AWS Additional Configuration
Depending on how your AWS environment is configured and/or the types of services and regions you use, you may want to configure some additional things outside of the general InsightCloudSec cloud setup process. Review the sections below to determine what's applicable for your environment.
Review the sections below to determine what additional features or configurations may be applicable for your environment.
Configuration | Description |
---|---|
Enabling Opt-In Regions | If you use one or more of AWS regions with the "opt-in" classification, they'll need to be configured so that InsightCloudSec can properly harvest services hosted in those regions. |
Trusting InsightCloudSec with AWS GuardDuty | If you use AWS GuardDuty to detect threats within your AWS environment, you'll need to configure it to allow InsightCloudSec to harvest your AWS data. |
AWS Billing Bucket & Cost and Usage | If you are still using the legacy AWS Billing Bucket report, InsightCloudSec can harvest that billing information. The AWS Detailed Billing Report feature is unavailable for new AWS customers as of 07/08/2019. In addition, we provide instructions on using InsightCloudSec with the newer Cost & Usage report. |
AWS Service Configuration | InsightCloudSec can harvest additional information about select AWS services, provided you complete some configuration. |
Enabling Opt-In Regions
If you use one or more of AWS regions with the "opt-in" classification, they'll need to be configured so that InsightCloudSec can properly harvest services hosted in those regions.
InsightCloudSec includes support for several AWS Commercial regions with the "opt-in" classification. Currently those are: Bahrain me-south-1
, Hong Kong ap-east-1
, Cape Town af-south-1
, and Milan eu-south-1
. Each of these regions are AWS “opt-in” regions and require additional configuration to be enabled.
Once enabled, you will also need to update the STS token compatibility to allow InsightCloudSec to communicate with these regions.
Session Tokens
STS tokens need to be enabled in the AWS account where your InsightCloudSec instance is deployed.
- Without these changes, InsightCloudSec will be unable to retrieve information from these regions even if they are enabled.
- For customers who prefer to keep these regions disabled, there are no changes required.
Allow larger session tokens
To enable STS tokens, you must allow larger session tokens to the global endpoint.
- Go to the AWS console (https://console.aws.amazon.com/iam/home?#/account_settings).
- In the Security Token Service (STS) section, in the Global Endpoint row, click Edit. (https://sts.amazonaws.com).
- Select Valid in all AWS Regions.
- Click Save changes.
AWS Regions
A full list of AWS Regions can be found on the AWS site.
Using GuardDuty with InsightCloudSec
If you use AWS GuardDuty to detect threats within your AWS environment, you'll need to configure it to allow InsightCloudSec to harvest your AWS data. This action must be completed through the AWS console under the GuardDuty service.
Adding InsightCloudSec to the Trusted IP Address List
You must be a master user of a GuardDuty account to upload and manage trusted IP addresses. Users who are members of GuardDuty accounts do not have these privileges.
Required Permissions to Manage Trusted Lists
The following permissions are required to manage Trusted Lists:
iam:PutRolePolicy
iam:DeleteRolePolicy
Identify the Trusted IP Address for Your InsightCloudSec Instance
- Log in to the AWS console and navigate to the GuardDuty page.
- Select Findings.
- Select the Finding Type/Resource you wish to trust.
- Scroll down in the panel that opens on the right and note the IP address for your resource.
- Repeat the preceding steps for each Finding Type/Resource you wish to trust.
Create the List of Trusted IP Addresses
- Create a text file in which to log the IP addresses you wish to trust, one IP address per line.
- Move your list of trusted IP addresses to an S3 bucket. Note the S3 bucket’s name.
Add the Trusted IP Address List to GuardDuty
- Go to the Lists section of the GuardDuty page.
- Click Add a trusted IP list and do the following:
- Give your list a name
- Add the file containing your list (Click here for details about creating and uploading lists.)
- Select Active to make your list active.
At any given time, you can have only one uploaded trusted IP list per AWS account per region.
