AWS Account Credentials
Updated Sep 27, 2023AWS account credentials
Arctic Wolf® uses your Amazon Web Services® (AWS) credentials to monitor your AWS accounts for suspicious or malicious activity. See AWS Permissions Granted to Arctic Wolf for more information on what Arctic Wolf monitors in your AWS account.
An AWS account number is a 12-digit ID that provides unique identification to an AWS account. To monitor your accounts, you must provide your AWS account numbers to your Concierge Security® Team (CST).
To implement monitoring of your AWS accounts, you must have access to these portals:
- AWS Management Console
- Arctic Wolf Portal
Note: This is a required AWS configuration for Arctic Wolf to monitor AWS accounts. See Configure AWS Account Monitoring for all configuration steps.
Once you provide your account numbers to your CST on the Arctic Wolf Portal, they will confirm that your AWS accounts are authorized to send data. After confirmation, you can configure your AWS accounts to send CloudTrail events to the Arctic Wolf infrastructure. Arctic Wolf monitors these CloudTrail events to detect and respond to threats.
Multiple AWS accounts
If you have multiple AWS accounts that you want Arctic Wolf to monitor:
-
Arctic Wolf recommends using AWS Organizations or AWS Control Tower to aggregate all logs to a single logging account. You can then provide this logging account number as part of Obtain the AWS account number.
Tip: If you already configured monitoring for separate AWS accounts, and then recently moved your accounts to a single logging account, you must update your stacks and delete Arctic Wolf stacks from any accounts that are part of the new logging account. See Update AWS CloudFormation Stacks for more information.
-
If you do not use AWS Organizations or AWS Control Tower, you must provide the account number for each AWS account that you want Arctic Wolf to monitor. Arctic Wolf recommends providing all AWS account numbers to ensure that your CST has the best possible coverage of your AWS infrastructure.
Provide AWS account credentials to Arctic Wolf
Repeat these procedures for each AWS account that you want Arctic Wolf to monitor. For more information on monitoring multiple accounts, see Multiple AWS accounts.
Step 1: Obtain your AWS account number
-
Sign in to the AWS Management console.
-
In the menu bar, click Support > Support Center.
-
Locate your Account Number.
-
Copy the Account Number value, and then paste it in a temporary text file.
Step 2: Provide credentials to Arctic Wolf
Repeat these steps for each AWS account that you must configure:
-
Sign in to the Arctic Wolf Unified Portal.
-
In the menu bar, click Telemetry Management > Connected Accounts.
-
Click Add Account +.
-
On the Add Account page, from the Account Type list, select Cloud Detection and Response.
-
From the list of cloud services, select AWS.
-
On the Add Account page, complete these steps:
- Account Name — Enter a unique and descriptive name for the account.
- In the Account ID field, enter the AWS account number.
- Credential Expiry — (Optional) Enter the expiration date if the credentials have an expiry date.
-
Click Test and Submit Credentials.
After your Concierge Security® Team (CST) enables security monitoring for this account, the connected account status changes to Healthy.
After you register each AWS account ID, you can begin configuring your AWS accounts to send security-related information to Arctic Wolf.
Next steps
Proceed to Configure AWS CloudTrail Event Monitoring to configure your AWS account and send CloudTrail events to Arctic Wolf.
Tip: See Configure AWS Account Monitoring for required and optional AWS configurations.