AWS Access Key IAM Permissions and IAM Policies
To monitor AWS resources in FortiSIEM, an access key and its corresponding secret access key are needed. Before AWS IAM users were available, the recommendation was to create an access key at the level of the root AWS account. This practice has been deprecated since IAM users became available, as described in the AWS Security Credentials best practice guide. If you are monitoring AWS using root account access keys, the first step is to delete those keys and create new keys for a standalone IAM user dedicated to FortiSIEM monitoring. This document explains how to create such a user, and which permissions and policies to attach so that FortiSIEM can monitor your AWS environment.
Create IAM User for FortiSIEM Monitoring
- Log in to the IAM Console and open the Users tab.
- Click Create Users.
- Type a username (e.g. aomonitoring) under Enter User Names.
- Make sure the checkbox Generate an access key for each user is selected.
- Click Download Credentials, then click Close.
- The downloaded CSV file contains the Access Key ID and Secret Access Key that you will use in FortiSIEM to monitor the various AWS services. You must attach permissions to the user before these keys will work in FortiSIEM.
Change Permissions for IAM User
- Select the IAM user you created for monitoring.
- Switch to the Permissions tab.
- Click Attach Policy.
- Select AmazonEC2ReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AmazonRDSReadOnlyAccess, CloudWatchReadOnlyAccess, AmazonSQSFullAccess and click Attach Policy. You can skip a policy if you do not use the corresponding service or do not plan to monitor it. For instance, if you do not use RDS, you do not need to attach AmazonRDSReadOnlyAccess.
- You can choose to provide blanket read-only access to all S3 buckets by attaching the policy AmazonS3ReadOnlyAccess. Alternatively, you can specify a more restricted policy as described in the next step.
- Identify the S3 bucket(s) you have configured to store CloudTrail logs for each region. Create an inline policy, choose Custom Policy, and paste the sample policy below. Make sure you replace the sample bucket names aocloudtrail1 and aocloudtrail2 with the ones you have configured.
S3 Bucket Read-only Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::aocloudtrail1",
        "arn:aws:s3:::aocloudtrail1/*",
        "arn:aws:s3:::aocloudtrail2",
        "arn:aws:s3:::aocloudtrail2/*"
      ]
    }
  ]
}
```

The bucket ARNs cover bucket-level actions such as s3:ListBucket, and the bucket/* entries cover s3:GetObject on the log objects themselves. Without the object entries, FortiSIEM can list the bucket but cannot download the CloudTrail log files stored in it.
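The following Python script is an added example, not FortiSIEM's or AWS's own code. It generates the managed-policy ARNs for the services you choose to monitor (the policy names are the ones listed above; the arn:aws:iam::aws:policy/ prefix is where AWS managed policies live), builds the S3 read-only inline policy from your bucket names, and runs a minimal policy evaluator over it to confirm that the monitoring user can list the bucket and read log objects but cannot write to them. The bucket names, the sample object key and the evaluator itself are constructed for illustration; the evaluator implements only Allow/Deny with Action and Resource wildcards, not conditions or NotAction.

```python
"""Build and sanity-check the IAM policy material FortiSIEM monitoring needs.

Added example (not FortiSIEM's or AWS's code). Bucket names and the sample
object key are constructed; the managed policy names come from the page.
"""
import fnmatch
import json

# Managed policies named on the page, keyed by the service they cover.
MANAGED_POLICIES = {
    "ec2": "AmazonEC2ReadOnlyAccess",
    "cloudtrail": "AWSCloudTrailReadOnlyAccess",
    "rds": "AmazonRDSReadOnlyAccess",
    "cloudwatch": "CloudWatchReadOnlyAccess",
    "sqs": "AmazonSQSFullAccess",
}


def managed_policy_arns(services):
    """Return the managed-policy ARNs to attach for the services you monitor.
    An unknown service name raises so a typo cannot silently drop a policy."""
    unknown = set(services) - MANAGED_POLICIES.keys()
    if unknown:
        raise ValueError(f"no managed policy known for: {sorted(unknown)}")
    return [f"arn:aws:iam::aws:policy/{MANAGED_POLICIES[s]}" for s in services]


def s3_readonly_policy(bucket_names):
    """Inline policy granting read-only access to the given CloudTrail buckets.

    Both the bucket ARN (matched by s3:ListBucket) and the bucket/* pattern
    (matched by s3:GetObject, which is evaluated against the object ARN) are
    listed; a bucket-only Resource would not cover reading the log files."""
    resources = []
    for name in bucket_names:
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": resources}
        ],
    }


def policy_allows(policy, action, resource):
    """Minimal identity-policy evaluator: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied.
    IAM's * and ? wildcards map onto fnmatch; note fnmatch lets * span '/',
    which is exactly how IAM treats bucket/* resource patterns."""
    def matches(patterns, value):
        if isinstance(patterns, str):
            patterns = [patterns]
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)

    decision = False
    for stmt in policy["Statement"]:
        if matches(stmt["Action"], action) and matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def check_cloudtrail_read_access(policy, bucket):
    """The checks to run before wiring the key into FortiSIEM: list the
    bucket, read a log object, and confirm no write access is granted."""
    # Constructed object key in the layout CloudTrail uses for its log files.
    log_object = f"arn:aws:s3:::{bucket}/AWSLogs/123456789012/CloudTrail/example.json.gz"
    return {
        "list_bucket": policy_allows(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "get_object": policy_allows(policy, "s3:GetObject", log_object),
        "put_object": policy_allows(policy, "s3:PutObject", log_object),
    }


if __name__ == "__main__":
    print("Managed policies to attach:")
    for arn in managed_policy_arns(["ec2", "cloudtrail", "cloudwatch", "sqs"]):
        print("  ", arn)

    policy = s3_readonly_policy(["aocloudtrail1", "aocloudtrail2"])  # constructed names
    print("Inline S3 policy to paste:")
    print(json.dumps(policy, indent=2))
    print("Access checks:", check_cloudtrail_read_access(policy, "aocloudtrail1"))

    # Contrast: a policy that lists only the bucket ARN lets the user list the
    # bucket but not fetch the CloudTrail log objects.
    bucket_only = s3_readonly_policy([])
    bucket_only["Statement"][0]["Resource"] = ["arn:aws:s3:::aocloudtrail1"]
    print("Bucket-only policy checks:", check_cloudtrail_read_access(bucket_only, "aocloudtrail1"))
```

Running the script prints the policy document to paste into the inline policy editor together with the access-check results; the second set of results shows why the bucket/* entries matter. The evaluator is deliberately small and is no substitute for the IAM policy simulator, but it catches the most common mistake in this policy before the key is ever handed to FortiSIEM.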