Create an Assumed Role - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-17
Category: Administrator Guide
Abstract

Learn about creating an AWS Assumed Role for Cortex XSIAM.

If you do not designate a separate AWS IAM user to give Cortex XSIAM access to your logs and to perform API operations, you can create an assumed role in AWS to delegate permissions to a Cortex XSIAM AWS service. This role grants Cortex XSIAM access to your logs. For more information, see Creating a role to delegate permissions to an AWS service.

These instructions for setting up an Assumed Role apply when you set up any type of Amazon S3 Collector in Cortex XSIAM.

  1. Log in to the AWS Management Console to create a role for Cortex XSIAM.

    Refer to the AWS instructions for guidance.

    1. Create the role in the same region as your AWS account, and use the following values and options when creating the role.

      • Type of Trusted → Another AWS Account, and specify the Account ID as 006742885340. When using a Cortex XSIAM FedRAMP environment, specify the Account ID as 685269782068.

      • Select the Require external ID option. The external ID is a unique alphanumeric string; generate a secure UUIDv4 using an Online UUID Generator. Copy the External ID, because you will use it when configuring the Amazon S3 Collector in Cortex XSIAM.

        Note

        In AWS this field is optional, but it must be configured to set up the Amazon S3 Collector in Cortex XSIAM.

      • Do not enable MFA. Verify that Require MFA is not selected.

    2. Click Next and add the AWS Managed Policy for Security Audit.

      Then, add a role name and create the role. Later in this workflow, you will create the granular policies and edit the role to attach the additional policies.

  2. Create the policy that defines the permissions for the Cortex XSIAM role.

    1. Select IAM on the AWS Management Console.

    2. In the navigation pane on the left, select Access Management → Policies → Create Policy.

    3. Select the JSON tab.

      Copy the following JSON policy and paste it within the editor window.

      Note

      The <s3-arn> and <sqs-arn> values are placeholders. You will fill them in later, depending on which Amazon S3 logs you are configuring, including network flow logs, audit logs, or generic logs.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": "<s3-arn>/*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "sqs:ReceiveMessage",
                      "sqs:DeleteMessage",
                      "sqs:ChangeMessageVisibility"
                  ],
                  "Resource": "<sqs-arn>"
              }
          ]
      }
    4. Review and create the policy.

  3. Edit the role you created in Step 1 and attach the policy to the role.

  4. Copy the Role ARN.

  5. Continue with the task for the applicable Amazon S3 logs you want to configure.

    The following types of logs are available.
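
The console choices in Step 1 end up as the role's trust policy. The following Python is an added example, not part of the Cortex XSIAM guide or any vendor code, that builds that trust policy and audits an existing one against the requirements above (trusted account, external ID, no MFA). The function names are hypothetical, and generating the external ID locally with `uuid.uuid4()` rather than with an online generator is an assumption of this example.

```python
import re
import uuid

CORTEX_ACCOUNT_ID = "006742885340"  # from the page (FedRAMP: 685269782068)
UUID4 = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}")
ROOT_ARN = re.compile(r"arn:aws[a-z-]*:iam::(\d{12}):root")


def new_external_id():
    """Generate the UUIDv4 external ID locally (assumption: replaces the online generator)."""
    return str(uuid.uuid4())


def build_trust_policy(external_id, account_id=CORTEX_ACCOUNT_ID):
    """Trust policy matching the Step 1 choices: one account, external ID, no MFA."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": account_id},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def audit_trust_policy(policy, account_id=CORTEX_ACCOUNT_ID):
    """Return findings for a role trust policy; an empty list means it matches Step 1."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            m = ROOT_ARN.fullmatch(p)  # the console stores the account as a root ARN
            if (m.group(1) if m else p) != account_id:
                findings.append(f"unexpected trusted principal: {p}")
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition")
        elif not UUID4.fullmatch(str(ext).lower()):
            findings.append("external ID is not a UUIDv4")
        if any("aws:MultiFactorAuthPresent" in keys for keys in cond.values()):
            findings.append("MFA is required")
    return findings
```

Pass `audit_trust_policy` the JSON from the role's trust relationship to confirm that only the Cortex XSIAM account can assume the role and that the external ID condition is enforced.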