Tip
This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!
Note
You need an AWS account with permissions to create and change IAM roles.
- We have an onboarding wizard that uses CloudFormation templates to perform all of the following steps in Workbench.
- If you prefer not to use the wizard, click Connect Manually to access the manual form and follow the instructions below.
- If you are using an AWS GuardDuty Delegated Admin account, the following steps only need to be completed in that account. Only one device needs to be added to the Expel Workbench, using the Delegated Admin account's primary region. If you are not using a Delegated Admin account, complete the following steps for each account you want monitored and add one device in Workbench per account.
Step 1: Create an AWS IAM policy
In this step, we create a permissions policy to assign to the IAM Role.
- Log into the AWS console and navigate to the IAM service.
- Go to Policies and click Create Policy.
- Add the following permissions using the JSON tab.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "guardduty:GetFindings",
            "guardduty:ListDetectors",
            "ec2:DescribeRegions",
            "guardduty:ListFindings",
            "guardduty:GetDetector"
          ],
          "Resource": "*"
        }
      ]
    }

- Review and name the policy.
Step 2: Create an IAM role
Create an IAM role to connect to your AWS GuardDuty Service.
- From within the IAM service, navigate to Roles and click Create Role.
- Select Another AWS account and fill out the required fields.
  - Account ID: 012205512454 (the Expel AWS account ID).
  - External ID: Provided to you by Expel.
- Attach the IAM policy from Step 1 to the Role.
- Give the Role a name and click Create Role.
- Navigate to the role you just created and copy the following information for onboarding in Workbench.
  - Role ARN.
  - External ID value on the Trust relationships tab.
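The console steps in Step 1 and Step 2 produce two documents: the read-only permissions policy, and a trust policy that lets only the Expel account (012205512454) assume the role and only when it presents the External ID. The script below is an added example, not Expel's own code: it builds both documents and checks them the way a reviewer would before attaching them, flagging a wildcard principal, a missing or mismatched sts:ExternalId condition, and any action that is not a Get/List/Describe call. The External ID value is a constructed placeholder; the real one comes from Expel.

```python
import json

# Expel AWS account ID as given on the onboarding page
EXPEL_ACCOUNT_ID = "012205512454"
# Placeholder only: the real External ID is issued by Expel
EXAMPLE_EXTERNAL_ID = "example-external-id-replace-me"

# The read-only actions listed in Step 1
GUARDDUTY_ACTIONS = [
    "guardduty:GetFindings",
    "guardduty:ListDetectors",
    "ec2:DescribeRegions",
    "guardduty:ListFindings",
    "guardduty:GetDetector",
]


def build_permissions_policy() -> dict:
    """Step 1 policy as a dict; json.dumps(..., indent=2) gives the console JSON."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": GUARDDUTY_ACTIONS,
                "Resource": "*",
            }
        ],
    }


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy the console writes for 'Another AWS account' plus an External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    # IAM allows a single string where a list is also accepted
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict, trusted_account_id: str, external_id: str) -> list:
    """Return problems found in every statement that allows sts:AssumeRole; [] means OK."""
    problems = []
    expected_principal = f"arn:aws:iam::{trusted_account_id}:root"
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            problems.append(f"statement {i}: principal is a wildcard")
        else:
            for p in aws_principals:
                if p not in (expected_principal, trusted_account_id):
                    problems.append(f"statement {i}: unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond is None:
            problems.append(f"statement {i}: no sts:ExternalId condition")
        elif cond != external_id:
            problems.append(f"statement {i}: sts:ExternalId does not match")
    return problems


def check_permissions_policy(doc: dict) -> list:
    """Flag any allowed action whose verb is not a read-only Get/List/Describe call."""
    problems = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if not verb.startswith(("Get", "List", "Describe")):
                problems.append(f"statement {i}: {action} is not read-only")
    return problems


if __name__ == "__main__":
    trust = build_trust_policy(EXPEL_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID)
    print(json.dumps(build_permissions_policy(), indent=2))
    print(json.dumps(trust, indent=2))
    print("trust policy problems:", check_trust_policy(trust, EXPEL_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID))
    print("permissions problems:", check_permissions_policy(build_permissions_policy()))
```

Run it to print both documents ready to paste into the JSON tab; the two check functions return empty lists for the documents as built, and you can paste an existing role's trust policy into check_trust_policy to confirm it still names only the Expel account and still requires the External ID.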
Step 3: Onboard AWS GuardDuty in Workbench
- In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=aws_guardduty.
- The Add Security Device page for AWS GuardDuty appears. Use the wizard, or click Connect Manually to add your AWS GuardDuty installation to Workbench manually. The manual connection screen looks like this:
- Complete the following information:
  - Name: type the host name of the AWS GuardDuty device.
  - Location: type the geographic location of the appliance.
  - Role ARN: type the Role ARN from Step 2.
  - External ID: type the External ID from Step 2.
  - Role session name: use a unique name to identify the role.
  - Authentication type: type STSASSUMEROLE.
  - Region: type the region of the primary AWS GuardDuty account, for example us-east-1.
  - Other fields can be left blank.