Onboarding AWS Environments to Intelligence with API
You can onboard one or more AWS
Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. environments to Intelligence with the CloudGuard REST API Also known as RESTful API - an application programming interface (API or web API) that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services.. For onboarding an AWS environment with the CloudGuard portal, see Onboarding AWS Environments to Intelligence.
Prerequisites
Before onboarding your AWS environments with API, make sure that you have prepared:
-
CloudGuard account information: API key and secret for your account
-
AWS account information:
-
ID of your AWS account (Account Number)
-
Name of the bucket that stores Flow Logs or CloudTrail logs
-
ARN
Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. of the SNS topic that receives event notifications from the bucket -
For a centralized S3 bucket: IDs of the other AWS environments that send log files to the centralized bucket
-
-
AWS account setup that includes:
-
SNS topic
-
Event notification that the S3 bucket can send to the SNS topic
-
Permissions given to CloudGuard Intelligence
-
Creating an SNS Topic
Your AWS account requires an SNS topic that is ready to receive notifications from the logs bucket. The topic must have a policy that allows SNS:Publish on the logs bucket resource.
To create an SNS Topic:
-
Open the Amazon SNS console and navigate to Topics.
-
Click Create topic.
-
In the Create topic section, enter a name and description for the topic.
-
In the Access policy section, set who can publish and subscribe to the topic to Everyone.
Best Practice - Check Point recommends to limit the publishing and subscription policy when the onboarding is done.
For more information on SNS Access Policy, see AWS documentation.
-
Click Create topic.
Connecting a bucket to an SNS topic
You can connect an SNS topic and an S3 bucket with an event notification. The notification has to include the event type Put in the Object creation events (s3:ObjectCreated:Put).
Make sure the prefix filter of the notification is sufficient and includes all desired logs.
To attach the SNS topic to the S3 bucket with the event notification:
-
In the AWS Console, navigate to Amazon S3 > Buckets.
-
In the buckets list, open the applicable bucket and go to the Properties tab.
-
Scroll to the Event notifications section and click Create event notification.
-
Below General configurations, enter the details of your setup,, and for Event types select Object creation - Put.
Note - AWS does not allow overlapping prefixes for the same event type.
-
For Destination, select the SNS topic and specify it by selection or with an ARN.
-
Click Save changes.
Granting Permissions to CloudGuard Intelligence
Add the permissions below to the CloudGuard trust role that you created during onboarding.
-
To recover the trust role ARN, open the environment page, click Edit Credentials and copy the Role ARN value.
-
Add these permissions:
-
Action:
s3:GetObjectResource: ARNs of all onboarded and to be onboarded buckets
-
Action:
sns:Subscribe,sns:UnsubscribeResource: ARNs of all of the onboarded SNS topics and the topics about to be onboarded
-
Action:
kms:DecryptResource: ARNs of the KMS
AWS Key Management Service (AWS KMS) - A managed service that simplifies the creation and control of encryption keys that are used to encrypt data. keys encrypting the buckets or the CloudTrail trails (if available)
-
Request
POST /v2/view/magellan/magellan-custom-onboarding
{
"bucketName": " intelligence-onboarding-*****-*****-******* ",
"bucketAccountId": "5******************9",
"topicArn": " arn:aws:sns:us-east-1:5************9:********",
"cloudAccountIds": [ ],
"onboardingType": "Cloudtrail"
}
For API documentation and code examples, see API Reference.
Authorization
Basic Authorization: Use the API key and secret as username and password.
Parameters
-
bucketName - Name of the S3 bucket that stores the Flow Logs or CloudTrail logs
-
bucketAccountId – AWS account ID that contains the S3 bucket (must be onboarded to CloudGuard)
-
topicArn – ARN of the SNS topic that receives event notifications from the S3 bucket
-
cloudAccountIds – For a centralized S3 bucket, the cloud account IDs of the other AWS accounts that send log files to the centralized S3 bucket.
-
onboardingType – CloudTrail or Flow Logs for Account Activity or Traffic Activity
Response
200 – OK
Onboarding Verification
When done, make sure that:
-
The subscription is added to the SNS topic.
-
The new logs of the onboarded AWS account start to appear in the CloudGuard portal in Events > Account Activity or Network Traffic. This can take less than 30 minutes.