Onboarding AWS Environments to Intelligence with API

You can onboard one or more AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. environments to Intelligence with the CloudGuard REST APIClosed Also known as RESTful API - an application programming interface (API or web API) that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services.. For onboarding an AWS environment with the CloudGuard portal, see Onboarding AWS Environments to Intelligence.

Prerequisites

Before onboarding your AWS environments with API, make sure that you have prepared:

Your AWS account requires an SNS topic that is ready to receive notifications from the logs bucket. The topic must have a policy that allows SNS:Publish on the logs bucket resource.

To create an SNS Topic:

  1. Open the Amazon SNS console and navigate to Topics.

  2. Click Create topic.

  3. In the Create topic section, enter a name and description for the topic.

  4. In the Access policy section, set who can publish and subscribe to the topic to Everyone.

    Best Practice - Check Point recommends to limit the publishing and subscription policy when the onboarding is done.

    For more information on SNS Access Policy, see AWS documentation.

  5. Click Create topic.

You can connect an SNS topic and an S3 bucket with an event notification. The notification has to include the event type Put in the Object creation events (s3:ObjectCreated:Put).

Make sure the prefix filter of the notification is sufficient and includes all desired logs.

To attach the SNS topic to the S3 bucket with the event notification:

  1. In the AWS Console, navigate to Amazon S3 > Buckets.

  2. In the buckets list, open the applicable bucket and go to the Properties tab.

  3. Scroll to the Event notifications section and click Create event notification.

  4. Below General configurations, enter the details of your setup,, and for Event types select Object creation - Put.

    Note - AWS does not allow overlapping prefixes for the same event type.

  5. For Destination, select the SNS topic and specify it by selection or with an ARN.

  6. Click Save changes.

Add the permissions below to the CloudGuard trust role that you created during onboarding.

  1. To recover the trust role ARN, open the environment page, click Edit Credentials and copy the Role ARN value.

  2. Add these permissions:

Request

POST /v2/view/magellan/magellan-custom-onboarding

Copy 
{
"bucketName": " intelligence-onboarding-*****-*****-******* ",
"bucketAccountId": "5******************9",
"topicArn": " arn:aws:sns:us-east-1:5************9:********",
"cloudAccountIds": [  ],
"onboardingType": "Cloudtrail"
}

For API documentation and code examples, see API Reference.

Authorization

Basic Authorization: Use the API key and secret as username and password.

Parameters

  • bucketName - Name of the S3 bucket that stores the Flow Logs or CloudTrail logs

  • bucketAccountIdAWS account ID that contains the S3 bucket (must be onboarded to CloudGuard)

  • topicArn – ARN of the SNS topic that receives event notifications from the S3 bucket

  • cloudAccountIds – For a centralized S3 bucket, the cloud account IDs of the other AWS accounts that send log files to the centralized S3 bucket.

  • onboardingTypeCloudTrail or Flow Logs for Account Activity or Traffic Activity

Response

200 – OK

Onboarding Verification

When done, make sure that:

  • The subscription is added to the SNS topic.

  • The new logs of the onboarded AWS account start to appear in the CloudGuard portal in Events > Account Activity or Network Traffic. This can take less than 30 minutes.