Using AWS Billing Bucket with InsightCloudSec
If you are still using the legacy AWS Billing Bucket report, InsightCloudSec can harvest that billing information. The AWS Detailed Billing Report feature is unavailable for new AWS customers as of 07/08/2019. In addition, we provide instructions on using InsightCloudSec with the newer Cost & Usage report.
InsightCloudSec allows you to view billing information for your AWS accounts through the AWS Cost and Usage Report. To enable this feature, you must configure a billing bucket within the AWS console and connect your InsightCloudSec platform to the target report path.
Legacy Detailed Billing Report
InsightCloudSec still provides access to the legacy Billing Bucket report; however, the AWS Detailed Billing Report feature is unavailable for new AWS customers as of 07/08/2019. Read details about AWS’ legacy detailed billing report here.
Prerequisites
Before you get started you will want to make sure you have the following:
- A functioning InsightCloudSec platform Installation with the appropriate admin permissions
- The appropriate permissions to access the AWS Billing details through the AWS Console
For more information on configuring for AWS billing, read more on AWS.
AWS Console Configuration
Set up the Cost & Usage report
- Go to My Billing Dashboard (from your account profile, upper right), then select the "Cost & Usage Report" option from the main navigation. You will need the appropriate permissions to access the both the dashboard and the setup for this report.
- Click Create Report and complete the details.
- Click Configure to complete the S3 bucket configuration by doing the following. InsightCloudSec only supports ZIP and GZIP as compression types.
- Entering an existing an existing S3 bucket name
- Creating a new S3 bucket by providing a name and specifying the region
- Click Next to review the policy for your report.
- Select I have confirmed that this policy is correct, and click Save to finalize the report.
- On the AWS Cost and Usage Reports page, click the name of the new report to view the details. This is where you will retrieve the report path to provide to InsightCloudSec when you set up the configuration for the Cost Usage Report.
Setup for deprecated Billing Bucket
Legacy Billing Bucket Setup
Legacy Billing Report Support
You must have established your AWS account before this feature was deprecated to have access to this capability.
- Go to Account > My Billing Dashboard, then select Billing Preferences.
- Under Cost Management Preferences/Detailed Billing Reports (Legacy), check the box for Turn on the legacy detailed billing reports....
- Once you enable the legacy billing reports, make note of the bucket name.
The policy should be automatically created on that bucket, but in case you’d like to verify, we're providing a copy (below) of our policy on our billing bucket with some values changed/scrubbed.
json
1{2"Version": "2008-10-17",3"Id": "Policy1372092530063",4"Statement": [5{6"Action": [7"s3:GetBucketAcl",8"s3:GetBucketPolicy"9],10"Principal": {11"AWS": "arn:aws:iam::XXXXXXXXX616:root"12},13"Resource": "arn:aws:s3:::divvy-billing-reports",14"Effect": "Allow",15"Sid": "StmtXXXXXXXXXXXXX"16},17{18"Action": "s3:PutObject",19"Principal": {20"AWS": "arn:aws:iam::XXXXXXXXX616:root"21},22"Resource": "arn:aws:s3:::divvy-billing-reports/*",23"Effect": "Allow",24"Sid": "StmtXXXXXXXXXXXXX"25}26]27}
InsightCloudSec Configuration
- Go to Cloud > Clouds and select the AWS Cloud account from the Listing page.
- On the Settings tab for the selected cloud account, and scroll to the bottom of the page to view the Configure Billing Bucket section of the page.
- From here you can configure the Cost and Usage Report, or for legacy customers the Detailed Billing Report (Legacy).
- For the Cost and Usage Report provide:
- The name of the S3 bucket
- The report path prefix
- The region
- For the Detailed Billing Report (Legacy) provide:
- The name of the S3 bucket
- The region
- Click Submit when you have completed the bucket details based on your preferences.
Viewing cloud costs
If you are just setting up a new billing bucket, you may need to wait as long as 24 hours to see the results of collected billing info. If you have previously set up a billing bucket and have just connected it to InsightCloudSec, results should be visible in only a few minutes.
