Configure AWS for Arctic Wolf CSPM using CLI

You can configure Amazon Web Services (AWS)® for Arctic Wolf® Cloud Security Posture Management (CSPM) using the AWS Command Line Interface (CLI).

These resources are required:

Enable Security Token Service

To make sure you have the correct credentials, enable AWS Security Token Service (STS) for each AWS account that you want to monitor.

For each AWS account that you want to monitor, do these steps:
  1. Sign in to the AWS IAM console.
  2. In the navigation menu, click Account settings.
  3. In the Security Token Service (STS) section, under Endpoints, find your AWS region and select Active.
    Note: You can find your AWS region in the Provider Region field on the Arctic Wolf Unified Portal allowlist page.
  4. Click Activate.

Determine the Arctic Wolf AWS account ID

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Allowlist Requirements.
  3. In the Cloud Infrastructure Scans section, in the AWS row, copy the Account ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

Create the AWS roles and policies

  1. In your browser, open AWS CloudShell.
  2. Run this command to create the AWN Custom Policy:
    SHELL
    aws iam create-policy --policy-name AWNCustomPolicy --policy-document '{ "Version": "2012-10-17",
    "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ses:DescribeActiveReceiptRuleSet", "ec2:GetEbsDefaultKmsKeyId" ], "Resource": "*" } ] }'
  3. Run this command to create the AWN Security Audit Role:
    SHELL
    aws iam create-role --role-name AWNSecurityAuditRole --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<aw_account_id>:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "<your_account_id>" } } } ] }'

    Where:

    • aw_account_id is the Arctic Wolf AWS account ID.
    • your_account_id is your AWS account ID.
  4. Run this command to get the ARN of the AWN Custom Policy:
    SHELL
    custom_role_policy_arn=$(aws iam list-policies --query "Policies[?PolicyName=='AWNCustomPolicy'].Arn" --output text)
  5. Run this command to get the ARN of the Security Audit Policy:
    SHELL
    audit_role_policy_arn=$(aws iam list-policies --query "Policies[?PolicyName=='SecurityAudit'].Arn" --output text)
  6. Run these commands to attach policies to the AWN Security Audit Role:
    SHELL
    aws iam attach-role-policy --role-name AWNSecurityAuditRole --policy-arn $custom_role_policy_arn
    aws iam attach-role-policy --role-name AWNSecurityAuditRole --policy-arn $audit_role_policy_arn
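The steps above can be wrapped in a short script that validates both account IDs before anything is created, builds the two policy documents from variables instead of hand-edited placeholders, and then reads the role back to confirm that the trust policy still requires the external ID and that only the two expected policies are attached. This is an added example, not Arctic Wolf's own script; it assumes the AWS CLI is configured with IAM permissions, uses the same role and policy names as the page, and (unlike the page, which looks the ARNs up with list-policies) constructs the customer-managed policy ARN from your account ID and uses the AWS-managed ARN arn:aws:iam::aws:policy/SecurityAudit directly.

```shell
#!/bin/sh
# Added example: create and verify the Arctic Wolf CSPM audit role.
# Assumes a configured AWS CLI; role/policy names follow the page.

ROLE_NAME="AWNSecurityAuditRole"
POLICY_NAME="AWNCustomPolicy"
AUDIT_POLICY_ARN="arn:aws:iam::aws:policy/SecurityAudit"

# An AWS account ID is exactly 12 decimal digits; reject anything else
# so a typo does not end up as the trust-policy principal or external ID.
validate_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Trust policy: only the Arctic Wolf account may assume the role, and only
# when it presents your account ID as sts:ExternalId (confused-deputy guard).
trust_policy_doc() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"%s"}}}]}' "$1" "$2"
}

# The two read-only actions from the page that SecurityAudit does not cover.
custom_policy_doc() {
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"VisualEditor0","Effect":"Allow","Action":["ses:DescribeActiveReceiptRuleSet","ec2:GetEbsDefaultKmsKeyId"],"Resource":"*"}]}'
}

# Usage: setup_cspm_role <arctic_wolf_account_id> <your_account_id>
# Creates the custom policy and the role, attaches both policies, and
# prints the role ARN to paste into the Unified Portal.
setup_cspm_role() {
  aw_id="$1"; my_id="$2"
  validate_account_id "$aw_id" || { echo "invalid Arctic Wolf account ID" >&2; return 1; }
  validate_account_id "$my_id" || { echo "invalid AWS account ID" >&2; return 1; }
  custom_arn="arn:aws:iam::${my_id}:policy/${POLICY_NAME}"

  aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(custom_policy_doc)" >/dev/null
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_doc "$aw_id" "$my_id")" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$custom_arn"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$AUDIT_POLICY_ARN"
  aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text
}

# Defender check: print the external ID the trust policy demands and the
# names of the attached policies. Expect your account ID, then exactly
# "AWNCustomPolicy SecurityAudit"; anything extra widens the role's reach.
verify_cspm_role() {
  aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.AssumeRolePolicyDocument.Statement[0].Condition.StringEquals."sts:ExternalId"' \
    --output text
  aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
    --query 'AttachedPolicies[].PolicyName' --output text
}

# Only touch AWS when both account IDs are given on the command line.
if [ "$#" -eq 2 ]; then
  setup_cspm_role "$1" "$2" && verify_cspm_role
fi
```

Run it as `sh setup-cspm-role.sh <arctic_wolf_account_id> <your_account_id>` (a constructed filename). Re-running `verify_cspm_role` later is a cheap periodic check that nobody has loosened the trust policy or attached a broader policy to the role since it was handed to Arctic Wolf.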

Provide your AWS credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Scanners.
  3. Click + Add Account.
  4. Click AWS.
  5. Click Next: Add Account Information.
  6. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Account ID — Enter the 12-digit AWS account number. For example, 123456789012.
    • Role ARN — Enter the role ARN. The account number in the role should match the Account ID. For example, arn:aws:iam::123456789012:role/cspm-role.
  7. Click Submit.
    A ticket is created so that your Concierge Security® Team (CST) can finalize the configuration of the account. At any time, you can click Tickets & Alerts to view the status of your ticket in the Unified Portal.