AWS
Last updated: 08/2024
Cisco Identity Intelligence can connect directly to AWS environments that use AWS IAM Identity Center and collect data regarding user accounts, activity, and more.
There is currently an issue with the AWS API where user accounts that are disabled in AWS will have their account status returned as active, even though they show as disabled in the AWS IAM console.
Currently, CII shows all AWS accounts as unknown due to this issue.
This integration requires the following:
AWS IAM Identity Center is the replacement for the former AWS Single Sign-on (SSO) functionality (see article). The use of AWS IAM Identity Center is a hard requirement for this integration. User data will not be collected without it.
IAM Identity Center is configured for your AWS enterprise account at a parent level (organization), with child AWS accounts managed by that IAM Identity Center instance (example shown below).
If IAM Identity Center is configured separately or discretely with individual AWS account instances, then you will need to set up a CII AWS integration for each account.
Note - there are many methods for creating accounts and granting access with AWS IAM. If you have questions or suggestions, please speak with your Oort technical representative.
Navigate to the AWS IAM service in the parent AWS account, where SSO is configured.
Click Create user and then create an Oort integration user object.
Within the Permissions section, create an inline policy type and insert or paste the following JSON into it:
Within the User object page, click the Security Credentials tab
Click Create access key
Select Command Line Interface (CLI) and click the Confirmation box at the bottom of the page
Leave the Set description tag value blank and click Create access key
Copy the Access key name and the Secret for use in the Oort console
Within the Integrations tab, click Add Integration and click AWS
Enter a display name for the integration
Enter the AWS region where the IAM service account was created, in us-east-2 format
Enter the Access Key ID
Enter the Access Key secret
Click Save
Once saved, on the Integrations page, you can click the 3-dot menu on the right side for your AWS integration and click Test Connectivity.
If successful with a "Connected" message in the lower left of the screen, you can click the 3-dot menu again and select Collect Now to begin collection.
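The following script is an added example, not part of the Cisco/Oort documentation: it checks the three values the console form asks for (region in us-east-2 format, access key ID, secret) before they are pasted in, and then mirrors Test Connectivity from the command line by confirming the key works and that an IAM Identity Center instance is visible in that region. It assumes the AWS CLI is installed and that the inline policy attached to the integration user allows the read-only calls used here (sts:GetCallerIdentity, sso:ListInstances, identitystore:ListUsers); those permission names are an assumption, since the page does not show the policy JSON.

```shell
#!/bin/sh
# Added pre-check for the CII AWS integration inputs (not the vendor's code).
# Assumption: the integration user's inline policy permits the read-only
# calls below; the exact permission names are not taken from the page.

# Region must match the "us-east-2" style the console expects.
valid_region() {
  printf '%s' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]$'
}

# Long-term IAM user access key IDs are 20 characters and start with AKIA.
valid_access_key_id() {
  printf '%s' "$1" | grep -Eq '^AKIA[A-Z0-9]{16}$'
}

# Validate region, access key ID and secret before entering them in CII.
# Returns 0 when all three are well-formed, 1 otherwise.
check_inputs() {
  region=$1; key_id=$2; secret=$3
  valid_region "$region" || { echo "bad region format: $region" >&2; return 1; }
  valid_access_key_id "$key_id" || { echo "bad access key id" >&2; return 1; }
  # Secret access keys are 40 characters long.
  [ "${#secret}" -eq 40 ] || { echo "secret should be 40 characters" >&2; return 1; }
  return 0
}

# Command-line equivalent of Test Connectivity: confirm the key is accepted
# and that an IAM Identity Center instance exists in the chosen region.
probe_identity_center() {
  region=$1
  aws sts get-caller-identity --region "$region" --query Arn --output text || return 1
  store_id=$(aws sso-admin list-instances --region "$region" \
               --query 'Instances[0].IdentityStoreId' --output text) || return 1
  [ -n "$store_id" ] && [ "$store_id" != "None" ] || {
    echo "no IAM Identity Center instance found in $region" >&2; return 1; }
  # List a few users from the identity store: this only proves collection
  # is possible; account status is the field affected by the AWS API issue.
  aws identitystore list-users --region "$region" \
      --identity-store-id "$store_id" --max-results 5 \
      --query 'Users[].UserName' --output text
}

# Usage: AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=... sh cii_aws_check.sh us-east-2
if [ -n "${1:-}" ]; then
  check_inputs "$1" "${AWS_ACCESS_KEY_ID:-}" "${AWS_SECRET_ACCESS_KEY:-}" \
    && probe_identity_center "$1"
fi
```

The sample credentials in the test below are AWS's published placeholder values, not real keys.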