Configure AWS for Arctic Wolf CSPM using a Terraform script

You can configure Amazon Web Services (AWS)® for Arctic Wolf® Cloud Security Posture Management (CSPM) using a Terraform® script.

Note: Follow these steps only if you are an existing Terraform user. If your organization does not use Terraform or if you have not completed basic Terraform configuration, complete the AWS configuration manually. For more information, see Configure AWS for Arctic Wolf CSPM manually.

These resources are required:

  • A valid Arctic Wolf® Managed Risk license
  • These tools, installed and configured before you begin:
    • The latest version of the Terraform binary
      Tip: Run this command to verify your existing Terraform version: terraform version
    • AWS CLI

These actions are required:

Enable Security Token Service

Arctic Wolf scans each account by assuming the CSPM role with temporary credentials issued by AWS Security Token Service (STS). If the STS endpoint for the region that the scanner uses is deactivated in an account, the AssumeRole call fails, so enable STS for that region in each AWS account that you want to monitor.

For each AWS account that you want to monitor, do these steps:
  1. Sign in to the AWS IAM console.
  2. In the navigation menu, click Account settings.
  3. In the Security Token Service (STS) section, under Endpoints, find your AWS region and select Active.
    Note: You can find your AWS region in the Provider Region field on the Arctic Wolf Unified Portal allowlist page.
  4. Click Activate.
    Tip: After you have completed Configure the AWS CLI, you can confirm that the endpoint is active by running: aws sts get-caller-identity --region <region>. If the endpoint is inactive, the call fails with an error stating that STS is not activated in this region.

Determine the Arctic Wolf AWS account ID

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Allowlist Requirements.
  3. In the Cloud Infrastructure Scans section, in the AWS row, copy the Account ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

Create an IAM policy

Note:

Arctic Wolf suggests creating a new IAM policy to make sure that Terraform has only the permissions needed to configure CSPM. However, if you have an existing IAM policy that allows the actions specified in this procedure, you can proceed to Create an IAM user using your existing policy.

Even limited to these actions, the combination of iam:CreateRole and iam:AttachRolePolicy on "Resource": "*" lets the holder create a role with any trust policy and attach any managed policy to it, which is effectively administrator access. Treat the access keys of the IAM user that carries this policy as highly privileged, use them only for the Terraform run, and delete the user and policy afterwards as described in Delete IAM policies and users. If you know the ARNs of the role and policies that the script creates or attaches, you can narrow Resource to those ARNs instead of *.

  1. Sign in to the AWS IAM console.
  2. In the Access Management section, click Policies.
  3. Click Create policy.
  4. Select JSON, and then add this statement to the Statement array, so that the policy document reads:
    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CustomPolicyForACGAWSTFCourse",
          "Effect": "Allow",
          "Action": [
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:CreatePolicy",
            "iam:CreateRole",
            "iam:TagRole",
            "iam:GetRole",
            "iam:ListRolePolicies",
            "iam:ListAttachedRolePolicies",
            "iam:ListInstanceProfilesForRole",
            "iam:AttachRolePolicy"
          ],
          "Resource": "*"
        }
      ]
    }
  5. Click Next.
  6. Enter a name for the policy and, optionally, a description and tags.
  7. Click Create Policy.

Create an IAM user

Note:

Arctic Wolf recommends creating a new IAM user to make sure that Terraform has only the permissions needed to configure CSPM. However, you can use an existing IAM user and attach the new IAM policy you created in Create an IAM policy or use an existing IAM policy that allows the required actions.

  1. Sign in to the AWS IAM console.
  2. In the Access Management section, click Users.
  3. Click Add users.
  4. Enter a name for the IAM user.
  5. Click Next.
  6. Select Attach policies directly, and then select the policy that you created in Create an IAM policy.
  7. Click Next.
  8. Click Create user.

Create an access key

Note: If you use an existing IAM user whose access keys are already configured in your AWS CLI, skip this section and Configure the AWS CLI, and proceed to Configure the CSPM Terraform script.
  1. In the AWS IAM console, click Users.
  2. Click Preferences.
  3. Click the Access key ID toggle to the on position.
  4. Click Confirm.
  5. On the Users page, select the user that you created in Create an IAM user.
  6. Click Security credentials.
  7. In the Access keys section, click Create access key.
  8. Click Command Line Interface (CLI).
  9. Select the I understand the above recommendation and want to proceed to create an access key checkbox.
  10. Click Next.
  11. Enter a description for the access key.
  12. Click Create access key.
  13. Copy the Access key and Secret access key, and then save them in a safe, encrypted location. You use them only in Configure the AWS CLI; do not send them to Arctic Wolf. Arctic Wolf scans with the cross-account role that the Terraform script creates, never with these keys, and you delete the user and its keys in Delete IAM policies and users after the script has run.
    Note: You cannot view the secret access key again after you close this screen.

Configure the AWS CLI

Note: If your AWS CLI is already configured with the access keys of the IAM user that carries the policy, proceed to Configure the CSPM Terraform script.
  1. In a terminal, run this command to configure the settings that the AWS CLI uses to interact with AWS:
    BASH
    aws configure
  2. Configure these settings:
    • AWS Access Key ID — Enter your access key ID from Create an access key.
    • AWS Secret Access Key — Enter your secret access key from Create an access key.
    • Default region name — Keep this field empty.
    • Default output format — Keep this field empty.

Configure the CSPM Terraform script

For each AWS account that you want CSPM to scan, complete these steps:

  1. Find the folder where you extracted the Terraform script.
  2. In a text editor, open the terraform.tfvars file.
  3. In the aws-account-id field, replace 123456789012 with the 12-digit ID of the AWS account that you want to scan. You can find the ID in the IAM console, or run aws sts get-caller-identity after Configure the AWS CLI; the Account value it returns must be the account that you want to scan:
    HCL
    aws-account-id = "123456789012"
  4. In the awn-account field, replace 123456789012 with the Arctic Wolf account ID found in Determine the Arctic Wolf AWS account ID. This ID goes into the trust policy of the role that the script creates, so make sure that it is the Arctic Wolf ID from the Unified Portal and not your own account ID:
    HCL
    awn-account = "123456789012"
  5. Open a terminal and navigate to the Terraform directory.
  6. Run this command to initialize Terraform:
    BASH
    terraform init
  7. Run these commands. terraform validate checks the configuration syntax, terraform plan shows the IAM resources (the role and the policy attached to it) that the script will create without changing anything, and terraform apply creates them after you review the plan and answer yes at the prompt:
    BASH
    terraform validate
    terraform plan
    terraform apply
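The following script is an added example for checking the result of the steps above; it is not part of the Arctic Wolf Terraform script or its documentation. Before apply it validates the two IDs in terraform.tfvars and confirms that the AWS CLI credentials belong to the account you intend to scan. After apply it reads the created role with aws iam get-role, verifies that the role lives in the scanned account and that its trust policy allows sts:AssumeRole only from the Arctic Wolf account ID you entered in awn-account, and prints the Role ARN you will enter in the Unified Portal. It assumes the tfvars keys shown above, a role name of cspm-role (taken from the Role ARN example on this page; change ROLE_NAME if your script names the role differently), an AWS CLI on PATH, and constructed sample data for the offline checks.

```python
"""Check the CSPM cross-account role after terraform apply (added example, not Arctic Wolf code)."""
import json
import re
import subprocess
import sys

ROLE_NAME = "cspm-role"  # assumed from the Role ARN example on the page; use your script's name
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def parse_tfvars(text):
    """Return {key: value} for the simple `key = "value"` lines in terraform.tfvars."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r'^([\w-]+)\s*=\s*"([^"]*)"$', line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_tfvars(values):
    """Return a list of problems with the two account IDs; an empty list means OK."""
    problems = []
    for key in ("aws-account-id", "awn-account"):
        value = values.get(key)
        if value is None:
            problems.append(f"{key} is missing")
        elif not ACCOUNT_ID_RE.match(value):
            problems.append(f"{key} must be a 12-digit account ID, got {value!r}")
        elif value == "123456789012":
            problems.append(f"{key} still holds the placeholder value")
    if not problems and values["aws-account-id"] == values["awn-account"]:
        problems.append("aws-account-id and awn-account are the same account; awn-account "
                        "must be the Arctic Wolf account ID from the Unified Portal")
    return problems


def trusted_accounts(trust_policy):
    """Return the set of AWS account IDs allowed to call sts:AssumeRole on the role.

    Principals given as a bare account ID or an arn:aws:iam::<account>:... ARN are
    reduced to the account ID; anything else (for example "*") is kept verbatim.
    """
    accounts = set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for statement in statements:
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if statement.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = statement.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            m = re.match(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$", p)
            accounts.add(m.group(1) if m else p)
    return accounts


def check_role(role, scanned_account, arctic_wolf_account):
    """Return problems with the Role object from `aws iam get-role`; empty list means OK."""
    problems = []
    arn = role.get("Arn", "")
    if not arn.startswith(f"arn:aws:iam::{scanned_account}:role/"):
        problems.append(f"role ARN {arn} is not in the scanned account {scanned_account}")
    accounts = trusted_accounts(role.get("AssumeRolePolicyDocument", {}))
    if accounts != {arctic_wolf_account}:
        problems.append(f"role trusts {sorted(accounts)}; expected only {arctic_wolf_account}")
    return problems


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (the CLI decodes policy documents)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample data, used only to exercise the checks offline.
SAMPLE_TFVARS = 'aws-account-id = "111122223333"\nawn-account = "444455556666"\n'
SAMPLE_ROLE = {
    "Arn": "arn:aws:iam::111122223333:role/cspm-role",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}],
    },
}

if __name__ == "__main__":
    with open("terraform.tfvars") as f:
        values = parse_tfvars(f.read())
    problems = check_tfvars(values)
    if not problems:
        caller = aws_json("sts", "get-caller-identity")["Account"]
        if caller != values["aws-account-id"]:
            problems.append(f"AWS CLI credentials belong to account {caller}, not {values['aws-account-id']}")
        else:
            role = aws_json("iam", "get-role", "--role-name", ROLE_NAME)["Role"]
            problems += check_role(role, values["aws-account-id"], values["awn-account"])
            if not problems:
                print("Role ARN to enter in the Unified Portal:", role["Arn"])
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run it from the Terraform directory with the bootstrap user's credentials configured; iam:GetRole is in the bootstrap policy, and sts:GetCallerIdentity needs no IAM permission. A trust policy that names additional principals, or a wildcard, is reported as a problem because the role should be assumable only from the Arctic Wolf account. If your script also adds an sts:ExternalId condition, this check does not inspect it.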

Provide credentials to Arctic Wolf

For each AWS account that you want CSPM to scan, complete these steps:

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Scanners.
  3. Click + Add Account.
  4. Click AWS.
  5. Click Next: Add Account Information.
  6. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Account ID — Enter the 12-digit AWS account number. For example, 123456789012.
    • Role ARN — Enter the ARN of the role that the Terraform script created. You can copy it from the role's summary page in the IAM console. The account ID in the ARN must match the Account ID above. For example, arn:aws:iam::123456789012:role/cspm-role.
  7. Click Submit.
    A ticket is created so that your Concierge Security® Team (CST) can finalize the configuration of the account. At any time, you can click Tickets & Alerts to view the status of your ticket in the Unified Portal.

Delete IAM policies and users

After you provide the AWS account details to Arctic Wolf for CSPM scanning, it is best practice to delete the IAM user, its access keys, and the IAM policy that Terraform used to create the resources. Delete only these bootstrap resources: the role and policy that the Terraform script created are what Arctic Wolf uses to scan the account, so leave them in place and do not run terraform destroy. Deleting the user also deletes its access keys, so remove those keys from your local AWS CLI configuration (the files that aws configure wrote) as well.

  1. Sign in to the AWS IAM console.
  2. If you created a new IAM user to configure Terraform, delete the IAM user. Delete the user before the policy, because a managed policy cannot be deleted while it is still attached to a user:
    1. In the Access Management section, click Users.
    2. Search for the user that you created in Create an IAM user, and select it.
    3. Click Delete.
    4. To confirm deletion, enter the user name and click Delete user.
  3. If you created a new IAM policy to configure Terraform, delete the IAM policy:
    1. In the Access Management section, click Policies.
    2. Search for the policy that you created in Create an IAM policy, and select it.
    3. Click Delete.
    4. To confirm deletion, enter the policy name and click Delete.
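The following script is an added example for finishing the cleanup above; it is not part of the Arctic Wolf documentation or script. It confirms that the deleted user's keys no longer authenticate (STS rejects them with InvalidClientTokenId once the user is gone) and only then removes them from the local AWS CLI credentials file. It assumes that aws configure stored the keys under the default profile in ~/.aws/credentials; the credentials file contents used in the offline check are constructed sample data with AWS's documented example key values.

```python
"""Revoke-and-forget the bootstrap keys after the IAM user is deleted (added example, not Arctic Wolf code)."""
import os
import re
import subprocess

CREDENTIALS_FILE = os.path.expanduser("~/.aws/credentials")
PROFILE = "default"  # assumed: aws configure writes here unless --profile was given


def remove_profile(text, profile):
    """Return the INI text with the [profile] section (its header and keys) removed."""
    kept, skipping = [], False
    for line in text.splitlines(keepends=True):
        header = re.match(r"^\s*\[([^\]]+)\]\s*$", line)
        if header:
            skipping = header.group(1).strip() == profile
        if not skipping:
            kept.append(line)
    return "".join(kept)


def keys_revoked(profile):
    """True if STS rejects the keys stored in `profile` with InvalidClientTokenId.

    Deleting the IAM user deletes its access keys, so the stored keys must now fail.
    A successful call means the wrong user was deleted or the profile holds other keys.
    """
    result = subprocess.run(["aws", "sts", "get-caller-identity", "--profile", profile],
                            capture_output=True, text=True)
    return result.returncode != 0 and "InvalidClientTokenId" in result.stderr


# Constructed sample credentials file (AWS documentation example keys) for the offline check.
SAMPLE_CREDENTIALS = (
    "[default]\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "\n"
    "[other]\n"
    "aws_access_key_id = AKIAI44QH8DHBEXAMPLE\n"
    "aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY\n"
)

if __name__ == "__main__":
    if not keys_revoked(PROFILE):
        raise SystemExit(f"profile {PROFILE} still authenticates; the bootstrap user is not deleted")
    with open(CREDENTIALS_FILE) as f:
        cleaned = remove_profile(f.read(), PROFILE)
    with open(CREDENTIALS_FILE, "w") as f:
        f.write(cleaned)
    print(f"removed profile {PROFILE} from {CREDENTIALS_FILE}")
```

The script refuses to touch the file while the keys still work, so that a profile pointing at a different, still-valid user is not silently removed. Because the deleted user's keys can no longer call IAM, confirming that the CSPM role itself survived requires other credentials, for example a separate administrator profile and aws iam get-role --role-name <role> --profile <admin-profile>.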