AWS LPA Setup
Prior to getting started with the Principal Activity capability, users will be required to complete configuration to enable the system to properly import and display the associated data.
These settings are displayed as LPA Configuration within InsightCloudSec as the Principal Activity capability is the first component of our future LPA feature.
These requirements consist of the following:
- Creating/Validating the appropriate IAM Roles and Permissions
- Creating CloudTrails (this step is optional if you have an existing CloudTrail you plan to use with Principal Activity/LPA)
- Updating Data Settings & Configuration within InsightCloudSec
If you have any questions or issues with Principal Activity reach out through any of the options outlined on the Getting Support page.
IAM Roles and Permissions
Permissions
Principal Activity (LPA) requires multiple services and different roles to work correctly. The permissions from the following AWS services are required:
- Athena: Main Query Executor
- Glue: Used for retrieving the schema information
- S3: CloudTrail source inputs, and Working bucket outputs
Policy
New Onboarding
As of InsightCloudSec v. 23.4.11, the new onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles. This means it is easiest to perform LPA configuration while onboarding an account/organization. Review AWS Cloud - Onboarding for more information.
The Egress LPA Auto Provisioning Policy grants the Rapid7 IAM Role permission to access CloudTrail, to create the necessary AWS Glue tables, and to create/execute Athena queries with a S3 bucket for results.
This links to a generic policy and there are fields you will need to update to reflect your specific environment.
Creating a CloudTrail
Before getting started with Principal Activity you will need to have CloudTrail configured to enable Principal Activity (LPA). Most users typically have a CloudTrail configured; in this instance, skip to the setup within InsightCloudSec and use your existing CloudTrail setup information.
New CloudTrail
If you do not already have a CloudTrail configured or would rather create a new, separate CloudTrail, refer to the AWS documentation on how to create a new CloudTrail and note the following recommendations:
- Create a new S3 bucket to go with the CloudTrail
- Enable log file SSE-KMS encryption (with a new KMS key)
- Choose to log Management events (both Read and Write)
- Choose to log Data events and Insights events, but note that this will incur additional CloudTrail costs
Attaching Policy to CloudTrail Bucket
If possible, you should grant bucket access to the harvesting IAM Role within the same AWS Account as the CloudTrail bucket. This way you only need to grant permissions in one place and any security checks about cross account bucket won’t be raised. To add a policy to the new CloudTrail bucket:
- Navigate to the the S3 service in the AWS Console for the same account you created the CloudTrail.
- Find the new CloudTrail bucket you just created in the previous section and click its name to open it.
- Click the Permissions tab.
- In the Bucket policy section, click Edit.
- Append the following statement to the bucket policy, ensuring you replace the placeholder values:
json
1{2"Sid": "AllowS3ObjectAccessToRapid7EgressRole",3"Effect": "Allow",4"Action": ["s3:GetObject", "s3:ListBucket"],5"Principal": {"AWS": "arn:{partition}:iam::{account_id}:role{role_name}"},6"Resource": ["arn:{partition}:s3:::{target_bucket}", "arn:aws:s3:::{target_bucket}/*"]7}
- Click Save Changes.
Troubleshooting
Scenario: What if the S3 bucket is encrypted with a KMS key?
If the S3 objects are being encrypted with a custom KMS key, then the KMS resource policy must grant kms:Decrypt
permissions to the IAM Role. Append the following policy statement (ensuring you replace the placeholder values) to the KMS policy to explicitly grant access to use this KMS key for only the CloudTrail bucket:
json
1{2"Sid": "AllowS3ObjectAccessToRapid7EgressRole",3"Effect": "Allow",4"Action": ["kms:Decrypt"],5"Principal": {"AWS": "arn:{partition}:iam::{account_id}:role{role_name}"},6"Resource": ["arn:{partition}:s3:::{target_bucket}", "arn:aws:s3:::{target_bucket}/*"]7}
Scenario: What if Cross Account access is required?
Some strategies for AWS Organization setup require access to CloudTrail logs to come from another Account. In this scenario, you must grant bucket access permissions to the IAM Role using a custom IAM Managed Policy in addition to the S3 bucket policy (ensuring you replace the placeholder values). Likewise, if the bucket is encrypted, the kms:Decrypt
permission needs to be included as well.
json
1{2"Version": "2012-10-17",3"Statement": [4{5"Sid": "AllowS3ObjectAccess",6"Effect": "Allow",7"Action": ["s3:GetObject", "s3:ListBucket"],8"Resource": ["arn:{partition}:s3:::{target_bucket}", "arn:aws:s3:::{target_bucket}/*"]9},10{11"Sid": "AllowKMSDecryptAccess",12"Effect": "Allow",13"Action": "kms:Decrypt",14"Resource": "arn:{partition}:kms:{region_name}:{account_id}:key/{key_id}"15}16]17}
Scenario: What if my InsightCloudSec harvesting role denies the "s3:GetObject\*" permission (e.g., you're using the AWS Managed Read Only Supplemental Role?)
