Configure AWS CloudTrail events for Arctic Wolf monitoring

You can configure AWS CloudTrail® to send the necessary logs to Arctic Wolf® for monitoring security information.

Note:

The AWS CloudTrail service monitors all API calls within an AWS account. You cannot monitor individual AWS instances or assets. When Arctic Wolf monitors an AWS account using the CloudTrail service, we do not ignore cross-organization, shared, or private information.

If you have multiple AWS accounts you want Arctic Wolf to monitor, consider using AWS Organizations® or AWS Control Tower® to aggregate all logs to one logging account. Then, you only need to configure one logging account to connect to the Arctic Wolf cloud monitoring service. Otherwise, you must repeat this configuration process for each AWS account you want Arctic Wolf to monitor. For more information, see AWS Organizations documentation and AWS Control Tower documentation.

This configuration uses AWS Management Console and AWS CloudFormation to create and manage the resources required to send logs. For more information, see AWS permissions granted to Arctic Wolf, AWS Management Console documentation, and AWS CloudFormation documentation.

Note:

Deploying these CloudFormation templates creates resources in your AWS account, and AWS charges you based on resource run time and usage. There is a baseline cost for enabling the service and storing CloudTrail logs in a Simple Storage Service (S3) bucket. For example, an AWS account with multiple active users can generate approximately 250,000 CloudTrail events or more each day. With the single free trail, this level of use adds approximately 10 USD for each AWS account each month in incremental costs.

You can change the CloudFormation settings to reduce AWS costs, such as setting a lower retention period for logs or integrating with a pre-existing trail. For more information, contact your Concierge Security® Team (CST).

These resources are required:

  • Access to the AWS Management Console

  • An Amazon Web Services (AWS)® user or AWS Identity and Access Management (IAM) role with administrator permissions or an equivalent IAM policy. This user must have permissions to create, update, and delete these stacks and dependent resources:

    • CloudFormation stacks

    • CloudTrail trails

    • Amazon CloudWatch Logs log groups

    • IAM roles and managed policies

    • Lambda functions and custom resources

    • Amazon Kinesis Data Firehose delivery streams

    • S3 buckets

    • SNS topics and topic policies

These actions are required:

  • Complete Provide AWS credentials to Arctic Wolf.
  • Obtain the links from the Amazon Web Services (AWS) Monitoring section of the Arctic Wolf Unified Portal.
  • Select a preferred region for AWS monitoring.
    Note:

    Arctic Wolf recommends that you use US West (Oregon) or US East (N. Virginia), known as us-west-2 and us-east-1 respectively, to make sure that all recommended AWS services are available. For more information, see Supported AWS regions.

  • Provide your AWS account numbers in the Arctic Wolf Unified Portal and verify that Arctic Wolf has authorized the accounts for monitoring.

    For more information, see Provide AWS credentials to Arctic Wolf.

Determine your AWS deployment scenario and configure CloudTrail

Configure your AWS CloudTrail monitoring based on your deployment scenario. Follow the one procedure below that matches your environment: no existing trails, an existing trail, AWS Organizations with or without an existing trail, or AWS Control Tower.

Configure CloudTrail monitoring with no existing trails

  1. Sign in to the AWS Management Console with administrator permissions.
  2. Find the region that you want to deploy the monitoring from.
    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  3. In the Services menu, in the Management & Governance section, click CloudFormation.
  4. On the CloudFormation page, click Create stack > With new resources (standard).
  5. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  6. In the Arctic Wolf Unified Portal, in the Amazon Web Services (AWS) Monitoring section, copy the appropriate CloudTrail stack link.
  7. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.
  8. Click Next.
  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.
  10. In the Parameter section, keep the CloudTrail field empty.
  11. Click Next.
  12. Optional: On the Configure stack options page, add roles, policies, and other configurations, as desired.
  13. Click Next.
  14. On the Review page, read the Capabilities section.
  15. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  17. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  18. Proceed to Confirm subscription to the Arctic Wolf SNS topic.

Configure CloudTrail monitoring with an existing trail

  1. Sign in to the AWS Management Console with administrator permissions.
  2. Find the region that you want to deploy the monitoring from.
    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  3. In the Services menu, in the Management & Governance section, click CloudFormation.
  4. On the CloudFormation page, click Create stack > With new resources (standard).
  5. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  6. In the Arctic Wolf Unified Portal, in the Amazon Web Services (AWS) Monitoring section, copy the appropriate CloudTrail stack link.
  7. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.
  8. Click Next.
  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.
  10. In the Parameter section, in the CloudTrail field, enter the Amazon Resource Name (ARN) of the existing trail that you want to use for Arctic Wolf.
    Note:

    The ARN of the CloudTrail can be found in the CloudTrail console. In the CloudTrail console, select the existing trail that you want to use from the Trail list. Find the path similar to CloudTrail > Trail > arn:aws:cloudtrail:us-east-2:12345678910:trail/nameoftrail. Copy the entire ARN, starting with arn:aws:cloudtrail.

  11. Click Next.
  12. Optional: On the Configure stack options page, add roles, policies, and other configurations, as desired.
  13. Click Next.
  14. On the Review page, read the Capabilities section.
  15. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  17. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  18. Proceed to Confirm subscription to the Arctic Wolf SNS topic.
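The stack creation steps above (both the empty CloudTrail field for a new trail and the ARN of an existing trail) and the CREATE_COMPLETE check in step 17, automated with boto3. This is an added example, not Arctic Wolf's own tooling. It assumes the template parameter is named CloudTrail, matching the console field label, that the template URL is the stack link copied from the Unified Portal, and that the three Review-page checkboxes correspond to the CAPABILITY_IAM, CAPABILITY_NAMED_IAM and CAPABILITY_AUTO_EXPAND capabilities. The stack records in the check function are the shape that describe_stacks returns, where nested stacks carry a RootId pointing at the base stack.

```python
"""Create the Arctic Wolf CloudTrail stack and wait until the base stack and
every nested stack are CREATE_COMPLETE (added example, not Arctic Wolf code)."""

TRAIL_ARN_PREFIX = "arn:aws:cloudtrail:"

# The Review page checkboxes map to these stack capabilities; nested stacks
# are what make CAPABILITY_AUTO_EXPAND necessary.
CAPABILITIES = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]

# Assumption: the template's parameter for an existing trail is named
# "CloudTrail", like the field in the console.
TRAIL_PARAMETER_KEY = "CloudTrail"


def build_create_stack_request(stack_name, template_url, trail_arn=None):
    """Return the kwargs for CloudFormation.create_stack.

    trail_arn=None reproduces "keep the CloudTrail field empty"; otherwise the
    value must be the trail ARN copied from the CloudTrail console.
    """
    if trail_arn is not None and not trail_arn.startswith(TRAIL_ARN_PREFIX):
        raise ValueError(f"not a CloudTrail ARN: {trail_arn!r}")
    return {
        "StackName": stack_name,
        "TemplateURL": template_url,
        "Parameters": [
            {"ParameterKey": TRAIL_PARAMETER_KEY, "ParameterValue": trail_arn or ""}
        ],
        "Capabilities": list(CAPABILITIES),
    }


def incomplete_stacks(stacks, root_stack_id):
    """From describe_stacks records, return the names of the base stack and any
    nested stack beneath it whose status is not CREATE_COMPLETE."""
    names = []
    for stack in stacks:
        is_root = stack["StackId"] == root_stack_id
        is_nested = stack.get("RootId") == root_stack_id
        if not (is_root or is_nested):
            continue  # some unrelated stack in the same account
        if stack["StackStatus"] != "CREATE_COMPLETE":
            names.append(stack["StackName"])
    return names


def create_and_wait(stack_name, template_url, trail_arn=None, region="us-west-2"):
    """Create the stack, wait for the base stack, then verify the nested stacks."""
    import boto3  # imported here so the pure helpers work without boto3 installed

    cfn = boto3.client("cloudformation", region_name=region)
    request = build_create_stack_request(stack_name, template_url, trail_arn)
    root_id = cfn.create_stack(**request)["StackId"]
    # The waiter returns only when the base stack reaches CREATE_COMPLETE
    # (it raises on failure); nested stacks are checked separately below.
    cfn.get_waiter("stack_create_complete").wait(StackName=root_id)
    stacks = [
        stack
        for page in cfn.get_paginator("describe_stacks").paginate()
        for stack in page["Stacks"]
    ]
    pending = incomplete_stacks(stacks, root_id)
    if pending:
        raise RuntimeError(f"stacks not CREATE_COMPLETE: {pending}")
    return root_id


if __name__ == "__main__":
    # Placeholders: the template URL is the stack link from the Unified Portal,
    # the trail ARN is the one shown in the CloudTrail console for your trail.
    print(create_and_wait("ArcticWolf",
                          "https://s3.amazonaws.com/<BUCKET>/<TEMPLATE>",
                          trail_arn="arn:aws:cloudtrail:<REGION>:<ACCOUNT>:trail/<TRAIL>"))
```

Run it with credentials for the account and region you chose in the console; the only thing it cannot do for you is copy the stack link from the Unified Portal.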

Configure CloudTrail monitoring with AWS Organizations and no existing trails

  1. Sign in to the AWS Management Console with the Organizations Management Account.
  2. Find the region that you want to deploy the monitoring from.
    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  3. In the Services menu, in the Management & Governance section, click CloudFormation.
  4. On the CloudFormation page, click Create stack > With new resources (standard).
  5. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  6. In the Arctic Wolf Unified Portal, in the Amazon Web Services (AWS) Monitoring section, copy the appropriate CloudTrail stack link.
  7. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.
  8. Click Next.
  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.
  10. In the Parameter section, keep the CloudTrail field empty.
  11. Click Next.
  12. Optional: On the Configure stack options page, add roles, policies, and other configurations, as desired.
  13. Click Next.
  14. On the Review page, read the Capabilities section.
  15. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  17. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  18. Sign in to the CloudTrail console.
  19. On the CloudTrail Dashboard, click Trails, click the Arctic Wolf trail name, and then click Edit > Enable for all accounts in my organization.

    All CloudTrail logging for accounts in your organization is delegated to a single trail.

    Note: If this option is grayed out, navigate to the AWS Organizations Console to verify that you are signed in to the Organizations Management Account. You must remove the CloudFormation template from the deployed account and deploy the template while signed in to your Organizations Management Account.
  20. Proceed to Confirm subscription to the Arctic Wolf SNS topic.

Configure CloudTrail monitoring with AWS Organizations and an existing trail


  1. Sign in to the AWS Management Console with administrator permissions.
  2. Find the region that you want to deploy the monitoring from.
    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  3. In the Services menu, in the Management & Governance section, click CloudFormation.
  4. On the CloudFormation page, click Create stack > With new resources (standard).
  5. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  6. In the Arctic Wolf Unified Portal, in the Amazon Web Services (AWS) Monitoring section, copy the appropriate CloudTrail stack link.
  7. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.
  8. Click Next.
  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.
  10. In the Parameter section, in the CloudTrail field, enter the Amazon Resource Name (ARN) of the existing trail that you want to use for Arctic Wolf.
    Note:

    The ARN of the CloudTrail can be found in the CloudTrail console. In the CloudTrail console, select the existing trail that you want to use from the Trail list. Find the path similar to CloudTrail > Trail > arn:aws:cloudtrail:us-east-2:12345678910:trail/nameoftrail. Copy the entire ARN, starting with arn:aws:cloudtrail.

  11. Click Next.
  12. Optional: On the Configure stack options page, add roles, policies, and other configurations, as needed.
  13. Click Next.
  14. On the Review page, read the Capabilities section.
  15. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  17. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  18. Sign in to the CloudTrail console.
  19. On the CloudTrail details page, verify that your CloudTrail configuration shows Log file SSE-KMS encryption: Enabled. The KMS key should be listed immediately below. Verify that the KMS key is located in the current account. If the KMS key used is located in another account, add this statement to the KMS key policy, replacing the two placeholder values:
    JSON
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:CallerAccount": "<ACCOUNT ID WITH THE IAM ROLE>"
            },
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": "<ARN OF THE MONITORING CLOUDTRAIL>"
            }
        }
    }
  20. On the CloudTrail Dashboard, click Trails, click the Arctic Wolf trail name, and then click Edit > Enable for all accounts in my organization.
    All CloudTrail logging for accounts in your organization is delegated to a single trail.
    Note: If this option is grayed out, navigate to the AWS Organizations Console to verify that you are signed in to the Organizations Management Account. You must remove the CloudFormation template from the deployed account and deploy the template while signed in to your Organizations Management Account.
  21. Proceed to Confirm subscription to the Arctic Wolf SNS topic.

Configure CloudTrail monitoring with AWS Control Tower


  1. Sign in to the AWS Control Tower management account with administrator permissions.
    Tip: This account was previously referred to as the master account.
  2. Enter this URL into a browser window, where accountid is the account number of the logging account: https://signin.aws.amazon.com/switchrole?roleName=AWSControlTowerExecution&account=accountid

    You are signed into the Log Archive account with an AWSControlTowerExecution role.

  3. Sign in to the AWS Management Console with administrator permissions.
  4. Find the region that you want to deploy the monitoring from.
    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  5. In the Services menu, in the Management & Governance section, click CloudFormation.
  6. On the CloudFormation page, click Create stack > With new resources (standard).
  7. On the Create stack page, configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  8. In the Arctic Wolf Unified Portal, in the Amazon Web Services (AWS) Monitoring section, copy the appropriate CloudTrail stack link.
  9. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.
  10. Click Next.
  11. In the Name field, enter a unique name for your stack. For example, ArcticWolf.
  12. In the Parameter section, in the CloudTrail field, enter the Amazon Resource Name (ARN) of the existing trail that you want to use for Arctic Wolf.
    Note:

    The ARN of the CloudTrail can be found in the CloudTrail console. In the CloudTrail console, select the existing trail that you want to use from the Trail list. Find the path similar to CloudTrail > Trail > arn:aws:cloudtrail:us-east-2:12345678910:trail/nameoftrail. Copy the entire ARN, starting with arn:aws:cloudtrail.

  13. Click Next.
  14. Optional: On the Configure stack options page, add roles, policies, and other configurations, as needed.
  15. Click Next.
  16. On the Review page, read the Capabilities section.
  17. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  18. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  19. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  20. Sign in to the CloudTrail console.
  21. On the CloudTrail details page, verify that your CloudTrail configuration shows Log file SSE-KMS encryption: Enabled. The KMS key should be listed immediately below. Verify that the KMS key is located in the current account. If the KMS key used is located in another account, add this statement to the KMS key policy, replacing the two placeholder values:
    JSON
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:CallerAccount": "<ACCOUNT ID WITH THE IAM ROLE>"
            },
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": "<ARN OF THE MONITORING CLOUDTRAIL>"
            }
        }
    }
  22. Proceed to Confirm subscription to the Arctic Wolf SNS topic.
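The KMS key policy statement from the Organizations and Control Tower procedures above, built and merged into an existing key policy as an added example (not Arctic Wolf's own code). The statement body is the one shown in those steps; the Sid name, the two account IDs, the trail ARN and the sample key policy are constructed for the example. The check function encodes the point that matters in review: a wildcard principal on kms:Decrypt is acceptable here only because the kms:CallerAccount and CloudTrail encryption-context conditions narrow it to one account and one trail.

```python
"""Merge the cross-account CloudTrail decrypt statement into a KMS key policy
(added example, not Arctic Wolf code; all IDs below are constructed)."""
import copy
import json

STATEMENT_SID = "AllowCloudTrailLogDecryptFromMonitoringAccount"  # assumed Sid
TRAIL_ARN_PREFIX = "arn:aws:cloudtrail:"

# Constructed sample: a default-style key policy in the account that owns the key.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def cloudtrail_decrypt_statement(caller_account_id, trail_arn):
    """Build the statement from the procedure, scoped to one account and one trail."""
    if not (caller_account_id.isdigit() and len(caller_account_id) == 12):
        raise ValueError("caller_account_id must be the 12-digit AWS account ID")
    if not trail_arn.startswith(TRAIL_ARN_PREFIX):
        raise ValueError(f"not a CloudTrail ARN: {trail_arn!r}")
    return {
        "Sid": STATEMENT_SID,
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            # The calling account must be the one holding the IAM role ...
            "StringEquals": {"kms:CallerAccount": caller_account_id},
            # ... and the ciphertext must carry the monitoring trail's context.
            "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": trail_arn},
        },
    }


def is_safely_scoped(statement):
    """True unless an Allow statement with a wildcard principal lacks the two
    conditions; without them "AWS": "*" lets any AWS principal decrypt."""
    principal = statement.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") == "*"
    )
    if statement.get("Effect") != "Allow" or not wildcard:
        return True  # not the pattern this check is about
    cond = statement.get("Condition", {})
    return (
        "kms:CallerAccount" in cond.get("StringEquals", {})
        and "kms:EncryptionContext:aws:cloudtrail:arn" in cond.get("StringLike", {})
    )


def add_statement(policy, statement):
    """Return a new policy with the statement added; an existing statement with
    the same Sid is replaced, so re-running the merge is idempotent."""
    if not is_safely_scoped(statement):
        raise ValueError("refusing to add an unconditioned wildcard-principal statement")
    updated = copy.deepcopy(policy)
    existing = updated.get("Statement", [])
    if isinstance(existing, dict):  # single-statement shorthand
        existing = [existing]
    updated["Statement"] = [
        s for s in existing if s.get("Sid") != statement["Sid"]
    ] + [statement]
    return updated


if __name__ == "__main__":
    # Constructed values: 222222222222 holds the Arctic Wolf IAM role,
    # 111111111111 owns the key and the organization trail.
    stmt = cloudtrail_decrypt_statement(
        "222222222222", "arn:aws:cloudtrail:us-west-2:111111111111:trail/ArcticWolf"
    )
    print(json.dumps(add_statement(SAMPLE_KEY_POLICY, stmt), indent=2))
```

The merged document is what you would paste into the key policy editor (or pass to put-key-policy) in the account that owns the key; the existing statements are kept unchanged.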

Confirm subscription to the Arctic Wolf SNS topic

The CloudFormation stacks create a Simple Notification Service (SNS) topic in your AWS account. Arctic Wolf uses this SNS topic to identify changes to your CloudTrail account. Make sure that the Arctic Wolf Simple Queue Service (SQS) endpoint is subscribed to your AWNSNSTopic.

Note: Only complete these steps for the primary region.
  1. Sign in to the AWS Management Console, and then click Services > All services > Simple Notification Service.
  2. In the navigation menu, click Topics.
  3. In the filter field, enter AWNSNSTopic to find the corresponding topic.
  4. In the Name column, click the link for the Arctic Wolf SNS topic.
  5. On the Subscriptions page, review the subscription Status. If the value is:
    • Confirmed — The SNS subscription is successfully confirmed.
    • Pending:
      1. Select the checkbox for the subscription, and then click Request confirmation.

        A message appears, indicating that the subscription confirmation was requested.

      2. Wait a few minutes, and then refresh the page.

      3. If the Status continues to display Pending, contact your CST for assistance. Include your 12-digit AWS account number.

  6. Contact security@arcticwolf.com to confirm that Arctic Wolf is receiving your CloudTrail events. You can also inquire about optional additional AWS services that Arctic Wolf can monitor.