View cloud costs
- Go to Cloud > Clouds and locate the AWS cloud with a configured billing bucket that you want to view details around.
- Click on the Resources menu to the left of your selected Cloud to open a filtered Resources main page, specific to the cloud you have selected.
- Select Identity Management as the resources category.
- Select Cloud Service Cost as the resource type.
- Scrolling will display cost breakdown details for the selected cloud, including Current Month Spend, Projected Month Spend, and Previous Month Spend - each broken out by service.
The details vary slightly depending on your selected report (legacy or the new Cost & Usage Report).
Miscellaneous AWS Services Configuration
InsightCloudSec can harvest additional information about select AWS services, provided you complete some configuration.
Harvesting Cadences
Due to the global scope, count, and scale of S3 buckets, we recommend that the harvest cadence for Storage Containers be no less than 30 minutes.
Impaired Visibility
Customers using AWS will have improved visibility warnings if an S3 bucket’s properties are unable to be harvested due to an overly restrictive bucket policy.
While there are multiple policy possibilities that can prevent complete harvesting of an S3 bucket, here's an example policy that will show as impaired in InsightCloudSec:
json
1{2"Version": "2008-10-17",3"Statement": [4{5"Sid": "DenyAll",6"Effect": "Deny",7"Principal": "*",8"Action": [9"s3:GetBucketLogging",10"s3:GetBucketPolicy",11"s3:GetEncryptionConfiguration"12],13"Resource": "arn:aws:s3:::myimpairedbucket"14}15]16}
Because the bucket policy denies all principals, InsightCloudSec won't be able to harvest the bucket logging, policy, or encryption statuses.
Other Causes
In addition to the policy example above other possible causes include:
- inability to get the bucket location
- inability to get the bucket ACL
- inability to get IAM policy details
- inability to get versioning config
- inability to get static website config
- inability to get lifecycle policy config
- inability to get encryption settings
To get more information about what specific call(s) failed, you can run sudo docker-compose logs | grep "Unable to retrieve" | grep "yourbucketname"
on the instance you have running InsightCloudSec.
Update the command with your unique bucket name.
Recommend Bot Remediation
When using custom insights and bot actions on storage containers, it's recommended that the condition of Storage Container Without Impaired Visibility be applied. This prevents a bucket's policy from being overwritten when InsightCloudSec sees it as not having one.
For visibility and reporting, you can use the filter Storage Container With Impaired Visibility to alert you when there's a bucket policy in place that prevents visibility for InsightCloudSec.
Elastic Beanstalk
InsightCloudSec includes support and visibility for AWS Elastic Beanstalk that includes filter and enhanced insight into both Elastic Beanstalk Applications and Environments. To view details, go to Compute > WebAppGroup.
AWS Elastic Beanstalk can include many instances, ASGs, etc., linked to a given environment. The following resource types are supported by InsightCloudSec and can be linked to an environment:
- Instances
- Auto Scaling groups
- Launch configurations
- Load balancers
- Queues
For the newest and extensive set of AWS read permissions required, go to AWS Latest Elastic Beanstalk.
Automatic patching
InsightCloudSec includes a data point for WebApps: automatic_patching
. It is exclusive to AWS Beanstalk and tracks whether or not Managed Actions are enabled. To support Beanstalk resources we added the following filters:
- Instance Managed By Web App
- Web App With Automatic Patching Enabled
- Web App With Automatic Patching Disabled
With Beanstalk you can have multiple runtime versions so we added a new column on the resources page to display this information.
Permissions
When Beanstalk make sure that you have given InsightCloudSec the proper permissions for all the supported resources (see list below) used by your Beanstalk app/environment.
New AWS Elastic Beanstalk permissions
The following AWS permission are new:
elasticbeanstalk:DescribeApplications
elasticbeanstalk:DescribeEnvironments
elasticbeanstalk:DescribeEnvironmentResources
elasticbeanstalk:DescribePlatformVersion
Using Your Own SSL Cert with ELB
Customers interested in supplying their own certificate for ELB should refer to the following AWS documentation: