Migrate Legacy Amazon Web Service (AWS) Integrations
    • 26 Jun 2025

    In Q2 2025, Red Canary introduced an improved version of the AWS integration that features GuardDuty findings ingestion via an S3 bucket, better control for including and excluding AWS accounts, and a new autodetect feature to speed up onboarding.

    If you’re using the earlier legacy integration, we recommend that you upgrade to the latest version by following these instructions.

    Important

    If your existing AWS integration includes GuardDuty, you’ll need to set up GuardDuty to export its findings to an S3 bucket before you run the migration. Alternatively, you can skip over the GuardDuty part of the migration and add it later once you’ve configured the S3 export.

    1 Red Canary | Start the Migration

    1. From your Red Canary homepage, go to the Integrations page then click on the name of the integration you want to migrate.

    2. Click the Upgrade Integration button.

    3. Follow the steps in the Integrate Amazon Web Services (AWS) with Red Canary guide to configure the new integration.

      Note

      The migration process will use your existing configuration to automatically choose the scope of the integration and pre-fill the necessary ARN values in the CloudTrail section. You just need to provide ARN values in the GuardDuty section and provision the IAM role. You can use the Autodetect feature to help populate the GuardDuty ARNs if necessary.

    After you complete and save the configuration, it’ll take approximately 20 minutes for Red Canary to fully migrate and provision the integration.

    2 AWS | Remove the Legacy Integration AWS Policies

    The legacy AWS integration required you to create resource policies for your CloudTrail S3 bucket, SNS topic, and KMS key. Once the new integration has fully provisioned, these policies are no longer needed and you can safely remove them.

    S3 Policy

    1. In the AWS Console, navigate to the Amazon S3 > Buckets page.

    2. Open the S3 bucket you’re using for CloudTrail logs and go to the Permissions tab.

    3. In the Bucket policy panel, click Edit.

    4. Locate the RCPartnerAccessControl statement with the following pattern and delete it.

      {
        "Sid": "RCPartnerAccessControl",
        "Principal": {
          "AWS": "arn:aws:iam::186109445163:role/rc-partner-access-control"
        },
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket",
          "s3:GetObject",
          "s3:GetObjectAttributes",
          "s3:GetObjectVersion"
        ],
        "Resource": [
          "arn:aws:s3:::example-cloudtrail-logs-123456",
          "arn:aws:s3:::example-cloudtrail-logs-123456/*"
        ]
      }

    5. Click Save changes.

    SNS Topic Policy

    1. In the AWS Console, navigate to the Amazon SNS > Topics page.

    2. Open the topic you’re using for CloudTrail log event notifications and click Edit.

    3. In the Access policy panel, locate the RCPartnerAccessControl statement with the following pattern and delete it.

      {
        "Sid": "RCPartnerAccessControl",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::186109445163:root"
        },
        "Action": "SNS:Subscribe",
        "Resource": "arn:aws:sns:us-east-2:123456789012:example-sns-topic-name"
      }

    4. Click Save changes.

    KMS Key Policy

    1. In the AWS Console, navigate to the Key Management Service (KMS) > Customer managed keys page.

    2. Open the key you’re using for the CloudTrail S3 bucket and click Edit on the Key Policy tab.

    3. Locate the RCPartnerAccessControl statement with the following pattern and delete it.

      {
        "Sid": "RCPartnerAccessControl",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::186109445163:role/rc-partner-access-control"
        },
        "Action": [
          "kms:Decrypt",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      }

    4. Click Save changes.
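    The three clean-up steps above (S3 bucket policy, SNS topic policy, KMS key policy) all amount to the same edit: drop the statement that grants the legacy Red Canary principal access and keep everything else. The following script is an added example, not Red Canary tooling, that performs that edit on a policy document and reports what it removed. It matches on the RCPartnerAccessControl Sid and, because an administrator may have renamed the Sid, also on the two legacy principal ARNs printed on this page; it deliberately does not touch "*" principals or any statement for another account. The sample bucket and topic policies are constructed for illustration, and the CloudTrail and SNS default statements in them are assumed shapes, not copied from any real account. Statements are left untouched if the Statement element is a single object rather than a list, and the function refuses to produce an empty policy, since an empty Statement array is invalid and the correct action then is to delete the resource policy rather than rewrite it.

```python
import json
from typing import Any, Dict, List, Tuple

# Legacy identifiers exactly as documented in the migration guide above.
LEGACY_SID = "RCPartnerAccessControl"
LEGACY_PRINCIPALS = {
    "arn:aws:iam::186109445163:role/rc-partner-access-control",
    "arn:aws:iam::186109445163:root",
}


def _as_list(value: Any) -> List[Any]:
    """The policy grammar allows a single value wherever a list is accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement: Dict[str, Any]) -> List[str]:
    """Collect the AWS principal identifiers of a statement in any shape the grammar allows."""
    principal = statement.get("Principal")
    if isinstance(principal, str):      # bare "*" (anonymous)
        return [principal]
    if isinstance(principal, dict):     # {"AWS": "arn:..."} or {"AWS": ["arn:...", ...]}
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []                           # identity policies carry no Principal


def is_legacy_statement(statement: Dict[str, Any]) -> bool:
    """True if the statement carries the documented Sid or names one of the legacy principals."""
    if statement.get("Sid") == LEGACY_SID:
        return True
    return any(p in LEGACY_PRINCIPALS for p in _aws_principals(statement))


def strip_legacy_statements(policy: Dict[str, Any]) -> Tuple[Dict[str, Any], List[Dict[str, Any]]]:
    """Return (cleaned copy of policy, list of removed statements); the input is not modified.

    Raises ValueError when every statement is a legacy grant: an empty Statement
    array is not a valid policy, so the resource policy should be deleted instead.
    """
    statements = _as_list(policy.get("Statement"))
    removed = [s for s in statements if is_legacy_statement(s)]
    kept = [s for s in statements if not is_legacy_statement(s)]
    if removed and not kept:
        raise ValueError("only legacy statements present; delete the policy instead of rewriting it")
    cleaned = dict(policy)
    cleaned["Statement"] = kept
    return cleaned, removed


def clean_policy_json(policy_json: str) -> str:
    """JSON-in, JSON-out wrapper so the result can be written to a file for the AWS CLI."""
    cleaned, _ = strip_legacy_statements(json.loads(policy_json))
    return json.dumps(cleaned, indent=2)


# Constructed sample: a CloudTrail bucket policy that still carries the legacy grant.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailWrite",  # assumed CloudTrail delivery statement, kept
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-cloudtrail-logs-123456/AWSLogs/123456789012/*",
        },
        {
            "Sid": "RCPartnerAccessControl",
            "Principal": {"AWS": "arn:aws:iam::186109445163:role/rc-partner-access-control"},
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectAttributes", "s3:GetObjectVersion"],
            "Resource": ["arn:aws:s3:::example-cloudtrail-logs-123456",
                         "arn:aws:s3:::example-cloudtrail-logs-123456/*"],
        },
    ],
}

# Constructed sample: an SNS topic policy whose legacy Sid was renamed, but the principal gives it away.
SAMPLE_TOPIC_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "__default_statement_ID",  # assumed owner-only default statement, kept
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["SNS:Publish", "SNS:Subscribe"],
            "Resource": "arn:aws:sns:us-east-2:123456789012:example-sns-topic-name",
            "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}},
        },
        {
            "Sid": "RenamedByAdmin",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::186109445163:root"]},
            "Action": "SNS:Subscribe",
            "Resource": "arn:aws:sns:us-east-2:123456789012:example-sns-topic-name",
        },
    ],
}

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():          # policy JSON piped in from the AWS CLI
        sys.stdout.write(clean_policy_json(sys.stdin.read()))
    else:                               # no input: demonstrate on the constructed samples
        for name, policy in (("bucket", SAMPLE_BUCKET_POLICY), ("topic", SAMPLE_TOPIC_POLICY)):
            cleaned, removed = strip_legacy_statements(policy)
            print(f"{name}: removed {[s['Sid'] for s in removed]}, "
                  f"kept {[s['Sid'] for s in cleaned['Statement']]}")
```

    To use it against a live resource, pipe the current document in and write the result to a file, for example `aws s3api get-bucket-policy --bucket <bucket> --query Policy --output text | python3 strip_legacy.py > policy.json`, then review the diff before applying it with `aws s3api put-bucket-policy --policy file://policy.json`; the SNS equivalent is `get-topic-attributes` followed by `set-topic-attributes --attribute-name Policy`, and the KMS equivalent is `get-key-policy --policy-name default` followed by `put-key-policy`. Running it over every CloudTrail bucket, topic and key in an account is also a quick way to confirm, after the migration, that no grant to the legacy account remains.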

    3 AWS | Remove the Legacy Red Canary IAM Role

    The legacy IAM access role you created for Red Canary in AWS is no longer needed and you can remove it once the migration is complete.

    1. In the AWS Console, navigate to the Identity and Access Management (IAM) > Roles page.

    2. Find the rc-partner-access-control role and delete it.

      Note

      The role may have a different name if you chose to override the suggested default.

      If you propagated the role across accounts with CloudFormation or Terraform, you can remove it everywhere at once by deleting the CloudFormation stack or destroying the Terraform-managed resources, as appropriate.

      Warning

      Be careful not to delete the new IAM role created during the migration process (redcanary-partner-access).

