Custom Onboarding of AWS Environments to Intelligence

This topic describes how to onboard an AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. environment with the manual onboarding experience. For the automated unified onboarding process, see Onboarding AWS Environments to Intelligence.

Your AWS environment has to be onboarded to CloudGuard before you can onboard it to Intelligence. If your account is not onboarded, follow the instructions in Unified Onboarding of AWS Environments.

Intelligence uses VPC Flow Logs and CloudTrail logs from your AWS account. These logs have to be connected to an AWS S3 bucket.

In the onboarding process below, you add an IAM Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. policy to your AWS environment.

You must do some of the onboarding steps processes in the AWS console and other steps in the CloudGuard portal to onboard information from the selected AWS accounts to Intelligence.

Note - You must onboard Flow Logs and CloudTrail separately for each account.

Custom Onboarding

During the Custom Onboarding process, CloudGuard receives permission to create a subscription to an SNS topic and retrieve logs from the S3 bucket that sends logs to this SNS topic. This mode usually applies to three primary use cases:

• You have multiple environments that send logs to one (centralized) S3 bucket. The AWS environment that has the centralized S3 bucket and includes logs from all other connected accounts is your Root Account.

  During the onboarding process, you can select to onboard some accounts that send logs to the centralized bucket. Afterward, to onboard one of the accounts, start the onboarding wizard from the Root Account's page and not on the page of the account to onboard.

• You use a non-default prefix to organize data in the S3 bucket that holds your logs.

• You need to send your logs to another third-party destination, for example, to a SIEM. For a specific prefix, AWS only supports Event Notification to one destination. You can send the logs to an SNS topic and send them through this procedure to different subscribers.

Custom Onboarding includes these steps:

• Prerequisites - Make sure you have all required components before you start.

• Configuration - Configure an SNS topic: use the existing topic or create a new one if you do not have it and attach it to the S3 bucket. Note that only one SNS topic for each bucket is allowed.

• Buckets - Select the centralized bucket that holds your logs and sends events to the SNS topic.

• Accounts - Select the cloud accounts logs that you want to onboard to Intelligence.

  Note - You can have some Connected accounts that send their logs to the centralized S3 bucket of the Root Account. On the Accounts page, you can select only those accounts that are relevant for onboarding to Intelligence.

• IAM Policy - Prepare the IAM policy for CloudGuard Intelligence.

• Summary - Review the components to be onboarded to Intelligence.

Known Limitations

• The centralized S3 bucket cannot send events to two SNS topics. One S3 bucket = one SNS topic.

• You cannot onboard an account to Intelligence if you use an encrypted SNS.

For these and other CloudGuard limitations, see Known Limitations.

Onboarding to Account Activity with CloudTrail

Follow these steps in CloudGuard to enable Account Activity with CloudTrail:

1. In CloudGuard, click the Assets menu and make sure the Environments page opens.

2. From the list of the AWS environments, find the AWS environment that you want to onboard to Intelligence. For the centralized bucket onboarding, this environment must be your root account.

3. In the environment row and the Account Activity column, click Enable to start the Intelligence onboarding wizard.

   Alternatively, you can click and enter the account page. On the top right menu, click Add Intelligence and select CloudTrail.
   

4. Follow the on-screen instructions to complete the wizard.

Onboarding to Traffic Activity with Flow Logs

Follow these steps in CloudGuard to enable Traffic Activity with Flow Logs:

1. In CloudGuard, click the Assets menu and make sure the Environments page opens.

2. From the list of the AWS environments, find the AWS environment that you want to onboard to Intelligence. For the centralized bucket onboarding, this environment must be your root account.

3. In the account row and the Traffic Activity column, click Enable to start the Intelligence onboarding wizard.

   As an alternative, you can click and enter the environment page. On the top right menu, click Add Intelligence and select Flow Logs.
   

4. Follow the on-screen instructions to complete the wizard.

Troubleshooting Intelligence Onboarding

You completed all the steps in the Onboarding wizard, but no logs show in the CloudGuard portal.

Possible causes:

• IAM Role Permissions

  The CloudGuard-Connect IAM role requires additional actions to allow Intelligence to get objects.

  Make sure that you have the CloudGuard-for-intelligence policy attached:

  • S3 bucket policy statement has explicit permission to GetObject

  • S3 bucket policy statement has the permission to PutBucketNotification

  Copy

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "Dome9S3ForLogic",
              "Action": [
                  "s3:GetObject",
                  "s3:PutBucketNotification"
              ],
              "Effect": "Allow",
              "Resource": []
          }
      ]
  }

• SNS Topic Permissions

  • Make sure that the policy allows everyone to publish and subscribe to this SNS topic.

    Note - Check Point recommends that you limit the publishing policy after you complete the onboarding process.

  • Make sure that the SNS topic is configured and set as an Event Notification destination. The Event Notification event type that CloudGuard Intelligence requires is Put: s3:ObjectCreated:Put. Set the destination to the applicable SNS topic.

  • Make sure that the SNS access policy allows the CloudGuard-Connect IAM role to subscribe to the SNS. For this, update the SNS access policy and the CloudGuard-Connect IAM role policy to allow SNS:Subscribe and SNS:Unsubscribe.

  • Make sure that the subscription is confirmed in the SNS topic. For this, on the Subscription tab, make sure that the subscription status is Confirmed. If it is not confirmed, click Request confirmation and wait for about ten minutes to get the confirmation from CloudGuard.

• Encryption Issues

  • Make sure that logs/S3 buckets A bucket is a container for objects stored in Amazon S3 (Amazon Simple Storage Service). are not encrypted with a custom CMK (customer master key). If they are encrypted, add kms:Decrypt permissions of the specific key to the CloudGuard role.

  • Make sure that the SNS topic is not encrypted with a CMK. CloudGuard cannot retrieve the logs that are sent to an encrypted SNS topic.

If the problem continues, contact Check Point Support Center.