Onboarding AWS Environments to Intelligence

Your AWS environment has to be onboarded to CloudGuard before you can onboard it to Intelligence. If your account is not yet onboarded, follow instructions in Onboarding an AWS Environment.

Intelligence ingests VPC Flow Logs and CloudTrail logs from your AWS account. Both log types must already be delivered to an Amazon S3 bucket.

In the onboarding process below, you add an IAM policy to your AWS environment.

Some steps of the onboarding process are performed in the AWS console and others in the CloudGuard portal; together they connect the logs of the selected AWS accounts to Intelligence.

Note - You must onboard Flow Logs and CloudTrail separately for each account.

Define the Onboarding Mode

Before you start to onboard your environments to Intelligence, consider which onboarding mode best fits your needs. If you are not sure, select Standard Onboarding.

Standard Onboarding

This mode connects a single AWS environment whose logs are delivered to one or more S3 buckets located in that same environment, using the default AWS configuration. In each bucket, CloudTrail or Flow Logs must be written to the AWS default destination (prefix).

The IAM policy that you add to your AWS environment grants CloudGuard permission to create an S3 Event Notification on the bucket (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html). CloudGuard uses this notification to receive VPC Flow Logs and CloudTrail logs. Repeat these steps for each account that you onboard to Intelligence; once the permissions are granted for an account, they cover all VPCs and CloudTrail logs in that account.

Standard Onboarding includes these steps:

  • Prerequisites - Make sure you have all required components before you start.

  • Log Destination - Select the log destination: the name of the S3 bucket to which CloudTrail or Flow Logs deliver the logs.

  • IAM Policy - Prepare the IAM policy for CloudGuard Intelligence.

  • Summary - Review the components to onboard to Intelligence.

Custom Onboarding

During the Custom Onboarding process, CloudGuard receives permissions to subscribe to an SNS topic and to retrieve logs from the S3 bucket that publishes its event notifications to that topic. This mode usually applies to three main use cases:

  • You have multiple environments that send logs to a single (centralized) S3 bucket. The AWS environment that has the centralized S3 bucket and includes logs from all other connected accounts is your Root Account.

    During the onboarding process, you can select to onboard several accounts that send logs to the centralized bucket. If you want to onboard one of the accounts later on, start the onboarding wizard from the Root Account's page and not from the page of the account to onboard.

  • You use a non-default prefix to organize data in the S3 bucket that holds your logs.

  • You also need to send your logs to a third-party destination, for example, a SIEM. S3 does not allow two event notifications with overlapping prefixes for the same event type, so a given prefix can deliver directly to only one destination. Sending the notifications to an SNS topic instead lets you fan them out to several subscribers.

Custom Onboarding includes these steps:

  • Prerequisites - Make sure you have all required components before you start.

  • Configuration - Configure an SNS topic: use an existing topic, or create a new one, and attach it to the S3 bucket as the bucket's event notification destination. Only one SNS topic per bucket is allowed.

  • Buckets - Select the centralized bucket that holds your logs and sends events to the SNS topic.

  • Accounts - Select cloud accounts whose logs you want to onboard to Intelligence.

    Note - You can have several Connected accounts that send their logs to the centralized S3 bucket of the Root Account. On the Accounts page, you can select only those accounts that are relevant for onboarding to Intelligence.

  • IAM Policy - Prepare the IAM policy for CloudGuard Intelligence.

  • Summary - Review the components to onboard to Intelligence.

Known Limitations

  • The centralized S3 bucket cannot send events to two SNS topics. One S3 bucket = one SNS topic.

  • You cannot onboard an account to Intelligence if the SNS topic is encrypted (server-side encryption with a KMS key).

For these and other CloudGuard limitations, see Known Limitations.
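A pre-flight check for the mode decision and the Known Limitations above, added here as an example; it is not CloudGuard's code. It assumes that the default CloudTrail and Flow Logs key layout, AWSLogs/<account-id>/CloudTrail/ and AWSLogs/<account-id>/vpcflowlogs/, is what the text calls the AWS default destination prefix, takes the JSON returned by aws s3api get-bucket-notification-configuration and aws sns get-topic-attributes (the sample inputs below are constructed), and also builds the SNS topic access policy for the Configuration step of Custom Onboarding. The function names and the source_accounts parameter are my own.

```python
"""Pre-flight checks for onboarding an S3 log bucket to Intelligence.

Input is the JSON from `aws s3api get-bucket-notification-configuration` and
`aws sns get-topic-attributes`; output is the fitting onboarding mode plus any
Known Limitation (one topic per bucket, no encrypted topic) that blocks it.
"""
import re
from typing import Optional

# Key layout CloudTrail / VPC Flow Logs use when delivering to S3 without an
# extra log-file prefix; assumed here to be the "AWS default destination".
DEFAULT_PREFIX_RE = re.compile(r"^AWSLogs/\d{12}/(CloudTrail|vpcflowlogs)/")

# Constructed sample inputs, not real account data.
SAMPLE_NOTIFICATION_CFG = {"TopicConfigurations": [{
    "Id": "cloudtrail-to-siem",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudtrail-events",
    "Events": ["s3:ObjectCreated:*"],
    "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "AWSLogs/"}]}},
}]}
SAMPLE_TOPIC_ATTRS = {"Attributes": {
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudtrail-events",
    "KmsMasterKeyId": "alias/aws/sns",  # only present when SSE is enabled
}}


def is_default_prefix(key_prefix: str) -> bool:
    """True when logs land where CloudTrail / Flow Logs write by default."""
    return bool(DEFAULT_PREFIX_RE.match(key_prefix))


def _prefix_of(cfg: dict) -> str:
    """Prefix filter of one notification entry ('' means the whole bucket)."""
    for rule in cfg.get("Filter", {}).get("Key", {}).get("FilterRules", []):
        if rule.get("Name", "").lower() == "prefix":
            return rule.get("Value", "")
    return ""


def check_bucket(notification_cfg: dict, log_prefix: str) -> list:
    """Findings about the bucket's existing event notification setup."""
    findings = []
    topics = {c["TopicArn"] for c in notification_cfg.get("TopicConfigurations", [])}
    if len(topics) > 1:
        findings.append(f"bucket notifies {len(topics)} SNS topics; only one topic per bucket is supported")
    for kind in ("TopicConfigurations", "QueueConfigurations", "LambdaFunctionConfigurations"):
        for cfg in notification_cfg.get(kind, []):
            pfx = _prefix_of(cfg)
            # S3 rejects a second ObjectCreated notification whose prefix overlaps
            # (one prefix is a leading substring of the other), so Standard
            # onboarding cannot add its own notification on this prefix.
            if (any(e.startswith("s3:ObjectCreated") for e in cfg.get("Events", []))
                    and (pfx.startswith(log_prefix) or log_prefix.startswith(pfx))):
                findings.append(f"{kind} entry {cfg.get('Id', '?')} on prefix {pfx!r} overlaps {log_prefix!r}")
    return findings


def check_topic(topic_attrs: dict) -> list:
    """Findings about the SNS topic CloudGuard would subscribe to."""
    attrs = topic_attrs.get("Attributes", topic_attrs)
    if attrs.get("KmsMasterKeyId"):
        return [f"SNS topic {attrs.get('TopicArn')} is encrypted with {attrs['KmsMasterKeyId']}; "
                "Intelligence cannot onboard through an encrypted topic"]
    return []


def recommend_mode(notification_cfg: dict, log_prefix: str,
                   topic_attrs: Optional[dict] = None, source_accounts: int = 1) -> dict:
    """Pick Standard or Custom onboarding and list what blocks it outright."""
    reasons = []
    if source_accounts > 1:
        reasons.append("several accounts deliver to one centralized bucket")
    if not is_default_prefix(log_prefix):
        reasons.append(f"non-default log prefix {log_prefix!r}")
    bucket_findings = check_bucket(notification_cfg, log_prefix)
    if any("overlaps" in f for f in bucket_findings):
        reasons.append("the log prefix already has an event notification consumer")
    blockers = [f for f in bucket_findings if "only one topic" in f]
    if topic_attrs is not None:
        blockers += check_topic(topic_attrs)
    return {"mode": "custom" if reasons else "standard", "reasons": reasons, "blockers": blockers}


def s3_publish_topic_policy(topic_arn: str, bucket_arn: str, bucket_account: str) -> dict:
    """SNS access policy letting exactly one bucket publish to the topic.

    The SourceArn / SourceAccount conditions keep any other bucket or account
    from injecting fabricated "log" events into the feed Intelligence reads.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowS3BucketToPublish",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
        "Condition": {"ArnLike": {"aws:SourceArn": bucket_arn},
                      "StringEquals": {"aws:SourceAccount": bucket_account}},
    }]}
```

Run recommend_mode(SAMPLE_NOTIFICATION_CFG, "AWSLogs/123456789012/CloudTrail/", SAMPLE_TOPIC_ATTRS) and it returns mode "custom" (the prefix already has a consumer) with one blocker, the encrypted topic, which you must disable on the topic before the wizard can succeed. The topic policy deliberately scopes the s3.amazonaws.com principal to one bucket ARN and one owning account rather than allowing any S3 bucket to publish.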

Onboard to Account Activity with CloudTrail

Follow these steps in CloudGuard to enable Account Activity with CloudTrail:

  1. In CloudGuard, click the Assets menu and make sure the Environments page opens.

  2. In the list of AWS environments, find the environment that you want to onboard to Intelligence. For Custom Onboarding, this environment must be your Root Account.

  3. In the environment's row, in the Account activity column, click Enable Account Activity to start the Intelligence onboarding wizard.

    Alternatively, open the environment page and, on the top right menu, click + Add Intelligence and select CloudTrail.

  4. Follow the onscreen instructions to complete the wizard.

Onboard to Traffic Activity with Flow Logs

Follow these steps in CloudGuard to enable Traffic Activity with Flow Logs:

  1. In CloudGuard, click the Assets menu and make sure the Environments page opens.

  2. In the list of AWS environments, find the environment that you want to onboard to Intelligence. For Custom Onboarding, this environment must be your Root Account.

  3. In the environment's row, in the Traffic activity column, click Enable Traffic Activity to start the Intelligence onboarding wizard.

    Alternatively, open the environment page and, on the top right menu, click + Add Intelligence and select Flow Logs.

  4. Follow the onscreen instructions to complete the wizard.

Troubleshoot Intelligence Onboarding

The most common issue with Intelligence onboarding is that, after you complete all the steps of the onboarding wizard, no logs appear in the CloudGuard portal.

Possible causes:

If no logs appear after you have checked these causes, contact support.