Create an Assumed Role for Cortex XDR

Understanding how to create an AWS Assumed Role for Cortex XDR.
If you do not designate a separate AWS IAM user to provide access to Cortex XDR to your logs and to perform API operations, you can create an assumed role in AWS to delegate permissions to a Cortex XDR AWS service. This role grants Cortex XDR access to your logs. For more information, see Creating a role to delegate permissions to an AWS service.
When setting up any type of Amazon S3 Collector in Cortex XDR, these instruction explain setting up an
Assumed Role
.
  1. Log in to the AWS Management Console to create a role for Cortex XDR.
    Refer to the AWS instructions for guidance.
    1. Create the role in the same region as your AWS account, and use the following values and options when creating the role.
      • Type of Trusted
        Another AWS Account
        , and specify the
        Account ID
        as
        006742885340
        .
      • Select
        Options
        for the
        Require external ID
        , which is a unique alphanumeric string, and generate a secure UUIDv4 using an Online UUID Generator. Copy the
        External ID
        as you will use this when configuring the Amazon S3 Collector in Cortex XDR.
        In AWS this is an optional field to configure, but this must be configured to set up the Amazon S3 Collector in Cortex XDR.
      • Do not enable MFA. Verify that
        Require MFA
        is not selected.
    2. Click
      Next
      and add the AWS Managed Policy for
      Security Audit
      .
      Then, add a role name and create the role. In this workflow, later, you will create the granular policies and edit the role to attach the additional policies.
  2. Create the policy that defines the permissions for the Cortex XDR role.
    1. Select
      IAM
      on the AWS Management Console.
    2. In the navigation pane on the left, select
      Access Management
      Policies
      Create Policy
      .
    3. Select the
      JSON
      tab.
      Copy the following JSON policy and paste it within editor window.
      The
      <s3-arn>
      and
      <sqs-arn>
      placeholders. These will be filled out later depending on which Amazon S3 logs you are configuring, including network flow logs, audit logs, or generic logs.
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "<s3-arn>/*" }, { "Effect": "Allow", "Action": [ "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility" ], "Resource": "<sqs-arn>" } ] }
    4. Review and create the policy.
  3. Edit the role you created in Step 1 and attach the policy to the role.
  4. Copy the
    Role ARN
    .
  5. Continue with the task for the applicable Amazon S3 logs you want to configure.

Recommended For You