Begin Monitoring an Amazon Web Services App

Configure your Amazon Web Services account to connect to the Aperture service to begin scanning resources to identify policy violations and incidents.
Before you can begin monitoring an Amazon Web Services app, you must configure an Aperture policy, user, and optionally an Amazon bucket for CloudTrail to log events in. As you configure your Amazon Web Services account, note the following values required to complete the setup of the Amazon Web Services app within Aperture:
AWS account ID
    Required to enable the Amazon Web Services bucket created in CloudTrail.
Access key ID
    Grants the Aperture service permission to access Amazon Web Services.
Secret access key
    The administrator root access key used to configure IAM services.
CloudTrail bucket name (or full path if the CloudTrail feature is already enabled)
    Enables the Amazon Web Services app to log management and data events to a CloudTrail bucket of your choice.
Region
    The monitored CloudTrail region.
To begin monitoring an Amazon Web Services app:
  1. Prepare your Amazon Web Services account to work with the Aperture service.
    1. Log in to the AWS Console (aws.amazon.com).
    2. Select Services > Security, Identity & Compliance > IAM.
    3. Configure the Aperture policy. The Aperture service will use this policy to connect to the Amazon Web Services app.
      1. Select Policies > Create policy and then select Create Your Own Policy.
      2. Enter the Policy Name as aperture-aws-policy and provide an optional description of the policy.
      3. Copy and paste the following configuration into the Policy Document section:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeVolumes",
                "iam:List*",
                "iam:Get*",
                "kms:ListKeys",
                "kms:DescribeKey",
                "kms:GetKeyRotationStatus",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:DescribeTrails",
                "cloudtrail:LookupEvents",
                "cloudtrail:ListTags",
                "cloudtrail:ListPublicKeys",
                "cloudtrail:GetEventSelectors"
              ],
              "Resource": "*"
            }
          ]
        }

      4. Click Create Policy.
    4. Configure the account the Aperture service will use to access the Amazon Web Services logs:
      1. Select Users > Add user.
      2. Enter the username as aperture-aws_ec2_and_iam-user.
      3. To generate an access key ID and secret access key that Aperture will use to access Amazon Web Services, enable Programmatic access.
      4. Select Next: Permissions.
      5. Select Attach existing policies directly and select the policy aperture-aws_ec2_and_iam-policy.
      6. Search for and select the check box next to the policy you created in the previous step.
      7. Click Next: Review > Create User.
        Note your Access key ID and Secret access key.
      8. Click Close.
    5. (Optional) If CloudTrail logging is already enabled for all regions, skip this step; otherwise, configure CloudTrail logging. This feature enables the Amazon Web Services app to log management and data events to a CloudTrail bucket of your choice.
      1. To copy your AWS account ID, click your username at the top right, select the account number, and press Ctrl-C. You will need the number later in this procedure.
      2. Select Services > Management Tools > CloudTrail > Trails > Add new trail.
      3. Enter the Trail name aperture-aws_ec2_and_iam-trail.
      4. Set Apply trail to all Regions to Yes.
      5. To create a bucket in which CloudTrail will store management and data event logs, enter the S3 bucket name as aperture-aws_EC2<AWS account ID> in the Storage location area.
        Take note of the AWS bucket (CloudTrail bucket name).
      6. Click Create.
  2. Add the Amazon Web Services app to Aperture.
    1. From the Aperture Dashboard, Add a Cloud App.
    2. Select Amazon Web Services.
    3. Configure your Amazon Web Services settings. There are two ways to set up the Amazon Web Services app in Aperture, depending on whether CloudTrail logging was already enabled in your AWS account or you enabled it by following this procedure.
      • New CloudTrail configuration
        1. Click Connect to Account.
        2. Enter the Access Key ID, Secret Access Key, and AWS Account ID you noted in the previous steps.
    4. Click OK.
      The Aperture service adds the Amazon Web Services app to the list of Cloud Apps.
  3. (Optional) Give a descriptive name to this app instance and specify an incident reviewer.
    1. Select the Amazon Web Services link on the Cloud Apps list.
    2. Enter a descriptive Name to differentiate this instance of Amazon Web Services from other instances you are managing.
  4. Define global settings.
  5. Add policy rules.
    When you add a new cloud app, the Aperture service automatically monitors the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of your app to determine whether you want to Add a New Policy Rule for Content to look for risks unique to the new app.
  6. (Optional) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns, making it possible to find every instance of text that matches a data pattern you specify.
  7. Start monitoring the new Amazon Web Services app for risks.
    1. Select Settings > Cloud Apps & Scan Settings.
    2. In the Cloud Apps row that corresponds to the new Amazon Web Services app, select Actions > Start Scanning.
      The Aperture service starts monitoring all assets in the associated Amazon Web Services app and begins identifying incidents. Depending on the number of Amazon Web Services assets, it may take some time for the Aperture service to complete the process of discovering all assets and users. However, as soon as you begin to see this information populating on the Aperture Dashboard, you can begin to Assess Incidents.
  8. Monitor the results.
    As the Aperture service starts monitoring files and matching them against enabled policy rules, Monitor Scan Results on the Dashboard to verify that your policy rules are effective.
    Monitoring the progress during the discovery phase allows you to Fine-Tune Policy to modify the match criteria and ensure better results.
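A least-privilege check for the Aperture policy document in step 1.3, added here as an example (it is not Aperture's or AWS's own tooling): it verifies that a policy grants only Describe/List/Get/Lookup actions and reports which actions this procedure requires are missing from a policy actually attached to the aperture-aws_ec2_and_iam-user. The attached policy below is constructed for the demonstration; in practice you would load the document exported with aws iam get-policy-version.

```python
"""Least-privilege check for the Aperture IAM policy in this procedure (an added
example, not Aperture's or AWS's code): confirm a policy grants only read-only
actions, and list required actions a policy you actually attached does not cover."""
import fnmatch

# The policy document from this page, used as the reference for the comparison.
REQUIRED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeImages",
        "ec2:DescribeVolumes", "iam:List*", "iam:Get*", "kms:ListKeys",
        "kms:DescribeKey", "kms:GetKeyRotationStatus", "cloudtrail:GetTrailStatus",
        "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudtrail:ListTags",
        "cloudtrail:ListPublicKeys", "cloudtrail:GetEventSelectors"]}],
}
# Constructed sample of what an operator might attach instead: it drops one
# required CloudTrail action and grants 'iam:*' plus a write action by mistake.
SAMPLE_ATTACHED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:Describe*", "iam:*", "kms:ListKeys", "kms:DescribeKey",
            "kms:GetKeyRotationStatus", "cloudtrail:GetTrailStatus",
            "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents",
            "cloudtrail:ListTags", "cloudtrail:ListPublicKeys"]},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:PutObject"}],
}
READ_ONLY_VERBS = ("Describe", "List", "Get", "Lookup")

def allowed_actions(policy):
    """Every action granted by Allow statements (Action may be a string or a list)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions

def non_read_only(policy):
    """Granted actions whose API verb is not read-only ('*' and 'svc:*' count)."""
    return sorted(a for a in allowed_actions(policy)
                  if not a.partition(":")[2].startswith(READ_ONLY_VERBS))

def missing_actions(attached):
    """Actions this page requires that the attached policy does not cover;
    wildcards in the attached policy (e.g. 'ec2:Describe*') are honoured."""
    granted = allowed_actions(attached)
    return sorted(need for need in allowed_actions(REQUIRED_POLICY)
                  if not any(fnmatch.fnmatchcase(need, g) for g in granted))
```

Run non_read_only and missing_actions against your exported policy document: an empty result from both means the user holds exactly the read-only access Aperture needs, and nothing broader.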
