Deploying Darktrace AWS Security Module

Threat Visualizer v5.0

Last Updated: February 1 2021

DEPLOYING DARKTRACE AWS SECURITY MODULE 2

Deploying Darktrace AWS Security Module

Threat Visualizer v5.0

Deploying Darktrace AWS Security Module in Standard Mode 3

Deploying the Module in Restricted Mode 7

Available Configuration Options 10

DEPLOYING DARKTRACE AWS SECURITY MODULE 3

Deploying Darktrace AWS Security Module in Standard

Mode
There are two deployment modes available for the Darktrace AWS Security module: standard and Restricted Mode. The
following steps cover the deployment of the module in the standard mode.

More information can be found in Darktrace Security Module for AWS.

Monitoring Multiple AWS Accounts

If you wish to monitor multiple AWS accounts which log CloudTrails into the same S3 bucket, there are two methods of
configuration: comma-separated values or multiple modules.

For the first method, Account IDs can be entered as a comma-separated list in the Account IDs field. For example, “o-
e5luotgnx0/9946543668,o-e5luotgnx0/1564025830”. Please note, the module will only attempt to reconfigure one
account - that associated with the CloudTrail provided during the creation of the IAM user and entered into the Darktrace
CloudTrail Name field. Trails from other accounts will be retrieved in read-only mode and will not be managed. Log
expiry is set at the bucket level, so all logs will be expired regardless of their account.

If management of all CloudTrails is desired, the alternative option is to authorize Darktrace for each account by fully
completing the authorization instructions individually for each account. This method will result in multiple instances of the
AWS module, each able to manage a trail directly.

Add AWS Account ID to Darktrace Configuration Page

1. Log into the Amazon AWS Management Console with a user with admin credentials.

2. Click on the username in the top right of the page to reveal a menu. Select My Account.

3. Copy the Account ID shown on the resulting page. If the account belongs to a AWS Organization, the Account
ID must be prefixed with the organization ID separated by a forward slash (e.g., “o-
e5luotgnx0/9946543668”).

If you are unsure whether an organization ID prefix is required, please check the folder structure of the
bucket where logs are being stored. If the structure contains your organization ID - for example …/AWSLogs/
o-e5luotgnx0/9946543668/CloudTrail/… - the organization ID prefix is required in the string provided to
Darktrace.

If the folder structure does not contain the organization ID, for example …/AWSLogs/9946543668/CloudTrail/
…, the organization ID prefix is not required.

4. Within the Threat Visualizer, navigate to the System Config page in the main menu under Admin. Select
Modules from the left-hand menu.

Select Amazon AWS from the available Cloud and SaaS Security Modules - a configuration window will open.

5. Locate the field Account IDs and enter the Account ID copied from AWS.

If you are monitoring multiple AWS accounts using the comma-separated method, enter them here. For more
information, please see “Monitoring Multiple AWS Accounts” above.

6. Enter an Account Name. This name is for your own reference and does not need to correspond with any
values entered during the AWS configuration.

Ensure that you save any new field values added to the Darktrace Threat Visualizer System Config page to avoid losing
your changes.

We recommend keeping the System Config page open in a new window or tab while you gather the relevant information
from AWS.
DEPLOYING DARKTRACE AWS SECURITY MODULE 4

Create New CloudTrail

1. Return to the AWS Management Console. Click on Services in the top left of the page, find the Management
and Governance header and click on CloudTrail.

One of two screens will now appear.

◦ If CloudTrails have been created previously, click Trails on the far left bar and then Create trail on the
following screen

◦ If not, click the Get Started Now button in the middle of the screen. This will automatically begin
creation of a new trail.

2. Create a new trail. The trail name can take any value but must be unique from other trails on the account. The
following options should then be selected/entered during the creation process:

◦ Apply trail to all regions should be set to yes.

◦ All management events should be monitored.

◦ Ensure that ‘Select all S3 buckets in your account’ is ticked.

◦ Enter a unique S3 bucket name.

◦ Ensure that the Encrypt Log Files option is set to No, unless KMS encryption is desired.

Where KMS encryption is in place for logs, ensure the IAM user created for Darktrace utilization possesses
the required permissions to decrypt logs.

3. Click the Create button in the bottom right to set up the CloudTrails.

4. Return to the Darktrace Threat Visualizer and navigate again to Amazon AWS configuration started above.
Enter the name of the CloudTrail created into the Darktrace CloudTrail Name field.

Where multiple CloudTrails are logging into one S3 bucket, this CloudTrail will be the only CloudTrail that the
module can manage. For more information, please see Monitoring Multiple AWS Accounts above.

Create New User With CloudTrail Access Permissions

1. From the Amazon Management Console, click on Services in the top left of the page. Find the Security,
Identity & Compliance header and click on IAM.

2. On the far left bar, click on Users and then Add user in the following screen.

3. Create a new user. The name may take any value as long as it is unique from other users.

This user must have programmatic access but does not require AWS management console access.

4. Click Next: Permissions in the bottom right. Darktrace provides a custom policy template for permissions that
will allow the module to:

◦ Access and modify CloudTrails.

◦ Access and configure the S3 bucket associated with the Darktrace module.

Select attach existing policies directly and click on Create Policy.

DEPLOYING DARKTRACE AWS SECURITY MODULE 5

5. On the new tab, select JSON and copy the following JSON template into the policy document:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"cloudtrail:LookupEvents",
"cloudtrail:DescribeTrails"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration",
"cloudtrail:PutEventSelectors",
"cloudtrail:GetEventSelectors"
],
"Resource": [
"arn:aws:s3:::<BUCKET NAME>/*",
"arn:aws:s3:::<BUCKET NAME>",
"arn:aws:cloudtrail:*:<ACCOUNT ID>:trail/<TRAIL NAME>"
]
}
]
}

Where BUCKETNAME is the name of the S3 bucket created for the CloudTrail, ACCOUNT ID is the ID of the
account that the CloudTrail created above is monitoring, and TRAIL NAME is the name of the trail created
above. Adjust the resource string accordingly if the format of your ARNs differs from that provided.

Where multiple CloudTrails are logging into one S3 bucket, this CloudTrail will be the only CloudTrail that the
module can manage. For more information, please see Monitoring Multiple AWS Accounts above.

If KMS encryption is in place for logs, ensure the required permissions to decrypt logs are added to the key
policy.

6. Create a name and description for the policy, then click Create Policy.

7. Switch back to the IAM user creation tab and click Refresh. This will refresh the policy list.

Type the name of the newly created policy, select it and click Next:Tags.

8. Proceed directly to Next:Review. Review the user details and ensure that the AWS access type is
programmatic access with an access key and the newly created policy is located in the permission summary.

9. Clicking Create User will take you to a page with the new user and the corresponding access key ID and
secret access key. Ensure the Darktrace Threat Visualizer is open in another tab or window.

Copy the Access Key ID into the CloudTrail User Access Key field of the Darktrace System Config page

On the AWS new user page, show the secret access key and copy it. Enter it into the CloudTrail User Secret
Access Key on the Darktrace Threat Visualizer System Config page.

10. Remaining in the Threat Visualizer page, enter the name of the new IAM user into the Darktrace CloudTrail
IAM username field.

11. Optionally enable Automatically Configure CloudTrail - this will allow the module to reconfigure the
CloudTrail if misconfigurations are detected or filtering is desired.

12. Click the “Authorize” button to begin monitoring your AWS environment.
DEPLOYING DARKTRACE AWS SECURITY MODULE 6

After attempting to retrieve data for the first time, the module will report whether the poll cycle was successful. If any
errors occur, these will be reported in the Status section
DEPLOYING DARKTRACE AWS SECURITY MODULE 7

Deploying the Module in Restricted Mode

The module can be deployed in a restricted mode where the linked IAM user is granted “read” and “list” permissions to
the S3 bucket containing the monitoring logs, but is not granted access to CloudTrail.

Please note, this mode prevents the module from detecting misconfigurations, automatically retrieving log location
information or managing (deleting) log files.

Monitoring Multiple AWS Accounts

If you wish to monitor multiple AWS accounts which log CloudTrails into the same S3 bucket, there are two methods of
configuration: comma-seperated values or multiple modules. For the first method, Account IDs can be entered as a
comma-separated list in the Account IDs field. For example, “o-e5luotgnx0/9946543668,o-e5luotgnx0/1564025830”. The
alternative option is to authorize Darktrace for each account by fully completing the authorization instructions individually
for each account. In Restricted Mode, the module does not manage CloudTrail, so either method will produce the same
result.

Add AWS Account ID to Darktrace Configuration Page

1. Log into the Amazon AWS Management Console with a user with admin credentials.

2. Click on the username in the top right of the page to reveal a menu. Select My Account.

3. Copy the Account ID shown on the resulting page. If the account belongs to a AWS Organization, the Account
ID must be prefixed with the organization ID separated by a forward slash (e.g., “o-
e5luotgnx0/9946543668”).

If you are unsure whether an organization ID prefix is required, please check the folder structure of the
bucket where logs are being stored. If the structure contains your organization ID - for example …/AWSLogs/
o-e5luotgnx0/9946543668/CloudTrail/… - the organization ID prefix is required in the string provided to
Darktrace.

If the folder structure does not contain the organization ID, for example …/AWSLogs/9946543668/CloudTrail/
…, the organization ID prefix is not required.

4. Within the Threat Visualizer, navigate to the System Config page in the main menu under Admin. Select
Modules from the left-hand menu.

Select Amazon AWS from the available Cloud and SaaS Security Modules - a configuration window will open.

5. Locate the field Account IDs and enter the Account ID copied from AWS.

If you wish to monitor multiple AWS accounts (which log into the same CloudTrail), repeat this process and list
all Account IDs as a comma-separated list. For example “o-e5luotgnx0/9946543668,o-
e5luotgnx0/1564025830”. Note that this is only for accounts which all log into the same CloudTrail bucket.

Alternatively you can authorize Darktrace for each account by fully completing the authorization instructions
individually for each account.

6. Enter an Account Name. This name is for your own reference and does not need to correspond with any
values entered during the AWS configuration.

7. Disable the setting CloudTrail Access Enabled.

Save your changes.

We recommend keeping the System Config page open in a new window or tab while you gather the relevant information
from AWS.
DEPLOYING DARKTRACE AWS SECURITY MODULE 8

Create New CloudTrail

1. Return to the AWS Management Console. Click on Services in the top left of the page, find the Management
and Governance header and click on CloudTrail.

One of two screens will now appear.

◦ If CloudTrails have been created previously, click Trails on the far left bar and then Create trail on the
following screen

◦ If not, click the Get Started Now button in the middle of the screen. This will automatically begin
creation of a new trail.

2. Create a new trail. The trail name can take any value but must be unique from other trails on the account. The
following options should then be selected/entered during the creation process:

◦ Apply trail to all regions should be set to yes.

◦ All management events should be monitored.

◦ Ensure that ‘Select all S3 buckets in your account’ is ticked.

◦ Enter a unique S3 bucket name.

◦ Ensure that the Encrypt Log Files option is set to No, unless KMS encryption is desired.

Where KMS encryption is in place for logs, ensure the IAM user created for Darktrace utilization possesses
the required permissions to decrypt logs.

3. Click the Create button in the bottom right to set up the CloudTrails.

4. Return to the Darktrace Threat Visualizer and navigate again to Amazon AWS configuration started above. In
the CloudTrail S3 Bucket field (requires CloudTrail Access Enabled to be disabled), enter the name of the
S3 bucket that was provided during the CloudTrail configuration.

5. If a log prefix was specified during CloudTrail creation, complete the CloudTrail Log Prefix field (requires
CloudTrail Access Enabled to be disabled). Where multiple CloudTrails are logging to the same bucket,
ensure the log prefix is consistent across all CloudTrails.

Save your changes.

Create New User With Restricted Permissions

1. In the Amazon Management Console, click on Services in the top left of the page. Find the Security, Identity
& Compliance header and click on IAM.

2. On the far left bar, click on Users and then Add user in the following screen.

3. Create a new user. The name may take any value as long as it is unique from other users.

This user must have programmatic access but does not require AWS management console access.

4. Click Next: Permissions in the bottom right. Darktrace has a custom policy for permissions that will allow the
module to access and view CloudTrails. This is a limited permission set valid only for Restricted Mode.

Select attach existing policies directly and click on Create Policy.

DEPLOYING DARKTRACE AWS SECURITY MODULE 9

5. On the new tab, select JSON and copy the following JSON into the policy document with BUCKETNAME
replaced with the name of the S3 bucket created for the CloudTrail:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<BUCKET NAME>",
"arn:aws:s3:::<BUCKET NAME>/*"
]
}
]
}

Adjust the resource string accordingly if the format of your ARNs differs from that provided.

If KMS encryption is in place for logs, ensure the required permissions to decrypt logs are added to the key
policy.

6. Create a name and description for the policy. Click Create Policy.

7. Switch back to the IAM user creation tab and click Refresh. This will refresh the policy list.

Type the name of the newly created policy, select it and click Next:Tags.

8. Proceed directly to Next:Review. Review the user details and make sure that the AWS access type is
programmatic access with an access key and the newly created policy is located in the permission summary.

9. Clicking Create User will take you to a page with the new user and the corresponding access key ID and
secret access key. Ensure the Darktrace Threat Visualizer is open in another tab or window.

Copy the Access Key ID into the CloudTrail User Access Key field of the Darktrace System Config page

On the AWS new user page, show the secret access key and copy it. Enter it into the CloudTrail User Secret
Access Key on the Darktrace Threat Visualizer System Config page.

10. Remaining in the Threat Visualizer page, enter the name of the new IAM user into the Darktrace CloudTrail
IAM username field.

11. Click the “Authorize” button to begin monitoring your AWS environment.

After attempting to retrieve data for the first time, the module will report whether the poll cycle was successful. If any
errors occur, these will be reported in the Status section
DEPLOYING DARKTRACE AWS SECURITY MODULE 10

Available Configuration Options

There are multiple configuration options available for the AWS Security Module - more information about possible
deployment modes can be found in the AWS module brief. All configuration options, including required fields, are
covered below.

FIELD REQUIRED? DESCRIPTION

Account IDs Yes One or more Account IDs for Accounts logging CloudTrail into the bucket specified.

Account The name of the module account in the Threat Visualizer - this will be displayed in all
Yes
Name notices returned from AWS

CloudTrail
The IAM User Access Key generated during configuration. Required for authentication
User Access Yes
to take place.
Key

CloudTrail
The IAM User Secret Access Key generated during configuration. Required for
User Secret Yes
authentication to take place.
Access Key

CloudTrail Mode- The name of the CloudTrail configured for Darktrace monitoring. Required for Standard
Name dependent operation, not required in Restricted Mode.

CloudTrail
The username of the IAM User created for the module to utilize as part of the
IAM User Yes
configuration process.
Name

Automatically
Optional Sets logs to expire after 24 hours at the bucket-level.
Expire Logs

CloudTrail
Mode- Controls Restricted Mode. For standard operation, the field must be set to true. To
Access
dependent enable Restricted Mode, set the field to false to reveal additional configuration settings.
Enabled

CloudTrail In Restricted When in Restricted Mode, the name of the bucket that CloudTrail logs are being sent to.
S3 Bucket Mode Only visible if “CloudTrail Access Enabled” is “False”.

When in Restricted Mode, the optional log prefix of CloudTrails sent to the bucket
CloudTrail In Restricted
specified. If multiple accounts are logging to the same bucket, all prefixes must be
Log Prefix Mode
consistent. Only visible if “CloudTrail Access Enabled” is “False”.

osSensor If enabled, the module will retrieve all EC2 instances within the connected AWS account
Coverage and compare against EC2 instances monitored by osSensors. The module will then
Optional
Detection raise warnings for EC2 instances that are retrieved but not covered by osSensor
(deprecated) monitoring.

Ignored IDs Where osSensor monitoring is enabled, a comma-separated list of EC2 instance IDs to
Optional
(deprecated) ignore.

Ignored
Where osSensor monitoring is enabled, a comma-separated list of subnets to ignore.
Subnets Optional
Also accepts individual IP addresses.
(deprecated)

Automatically
Optional Automatically reconfigures the CloudTrail provided to correct misconfigurations and
Configure
(Recommended) configure filtering.
CloudTrail

Enabling Write-Only Mode will only record AWS “Write” management events in
CloudTrail
CloudTrail. The filter utilizes the read-only and write-only available in AWS CloudTrail -
Write Event Optional
more information can be found in the AWS documentation. Requires “Automatically
Filter
Configure CloudTrail” to be “true”.
US:+1 415 229 9100 UK:+44 (0) 1223 394 100 LATAM:+55 11 4949 7696 APAC:+65 6804 5010 [email protected] darktrace.com