AWS CSPM Terraform Configuration

Configuration Guide

Updated May 26, 2023

Configure AWS cloud monitoring with Terraform

You can use Terraform to configure scanning of your AWS cloud environment's configuration. Cloud scans are part of your Cloud Security Posture Management (CSPM) service.

Note: This page details how to configure CSPM using a Terraform script. For instructions on how to configure it manually, see AWS Cloud Environment Scanning.

Requirements

Before you begin

Steps

  1. Configure IAM user permissions
    1. Create an IAM policy
    2. Create a new IAM user
    3. Create an access key
    4. Configure the AWS CLI
  2. Configure the CSPM Terraform script
  3. Provide credentials to Arctic Wolf

Step 1a: Create an IAM policy

Terraform needs permissions to create, update, and delete the IAM role and policy that CSPM uses. The policy below grants only those IAM actions.

  1. In the AWS IAM console, click Policies.
  2. Click Create policy.
  3. Select JSON and replace the editor contents with the following policy document:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "CustomPolicyForACGAWSTFCourse",
              "Effect": "Allow",
              "Action": [
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:TagRole",
                "iam:GetRole",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:DeleteRole",
                "iam:DeletePolicy",
                "iam:AttachRolePolicy"
              ],
              "Resource": "*"
            }
          ]
        }

     Note: With "Resource": "*", the Terraform user can create any role and attach any policy to it, which is equivalent to administrative access in the account. Treat its access key accordingly, and consider narrowing Resource to the ARNs of the role and policy that the script creates once you know their names.
  4. Click Next: Tags.
  5. (Optional) Add any tags you want associated with the policy.
  6. Click Next: Review.
  7. Click Create Policy.
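Before attaching the policy, it is worth checking it mechanically rather than by eye. The Python below is an added example, not Arctic Wolf's script or an AWS tool: it embeds the Step 1a policy, confirms that no action outside the twelve listed above has crept in, flags the combination of role-minting IAM actions with Resource "*", and emits a copy scoped to the role and policy ARNs that Terraform manages. The role name AWNCSPMTrustRole comes from Step 3; the policy name AWNCSPMPolicy and the account ID are placeholders to replace with the names your copy of the script uses.

```python
import copy
import json

# The Step 1a policy as a complete document (copied from the page above).
TERRAFORM_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CustomPolicyForACGAWSTFCourse",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicy", "iam:GetPolicyVersion", "iam:CreatePolicy",
                "iam:CreateRole", "iam:TagRole", "iam:GetRole",
                "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole", "iam:DeleteRole",
                "iam:DeletePolicy", "iam:AttachRolePolicy",
            ],
            "Resource": "*",
        }
    ],
}

# Allow-list: exactly the twelve actions Step 1a calls for. Anything else is drift.
EXPECTED_ACTIONS = frozenset({
    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:CreatePolicy", "iam:CreateRole",
    "iam:TagRole", "iam:GetRole", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfilesForRole", "iam:DeleteRole", "iam:DeletePolicy",
    "iam:AttachRolePolicy",
})

# IAM write actions that, when allowed on Resource "*", let a principal create a
# role and attach AdministratorAccess to it, i.e. escalate to account admin.
ESCALATION_ACTIONS = frozenset({
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreatePolicy",
})


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unexpected_actions(policy, allowed=EXPECTED_ACTIONS):
    """Return the set of Allow actions that are not on the allow-list."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return granted - allowed


def wildcard_escalation(policy):
    """Return (Sid, actions) for Allow statements granting escalation actions on '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        risky = sorted(ESCALATION_ACTIONS & set(_as_list(stmt.get("Action", []))))
        if risky:
            findings.append((stmt.get("Sid", ""), risky))
    return findings


def scope_policy(policy, account_id, role_name, policy_name):
    """Return a copy with Resource "*" narrowed to the role and policy ARNs Terraform manages.

    AttachRolePolicy can be tightened further with the iam:PolicyARN condition key
    if you also want to pin which policy may be attached to the role.
    """
    scoped = copy.deepcopy(policy)
    arns = [
        f"arn:aws:iam::{account_id}:role/{role_name}",
        f"arn:aws:iam::{account_id}:policy/{policy_name}",
    ]
    for stmt in scoped["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            stmt["Resource"] = arns
    return scoped


if __name__ == "__main__":
    # AWNCSPMTrustRole is the role name from Step 3; AWNCSPMPolicy and the account
    # ID are placeholders (assumptions) to replace with your own values.
    print("unexpected actions:", unexpected_actions(TERRAFORM_USER_POLICY) or "none")
    print("wildcard findings:", wildcard_escalation(TERRAFORM_USER_POLICY))
    scoped = scope_policy(TERRAFORM_USER_POLICY, "111122223333",
                          "AWNCSPMTrustRole", "AWNCSPMPolicy")
    print(json.dumps(scoped, indent=2))
```

Run it once against the policy you pasted into the console; the scoped document it prints is what you would attach instead if you decide to narrow Resource, and the escalation check is worth keeping in whatever pipeline reviews IAM policies in your account.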

Step 1b: Create a new IAM user

Note: You can use an existing IAM user and attach the policy that you created in Create an IAM policy. However, Arctic Wolf suggests creating a new IAM user so that Terraform has only the permissions needed to configure CSPM.

  1. In the AWS IAM console, click Add users to create a new IAM user.
  2. Enter a name for the IAM user.
  3. Click Next.
  4. Select Attach policies directly and choose the policy that you created in Create an IAM policy.
  5. Click Next.
  6. Click Create user.

Step 1c: Create an access key

  1. In the AWS IAM console, click Users.
  2. Click the gear icon to open the column preferences.
  3. Ensure that the Access key ID column is toggled on.
  4. Navigate back to the Users page and click the user you just created.
  5. Select Security credentials.
  6. In the Access keys section, click Create access key.
  7. Select Command Line Interface (CLI).
  8. Select I understand the above recommendation and want to proceed to create an access key.
  9. Click Next.
  10. Enter a description for the access key.
  11. Click Create access key.
  12. Copy the access key and the secret access key for later use in Configure the CSPM Terraform script.

Note: You cannot view the secret access key again once you leave this screen. Store it in a password manager or secrets store rather than in the Terraform directory, and once Step 2 completes, deactivate or delete the key if you do not plan to run the script again.

Step 1d: Configure the AWS CLI

  1. In your terminal, run:
    aws configure
  2. In the AWS Access Key ID field, enter your access key ID.
  3. In the AWS Secret Access Key field, enter your secret access key.

    Note: You do not need to fill in the Default region name or Default output format fields.

Step 2: Configure the CSPM Terraform script

Note: Repeat these steps for each AWS account that you want CSPM to scan.

  1. Navigate to the folder where you extracted the Arctic Wolf Terraform script.
  2. In a text editor, open the file terraform.tfvars.
  3. In the following line, replace the value with the ID of the AWS account that will be scanned:
     aws-account-id = "123456789012"
  4. In the following line, replace the value with the Arctic Wolf AWS account ID:
     awn-account = "123456789012"

     Tip: To find the Arctic Wolf AWS account ID that the new Identity and Access Management (IAM) role must trust, go to the Arctic Wolf Portal, and then click MyAccount > Arctic Wolf IP Addresses. The AWS account ID is listed under CSPM AWS Account ID.

  5. Open a terminal and navigate to the Terraform directory.
  6. Initialize Terraform:
     terraform init
  7. Validate the configuration and review the plan. The plan should show only the resources the script creates for CSPM (the AWNCSPMTrustRole role and the policy it attaches); if it proposes changes to anything else, stop and check your state file and variables before continuing:
     terraform validate
     terraform plan
  8. Apply the plan to create the role:
     terraform apply
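The two tfvars lines ship with the same placeholder, so the usual mistakes are leaving one unchanged, swapping the two IDs, or pasting the Arctic Wolf account into the Role ARN in Step 3. The following Python is an added pre-flight check, not part of the Arctic Wolf script; it assumes only the two variable names shown above and the role name AWNCSPMTrustRole from Step 3, and the sample file contents and account IDs in it are constructed.

```python
import re

# Constructed sample of terraform.tfvars after Step 2 (both account IDs are fictitious).
SAMPLE_TFVARS = """\
# Account that CSPM will scan
aws-account-id = "111122223333"
# Arctic Wolf CSPM account, from the Arctic Wolf Portal (MyAccount > Arctic Wolf IP Addresses)
awn-account    = "444455556666"
"""

PLACEHOLDER = "123456789012"          # value shipped in the sample tfvars lines
ROLE_NAME = "AWNCSPMTrustRole"        # role name from Step 3
REQUIRED = ("aws-account-id", "awn-account")
# Matches the simple `name = "value"` form used in this file, with an optional trailing comment.
_ASSIGN = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*(#.*)?$')


def parse_tfvars(text):
    """Parse simple `name = "value"` lines; comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def check_tfvars(values):
    """Return a list of problems; an empty list means the file is ready for terraform plan."""
    problems = []
    for key in REQUIRED:
        value = values.get(key)
        if value is None:
            problems.append(f"{key}: missing")
        elif not re.fullmatch(r"\d{12}", value):
            problems.append(f"{key}: {value!r} is not a 12-digit AWS account ID")
        elif value == PLACEHOLDER:
            problems.append(f"{key}: placeholder value left unchanged")
    scanned, arctic_wolf = values.get(REQUIRED[0]), values.get(REQUIRED[1])
    if scanned is not None and scanned == arctic_wolf:
        problems.append("aws-account-id and awn-account are the same account; "
                        "the Arctic Wolf account must differ from the scanned account")
    return problems


def role_arn_for_portal(values):
    """The Role ARN to enter in Step 3: built from the scanned account, not the Arctic Wolf one."""
    return f"arn:aws:iam::{values['aws-account-id']}:role/{ROLE_NAME}"


if __name__ == "__main__":
    # Replace SAMPLE_TFVARS with open("terraform.tfvars").read() in the Terraform directory.
    values = parse_tfvars(SAMPLE_TFVARS)
    problems = check_tfvars(values)
    for problem in problems:
        print("PROBLEM:", problem)
    if not problems:
        print("Role ARN for the Arctic Wolf Portal:", role_arn_for_portal(values))
```

Run it in the Terraform directory before terraform plan; if it reports no problems, the Role ARN it prints is the value for the Role ARN field in Step 3.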

Step 3: Provide credentials to Arctic Wolf

Note: Repeat these steps for each AWS account that you want CSPM to scan.

  1. Sign in to the Arctic Wolf Portal.

  2. In the navigation menu, click Connected Accounts to open the Connected Accounts page.

  3. Click +Add Account to open the Add Account form.

  4. Select Cloud Security Posture Management as the Account Type.

  5. Click AWS, and then fill in the form:

    • Account Name — Enter a unique name for this cloud account.
    • Account ID — Enter your AWS account ID.
    • Role ARN — Enter the following, where <aws_account> is your AWS account ID:
      arn:aws:iam::<aws_account>:role/AWNCSPMTrustRole
  6. Click Submit to CST.

  7. When prompted with the confirmation message, review your submission, and then click Done.

    You are returned to the Connected Accounts page.

  8. Verify that the newly-submitted credential entry appears in the cloud services list with the status Connection Pending.

After your Concierge Security® Team adds this account to your scan configuration, the status of your credentials changes to Connected.

Manage your Terraform CSPM configuration

You can perform the following tasks to manage and alter your Terraform CSPM configuration after it has been set up:

Enable Terraform debugging

To troubleshoot issues with the Terraform configuration, enable debug logging before you run Terraform again.

  1. If TF_LOG is not already set in your shell, set the log level:
    export TF_LOG="DEBUG"
  2. Verify the log level:
    echo $TF_LOG
  3. Set the log path. TF_LOG_PATH names a file, not a directory:
    export TF_LOG_PATH="./terraform-debug.log"
  4. Run Terraform again so that it writes the logs:
    terraform apply
  5. Verify that the debug logs are available at the path that you set earlier.

Note: Debug logs include provider API requests and responses and can contain sensitive data such as account and resource details. Review them before sharing, and unset TF_LOG and TF_LOG_PATH when you are done.

Remove your Terraform configuration

Note: Removing the configuration destroys every resource tracked in this configuration's Terraform state, so if other resources share that state, they are removed as well. Review the plan before confirming.

See also