Create an assumed role

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2026-04-10
Category: Administrator Guide

Abstract: Learn about creating an AWS Assumed Role for Cortex XSIAM.

If you do not designate a separate AWS IAM user to give Cortex XSIAM access to your logs and to perform API operations, you can create an assumed role in AWS to delegate permissions to a Cortex XSIAM AWS service. This role grants Cortex XSIAM access to your logs. For more information, see Creating a role to delegate permissions to an AWS service.

These instructions for setting up an Assumed Role apply when you set up any type of Amazon S3 Collector in Cortex XSIAM.

Prerequisite

Ensure that you have an Amazon S3 bucket and Amazon Simple Queue Service (SQS) already configured, as they are needed to configure an IAM policy. The S3 bucket and SQS required depend on how you plan to configure your Amazon S3 data source:

  • When using a CloudFormation script provided by Cortex XSIAM to configure Amazon S3 with SQS notifications, you'll need to either:

    • Use the out-of-the-box Amazon S3 bucket and Amazon Simple Queue Service (SQS), whose names change according to the Amazon S3 log type you are defining.

    • Create a new S3 bucket and SQS according to your system requirements.

  • When configuring data collection from Amazon S3 manually, create an S3 bucket and SQS according to your system requirements.

When creating the S3 bucket and SQS, follow any other relevant instructions provided, for example in the prerequisite section, for the specific type of Amazon S3 data you want to ingest in the relevant topic.

  1. Log in to the AWS Management Console, and open the IAM console to create a policy in the same region as your AWS account.

    1. In the navigation pane on the left, select Access Management > Policies, and click Create policy.

    2. For the Policy editor, select the JSON tab.

    3. Copy the following JSON policy and paste it within the editor window.

      The <s3-arn> and <sqs-arn> are placeholders. These are filled out using the S3 bucket and SQS that you configured in the prerequisite steps above.

      Note

      • You can retrieve your bucket’s ARN by opening the Amazon S3 Console in a browser window. In the Buckets section, select the bucket, click Copy ARN, and paste the ARN in the field.

      • You can retrieve the SQS queue ARN by opening another instance of the AWS Management Console in a browser window, opening the Amazon SQS Console, and selecting the Amazon SQS queue that you created. In the Details section, under ARN, click the copy icon, and paste the ARN in the field.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": "<s3-arn>/*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "sqs:ReceiveMessage",
                      "sqs:DeleteMessage",
                      "sqs:ChangeMessageVisibility"
                  ],
                  "Resource": "<sqs-arn>"
              }
          ]
      }
    4. Click Next.

    5. Review and create the policy.

  2. Create a role for Cortex XSIAM in the IAM console of the AWS Management Console.

    Note

    For more information, see the AWS instructions.

    1. In the navigation pane on the left, select Access Management > Roles, and click Create role.

    2. Select trusted entity, and use the following values and options when creating the role:

      • Trusted entity type: Select Custom trust policy.

      • Custom trust policy: On the right pane, configure the following settings.

        • Under Edit statement > Read or write, verify that AssumeRole is selected.

        • Add a principal by clicking Add and setting the following:

          • Principal type: Select AWS account and root user.

          • ARN: Replace (Account) with the Account ID 006742885340. When using a Cortex XSIAM FedRAMP environment, specify the Account ID as 685269782068.

          When you are finished, click Add principal.

        • Add a condition for an External ID by clicking Add and setting the following:

          • Condition key: Select sts:ExternalId.

          • Qualifier: Select Default.

          • Operator: Select StringEquals.

          • Value: Enter the value of the External ID, a unique alphanumeric string, by generating a secure UUIDv4 using an Online UUID Generator. Copy the External ID, as you will use it when configuring the Amazon S3 Collector in Cortex XSIAM.

          When you are finished, click Add condition.

    3. Click Next and add permissions by selecting the policy you created.

  3. Click Next to name, review, and create.

    • Role name: Specify a name for the new role, and click Create role.

  4. Copy the Policy ARN and Role ARN for future use by opening the policy and role that you created.

  5. Continue with the task for the applicable Amazon S3 logs you want to configure.

    The following types of logs are available.
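
For reference, the trust policy that the console settings in step 2 assemble, written out as a document together with a check for the two settings that restrict who can assume the role: the trusted account and the sts:ExternalId condition. This is an added example, not Palo Alto Networks or AWS code; the function names are hypothetical, and it generates the External ID locally with Python's uuid module rather than with an online generator.

```python
import json
import uuid

# Account IDs quoted in step 2 of this page.
XSIAM_ACCOUNT = "006742885340"
FEDRAMP_ACCOUNT = "685269782068"

def new_external_id():
    # uuid4() draws from the OS CSPRNG, so the value never leaves this host.
    return str(uuid.uuid4())

def build_trust_policy(external_id, account_id=XSIAM_ACCOUNT):
    """The trust policy that the console settings in step 2 produce."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def audit_trust_policy(policy, accounts=(XSIAM_ACCOUNT, FEDRAMP_ACCOUNT)):
    """Return findings; an empty list means every Allow matches step 2."""
    ok = set(accounts) | {f"arn:aws:iam::{a}:root" for a in accounts}
    stmts = policy.get("Statement", [])
    findings = []
    for i, st in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        values = list(principal.values()) if isinstance(principal, dict) else [principal]
        for p in (x for v in values for x in (v if isinstance(v, list) else [v])):
            if p not in ok:
                findings.append(f"statement {i}: unexpected principal {p}")
        # Condition key names are case-insensitive in IAM.
        cond = st.get("Condition", {}).get("StringEquals", {})
        if not {k.lower(): v for k, v in cond.items()}.get("sts:externalid"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

# Constructed sample: right account, but the External ID condition is missing.
WEAK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::006742885340:root"},
        "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(new_external_id()), indent=4))
    print(audit_trust_policy(WEAK))
```

The same audit can be run on the trust policy JSON copied from the role's Trust relationships tab after the role is created.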