AWS (Amazon Web Services) is a comprehensive, evolving cloud computing platform provided by Amazon that includes a mixture of infrastructure as a service (IaaS), platform as a service (PaaS) and packaged software as a service (SaaS) offerings.

Lucidum uses the AWS connector to ingest data from the following AWS services:

  • AWS Database Services (DynamoDB)

  • AWS EC2 Instance

  • AWS IAM User/Policy

  • AWS EKS Kubernetes Service

  • AWS ECS Container Service

  • AWS S3 File Storage

  • AWS Inspector

  • AWS Logs (CloudWatch/CloudTrail)

  • AWS ELB Load Balancer

  • AWS Elastic Network Interface

  • AWS Security Groups

  • AWS Route53

  • AWS Lambda Function

  • AWS Config

  • AWS Organizations

  • AWS Elastic Cache

  • AWS Workspaces

Requirements

To use the AWS Connector in Lucidum:

  1. If you want to monitor multiple AWS accounts, you must first define cross-account access that allows Lucidum to ingest information from each of those accounts.

  2. You can then configure the AWS connector in Lucidum and start ingesting data from AWS.

Prerequisite: Define Cross-Account Access in AWS

If you want to use Lucidum to monitor multiple AWS accounts, you can use cross-account access. With cross-account access, Lucidum can assume roles that allow it to ingest data from multiple AWS accounts.

To define cross-account access, you must create a role in each AWS account and allow the EC2 server running the Lucidum system to assume this role.

In each of the additional AWS accounts you want to access with a Lucidum Connector:

  1. Log in to the AWS Management Console as an administrator for the account you want to allow Lucidum to access. Open the IAM console at https://console.aws.amazon.com/iam/. You will create a new role that allows Lucidum to access the account.

  2. In the navigation pane on the left, choose Policies.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Type or paste the following JSON text:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "cloudtrail:Describe*",
          "cloudtrail:Get*",
          "cloudtrail:List*",
          "cloudtrail:LookupEvents",
          "cloudwatch:Describe*",
          "cloudwatch:Get*",
          "cloudwatch:List*",
          "codecommit:List*",
          "codecommit:Get*",
          "config:Describe*",
          "config:Get*",
          "config:List*",
          "dynamodb:Describe*",
          "dynamodb:List*",
          "dynamodb:Scan",
          "ec2:Describe*",
          "ec2:Get*",
          "ecr:Batch*",
          "ecr:Describe*",
          "ecr:Get*",
          "ecr:List*",
          "ecs:Describe*",
          "ecs:List*",
          "eks:Describe*",
          "eks:List*",
          "elasticache:Describe*",
          "elasticloadbalancing:Describe*",
          "guardduty:Get*",
          "guardduty:List*",
          "iam:Get*",
          "iam:List*",
          "inspector:Describe*",
          "inspector:Get*",
          "inspector:List*",
          "kms:Describe*",
          "kms:Get*",
          "kms:List*",
          "lambda:Get*",
          "lambda:List*",
          "logs:PutLogEvents",
          "logs:CreateLogStream",
          "logs:CreateLogGroup",
          "logs:Describe*",
          "logs:FilterLogEvents",
          "logs:Get*",
          "logs:List*",
          "organizations:Describe*",
          "organizations:List*",
          "pricing:Describe*",
          "pricing:Get*",
          "route53:List*",
          "s3:Get*",
          "s3:List*",
          "securityhub:Describe*",
          "securityhub:Get*",
          "securityhub:List*",
          "sns:List*",
          "ssm:Describe*",
          "ssm:Get*",
          "sts:Get*",
          "sts:AssumeRole",
          "tag:Get*",
          "workspaces:Describe*"
        ],
        "Resource": "*"
      }
    }

  6. Choose Review policy.

  7. Choose Next: Tags.

  8. On the Review policy page, type the following:

    • Name. Type Lucidum-Readonly-Policy.

    • Description (optional) for the policy that you are creating.

  9. Review the policy Summary.

  10. Then choose Create policy to save your work.

  11. In the IAM console, choose Roles from the left menu.

  12. Choose Create Role.

  13. Create a new role, named lucidum_assume_role.

  14. Choose Another AWS Account. Enter the following:

    • Account ID. Type the AWS account where your Lucidum instance resides.

    • Leave the other two options unchecked.

  15. Click Next.

  16. To attach the policy Lucidum-Readonly-Policy to lucidum_assume_role, select the checkbox next to Lucidum-Readonly-Policy.

  17. Click Next.

  18. Enter the details to create the role and save and create the new role.

  19. Select lucidum_assume_role. Change the maximum session duration to 4 hours and click Save changes.

  20. Check the “Trust relationships” tab. The policy should look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::[AWS primary account ID]:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }

  21. Perform steps 1-20 for each additional AWS account you want Lucidum to connect to.

  22. For each new Role, find and note the ARN:

    • In the navigation pane of the IAM console, choose Roles.

    • In the list of roles, choose the role.

    • In the Summary section of the details pane, copy the Role ARN value.

    • Log in to the IAM console for the account where your Lucidum EC2 instance resides. You will perform steps that allow Lucidum to assume the new role.

  23. In the navigation pane on the left, choose Policies.

  24. Choose Create policy.

  25. Choose the JSON tab.

  26. Type or paste the following JSON text:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": [
                    "arn:aws:iam::[AWS additional account ID 1]:role/lucidum_assume_role",
                    "arn:aws:iam::[AWS additional account ID 2]:role/lucidum_assume_role"
                ]
            }
        ]
    }

    where:

    • AWS additional account ID is the ARN for each account you want to allow Lucidum to access.

    Copy and paste the line that begins with “arn:aws:iam” for each account you want to access with Lucidum.

  27. On the Review policy page, type the following:

    • Name. Type Lucidum-Assume-Accounts-Policy.

    • Description (optional) for the policy that you are creating.

  28. Attach the Lucidum-Assume-Accounts-Policy policy to the EC2 instance for the Lucidum system.

  29. Lucidum is now able to assume the roles from additional AWS accounts.
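An added review check, not part of Lucidum's documentation, that you can run over the two JSON documents from the procedure above before attaching them: it lists every grant in Lucidum-Readonly-Policy whose verb is not a read verb (so a reviewer can confirm each one is intended) and flags a lucidum_assume_role trust policy whose Condition is empty. The policy dicts are constructed excerpts of the page's JSON, and the account ID 111111111111 is a placeholder.

```python
import re

# Constructed excerpt of the page's Lucidum-Readonly-Policy (a subset of its actions).
READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Resource": "*",
                  "Action": ["ec2:Describe*", "s3:Get*", "iam:List*", "dynamodb:Scan",
                             "cloudtrail:LookupEvents", "logs:FilterLogEvents", "ecr:Batch*",
                             "logs:PutLogEvents", "logs:CreateLogStream",
                             "logs:CreateLogGroup", "sts:AssumeRole"]},
}
# Trust policy from step 20, with a placeholder 12-digit primary account ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Condition": {},
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}],
}
# IAM verbs that only read; anything else is treated as write-capable until reviewed.
READ_VERB = re.compile(r"^(Describe|Get|List|Lookup|Filter|Scan)")
# Write-capable grants the page's policy includes deliberately (log delivery, role chaining).
EXPECTED_WRITES = {"logs:PutLogEvents", "logs:CreateLogStream",
                   "logs:CreateLogGroup", "sts:AssumeRole"}


def statements(policy):
    """IAM accepts Statement as one object or a list; normalise to a list."""
    stmt = policy["Statement"]
    return stmt if isinstance(stmt, list) else [stmt]


def non_read_actions(policy):
    """Allowed actions whose verb is not a read verb, e.g. ecr:Batch* (matches BatchDeleteImage too)."""
    found = set()
    for stmt in statements(policy):
        actions = stmt.get("Action", []) if stmt.get("Effect") == "Allow" else []
        for action in ([actions] if isinstance(actions, str) else actions):
            if not READ_VERB.match(action.partition(":")[2] or action):
                found.add(action)
    return sorted(found)


def unexpected_writes(policy):
    """Write-capable grants missing from the documented allow-list: these need a reviewer's sign-off."""
    return sorted(set(non_read_actions(policy)) - EXPECTED_WRITES)


def trust_findings(trust, expected_account):
    """Check the trust policy names only the Lucidum account root and carries a Condition."""
    findings = []
    for stmt in statements(trust):
        principal = stmt.get("Principal", {}).get("AWS", "")
        if principal == "*" or not principal.endswith(f"::{expected_account}:root"):
            findings.append(f"principal {principal!r} is not the Lucidum account root")
        if not stmt.get("Condition"):
            findings.append("empty Condition: no sts:ExternalId check, so the External role ID "
                            "entered in the connector is never enforced by this role")
    return findings
```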

Configuring the AWS Connector

To configure Lucidum to ingest data from AWS:

  1. Log in to Lucidum.

  2. In the left pane, click Connector.

  3. In the Connector page, click Add Connector.

  4. Scroll until you find the Connector for AWS. Click Connect. The Settings page appears.

  5. In the Settings page, enter the following:

    • Access Key ID. Provide the AWS Access Key ID for the AWS account you want to ingest data from.

      • If you specify a value in the Role name field, you can leave this blank.

    • Access Key Secret. Provide the AWS Access Key Secret for the AWS account you want to ingest data from.

      • If you specify a value in the Role name field, you can leave this blank.

    • External role ID (optional). External ID for the cross-account role. The default value is “lucidum access”.

    • Role duration (optional). Duration of the session for the assumed cross-account role. By default, Lucidum sets the duration to 4 hours.

    • Role name. Name of the cross-account role to assume. In the previous section, you created the role lucidum_assume_role.

      • If you specified values in Access key ID and Access key secret, you can leave this blank.

    • AWS accounts (optional). Account ID for each AWS account that will allow Lucidum to use an IAM role to ingest data. For example, [111111111111, 222222222222]

  6. To test the configuration, click Test.

    • If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.

    • If the connector is not configured correctly, Lucidum displays an error message.

Supported Actions

The AWS Connector supports these Actions in Lucidum:

  • Start/Stop AWS EC2 instances

  • Add Tag to AWS EC2 instance

  • Remove Tag from AWS EC2 instance