Configure AWS for Arctic Wolf CSPM manually

You can manually configure Amazon Web Services (AWS)® for Arctic Wolf® Cloud Security Posture Management (CSPM).

These resources are required:

  • Access to the AWS IAM console

Enable Security Token Service

To make sure you have the correct credentials, enable AWS Security Token Service (STS) for each AWS account that you want to monitor.

For each AWS account that you want to monitor, do these steps:
  1. Sign in to the AWS IAM console.
  2. In the navigation menu, click Account settings.
  3. In the Security Token Service (STS) section, under Endpoints, find your AWS region and select Active.
    Note: You can find your AWS region in the Provider Region field on the Arctic Wolf Unified Portal allowlist page.
  4. Click Activate.

Determine the Arctic Wolf AWS account ID

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Allowlist Requirements.
  3. In the Cloud Infrastructure Scans section, in the AWS row, copy the Account ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

Create a new IAM role

  1. Sign in to the AWS IAM console.
  2. In the navigation menu, click Roles.
  3. Click Create role.
  4. Select AWS account.
  5. Select Another AWS account.
  6. In the Account ID field, enter the Arctic Wolf AWS account ID from Determine the Arctic Wolf AWS account ID.
  7. Click Require external ID.
  8. In the External ID field, enter your 12-digit AWS account ID.
    Note: Do not select Require MFA.
  9. Click Next.
  10. In the search bar, enter SecurityAudit.
  11. In the search results, select the SecurityAudit policy checkbox.

    This policy includes a minimal set of read-only privileges that are required to perform a security audit of the account.

  12. Click Next.
  13. In the Role name field, enter AWNSecurityAuditRole.
    Tip: This is the default role name value that Arctic Wolf looks for.
  14. Optional: In the Description field, enter a description for the role.
  15. Click Create role.
  16. Click Roles > AWNSecurityAuditRole.
  17. Copy the Role ARN, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

Create a policy

  1. Sign in to the AWS IAM console.
  2. Click Roles > AWNSecurityAuditRole.
  3. Click Add permissions > Create inline policy.
  4. Click Choose a Service.
  5. In the search bar, enter SES.
  6. Select SES from the search results.
  7. In the Actions section, in the Specify the actions allowed in SES search bar, enter DescribeActiveReceiptRuleSet.
  8. In the search results, select the DescribeActiveReceiptRuleSet checkbox.
  9. Select Add more permissions.
  10. In the search bar, enter EC2.
  11. In the search results, select EC2.
  12. In the Actions section, in the Specify the actions allowed in EC2 search bar, enter GetEbsDefaultKmsKeyId.
  13. In the search results, select the GetEbsDefaultKmsKeyId checkbox.
    Tip: Based on your environment settings, you can search for and select other conditions.
  14. Click Next.
  15. In the Policy name field, enter a name for your policy.
  16. Click Create Policy.

Provide your AWS cloud credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Scanners.
  3. Click + Add Account.
  4. Click AWS.
  5. Click Next: Add Account Information.
  6. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.

    • Account ID — Enter the 12-digit AWS account number. For example, 123456789012.
    • Role ARN — Enter the role ARN from Create a new IAM role. The account number in the role should match the Account ID. For example, arn:aws:iam::123456789012:role/cspm-role.
  7. Click Submit.
    A ticket is created so that your Concierge Security® Team (CST) can finalize the configuration of the account. At any time, you can click Tickets & Alerts to view the status of your ticket in the Unified Portal.
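
Before you submit, you can check that the role matches the steps above. This is an added example, not Arctic Wolf code: it audits a role's trust policy document (the JSON shown on the role's Trust relationships tab) and the Role ARN against the Account ID. The function name, the sample policy, and the vendor account ID 999999999999 are constructed placeholders.

```python
import json
import re

# Constructed sample values. VENDOR_ACCOUNT_ID is a placeholder: copy the real
# Arctic Wolf account ID from the Unified Portal allowlist page.
VENDOR_ACCOUNT_ID = "999999999999"
MY_ACCOUNT_ID = "123456789012"
ROLE_ARN = "arn:aws:iam::123456789012:role/AWNSecurityAuditRole"
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": MY_ACCOUNT_ID}},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_role(trust_policy_json, role_arn, my_account_id, vendor_account_id):
    """Return findings; an empty list means the role matches the procedure."""
    findings = []
    arn = re.fullmatch(r"arn:aws:iam::(\d{12}):role/.+", role_arn)
    if not arn:
        findings.append("role ARN is not an IAM role ARN")
    elif arn.group(1) != my_account_id:
        findings.append("account number in role ARN differs from Account ID")
    allowed = {vendor_account_id, f"arn:aws:iam::{vendor_account_id}:root"}
    # Every Allow statement in a trust policy grants someone the role, so check all.
    statements = [s for s in _as_list(json.loads(trust_policy_json)["Statement"])
                  if s.get("Effect") == "Allow"]
    if not statements:
        findings.append("trust policy has no Allow statement")
    for stmt in statements:
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not aws or any(p not in allowed for p in aws):
            findings.append("principal is not limited to the vendor account")
        # Condition keys are case-insensitive in IAM, so normalise before lookup.
        cond = {op: {k.lower(): v for k, v in keys.items()}
                for op, keys in stmt.get("Condition", {}).items()}
        if _as_list(cond.get("StringEquals", {}).get("sts:externalid")) != [my_account_id]:
            findings.append("sts:ExternalId condition missing or not the 12-digit account ID")
        if any("aws:multifactorauthpresent" in keys for keys in cond.values()):
            findings.append("trust policy requires MFA")
    return findings
```

Paste your own trust policy JSON, Role ARN, and account IDs in place of the constructed values; an empty result means the role is set up as the procedure describes.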