AWS Cloud Environment Scanning

Configuration Guide

Updated Jan 31, 2023

AWS cloud environment scanning

If you are an Arctic Wolf® Managed Risk customer (with or without Managed Detection and Response), you can configure scanning of your Amazon Web Services (AWS) cloud environment configuration to improve your Cloud Security Posture Management (CSPM).

Configure AWS cloud monitoring

  1. Determine the Arctic Wolf AWS account ID
  2. Create a new IAM role
  3. Create a policy
  4. Add IAM identity permissions
  5. Provide credentials to Arctic Wolf

Step 1: Determine the Arctic Wolf AWS account ID

To determine the correct Arctic Wolf AWS account ID needed to create a new Identity and Access Management (IAM) role:

  1. Open this link to the Arctic Wolf Portal.
  2. Make note of the AWS Account ID value.

Step 2: Create a new IAM role

  1. Open the AWS IAM console.

  2. Select Roles.

  3. Select Create role to create a new IAM role.

  4. Select Another AWS account.

  5. In the Account ID field, paste the Arctic Wolf AWS Account ID from Determine the Arctic Wolf AWS account ID.

  6. Select Require external ID.

  7. In the External ID text box, enter your own 12-digit AWS account ID. Arctic Wolf supplies this value when it assumes the role, and the role cannot be assumed without it.

    Note: Do not select Require MFA.

  8. Click Next: Permissions.

  9. Select the AWS managed policy SecurityAudit.

    This policy grants the read-only privileges needed to audit the security configuration of the account; it does not allow changes.

  10. For the Role name, enter AWNSecurityAuditRole, and enter a description for the role if desired.

    Tip: This is the default role name value that Arctic Wolf looks for.

  11. Click Create role.

  12. Click Roles > AWNSecurityAuditRole.

  13. Make note of the provided Role ARN for use in Provide credentials to Arctic Wolf.

Step 3: Create a policy

  1. Open the AWS IAM console.

  2. Click Roles > AWNSecurityAuditRole to open the role that you just created.

  3. Click Add permissions > Create inline policy.

  4. In the new window, select Choose a Service.

  5. Type SES in the search bar.

  6. Select SES from the search results.

  7. In the Actions section, enter DescribeActiveReceiptRuleSet in the Specify the actions allowed in SES search bar.

  8. Select the DescribeActiveReceiptRuleSet checkbox from the search results.

    Tip: Depending on your environment settings, you can search for and select other actions, as desired.

  9. Select Next: Tags > Next: Review.

  10. Enter a name for your policy, and optionally enter a description.

  11. Review the change summary and, if you are satisfied, select Create Policy.

Step 4: Add IAM identity permissions

  1. Open the AWS IAM console.
  2. Click Roles > AWNSecurityAuditRole to modify the role that you created.
  3. Below the Summary section, select Attach Policies.
  4. Under Attach Permissions, select the policy that you created in Create a policy.
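The same role, trust relationship and inline policy as JSON, plus a check you can run against the trust policy that `aws iam get-role` returns, to confirm the role is assumable only by the Arctic Wolf account with your external ID and has no MFA condition. This is an added example, not Arctic Wolf's or AWS's code; the account IDs are constructed placeholders, and the inline policy name AWNSesReadOnly is an assumption because the guide leaves that name to you.

```python
"""Steps 2-4 as policy documents, with an audit of the resulting trust policy.

Added example, not Arctic Wolf's or AWS's code. Account IDs are placeholders
constructed for this example; the inline policy name AWNSesReadOnly is an
assumption (the guide lets you choose the name).
"""
import json

ARCTIC_WOLF_ACCOUNT_ID = "111111111111"  # placeholder: use the ID shown in the Arctic Wolf Portal
CUSTOMER_ACCOUNT_ID = "222222222222"     # placeholder: your own 12-digit account ID (the External ID)
ROLE_NAME = "AWNSecurityAuditRole"       # default role name Arctic Wolf looks for
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def trust_policy(partner_account_id, external_id):
    """Console choices "Another AWS account" + "Require external ID" as JSON:
    only the partner account may assume the role, and only when it supplies
    the external ID (the confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def ses_inline_policy():
    """Step 3: the one extra read-only SES action not covered by SecurityAudit."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ses:DescribeActiveReceiptRuleSet"],
            "Resource": "*",
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(doc, partner_account_id, external_id):
    """Check a role's AssumeRolePolicyDocument (as returned by
    `aws iam get-role`) against what the procedure requires. Returns a list
    of findings; an empty list means the trust is scoped correctly."""
    findings = []
    allowed = {partner_account_id, f"arn:aws:iam::{partner_account_id}:root"}
    saw_assume = False
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not (ASSUME_ACTIONS & set(_as_list(stmt.get("Action")))):
            continue
        saw_assume = True
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if not principals:
            findings.append(f"statement {i}: no AWS account principal (service or federated trust)")
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
            elif p not in allowed:
                findings.append(f"statement {i}: unexpected principal {p}")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext != external_id:
            findings.append(f"statement {i}: external ID {ext!r} does not match")
        if str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            findings.append(f"statement {i}: Require MFA is set, which a cross-account scanner cannot satisfy")
    if not saw_assume:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings


def cli_commands(role_name=ROLE_NAME, policy_name="AWNSesReadOnly"):
    """AWS CLI equivalents of Steps 2-4, assuming trust.json and ses.json
    hold the two documents above (written by the __main__ block)."""
    return [
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document file://trust.json",
        f"aws iam attach-role-policy --role-name {role_name} --policy-arn {SECURITY_AUDIT_POLICY_ARN}",
        f"aws iam put-role-policy --role-name {role_name} --policy-name {policy_name} --policy-document file://ses.json",
        f"aws iam get-role --role-name {role_name} --query Role.Arn --output text",
    ]


if __name__ == "__main__":
    with open("trust.json", "w") as f:
        json.dump(trust_policy(ARCTIC_WOLF_ACCOUNT_ID, CUSTOMER_ACCOUNT_ID), f, indent=2)
    with open("ses.json", "w") as f:
        json.dump(ses_inline_policy(), f, indent=2)
    print("\n".join(cli_commands()))
    print(audit_trust_policy(trust_policy(ARCTIC_WOLF_ACCOUNT_ID, CUSTOMER_ACCOUNT_ID),
                             ARCTIC_WOLF_ACCOUNT_ID, CUSTOMER_ACCOUNT_ID))
```

Run the script once to write the two JSON files and print the CLI equivalents; after the role exists, pass the `AssumeRolePolicyDocument` from `aws iam get-role --role-name AWNSecurityAuditRole` to `audit_trust_policy` and expect an empty list. Anything it reports (a wildcard principal, a missing or mismatched external ID, an MFA condition) means the console steps were not followed exactly and the Arctic Wolf scanner will either fail to assume the role or the role will be assumable more broadly than intended.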

Step 5: Provide credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Portal.

  2. Select Connected Accounts in the banner menu to open the Connected Accounts page.

    Connected Accounts menu

  3. Select +Add Account to open the Add Account form.

  4. Select Cloud Security Posture Management as the Account Type.

  5. Select AWS, and then fill in the form:

    1. Account Name — Enter a unique name for this cloud account.
    2. Account ID — Enter your AWS account ID.
    3. Role ARN — Enter the Role ARN value obtained in Create a new IAM role.
  6. Select Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then select Done. You are returned to the Connected Accounts page.

  8. Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team adds this account to your scan configuration, the status of your credentials changes to Connected.
