How to Onboard AWS Account

Modified on Mon, 2 Sep at 9:47 PM

Log in to the Cloud Security portal with your credentials: https://acs-us.clouddefenseai.com/



After logging in, open "Administration" -> "Environment" -> "Add New Environment" 
(screenshot below):



Click on "AWS"

Link to an AWS account:
  • Using CloudFormation Template 


Using CloudFormation Template


Prerequisites:
  • Make sure the AWS IAM user you'll use to create the CloudFormation stack has the following managed policies attached: AmazonSNSFullAccess, AWSCloudFormationFullAccess and IAMFullAccess.


Step 1: Basic Information 


Start by giving the account a name. Any name will do; the label only helps you identify the account later. Examples of labels are: US PROD, Dev server, etc.


Step 2: Organization


Give your organization a name. An organization is where you can add multiple AWS accounts.



Step 3: Attach the required policies


This is where you need to decide on the policies. You will see 3 checkboxes there:


  1. Minimum required policy: This is the minimum (read-only) policy we need in order to evaluate your resources. We will attach the SecurityAudit and AWSSSODirectoryReadOnly managed policies to read information about your cloud users, policies, resources and their configurations, and Identity Store data. This is what powers CSPM, Compliance, CIEM, Attack-Path-Graph, and more. To check what actions CloudDefense can perform once this policy is attached, Click here

  2. Required permissions for Workload Scan: Below is the list of required actions. A custom policy containing these actions will be attached by the CloudFormation stack.

    • ec2: DetachVolume, DeleteVolume, AttachVolume, DescribeSnapshots, DescribeImages, DescribeInstances, TerminateInstances, CreateTags, CreateImage, RunInstances, DescribeInstanceStatus, DescribeInstanceAttribute, DescribeVolumes, CreateSnapshot, DeleteSnapshot, DeregisterImage, DescribeInstanceTypeOfferings, CreateSecurityGroup, DescribeSecurityGroups, DeleteSecurityGroup, AuthorizeSecurityGroupIngress

    • iam: CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, GetRole, CreateRole, AttachRolePolicy, DeleteRole, AddRoleToInstanceProfile, RemoveRoleFromInstanceProfile, DetachRolePolicy, PassRole

    • ssm: SendCommand, StartSession, CancelCommand, ListCommandInvocations, TerminateSession, GetCommandInvocation

    • rds: CreateDBInstance, DescribeDBInstances, CreateDBSnapshot, CreateDBClusterSnapshot, DeleteDBSnapshot, DeleteDBClusterSnapshot, DescribeDBSnapshots, DescribeDBClusterSnapshots, RestoreDBInstanceFromDBSnapshot, RestoreDBClusterFromSnapshot, ModifyDBInstance, ModifyDBCluster, DeleteDBInstance, DeleteDBCluster, DescribeDBClusters

    • dynamodb: ListTables, Scan, CreateBackup, DescribeBackup, RestoreTableFromBackup, DeleteTable, DeleteBackup, DescribeTable, Query, ListBackups, UpdateTable, UpdateItem, PutItem, GetItem, DeleteItem, BatchWriteItem

    • ebs: ListSnapshotBlocks, GetSnapshotBlock

  3. Required policy for Agentless Cloud Threat Detection: CloudDefense.AI uses AmazonS3ReadOnlyAccess, which lets us detect threats and anomalies in your cloud environment in near real time without installing agents. To enable this feature, check this box. To check what actions CloudDefense can perform once this policy is attached, Click here
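Before ticking the Workload Scan checkbox, a reviewer usually wants to know how much of that action list is read-only and how much can create, modify or delete resources. The script below is an added example (not CloudDefense's own code or policy): it takes the action list from this page, classifies each action by its API verb, and emits an IAM policy document with one statement per class so the blast radius is visible at a glance. The verb classification is a review heuristic, not an authoritative IAM mapping.

```python
from collections import defaultdict

# Actions copied from the "Required permissions for Workload Scan" list above
# (the ec2:DescribeImages entry, listed twice on the page, appears once here).
WORKLOAD_SCAN_ACTIONS = """
ec2:DetachVolume ec2:DeleteVolume ec2:AttachVolume ec2:DescribeSnapshots ec2:DescribeImages
ec2:DescribeInstances ec2:TerminateInstances ec2:CreateTags ec2:CreateImage ec2:RunInstances
ec2:DescribeInstanceStatus ec2:DescribeInstanceAttribute ec2:DescribeVolumes ec2:CreateSnapshot
ec2:DeleteSnapshot ec2:DeregisterImage ec2:DescribeInstanceTypeOfferings ec2:CreateSecurityGroup
ec2:DescribeSecurityGroups ec2:DeleteSecurityGroup ec2:AuthorizeSecurityGroupIngress
iam:CreateInstanceProfile iam:DeleteInstanceProfile iam:GetInstanceProfile iam:GetRole
iam:CreateRole iam:AttachRolePolicy iam:DeleteRole iam:AddRoleToInstanceProfile
iam:RemoveRoleFromInstanceProfile iam:DetachRolePolicy iam:PassRole
ssm:SendCommand ssm:StartSession ssm:CancelCommand ssm:ListCommandInvocations
ssm:TerminateSession ssm:GetCommandInvocation
rds:CreateDBInstance rds:DescribeDBInstances rds:CreateDBSnapshot rds:CreateDBClusterSnapshot
rds:DeleteDBSnapshot rds:DeleteDBClusterSnapshot rds:DescribeDBSnapshots
rds:DescribeDBClusterSnapshots rds:RestoreDBInstanceFromDBSnapshot
rds:RestoreDBClusterFromSnapshot rds:ModifyDBInstance rds:ModifyDBCluster
rds:DeleteDBInstance rds:DeleteDBCluster rds:DescribeDBClusters
dynamodb:ListTables dynamodb:Scan dynamodb:CreateBackup dynamodb:DescribeBackup
dynamodb:RestoreTableFromBackup dynamodb:DeleteTable dynamodb:DeleteBackup dynamodb:DescribeTable
dynamodb:Query dynamodb:ListBackups dynamodb:UpdateTable dynamodb:UpdateItem dynamodb:PutItem
dynamodb:GetItem dynamodb:DeleteItem dynamodb:BatchWriteItem
ebs:ListSnapshotBlocks ebs:GetSnapshotBlock
""".split()

# Verb heuristic for review only (e.g. ssm:TerminateSession merely ends a session).
READ_VERBS = ("Describe", "Get", "List", "Scan", "Query")
DESTRUCTIVE_VERBS = ("Delete", "Terminate", "Deregister")


def classify(action):
    """Return 'read', 'destructive' or 'write' based on the API verb."""
    verb = action.split(":", 1)[1]
    if verb.startswith(READ_VERBS):
        return "read"
    return "destructive" if verb.startswith(DESTRUCTIVE_VERBS) else "write"


def build_policy(actions=WORKLOAD_SCAN_ACTIONS):
    """One Allow statement per class so reviewers see the blast radius at a glance."""
    groups = defaultdict(set)
    for action in actions:
        groups[classify(action)].add(action)
    statements = [{"Sid": "WorkloadScan" + cls.capitalize(), "Effect": "Allow",
                   "Action": sorted(groups[cls]), "Resource": "*"}
                  for cls in ("read", "write", "destructive") if groups[cls]]
    return {"Version": "2012-10-17", "Statement": statements}
```

The `Resource: "*"` scope mirrors what a broad custom policy grants; the grouped output is meant for comparison against the stack's generated policy, not as a replacement for it.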



Step 4: Choose regions


We will only scan the regions that you choose here. You can choose any specific region or all regions. This selection can be changed later.



Step 5: Final Step


Review the details of the generated CloudFormation template by clicking the hyperlink on this page.

Click the "Create Cloud Formation Template" button.



On the AWS screen, follow the steps to finish creating the CloudFormation stack:


  • Tick the checkbox "I acknowledge that AWS CloudFormation might create IAM resources with custom names." (Refer to the image below)

  • Click the Create Stack button. (Refer to the image below)




AWS Resource Creation while onboarding


As part of the onboarding process with CloudDefense.AI, the following AWS resources will be created in your AWS account to enable real-time monitoring and integration with CloudDefense.AI:

Resources to Be Created:


  1. S3 Log Bucket:

    • An S3 bucket will be created to store all CloudTrail logs. This bucket will serve as the centralized storage location for all AWS account activity and management events.

  2. Log Bucket Policy:

    • A policy will be attached to the S3 log bucket, defining the access permissions needed for CloudTrail, Lambda, and other resources to read or write logs.

  3. CloudTrail:

    • CloudTrail will be configured to capture all management events across your AWS account. These logs will be delivered to the S3 log bucket, allowing us to track and monitor all actions taken by AWS services.

  4. Lambda Function:

    • A Lambda function will be created to process log files stored in the S3 log bucket. This function will be responsible for reading and sending logs to CloudDefense.AI for further analysis.

  5. Lambda Execution Role:

    • An IAM role will be created and assigned to the Lambda function to grant the necessary permissions for log file access and execution.

  6. Role to Invoke Scheduler:

    • A separate IAM role will be created to allow the scheduler to invoke the Lambda function.

  7. Scheduler:

    • A scheduler (such as an AWS EventBridge rule or CloudWatch Event) will be set up to periodically trigger the Lambda function. This will ensure timely processing and transmission of log data.

  8. Permissions to Invoke Lambda:

    • Additional permissions will be configured to allow the scheduler to invoke the Lambda function and to enable the Lambda function to access the S3 log bucket.

  9. EventBridge IAM Role:

    • This IAM role will be created to enable communication between your AWS environment and CloudDefense.AI. The role will notify CloudDefense.AI when all the necessary resources are successfully created in your AWS environment. This ensures that the onboarding process is complete and that the monitoring setup is ready to function.

  10. CloudDefense IAM Role:

    • A dedicated IAM role will be created to allow CloudDefense.AI to retrieve metadata from your cloud services. This role is essential for continuous monitoring and allows CloudDefense.AI to gather the necessary details about your cloud resources (such as EC2 instances, S3 buckets, RDS instances, etc.) to provide comprehensive security insights and recommendations.


Workflow Overview:

  • CloudTrail: Captures all management events within your AWS account and delivers them to the S3 log bucket.

  • Scheduler: Periodically invokes the Lambda function to process the logs.

  • Lambda Function: Reads the log files from the S3 log bucket and sends them to CloudDefense.AI using GCP Pub/Sub, which is set up on our side to receive the data.

  • IAM Roles and Permissions: Ensure that the Lambda function has the required permissions to read from the log bucket and that the scheduler has the correct permissions to invoke the Lambda function.
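The Lambda step in the workflow above reads CloudTrail log objects from the S3 log bucket and forwards the events. The following is an added example, not CloudDefense's Lambda: it shows the shape of a CloudTrail log file as delivered to S3 (gzip-compressed JSON with a `Records` array), normalizes each record into the fields a detection pipeline cares about, and forwards them through an injected `send` callable while counting failures. The sample records, account id and IP addresses are constructed for the example.

```python
import gzip
import json

# Constructed sample of one CloudTrail log file as delivered to the S3 log
# bucket: gzip-compressed JSON with a top-level "Records" array.
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-09-02T21:47:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"}},
    {"eventTime": "2024-09-02T21:48:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.11", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ExampleRole/session"}},
    {"eventTime": "2024-09-02T21:49:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"}},
]}).encode())


def parse_cloudtrail_object(body):
    """Decompress one log object and normalize each record for forwarding."""
    events = []
    for rec in json.loads(gzip.decompress(body))["Records"]:
        ident = rec.get("userIdentity", {})
        name = rec["eventName"]
        events.append({
            "time": rec["eventTime"],
            "service": rec["eventSource"].split(".", 1)[0],
            "action": name,
            "principal": ident.get("arn") or ident.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            # CloudTrail sets readOnly on newer records; fall back to the verb.
            "read_only": rec.get("readOnly", name.startswith(("Describe", "Get", "List"))),
            "error": rec.get("errorCode"),  # denied calls are worth alerting on
        })
    return events


def forward_object(body, send):
    """Run the Lambda step for one object: parse it, then hand every event to
    send(event). Returns (sent, failed) so the caller can retry or alert."""
    sent = failed = 0
    for event in parse_cloudtrail_object(body):
        try:
            send(event)
            sent += 1
        except Exception:  # keep forwarding the rest of the batch
            failed += 1
    return sent, failed
```

In a real deployment `send` would be the Pub/Sub publish call; here any callable works, which keeps the parsing and error accounting testable offline.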