What if my InsightCloudSec harvesting role denies the "s3:GetObject\*"
permission (e.g., you're using the AWS Managed Read Only Supplemental Role)
You can still maintain the deny permission but you'll need to provide explicit access to the CloudTrail buckets by using NotResource
, which has the effect of denying s3:GetObject*
for all buckets except the ones you specify. See the example below:
json
1{2"Version": "2012-10-17",3"Statement": [4{5"Sid": "AwsReadOnlyMissingPermissions",6"Action": [7"airflow:GetEnvironment",8"aoss:BatchGetCollection",9"aoss:GetSecurityPolicy",10"aoss:ListCollections",11"aoss:ListSecurityPolicies",12"apprunner:DescribeService",13"apprunner:ListServices",14"backup-gateway:GetGateway",15"docdb-elastic:GetCluster",16"docdb-elastic:ListClusters",17"eks:AccessKubernetesApi",18"lookoutequipment:DescribeDataset",19"lookoutequipment:ListDatasets",20"memorydb:DescribeClusters",21"memorydb:DescribeSubnetGroups",22"memorydb:ListTags",23"oam:GetSinkPolicy",24"oam:ListLinks",25"oam:ListSinks",26"pricing:GetProducts",27"quicksight:DescribeAccountSettings",28"quicksight:DescribeAccountSubscription",29"quicksight:DescribeIpRestriction",30"quicksight:ListUsers",31"redshift-serverless:ListNamespaces",32"redshift-serverless:ListWorkgroups",33"support:*"34],35"Effect": "Allow",36"Resource": "*"37},38{39"Sid": "AwsReadOnlyDenyPermissions",40"Action": [41"dynamodb:BatchGetItem",42"dynamodb:GetItem",43"dynamodb:Scan",44"dynamodb:Query"45],46"Effect": "Deny",47"Resource": "*"48},49{50"Sid": "FixLPAAwsReadOnlyDenyPermissions",51"Action": [52"s3:GetObject*"53],54"Effect": "Deny",55"NotResource": [56"arn:aws:s3:::insightcloudseclpa",57"arn:aws:s3:::insightcloudseclpa/*"58]59}60]61}
Settings & Configuration
These steps assume you have all of the appropriate configuration details on hand to complete the Principal Activity (LPA) configuration within InsightCloudSec.
Notes on LPA CloudTrail Sources
InsightCloudSec supports multiple sources of CloudTrail data, if desired. Before you add a source, ensure you have:
- A unique name for identification purposes
- An S3 URI that points at the CloudTrail source. Note: This directory MUST POINT TO A DIRECTORY OF ACCOUNT IDS. Thus, the prefix specified, when viewed in the S3 management console, must show a list of directories representing account IDs.
- Credentials with
s3:GetObject
ands3:ListBucket
access to the CloudTrail S3 URI, write access to the LPA S3 working bucket, and Athena query read/execute permissions.
Our LPA system does not filter CloudTrail events, so please configure the CloudTrail source appropriately to log all of the events (read and/or write) that you want to see inside of the InsightCloudSec. We recommend that both read and write management events be enabled for the CloudTrail source; otherwise, the full list of used permissions will not be displayed in the LPA analysis.
Authentication Role
If Authentication Type Assume role is selected, a trust needs to be allowed for the harvest role you created, not the InsightCloudSec install role.
- Select the gear icon at the top right of InsightCloudSec (next to your profile), then navigate to IAM Settings > AWS LPA Working Directory.
- Complete the form/fields as follows:
Working Directory Location
- S3 URI: Update with the S3 bucket details associated with the bucket where your LPA (Principal Activity) will be stored. We recommend that:
- You create an S3 bucket that is dedicated to storage of the LPA (Principal Activity) data
- This dedicated bucket resides in the same location as your InsightCloudSec installation
Working Directory Authentication
- Authentication Type: Select the credentials associated with the bucket you have configured to store LPA (Principal Activity) data
- The fields will vary based on the credential type (e.g., Use Cloud Credentials, Assume Role, or STS Role). The selected credentials must have read/write access to the specified S3 bucket URI.
Test Settings
This button allows you to confirm that you have supplied a valid configuration. If you receive an error the issues may be the result of an incorrect S3 URI, misconfigured policies, or invalid IAM credentials.
Deleting Settings
Once settings have been tested and validated, you can delete them at any point to prevent unwanted LPA costs. Just return to this page and click Delete Settings.
LPA CloudTrail Sources
- From the IAM Settings page, click AWS LPA CloudTrail Sources under the LPA Configuration options.
- Click Create Configuration.
- Update with the S3 bucket details associated with the CloudTrail you want to use and click OK.