Configuring AWS credentials

In order to make the Wazuh AWS module pull log data from the different services, it will be necessary to provide access credentials so it can connect to them.

There are multiple ways to configure the AWS credentials:

Create an IAM User

Wazuh will need a user with permissions to pull log data from the S3 bucket. The easiest way to accomplish this is by creating a new IAM user for your account. We will only allow it to read data from the bucket.

  1. Create new user:

Navigate to Services > IAM > Users

Click on “Next: Permissions” to continue.

  1. Create policy:

We will attach this policy later to the user we are creating.

Check that your new policy looks like this:

Raw output for the example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::wazuh-cloudtrail",
        "arn:aws:s3:::wazuh-cloudtrail/*"
      ]
    }
  ]
}

Note

The s3:DeleteObject action is only required if the logs will be removed from the S3 bucket by the aws-s3 module.

  1. Attach policy:
  1. Confirm user creation and get credentials:

Save the credentials, you will use them later to configure the module.

Authenticating options

Credentials can be loaded from different locations, you can either specify the credentials as they are in the previous block of configuration, assume an IAM role, or load them from other Boto3 supported locations..

Profiles

You can define profiles in your credentials file (~/.aws/credentials) and specify those profiles on the bucket configuration.

Note

A region must be also specified on the credentials file in order to make it work.

For example, the following credentials file defines three different profiles: default, dev and prod.

[default]
aws_access_key_id=foo
aws_secret_access_key=bar
region=us-east-1

[dev]
aws_access_key_id=foo2
aws_secret_access_key=bar2
region=us-east-1

[prod]
aws_access_key_id=foo3
aws_secret_access_key=bar3
region=us-east-1

To use the prod profile in the AWS integration you would use the following bucket configuration:

<bucket type="cloudtrail">
  <name>my-bucket</name>
  <aws_profile>prod</aws_profile>
</bucket>

IAM Roles

Warning

This authentication method requires some credentials to be previously added to the configuration using any other authentication method.

IAM Roles can also be used to access the S3 bucket. Follow these steps to create one:

  1. Go to Services > Security, Identity & Compliance > IAM.
  1. Select Roles in the right menu and click on the Create role button:
  1. Select S3 service and click on Next: Permissions button:
  1. Select the previously created policy:
  1. Click on Create role button:
  1. Access to role summay and click on its policy name:
  1. Add permissions so the new role can do sts:AssumeRole action:
  1. Come back to the role’s summary, go to Trust relationships tab and click on Edit trust relationship button:
  1. Add your user to the Principal tag and click on Update Trust Policy button:

Once your role is created, just paste it on the bucket configuration:

 <bucket type="cloudtrail">
   <name>my-bucket</name>
   <access_key>xxxxxx</access_key>
   <secret_key>xxxxxx</secret_key>
   <iam_role_arn>arn:aws:iam::xxxxxxxxxxx:role/wazuh-role</iam_role_arn>
</bucket>

IAM roles for EC2 instances

You can use IAM roles and assign them to EC2 instances so there’s no need to insert authentication parameters on the ossec.conf file. This is the recommended configuration. Find more information about IAM roles on EC2 instances in the official Amazon AWS documentation.

This is an example configuration:

<bucket type="cloudtrail">
  <name>my-bucket</name>
</bucket>

Environment variables

If you’re using a single AWS account for all your buckets this could be the most suitable option for you. You just have to define the following environment variables:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

Insert the credentials into the configuration

Another available option to set up credentials is writing them right into the Wazuh configuration file (/var/ossec/etc/ossec.conf), inside of the <bucket> block on the module configuration.

This is an example configuration:

<bucket type="cloudtrail">
  <name>my-bucket</name>
  <access_key>insert_access_key</access_key>
  <secret_key>insert_secret_key</secret_key>
</bucket>