Access AWS Resources with EC2 IAM Roles

You can use an Amazon Elastic Compute Cloud (EC2) instance within your AWS environment to securely create connections between your InsightIDR Collector and your AWS services without relying on IAM Keys or IAM Users. This process involves installing the InsightIDR Collector on an AWS EC2 instance and designating a role for that server instead of relying on IAM Keys.

When you use InsightIDR to add AWS event sources, the Collector can use its role permissions rather than the IAM Key to create a secure connection.

To utilize this secure communication method for your InsightIDR Collector:

  1. Configure an IAM Policy for AWS-related event sources
  2. Configure an IAM Role for AWS-related event sources
  3. Create an EC2 Instance configured for the same roles
  4. Install your InsightIDR Collector on the EC2 instance
  5. Manage AWS Related Event Sources

Configure IAM Policy

To configure the IAM policy:

  1. Log in to your AWS Console.
  2. From the “Services” tab, select IAM.
  3. From the left menu, select the Policies page.
  4. Click the Create Policy button at the top of the page.
  1. Select the JSON tab.
  2. Copy and paste the Policy IAM from the "Event Source" help page.
  3. Enter the relevant information for your organization and AWS account.
  4. Click the Review Policy button.
  5. In the “Name” field, enter a name for your IAM policy.
  6. Click the Create Policy button.
  7. On the “Policy” page, click the Refresh icon at the top right of the page.

Create the IAM Role

To create the IAM role:

  1. From the left menu, select the Roles page.
  2. Click the Create Role button.
  3. In the “Select type of trusted entity” section, select the AWS Service option.
  4. In the “Choose the service that will use this role” section, select the EC2 option.
  5. Click the Next: Permissions button.
  6. In the search bar, enter the name of the policy you created in previous steps, and click the checkbox to the right of the policy.
  7. Click the Next: Tags button.
  8. Click the Next: Review button.
  9. In the “Name” field, enter a name for your IAM Role.
  10. Click the Create Role button.
  11. On the “Roles” page, click the Refresh icon at the top right of the page.

Read more about IAM roles here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Create an EC2 Instance

To create an EC2 Instance:

  1. In your AWS Console, select the Services tab at the top left of the page.
  2. Select the EC2 page under the “Compute” section.
  3. Click the Launch Instance button.
  1. On the “Choose an AMI” page, find the OS of the Collector you want to install the EC2 instance on and click the Select button.
  2. Click the Next: Configure Instance Details button.
  3. In the “IAM Role” section, find and select the IAM Role you previously configured.
  4. Click the Review and Launch button.
  5. On the “Instance” page, you will see the details of the EC2 instance you just created. Copy the “IPv4 Public IP” address.

Install the Collector on the EC2 Instance

To install the Collector on your EC2 instance:

  1. Open the command prompt and SSH into your newly created EC2 instance using the copied IP address.
  2. Download the Collector installer file onto your machine and then copy the installer from the download location onto your EC2 instance with the scp command.
  3. Use the following commands to install the Collector on your EC2 instance, changing to match your OS and the AMI package OS type:
1
chmod +x InsightSetup-Linux64.sh
2
sudo ./InsightSetup-Linux64.sh
  1. Follow the text prompts of the Installer.

For more information about this process, read the AWS EC2 documentation here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

Manage AWS Event Sources

After you install the Collector onto your EC2 instance, any of your AWS-related event sources running on this Collector can use the permissions of the IAM Role.

To make these changes:

Update the IAM Role Permissions

  1. In your AWS Console, select Roles from the left navigation menu.
  2. Find the IAM Role that you created using the search bar.
  3. Click the arrow icon to expand the various options, and select the Edit Policy button.
  4. Select the JSON tab.
  5. Add in the new JSON block as a new JSON statement and add in the appropriate information.
  6. Click the Review Policy button.

You can configure the following AWS related event sources:

Then, complete the following to add an event source:

  1. From your InsightIDR dashboard, select Data Collection on the left hand menu
  2. At the top right of the page, select the dropdown that says "Setup Event Source" and then choose Add Event Source
  3. Select the appropriate icon for the AWS event source.
    • AWS CloudTrail is a Cloud Service
    • AWS GuardDuty is a Third Party Alert
    • AWS SQS is a Custom Log collection method
  4. Select the Collector you configured that is hosted in the EC2 instance.
  5. Select the AWS event source. It is optional to name this event source.
  6. If applicable, choose to send unfiltered logs.
  7. Under “AWS Authentication,” select the EC2 Instance Profile Credential option.
  8. Configure the remaining steps of the AWS event source.
  9. Click the Save button.

If you have an existing AWS event source that is currently using an IAM Key, you can switch the event source to use the IAM Role instead.

To update any previously configured AWS event source:

  1. Stop the event source in InsightIDR. Go to Data Collection > Event Sources and find your event source. Click the Stop Running button.
  1. Create the Collector using the IAM Roles on an EC2 instance using the steps from earlier sections.
  2. Create a new event source on the new Collector with the same name. This allows the new event source to write new logs to the same log set, instead of creating a new log set in Log Search.
  3. Configure the new AWS event source with these changes:
    • Choose the Collector installed on the EC2 instance. If you select this option without setting up an EC2 instance, you will see the following error message on your Collector: “can’t retrieve credential from the EC2 service.”
    • Under “AWS Authentication,”select the EC2 Instance Credentials option.
  4. Update the rest of the event source settings with information from the original event source.
  5. Confirm that the new event source successfully writes new logs and runs without error.
  6. Delete the old event source from InsightIDR. This will not remove the historical logs from InsightIDR log search.