This article describes connecting AWS GuardDuty to Workbench using the manual setup process. If you would like to use our wizard to assist in the creation of your stack, you can do so in Step 3.

Prerequisites

  • You must have an AWS account with permissions to create and change IAM roles.
  • If you use AWS Organizations, make sure you have your AWS Account ID.
  • If your organization centralizes CloudTrail logs from multiple subsidiaries into a single S3 bucket, make sure you know the AWS Organizational Unit (OU) ID for the subsidiary.
    • This is an optional prerequisite that enables us to filter logs so that only the relevant data is sent to each subsidiary's Workbench instance, preventing data overlap.

If you need help finding any of these values, see this Reference section.

Note

  1. We have an onboarding wizard in Workbench that uses CloudFormation templates to perform the steps in this guide.
  2. If you prefer not to use the wizard, click Connect Manually in Workbench to access the manual form, and follow the instructions below.
  3. If you are using an AWS GuardDuty Delegated Admin account, the following steps only need to be completed in that account. Only one device needs to be added to the Expel Workbench using the Delegated Admin account's primary region.
  4. If you are not using a Delegated Admin account, complete the following steps for each account you want monitored and add one device in Workbench per account.

About Console Permissions in Your Devices

As you connect your devices to Workbench, you provide Workbench access to those devices through permissions in the devices. These permissions vary from one device technology to another, but we typically need at least Read access to your devices to pull in any logs from those devices into Workbench. For more information, see Why Expel Asks for Console Access.

Step 1: Create an AWS IAM Policy

In this step, we create a permissions policy to assign to the IAM Role.

  1. Log into the AWS console and navigate to the IAM service.

  2. Go to Policies and click Create Policy.

  3. Add the following permissions using the JSON tab.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "guardduty:GetFindings",
                    "guardduty:ListDetectors",
                    "ec2:DescribeRegions",
                    "guardduty:ListFindings",
                    "guardduty:GetDetector"
                ],
                "Resource": "*"
            }
        ]
    }
  4. Review and name the policy.

Step 2: Create an IAM Role

Create an IAM role to connect to your AWS GuardDuty Service.

  1. From within the IAM service, navigate to Roles, and click Create Role.

  2. Select Another AWS account and fill out the required fields.

    • Account ID: 012205512454 (the ExpelAWS account ID).

    • External ID: This is your Workbench GUID. To get it, navigate to Organization Settings > My Organization in Workbench. On the organization's page, look for the Organization GUID, select the Copy button to copy the GUID, and paste it into this field.

  3. Attach the IAM policy from Step 1 to the Role.

  4. Give the Role a name and select Create Role.

  5. Navigate to the role you just created and copy the following information for onboarding in Workbench.

    • Role ARN.

    • External ID Value on the Trust relationships tab.

    Important

    If your organization centralizes CloudTrail logs from multiple subsidiaries into a single S3 bucket, you will need to either edit this IAM Role to add two additional permissions for Expel, or create a separate IAM role with those permissions.

    • The two additional permissions are: organizations:ListAccountsForParent and organizations:ListOrganizationalUnitsForParent.
    • If you choose to create a separate IAM Role with these permissions, make sure to save that IAM Role ARN as your AWS OU Role ARN. You will need it when you set up the security device in Workbench.
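The role from Step 2 is only safe to hand to a third party if its trust relationship is limited to the Expel account and requires the External ID, and if its permissions policy grants nothing beyond the read-only actions listed in Step 1 (plus the two organizations actions when OU filtering is used). The following script is an added example, not Expel's code or part of the guide: it audits a role's trust policy and permissions policy offline, so you can paste in the documents shown on the role's Trust relationships and Permissions tabs before adding the device in Workbench. The sample trust policy is a constructed illustration of what the console produces for "Another AWS account" with an External ID; <WORKBENCH-GUID> is a placeholder, not a real Organization GUID.

```python
import json

EXPEL_ACCOUNT_ID = "012205512454"  # Expel AWS account ID from Step 2

# Read-only actions granted by the Step 1 policy.
REQUIRED_ACTIONS = {
    "guardduty:GetFindings",
    "guardduty:ListDetectors",
    "ec2:DescribeRegions",
    "guardduty:ListFindings",
    "guardduty:GetDetector",
}

# Extra actions needed only when CloudTrail logs for several subsidiaries share
# one S3 bucket and the AWS OU ID is used for filtering (Step 2, "Important").
OU_ACTIONS = {
    "organizations:ListAccountsForParent",
    "organizations:ListOrganizationalUnitsForParent",
}

# Constructed sample of the trust policy the console generates for
# "Another AWS account" with an External ID; <WORKBENCH-GUID> is a placeholder.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXPEL_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "<WORKBENCH-GUID>"}},
    }],
})

# The Step 1 permissions policy, as shown in the guide.
SAMPLE_PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_account(principal):
    """Account ID behind an AWS principal string, or None for a wildcard."""
    if principal == "*":
        return None
    if principal.startswith("arn:"):
        return principal.split(":")[4]  # arn:aws:iam::<account>:root
    return principal  # bare account ID form


def audit_trust_policy(trust_policy_json, expected_external_id):
    """Return problems with the trust relationship (empty list if it is as expected)."""
    problems = []
    doc = json.loads(trust_policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        # Only the Expel account may assume this role.
        for p in principals:
            if _principal_account(p) != EXPEL_ACCOUNT_ID:
                problems.append(f"principal {p!r} is not the Expel account")
        # The External ID condition is what ties the role to your Workbench
        # organization; without it any caller of the trusted account could use it.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition")
        elif ext != expected_external_id:
            problems.append("sts:ExternalId does not match the value entered in Workbench")
    return problems


def audit_permissions_policy(policy_json, ou_filtering=False):
    """Return missing or unnecessary actions compared with the guide's policy."""
    doc = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    expected = REQUIRED_ACTIONS | (OU_ACTIONS if ou_filtering else set())
    problems = [f"missing action {a}" for a in sorted(expected - granted)]
    # Anything else (including wildcards such as "guardduty:*") exceeds least privilege.
    problems += [f"action {a} is not needed by this integration" for a in sorted(granted - expected)]
    return problems


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY, "<WORKBENCH-GUID>"))
    print(audit_permissions_policy(SAMPLE_PERMISSIONS_POLICY, ou_filtering=True))
```

Replace the two sample documents with the JSON copied from your role, and pass the Organization GUID you pasted into the External ID field as the second argument; an empty list from both functions means the role matches what this guide describes. If you added the two organizations actions to the same role rather than creating a separate AWS OU role, run the permissions audit with ou_filtering=True.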

Step 3: Onboard AWS GuardDuty in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench. Before you begin, make sure you have your IAM Role ARN and Role Session Name. If you use AWS Organizations, you will also need your AWS Account ID as well as the subsidiary's AWS Organizational Unit (OU) ID (the OU ID is only necessary if you use a single S3 bucket for multiple subsidiaries). If you need additional help finding any of these values, see this Reference for detailed instructions.

Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=aws_guardduty.

  2. The Add Security Device page for AWS GuardDuty appears. Do one of the following:

    • Select Connect Manually >> to add your AWS GuardDuty installation to Workbench, then continue with these instructions.

    • Use the wizard to create your stack, and follow all instructions presented.
  3. Complete the following information:

    • Name - enter the host name of the AWS GuardDuty device.

    • Location - enter the geographic location of the appliance.

    • Role ARN - enter the Role ARN from Step 2.

    • Role session name - enter a unique name to identify the role.

    • AWS Region - enter the region of the primary AWS GuardDuty account. For example, us-east-1.

    • AWS OU ID - if you use AWS Organizations to centralize CloudTrail logs from multiple subsidiaries into a single S3 bucket, enter the AWS OU ID for the relevant subsidiary (format: ou-abc1-defghi2j); otherwise, leave this field blank. This field tells our system to filter the logs based on that ID, ensuring that each subsidiary's Workbench instance only ingests and analyzes the logs relevant to its own accounts, which helps prevent any overlap of data.
    • AWS OU Role ARN - if you entered an AWS OU ID, you will also need to enter the IAM Role ARN that contains the appropriate permissions. If you chose to add these permissions to your existing IAM Role, enter the IAM Role ARN again here. If you chose to create a new IAM Role with those permissions, enter your AWS OU Role ARN. Otherwise, leave this field blank.
  4. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.