AWS Integration FAQ
    • 19 Sep 2024
    • 5 Minutes to read
    • PDF

    AWS Integration FAQ

    • PDF

    Article summary


    FAQ

    Why does Red Canary need access for each action permission in our CloudFormation and Terraform templates?

    The permissions are what we need from GuardDuty’s perspective for discovery inside your environment. NONE of these permissions edit, add, or delete your resources in any way. Below is a list of permissions we need for licensure.

    The permissions below are all used for License calculation purposes:

    Service

    Permission

    Justification

    DynamoDB

    dynamodb:ListGlobalTables

    Allows Red Canary to List DynamoDB Tables for Licensure Purposes

    dynamodb:ListTables

    Allows Red Canary to List DynamoDB Tables for Licensure Purposes

    EC2

    ec2:DescribeInstances

    Allows Red Canary to List EC2 Instances for Licensure Purposes

    ec2:DescribeVolumes

    Allows Red Canary to List EC2 Volumes for Licensure Purposes

    ECR (Elastic Container Registry)

    ecr-public:DescribeImages

    Allows Red Canary to List Container Images for Licensure Purposes

    ecr-public:DescribeRepositories    

    Allows Red Canary to List Container Images for Licensure Purposes

    ecr:DescribeRepositories

    Allows Red Canary to List Container Images for Licensure Purposes

    ecr:ListImages

    Allows Red Canary to List Container Images for Licensure Purposes

    ECS (Elastic Container Service)

    ecs:DescribeServices

    Allows Red Canary to List Container Services for Licensure Purposes

    ecs:DescribeTaskDefinition

    Allows Red Canary to List Container Services for Licensure Purposes

    ecs:ListClusters

    Allows Red Canary to List Container Clusters for Licensure Purposes

    ecs:ListServices

    Allows Red Canary to List Container Services for Licensure Purposes

    EKS (Elastic Kubernetes Service)

    eks:ListClusters  

    Allows Red Canary to List EKS Clusters for Licensure Purposes

    Elastic File System (EFS)

    elasticfilesystem:DescribeFileSystems  

    Allows Red Canary to List Elastic File Systems for Licensure Purposes

    Lambda  

    lambda:ListFunctions  

    Allows Red Canary to List Lambda Functions for Licensure Purposes

    RDS (Relational Database Service)

    rds:DescribeDBInstances

    Allows Red Canary to List RDS Instances for Licensure Purposes

    S3

    s3:GetBucketLocation

    Allows Red Canary to List S3 Buckets for Licensure Purposes

    s3:ListAllMyBuckets

    Allows Red Canary to List S3 Buckets for Licensure Purposes

    s3:ListBucket

    Allows Red Canary to List S3 Buckets for Licensure Purposes

    The permissions below are needed for the Cloudtrail integration:

    Service

    Permission

    Justification

    S3

    ListBucket

    Allows Red Canary to look at Cloudtrail information stored in S3

    GetObject

    Allows Red Canary to fetch Cloudtrail Log Files

    GetObjectAttributes

    Allows Red Canary to look at extended attributes of the Log Files to enable processing

    GetObjectVersion

    Allows Red Canary to look at the versions of the Log Files to enable processing

    SNS

    Subscribe

    Allows Red Canary to subscribe an SQS Queue so that when files are added to the Cloudtrail S3 bucket, we are notified and can download that new information

    KMS

    Decrypt

    Allows Red Canary to decrypt Cloudtrail logs from S3 (if you use KMS)

    DescribeKey

    Allows Red Canary access to the Key for decrypting logs from S3

    We also ask for the following roles for the Red Canary Partner Access Role:

    Role

    Description

    AmazonGuardDutyReadOnlyAccess

    Allows Red Canary to Poll GuardDuty Findings for ingestion and investigation

    AWSOrganizationsReadOnlyAccess

    Allows Red Canary to read information about your AWS Organization to help enumerate accounts

    Do I need to have GuardDuty enabled?

    Important Cost Information

    Before enabling GuardDuty, it’s essential to understand that it is a paid service that monitors for malicious activity and unauthorized behavior to protect your AWS resources. The service charges are based on the volume of AWS data it analyzes, such as logs and events. Ensure you review the pricing details on the GuardDuty page to understand the cost implications and budget accordingly before activation.

    Red Canary strongly recommends turning on AWS GuardDuty. GuardDuty is a powerful ally that bolsters your security posture. It helps correlate and enrich the telemetry data we’re already analyzing with CloudTrail. By enabling GuardDuty, you're not just collecting data but empowering our systems to deliver deeper insights and more comprehensive security analysis.

    GuardDuty and CloudTrail create a dynamic duo for Red Canary, enhancing our ability to detect and respond to potential threats more swiftly and effectively.

    Finally, GuardDuty acts as an extra layer of intelligence, providing context to the footage by correlating different data points and highlighting activities that require closer inspection. Red Canary will be able to review what has been recorded while also understanding the bigger picture and respond more effectively to security incidents.

    Is the 'rc-partner-access-control' role required for the CloudTrail integration, and what is its purpose?

    The 'rc-partner-access-control' role is not required for the CloudTrail integration, but it is critical to scan the environment to obtain resource counts for the license usage page.

    Does the 'rc-partner-access-control' role need to be deployed to all AWS accounts, and how should it be configured in the system?

    Yes. You must deploy the 'rc-partner-access-control' role to all AWS accounts for full coverage. This action enables Red Canary to fetch GuardDuty alerts from each account. This role is deployed to all accounts you want Red Canary to monitor. We suggest using CloudFormation to automate this deployment. Enter any IAM role ARN from one of the accounts in the configuration box. However, the account number may vary, and the role name remains consistent across all AWS accounts in your organization.

    Can I use my current setup that stores GuardDuty logs in an S3 bucket for the GuardDuty integration?

    Red Canary’s integration does not support fetching GuardDuty alerts from S3 buckets. We use polling via Security Token Service (STS), assuming the API role from the account was deployed using a CloudFormation StackSet or Terraform template. This method necessitates deploying the role in each account, as we use the same pattern to access accounts for Resource Scanning and GuardDuty.

    If I already have access control lists (ACL) enabled, what must I do and how?

    You’ll need to access the ACL and turn off everything other than the Bucket Owner Checks. Otherwise the following error may be thrown when turning off the bucket ownership:

    As demonstrated in the image below, this is what the ACL should look like before we go back to Object Ownership and try to disable the object ACL:

    What are some common issues with the AWS Cloudformation stack set and deploying the CloudFormation template?

    By default, the management account will not have the stack set applied. For more information, see Working with AWS CloudFormation StackSets.

    Note: The rc-partner-access-role won’t appear on this account. However, you can force it by including the account name during the stack set account creation, which shows up only if you select the self-service permissions.

    Instead of creating individual Amazon GuardDuty integrations, can I make a unified AWS CloudTrail and GuardDuty integration?

    Yes! You can integrate AWS CloudTrail and GuardDuty at the same time. If you previously integrated Guard Duty with Red Canary, you can decommission this and use the new unified integration.


    Was this article helpful?