Amazon Web Services (AWS)

This is a combined document for enabling the Amazon Web Services (AWS) Dropzone AI Data Source and Alert Source.

Link to Alert + Data Source Integrations

The Dropzone AI platform integrates with Amazon Web Services (AWS) APIs for ingesting alerts (AWS GuardDuty) and enriching investigations with data from AWS such as CloudWatch.

Dropzone creates a separate IAM role for each customer. This document describes how to enable the Dropzone role to access your AWS environment and configure the Dropzone platform.

Integration Overview

To enable these integrations you will perform the following actions:

Enable Cross-Account Access
- Create an IAM role in your account(s)
- Attach policies to the role
Enable the Dropzone Data Source
Enable the Dropzone Alert Source

The Dropzone platform has a dedicated IAM role for your organization. You enable cross-account access for this IAM to gain access to specific roles within your AWS accounts.

These instructions will work for any account, but you may have different methods for applying them, for example if you are using Control Tower or deploying changes via Infrastructure as Code.

You must complete these steps for all AWS accounts you wish accessible by Dropzone.

Enable Cross-Account Access

The following steps walk you through creating a role and granting it to the Dropzone-provided role.

Find the Dropzone IAM Role Information

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
In the upper left click on the "Data Sources" button in the upper left do configure the Google Workspace Data Source integration

Click "Data Sources" in the top left corner

Find the "AWS" tile and click Connect

In the top left you'll see section named "Connection". Record the ARN and EXTERNAL ID which you will use later in the AWS JSON Policy.

Create the Role

Next you'll create a role in the AWS account you want monitored and available.

You'll need the following information:

Value

Used In

Source

Dropzone-provided ARN

AWS Role Custom Trust Policy JSON

ARN value from the AWS Data Source "Connection" section

Dropzone-provided External ID

AWS Role Custom Trust Policy JSON

External ID value from the AWS Data Source "Connection" section

AWS Account ID

Custom Permissions Policy JSON

Find this in the user/role dropdown in the upper right of the AWS console

Log in to the AWS Management Console for the account where you want to create the role
Open the Identity Access and Management (IAM) dashboard

From the left navigation, select "Access Management" > Roles
Click "Create Role"

Click "Custom Trust Policy"

In the text field below, paste the following policy, replacing the <Dropzone-provided User ARN> and <Dropzone-provided External ID> strings with values from the Dropzone UI you recorded earlier:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<Dropzone-provided User ARN>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<Dropzone-provided External ID>"
                }
            }
        }
    ]
}

Click "Next" in the bottom right
You'll now be on the "Add Permissions" page where you can add AWS pre-built policies

Choose your policy method:
- Add the ReadOnlyAccess policy which will allow Dropzone to have all policies needed even in the future, or
- Add the following policies one-by-one:

Policy

AWSCloudTrail_ReadOnlyAccess

AmazonEC2ReadOnlyAccess

AmazonGuardDutyReadOnlyAccess

AmazonRoute53ReadOnlyAccess

AmazonS3OutpostsReadOnlyAccess

AmazonS3ReadOnlyAccess

AmazonSSMReadOnlyAccess

IAMReadOnlyAccess

Click "Next" when done adding policies
Give the new role the name "Dropzone_AI"

Click "Create Role" in bottom right

From "Identity and Access Management (IAM)" > "Access Management" > Roles search for the new role
Click on the role

In the middle of the page you'll see "Permissions Policies"

Click "Add Permission"
Select "Create Inline Policy"

In the text field paste the following policy, replacing the <your_accountnumber> strings with this AWS account ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudTrailStartQuery",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "cloudtrail:StartQuery"
            ],
            "Resource": [
                "arn:aws:kms:*:<your_accountnumber>:key/*",
                "arn:aws:cloudtrail:*:<your_accountnumber>:eventdatastore/*"
            ]
        },
        {
		 "Sid": "EKSReadOnly",
		 "Effect": "Allow",
		 "Action": [
		     "eks:Describe*",
		     "eks:List*"
		 ],
		 "Resource": "*"
	  }

    ]
}

Click Next
Give the new permission the name "Dropzone_AI_Additional"
Click "Create Policy"

You should be returned to the Dropzone_AI role page and see the policies you've added, including the custom policy.

Record the ARN for this role which we'll use later when configuring the Dropzone Data and Alert Sources.

Repeat For Additional AWS Accounts

Repeat the steps taken in the "Create the Role" section for all other AWS accounts you want visible to Dropzone.

Make sure you're keeping a list of all the role ARNs you create along the way - you'll need them later.

Once done, you may now move onto configuring the Dropzone Data and Alert Sources.

Enable The Dropzone Data Source Integration

The Data source integration allows Dropzone AI to interact with AWS APIs, for example pulling CloudWatch information, enumerating EC2 instances, for use in investigation analysis and interactive chat.

You'll need the following information:

Dropzone Field

Source

Default Region

The AWS region you run most of your services in

Role ARNs

The ARNs of the AWS roles you created in your accounts

To enable the Data Source integration, do the following:

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations

Click "Data Sources" in the top left corner

find the AWS tile and click Connect

Enter an AWS region into the "Default Region" field.
- this should be the region that the majority of your monitored resources live in
In the "Role ARNs", click "Add Item"
- Paste the first the role ARNs that you created earlier
- Continue to "Add Item" and paste in ARNs until you've pasted them all

Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable The Dropzone Alert Source Integration

The Alert source integration allows Dropzone AI to pull alerts from AWS GuardDuty for investigation.

You'll need the following information:

Dropzone Field

Source

Default Region

The AWS region you run most of your services in

Role ARNs

The ARNs of the AWS roles you created in your accounts

Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
In the upper left click on the "Alert Sources" button in the upper left do configure the Google Workspace Alert Source integration

Click "Alert Sources" in the top left corner

Find the "AWS GuardDuty" tile and click Connect

Enter an AWS region into the "Default Region" field.
- this should be the region that the majority of your monitored resources live in
In the "Role ARNs", click "Add Item"
- Paste the first the role ARNs that you created earlier
- Continue to "Add Item" and paste in ARNs until you've pasted them all

Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

PreviousAlert + Data Source Integrations NextCrowdStrike

Last updated 1 year ago

Was this helpful?