This article describes how to connect AWS GuardDuty to Expel Workbench.
Note
You need an AWS account with permissions to create and change IAM roles and policies.
- Workbench has an onboarding wizard that uses CloudFormation templates to perform all of the following steps for you.
- If you prefer not to use the wizard, click Connect Manually to open the manual form and follow the instructions below.
- If you use a GuardDuty Delegated Administrator account, complete the following steps only in that account and add a single device to Workbench using the Delegated Administrator account's primary region. If you do not use a Delegated Administrator account, complete the following steps in each account you want monitored and add one device in Workbench per account.
Step 1: Create an AWS IAM policy
In this step, you create the permissions policy that will be attached to the IAM role in Step 2. Every action in it is read-only: Expel needs to list and read GuardDuty detectors and findings and to enumerate regions, nothing more, so do not add write permissions.
- Log in to the AWS console and navigate to the IAM service.
- Go to Policies and click Create Policy.
- On the JSON tab, enter the following policy document.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "guardduty:GetFindings",
        "guardduty:ListDetectors",
        "ec2:DescribeRegions",
        "guardduty:ListFindings",
        "guardduty:GetDetector"
      ],
      "Resource": "*"
    }
  ]
}
- Review the policy, give it a name and create it.
Step 2: Create an IAM role
Create the IAM role that Expel assumes to read from your AWS GuardDuty service.
- From within the IAM service, navigate to Roles and click Create Role.
- Select Another AWS account and fill out the required fields:
  - Account ID: 012205512454 (the Expel AWS account ID).
  - External ID: select Require external ID and enter the External ID provided to you by Expel. The external ID is what ensures that only requests Expel makes on your behalf can assume this role (the confused deputy protection), so use exactly the value Expel gave you.
- Attach the IAM policy from Step 1 to the role.
- Give the role a name and click Create Role.
- Open the role you just created and copy the following values for onboarding in Workbench:
  - The Role ARN.
  - The External ID value, shown on the Trust relationships tab.
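Before leaving IAM it is worth checking that the two documents from Step 1 and Step 2 have the properties that make this cross-account delegation safe. The script below is an added example written for this page, not Expel's code and not part of the onboarding wizard. It embeds the Step 1 permissions policy verbatim, the trust policy the IAM console generates for Step 2 when you select Another AWS account and Require external ID (with the placeholder `EXAMPLE-EXTERNAL-ID` standing in for the value Expel gives you), and, for contrast, the same trust policy with the external ID left out. The two check functions are hypothetical helpers that lint those documents: allowed actions must be read-only GuardDuty and EC2 calls with no wildcards, and every sts:AssumeRole grant must be limited to the Expel account and carry an sts:ExternalId condition.

```python
"""Lint the IAM documents behind the Expel GuardDuty role (added example).

Not part of the Expel article or product. Encodes the Step 1 permissions
policy and the trust policy the IAM console generates in Step 2, then checks
both for the properties that matter: read-only actions only, trust limited to
Expel's account, and an sts:ExternalId condition (the confused-deputy guard).
"""
import json

EXPEL_ACCOUNT_ID = "012205512454"      # from the article
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"    # placeholder: use the value Expel gives you

# Step 1 permissions policy, exactly as in the article.
PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["guardduty:GetFindings", "guardduty:ListDetectors",
               "ec2:DescribeRegions", "guardduty:ListFindings",
               "guardduty:GetDetector"],
    "Resource": "*"
  }]
}""")

# Trust policy the console produces for "Another AWS account" + "Require external ID".
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXPEL_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Same trust policy with "Require external ID" left unticked (the mistake to catch).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXPEL_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

READ_ONLY_PREFIXES = ("Get", "List", "Describe")
EXPECTED_SERVICES = {"guardduty", "ec2"}


def _as_list(value):
    """IAM allows scalars or lists in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_permissions_policy(policy):
    """Return problems found in a permissions policy; an empty list means every
    allowed action is a read-only GuardDuty/EC2 call with no wildcards."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            if "*" in action:
                problems.append(f"wildcard action {action!r}")
            elif service not in EXPECTED_SERVICES:
                problems.append(f"unexpected service in {action!r}")
            elif not verb.startswith(READ_ONLY_PREFIXES):
                problems.append(f"non-read-only action {action!r}")
    return problems


def check_trust_policy(policy, expected_account=EXPEL_ACCOUNT_ID):
    """Return problems found in a role trust policy; an empty list means every
    sts:AssumeRole grant is limited to expected_account and requires an external ID."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            problems.append("trusts any principal")
        else:
            for arn in _as_list(principal.get("AWS", [])):
                if arn == "*":
                    problems.append("trusts any AWS principal")
                elif expected_account not in arn:
                    problems.append(f"trusts a principal outside account {expected_account}: {arn}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
    return problems


if __name__ == "__main__":
    for label, result in [
        ("permissions policy", check_permissions_policy(PERMISSIONS_POLICY)),
        ("trust policy", check_trust_policy(TRUST_POLICY)),
        ("trust policy without external ID", check_trust_policy(WEAK_TRUST_POLICY)),
    ]:
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

To check your real role, paste the JSON from its Trust relationships tab in place of TRUST_POLICY and the policy JSON from Step 1 in place of PERMISSIONS_POLICY. A non-empty result from check_trust_policy means Require external ID was not ticked or the account ID was mistyped; fix the role before onboarding it in Workbench.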
Step 3: Onboard AWS GuardDuty in Workbench
Note
Expel stores all login information our SOC analysts need for your devices in a password manager protected by MFA; access to that information is controlled by our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
- In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=aws_guardduty.
- The Add Security Device page for AWS GuardDuty appears. Use the wizard, or click Connect Manually to add your AWS GuardDuty integration to Workbench manually.
- Complete the following fields:
  - Name: a name that identifies this AWS GuardDuty device in Workbench.
  - Location: the geographic location of the device.
  - Role ARN: the Role ARN from Step 2.
  - Role session name: a unique name for Expel's sessions on the role. This value appears as the role session name in your CloudTrail AssumeRole events, so choose something you will recognise when reviewing those logs.
  - External ID: the External ID from Step 2, if it is not already populated for you.
  - Region: the primary region of the GuardDuty account (the Delegated Administrator account's primary region if you use one), for example us-east-1.