Create an Assumed Role - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-03-22
Last date published
2023-09-21
Category
Administrator Guide

If you do not designate a separate AWS IAM user to provide access to Cortex XDR to your logs and to perform API operations, you can create an assumed role in AWS to delegate permissions to a Cortex XDR AWS service. This role grants Cortex XDR access to your logs. For more information, see Creating a role to delegate permissions to an AWS service.

When setting up any type of Amazon S3 Collector in Cortex XDR, these instructions explain setting up an Assumed Role.

  1. Log in to the AWS Management Console to create a role for Cortex XDR.

    Refer to the AWS instructions for guidance.

    1. Create the role in the same region as your AWS account, and use the following values and options when creating the role.

      • Type of TrustedAnother AWS Account, and specify the Account ID as 006742885340. When using a Cortex XDR FedRAMP environment, specify the Account ID as 685269782068.

      • Select Options for the Require external ID, which is a unique alphanumeric string, and generate a secure UUIDv4 using an Online UUID Generator. Copy the External ID as you will use this when configuring the Amazon S3 Collector in Cortex XDR .

        Note

        In AWS this is an optional field to configure, but this must be configured to set up the Amazon S3 Collector in Cortex XDR .

      • Do not enable MFA. Verify that Require MFA is not selected.

      create-a-role-assumed-role.png
    2. Click Next and add the AWS Managed Policy for Security Audit.

      create-a-role-security-audit.png

      Then, add a role name and create the role. In this workflow, later, you will create the granular policies and edit the role to attach the additional policies.

  2. Create the policy that defines the permissions for the Cortex XDR role.

    1. Select IAM on the AWS Management Console.

    2. In the navigation pane on the left, select Access ManagementPoliciesCreate Policy.

    3. Select the JSON tab.

      Copy the following JSON policy and paste it within the editor window.

      Note

      The <s3-arn> and <sqs-arn> placeholders. These will be filled out later depending on which Amazon S3 logs you are configuring, including network flow logs, audit logs, or generic logs.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": "<s3-arn>/*"
              },
              {
                  "Effect": "Allow",
                   "Action": [
                      "sqs:ReceiveMessage",
                      "sqs:DeleteMessage",
                      "sqs:ChangeMessageVisibility"
                  ],
                  "Resource": "<sqs-arn>"
              }
          ]
      }
    4. Review and create the policy.

  3. Edit the role you created in Step 1 and attach the policy to the role.

  4. Copy the Role ARN.

    arn-assumed-role.png
  5. Continue with the task for the applicable Amazon S3 logs you want to configure.

    The following type of logs are available.