AWS CSPM Terraform Configuration
Configure AWS cloud monitoring with Terraform
You can configure scanning for your AWS cloud environment configurations using Terraform. Cloud scans are part of your Cloud Security Posture Management (CSPM) service.
Note: This page details how to configure CSPM using a Terraform script. For instructions on how to configure it manually, see AWS Cloud Environment Scanning.
Requirements
- A valid Arctic Wolf® Managed Risk license
- The following tools, which are automatically configured during installation:
  - Terraform binary version 1.3.7 or newer
    Tip: Run terraform version to verify your existing Terraform version.
  - AWS CLI
  - CSPM AWS Terraform script
Before you begin
- Obtain the Arctic Wolf AWS Account ID. To view this value, go to the Arctic Wolf Portal, and then click My Account > Arctic Wolf IP Addresses. The AWS account ID is listed under CSPM AWS Account ID.
Steps
- Configure IAM user permissions
- Configure the CSPM Terraform script
- Provide credentials to Arctic Wolf
Step 1a: Create an IAM policy
Terraform needs permissions to create, update, and delete various AWS resources.
- In the AWS IAM console, click Policies.
- Click Create policy.
- Select JSON and add the following values to the Statement array:
  "Statement": [
    {
      "Sid": "CustomPolicyForACGAWSTFCourse",
      "Action": [
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:TagRole",
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:DeleteRole",
        "iam:DeletePolicy",
        "iam:AttachRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
- Click Next: Tags.
- (Optional) Add any tags you want associated with the policy.
- Click Next: Review.
- Click Create Policy.
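Before pasting the policy above, it is worth confirming it really is scoped to the single service and the handful of IAM calls Terraform needs. The following Python check is an added example, not part of the Arctic Wolf script or this page: it embeds the Statement array from Step 1a as constructed input (the Version field, which the console adds for you, is assumed), flags any wildcard actions, and separates read-only from state-changing actions so you can review the latter deliberately.

```python
import re

# Constructed input: the Statement array from Step 1a, wrapped in the policy
# document the IAM console builds around it (the Version field is assumed).
DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CustomPolicyForACGAWSTFCourse",
            "Action": [
                "iam:GetPolicy", "iam:GetPolicyVersion", "iam:CreatePolicy",
                "iam:CreateRole", "iam:TagRole", "iam:GetRole",
                "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole", "iam:DeleteRole",
                "iam:DeletePolicy", "iam:AttachRolePolicy",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

# A fully spelled-out action is "<service>:<ApiName>" with no '*' or '?'.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9]+$")
READ_ONLY_PREFIXES = ("Get", "List", "Describe")

def allowed_actions(policy):
    """Every action granted by an Allow statement, as a flat list."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions

def wildcard_actions(policy):
    """Actions that are patterns (e.g. 'iam:*' or 'iam:Get*') rather than single API calls."""
    return [a for a in allowed_actions(policy) if not ACTION_RE.match(a)]

def mutating_actions(policy):
    """Actions that change state; these deserve the closest review on a deployer user."""
    return sorted(a for a in allowed_actions(policy)
                  if not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES))

def services(policy):
    """Service prefixes the policy touches; the CSPM deployer should only need 'iam'."""
    return sorted({a.split(":", 1)[0] for a in allowed_actions(policy)})
```

Run the same three functions against any edited version of the policy before you click Create Policy; an entry in wildcard_actions or a second service in services is a sign the deployer user has grown beyond what Step 1b intends.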
Step 1b: Create a new IAM user
Note: You can use an existing IAM user and attach the policy that you created in Create an IAM policy. However, Arctic Wolf suggests creating a new IAM user to ensure that Terraform has only the permissions needed to configure CSPM.
- In the AWS IAM console, click Add users to create a new IAM user.
- Enter a name for the IAM user.
- Click Next.
- Select Attach policies directly and choose the policy that you created in Create an IAM policy.
- Click Next.
- Click Create user.
Step 1c: Create an access key
- In the AWS IAM console, click Users.
- Click the gear icon.
- Ensure that Access ID is toggled on.
- Navigate back to the Users page and click the user you just created.
- Select Security credentials.
- In the Access keys section, click Create access key.
- Select Command Line Interface (CLI).
- Select I understand the above recommendation and want to proceed to create an access key.
- Click Next.
- Enter a description for the access key.
- Click Create access key.
- Copy the access key and the secret access key for later use in Configure the CSPM Terraform script.
Note: You cannot view the access keys again once you leave this screen.
Step 1d: Configure the AWS CLI
- In your terminal, run:
  aws configure
- In the AWS Access Key ID field, enter your access key ID.
- In the AWS Secret Access Key field, enter your secret access key.
Note: You do not need to fill in the Default region name or Default output format fields.
Step 2: Configure the CSPM Terraform script
Note: Repeat these steps for each AWS account that you want CSPM to scan.
- Navigate to the folder where you extracted the Arctic Wolf Terraform script.
- In a text editor, open the file terraform.tfvars.
- In the following line, replace the value with the AWS account ID that will be scanned:
  aws-account-id = "123456789012"
- In the following line, replace the value with the Arctic Wolf account ID:
  awn-account = "123456789012"
  Tip: To determine the correct Arctic Wolf AWS account ID needed to create a new Identity and Access Management (IAM) role, go to the Arctic Wolf Portal, and then click My Account > Arctic Wolf IP Addresses. The AWS account ID is listed under CSPM AWS Account ID.
- Open a terminal and navigate to the Terraform directory.
- Initialize Terraform:
  terraform init
- Run the following commands to confirm that the module has been properly implemented:
  terraform validate
  terraform plan
  terraform apply
Step 3: Provide credentials to Arctic Wolf
Note: Repeat these steps for each AWS account that you want CSPM to scan.
- Sign in to the Arctic Wolf Portal.
- In the navigation menu, click Connected Accounts to open the Connected Accounts page.
- Click +Add Account to open the Add Account form.
- Select Cloud Security Posture Management as the Account Type.
- Click AWS, and then fill in the form:
  - Account Name — Enter a unique name for this cloud account.
  - Account ID — Enter your AWS account ID.
  - Role ARN — Enter the following, where <aws_account> is your AWS account ID:
    arn:aws:iam::<aws_account>:role/AWNCSPMTrustRole
- Click Submit to CST.
- When prompted with the confirmation message, review your submission, and then click Done.
  You are returned to the Connected Accounts page.
- Verify that the newly submitted credential entry appears in the cloud services list with the status Connection Pending.
After your Concierge Security® Team adds this account to your scan configuration, the status of your credentials changes to Connected.
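The two values edited in Step 2 and the Role ARN entered in Step 3 are easy to mistype, and a wrong account ID only shows up later as a credential stuck in Connection Pending. The following Python helper is an added example, not part of the Arctic Wolf script or this page: it parses the two assignments from a terraform.tfvars file (a constructed sample is embedded, with the awn-account value invented for illustration), checks that both are 12-digit AWS account IDs that are not both still the placeholder, and builds the Role ARN in the form Step 3 expects.

```python
import re

# Constructed terraform.tfvars content with the two lines Step 2 asks you to edit.
SAMPLE_TFVARS = '''
# AWS account that CSPM will scan
aws-account-id = "123456789012"
# Arctic Wolf CSPM AWS account ID, copied from the Portal (invented value)
awn-account    = "210987654321"
'''

TRUST_ROLE_NAME = "AWNCSPMTrustRole"  # role name from Step 3 of this page
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ASSIGN_RE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*$')

def parse_tfvars(text):
    """Parse simple key = "value" lines; comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line.split("#", 1)[0])
        if m:
            values[m.group(1)] = m.group(2)
    return values

def validate_account_ids(values):
    """Return a list of problems; an empty list means both IDs look usable."""
    problems = []
    for key in ("aws-account-id", "awn-account"):
        v = values.get(key)
        if v is None:
            problems.append(f"{key} is missing")
        elif not ACCOUNT_ID_RE.match(v):
            problems.append(f"{key} must be exactly 12 digits, got {v!r}")
    if not problems and values["aws-account-id"] == values["awn-account"]:
        problems.append("aws-account-id and awn-account are identical; "
                        "at least one is probably still the placeholder")
    return problems

def trust_role_arn(values):
    """Role ARN to enter in the Portal (Step 3), built from the scanned account ID."""
    problems = validate_account_ids(values)
    if problems:
        raise ValueError("; ".join(problems))
    return f"arn:aws:iam::{values['aws-account-id']}:role/{TRUST_ROLE_NAME}"
```

Point parse_tfvars at the real file contents (for example, open("terraform.tfvars").read()) and paste the returned ARN into the Role ARN field; repeat per account when you re-run Step 2 for additional AWS accounts.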
Manage your Terraform CSPM configuration
These are different tasks you can perform to manage and alter your Terraform CSPM configuration after it has been set up:
Enable Terraform debugging
To troubleshoot potential issues with the Terraform configuration, debug logging must be configured and enabled.
- If no log configuration is already present, set the log level:
  export TF_LOG="DEBUG"
- Verify the log level:
  echo $TF_LOG
- Set the log path (TF_LOG_PATH must name a file, not a directory):
  export TF_LOG_PATH="./example/terraform.log"
- Run Terraform to generate logs:
  terraform apply
- Verify that the debug logs are available at the path that you set earlier.
Remove your Terraform configuration
Note: This may remove other Terraform configurations in your environment as well.
- If you need to remove your Terraform configuration, run the following in the CLI:
  terraform destroy