Security analytics plugin - added more details for S3 connection setup #8374

Merged
Changes from 5 commits
44 changes: 41 additions & 3 deletions _security-analytics/threat-intelligence/getting-started.md
@@ -50,15 +50,53 @@

When using the `S3_SOURCE` as a remote store, the following connection information must be provided:

- **IAM Role ARN**: The Amazon Resource Name (ARN) for an AWS Identity and Access Management (IAM) role.
- **S3 bucket directory**: The name of the Amazon Simple Storage Service (Amazon S3) bucket in which the `STIX2` file is stored.
- **Specify a directory or file**: The object key or directory path for the `STIX2` file in the S3 bucket.
- **IAM Role ARN**: The Amazon Resource Name (ARN) for an AWS Identity and Access Management (IAM) role. Please note that, when using AWS OpenSearch Service, this role ARN needs to be in the same account as the OpenSearch domain. E.g.,

1. Create a new role with a custom trust policy. The following example trust policy adds OpenSearch as a trusted entity.
```azure
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"opensearchservice.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
```
2. Click the Next button to progress to the Permissions policies page, and add the `AmazonS3ReadOnlyAccess` permission.
3. Finish creation of the new role on the following page by providing a name, and description.
- **S3 bucket directory**: The name of the Amazon Simple Storage Service (Amazon S3) bucket in which the `STIX2` file is stored. To access an S3 bucket in a different AWS account, [see below](#configuring-cross-account-s3-bucket-connection).

- **Specify a file**: The object key for the `STIX2` file in the S3 bucket.
- **Region**: The AWS Region for the S3 bucket.

You can also set the **Download schedule**, which determines to where OpenSearch downloads an updated `STIX2` file from the connected S3 bucket. The default interval is once a day. Only daily intervals are supported.

Alternatively, you can check the **Download on demand** option, which prevents new data from the bucket from being automatically downloaded.

### Configuring cross-account S3 bucket connection
As mentioned [above](#s3_source-connection-information), the role ARN needs to be in the same account as the OpenSearch domain. The example trust policy in that step will allow the OpenSearch domain to download from S3 buckets within that same account.


To download from an S3 bucket in another account, please note that the trust policy for that bucket needs to give your role ARN permission to read from the object. E.g.,

```azure
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/account-1-threat-intel-role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::account-2-threat-intel-bucket/*"
}
]
}
```

## Step 2: Set up scanning for your log sources

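Review bot: the cross-account example at the end of the hunk grants `"Action": "s3:*"` on `arn:aws:s3:::account-2-threat-intel-bucket/*`, which gives the threat-intel role full write and delete rights over every object in the bucket when the feature only ever reads the `STIX2` file; scope it to `"Action": "s3:GetObject"` so the documented policy is least-privilege. The sentence introducing that example calls it the "trust policy for that bucket", but a trust policy is what is attached to the IAM role in step 1, while the JSON shown here is an S3 bucket policy; the two terms should be kept distinct. In the step 1 trust policy, the `opensearchservice.amazonaws.com` service principal has no `Condition` block; adding `aws:SourceAccount` (and optionally `aws:SourceArn` of the domain) is the standard way to limit which accounts and domains can assume the role. Minor: "determines to where OpenSearch downloads" in the Download schedule paragraph should read "determines when OpenSearch downloads".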