, it's recommended that the condition of Storage Container Without Impaired Visibility be applied. This prevents a bucket's policy from being overwritten when InsightCloudSec sees it as not having one.
For visibility and reporting, you can use the filter Storage Container With Impaired Visibility to alert you when there's a bucket policy in place that prevents visibility for InsightCloudSec.
Elastic Beanstalk
InsightCloudSec includes support and visibility for AWS Elastic Beanstalk that includes filter and enhanced insight into both Elastic Beanstalk Applications and Environments. To view details, go to Compute > WebAppGroup.
AWS Elastic Beanstalk can include many instances, ASGs, etc., linked to a given environment. The following resource types are supported by InsightCloudSec and can be linked to an environment:
- Instances
- Auto Scaling groups
- Launch configurations
- Load balancers
- Queues
For the newest and extensive set of AWS read permissions required, go to AWS Latest Elastic Beanstalk.
Automatic patching
InsightCloudSec includes a data point for WebApps: automatic_patching
. It is exclusive to AWS Beanstalk and tracks whether or not Managed Actions are enabled. To support Beanstalk resources we added the following filters:
- Instance Managed By Web App
- Web App With Automatic Patching Enabled
- Web App With Automatic Patching Disabled
With Beanstalk you can have multiple runtime versions so we added a new column on the resources page to display this information.
Permissions
When Beanstalk make sure that you have given InsightCloudSec the proper permissions for all the supported resources (see list below) used by your Beanstalk app/environment.
New AWS Elastic Beanstalk permissions
The following AWS permission are new:
elasticbeanstalk:DescribeApplications
elasticbeanstalk:DescribeEnvironments
elasticbeanstalk:DescribeEnvironmentResources
elasticbeanstalk:DescribePlatformVersion
Using Your Own SSL Cert with ELB
Customers interested in supplying their own certificate for ELB should refer to the following AWS documentation: