AWS Account
To add an AWS device, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not the information needed), consult your device's user guide.
To utilize Amazon Web Services (AWS), you will need to create a virtual private cloud (VPC). This is done from the AWS Management Console.
- Create the VPC.
- Networking > VPC.
- Click Launch VPC Wizard.
- Select a VPC configuration that best fits your business requirements, and then click Select.
- Enter the required data specific to your business requirements, and then click Create VPC.
- Create a user account.
- From the AWS Management Console > Administration & Security > Identity & Access Management.
- Click Users > Create New Users.
- Enter a user name, and then select the Generate an access key for each user check box.
Note Be sure the Generate an access key for each user check box is selected before clicking Create.
- Click Create.
- Click Show User Security Credentials, and record the Access Key ID and Secret Access Key, or click Download Credentials. AWS shows the secret access key only at creation time, so store it securely; both values are needed to add the device in Security Manager.
If you will use an IAM role to delegate permissions to the IAM user, review the AWS documentation for Creating IAM roles.
- Attach a policy to the user.
- From the IAM dashboard, click Access management > Users.
- For retrieval and automation:
- Click the user name, and then click Add permissions > Add permissions.
- Click Attach policies directly.
- Select the check box for AmazonEC2FullAccess. This AWS managed policy grants every EC2 action, including changes to security groups and routes, which automation (changes pushed from SIP) requires. If you only need retrieval, use the read-only inline policy below instead.
- For retrieval only:
- Click the user name, and then click Add permissions > Create inline policy.
- For Policy Editor, select JSON.
- Paste the JSON policy text below into the editor.
JSON Policy text

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:GetManagedPrefixListEntries",
        "ec2:SearchTransitGatewayRoutes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    }
  ]
}
```
This policy grants only Describe, Get, List and Search actions on EC2, Elastic Load Balancing, CloudWatch and Auto Scaling: the read-only access SIP needs for retrieval within its supported features. It permits no changes, so it is not sufficient for automation. Review the AWS documentation for Creating IAM policies.
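Before attaching either policy, it is worth confirming that a "retrieval only" user really is read-only. The following script is an added example for this page (it is not FireMon's or AWS's code): it audits a policy document, flags any Allow action that could change AWS state, and checks that a few sample actions a retrieval would call are granted. The read-only verb prefixes, the probe actions and the deliberately over-broad comparison policy are assumptions constructed for the example, not a FireMon requirements list.

```python
"""Audit an IAM policy document before attaching it to the SIP retrieval user.

Added example; not FireMon's or AWS's code. Every Allow statement must grant
only Describe/Get/List/Search-style actions, so a "retrieval only" user cannot
also change security groups, routes or load balancers.
"""
import fnmatch
import json
import sys

# Assumption: verbs with these prefixes only read state. AWS publishes no
# single list of read-only verbs, so this is deliberately conservative.
READ_ONLY_VERB_PREFIXES = ("Describe", "Get", "List", "Search")

# The retrieval-only policy from the procedure above, as a Python dict.
RETRIEVAL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:GetManagedPrefixListEntries",
                    "ec2:SearchTransitGatewayRoutes"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": "elasticloadbalancing:Describe*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
                    "cloudwatch:Describe*"]},
        {"Effect": "Allow", "Resource": "*", "Action": "autoscaling:Describe*"},
    ],
}

# Constructed for contrast: the kind of grant a managed policy such as
# AmazonEC2FullAccess makes ("ec2:*"), plus one explicit write action.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:AuthorizeSecurityGroupIngress",
                    "elasticloadbalancing:Describe*"]},
    ],
}

# Sample probes (assumption): actions a retrieval should be able to call.
RETRIEVAL_PROBES = ("ec2:DescribeSecurityGroups", "ec2:DescribeRouteTables",
                    "ec2:GetManagedPrefixListEntries",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "cloudwatch:GetMetricStatistics")


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and NotAction."""
    return value if isinstance(value, list) else [value]


def is_read_only_action(action):
    """True if 'service:Verb' (wildcards allowed) can only name read calls."""
    if ":" not in action:
        return False                      # a bare "*" grants everything
    service, verb = action.split(":", 1)
    if service == "*" or verb in ("", "*"):
        return False                      # "ec2:*" or "*:Describe*"
    # "Describe*" is acceptable only if the literal text before the first
    # wildcard is itself a read-only prefix; "D*" would also match Delete*.
    literal = verb.split("*", 1)[0]
    return any(literal.startswith(p) for p in READ_ONLY_VERB_PREFIXES)


def write_capable_actions(policy):
    """Actions in Allow statements that could change AWS state."""
    offending = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:           # Allow + NotAction = everything else
            offending.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        offending.extend(a for a in _as_list(stmt.get("Action", []))
                         if not is_read_only_action(a))
    return offending


def grants_action(policy, needed):
    """True if an Allow statement's Action pattern matches `needed`.
    IAM matches action names case-insensitively with '*' and '?' wildcards,
    which fnmatch reproduces once both sides are lower-cased."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(needed.lower(), pattern.lower()):
                return True
    return False


def missing_probes(policy, probes=RETRIEVAL_PROBES):
    """Probe actions the policy does not grant."""
    return [p for p in probes if not grants_action(policy, p)]


if __name__ == "__main__":
    # Usage: python audit_policy.py [policy.json]; defaults to the page's policy.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else RETRIEVAL_ONLY_POLICY
    print("write-capable actions:", write_capable_actions(policy) or "none")
    print("missing retrieval probes:", missing_probes(policy) or "none")
```

Run against the page's policy, the audit reports no write-capable actions and no missing probes; run against the over-broad comparison, it flags `ec2:*` and `ec2:AuthorizeSecurityGroupIngress`, which is the difference between a user that can read your security groups and one that can rewrite them.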
- Set the STS session token version.
Important: This setting should be applied to the base account (the account whose access keys SIP uses). By default, session tokens issued by the global STS endpoint are valid only in AWS Regions that are enabled by default; retrieving from an opt-in Region requires tokens that are valid in all Regions.
- Sign in as the root user or as a user with permissions to perform IAM administration tasks. To change the compatibility of session tokens, you must have a policy that allows the iam:SetSecurityTokenServicePreferences action.
- Open the IAM console. In the navigation pane, select Account settings.
- In the Security Token Service (STS) section, locate Session Tokens from the STS endpoint. Before the change, the Global endpoint row shows Valid only in AWS Regions enabled by default.
- Select Change.
- In the Change region compatibility dialog box, select All AWS Regions, and then click Save changes.
Please review the AWS documentation for Managing AWS STS.
Step 2: Onboard the Device in the Administration Module
- On the toolbar, click Device > Devices.
- Click Create, and then click Amazon Web Services > AWS Account.
- General Properties section.
To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- In the Management IP Address box, type the IP address of the device.
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
- In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- In the Collection Configuration box, select the collection configuration to use. Default is the configuration provided by the installed device pack; to customize it, duplicate and then edit the default configuration (Device > Collection Configuration).
- Device Settings section.
Credentials: use either the standard access keys or an IAM role as credentials, but not both.
- Access Key ID: the access key ID generated by AWS for the user created in Step 1.
- Access Key Secret: the secret access key generated by AWS for that user.
Select the Use IAM Role check box to delegate access with defined permissions to a trusted entity instead of granting it to the user directly. Creating the IAM role in AWS provides the information for the following fields. If you will use an IAM role to delegate permissions to the IAM user, review the AWS documentation for Creating IAM roles.
- Base Access Key ID: the access key ID of the IAM user whose credentials are used to assume the role.
- Base Access Key Secret: the secret access key of that user.
- IAM Assume Role: the IAM role that SIP assumes with the base credentials.
- Proxy Settings section.
- Proxy Server—this is the IP address of the proxy server.
- Proxy Username—this is the user name for authentication.
- Proxy Password—this is the password for the user name.
- Monitoring section.
If you use log monitoring, you must first set up AWS VPC flow logs.
Select the Enable Log Monitoring check box to begin monitoring.
By default, Track Usage Via is set to Hit Counters.
By default, the Count Retrieval Interval is set to 10 minutes.
By default, the Flow Log Search Window is set to 24 hours; it controls how far back in the VPC flow logs the system searches when it retrieves hit counter data. The value must be between 1 and 72 hours.
- Retrieval section.
Scheduled Retrieval
Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.
Set the Scheduled Retrieval Time to fit your requirements.
Select the Scheduled Retrieval Time Zone from the list.
Check for Change Retrieval
Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.
The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Advanced section.
- File Retrieval Options: Enter the NTP Server that will be used to check for clock offset if AWS rejects the device credentials. AWS API requests are signed with a timestamp and are rejected when the data collector's clock is too far from AWS time, which looks the same as a bad access key. Leaving this field blank disables the check.
- Region Retrieval Options: You can restrict access to a specific region or regions. SIP defaults to 'us-east-1', which may not be allowed depending on how you configure permissions. To override this setting, select a different region from the list.
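When AWS rejects the credentials, the first question is whether the data collector's clock or the key is at fault. The following is an added example for this page (not FireMon's code): every AWS HTTP response carries a standard Date header, and comparing it with local time measures the offset without an NTP query. The 15-minute tolerance, the sample header values and the sample collector clock are assumptions constructed for the example.

```python
"""Tell a clock-offset failure from a genuine credential failure.

Added example; not FireMon's code. AWS signs API requests with a timestamp
(Signature Version 4) and rejects requests whose timestamp is too far from
AWS's own clock, so a drifted collector clock looks like rejected credentials.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: skew beyond this is treated as the cause of the rejection.
MAX_SKEW_SECONDS = 15 * 60

# Constructed sample: the collector believes it is 12:00 UTC on 1 May 2024.
SAMPLE_LOCAL_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
# Constructed sample Date header as AWS would return it (RFC 7231, GMT).
SAMPLE_AWS_DATE = "Wed, 01 May 2024 12:20:00 GMT"


def clock_skew_seconds(date_header, local_now):
    """Signed offset in seconds: AWS time minus local time."""
    server_time = parsedate_to_datetime(date_header)
    if server_time.tzinfo is None:          # RFC 7231 dates are always GMT
        server_time = server_time.replace(tzinfo=timezone.utc)
    return (server_time - local_now.astimezone(timezone.utc)).total_seconds()


def diagnose_rejection(date_header, local_now=None, max_skew=MAX_SKEW_SECONDS):
    """Return 'clock' when the local clock is too far off for signed requests
    to succeed (fix NTP first), otherwise 'credentials' (check the keys/role)."""
    if local_now is None:
        local_now = datetime.now(timezone.utc)
    skew = clock_skew_seconds(date_header, local_now)
    return "clock" if abs(skew) > max_skew else "credentials"


if __name__ == "__main__":
    skew = clock_skew_seconds(SAMPLE_AWS_DATE, SAMPLE_LOCAL_NOW)
    print(f"skew {skew:+.0f}s -> {diagnose_rejection(SAMPLE_AWS_DATE, SAMPLE_LOCAL_NOW)}")
```

With the constructed sample the collector is 20 minutes behind AWS, so the verdict is "clock": correct the NTP configuration rather than rotating the access key. A 30-second difference returns "credentials", pointing at the key, the role or the policy instead.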
- Enforcement section.
Select one of the available enforcement options:
Allow All: All automation is allowed (enforcement, change, manual).
Manual Only: When selected all changes must be manually pushed for this device.
Prevent All: No automation is allowed.
Window Only: Automation can only take place in the assigned enforcement window.
If this device is assigned to an enforcement or change window, it will be listed. If no assignment, changes must be manually pushed for this device.
- Supplemental Routes section.
Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.
Click Add.
Complete fields in the Add Supplemental Routes dialog box:
- Select an Interface.
If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.
- Type the Destination IP address.
- Type the Gateway IP address.
- Select a Virtual Router.
- Select a Next Virtual Router.
- Switch the Drop toggle to enable (disabled = Accept).
- Click Add.
- Click Save.
Step 3: Verify Communication
Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.
To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.
It may take up to 15 minutes to see the status result of the retrieval.