
Integrate with AWS

Before starting

Before starting, you should decide which parts of your AWS ecosystem you want to monitor. You may choose to monitor the entire AWS organization or single accounts. If you want SlashID to protect all the data in your AWS Organization, you must use an organization management account for setup. Otherwise, SlashID will monitor only the data in the specified AWS account.

Set up the connection

  1. In your AWS Management Console > IAM > Policies, create a new policy:
  • Policy editor: JSON
  • Paste the following policy in the Policy editor. This policy contains all the permissions needed to automatically set up the connection between SlashID and AWS. Review it before saving: some statements grant actions on `"Resource": "*"` (for example `sts:AssumeRole` and `kms:Decrypt`), several are pinned to the `us-east-1` region, and the Secrets Manager statement names a specific account ID, so confirm these match your account and scope them down where your environment allows.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListRoots",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListChildren",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListDelegatedServicesForAccount",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/slashid-*",
        "arn:aws:iam::*:role/AWSCloudFormationStackSet*",
        "arn:aws:iam::*:role/service-role/AWSCloudFormationStackSet*",
        "arn:aws:iam::*:role/aws-service-role/cloudtrail.amazonaws.com/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStackSet",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStackSet",
        "cloudformation:DescribeStackSet",
        "cloudformation:DeleteStackSet",
        "cloudformation:CreateStackInstances",
        "cloudformation:UpdateStackInstances",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:DeleteStackInstances",
        "cloudformation:ListStackSetOperations"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stackset/slashid-*:*",
        "arn:aws:cloudformation:*:*:stack/slashid-*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:GetParameter",
        "ssm:DeleteParameter"
      ],
      "Resource": "arn:aws:ssm:*:*:parameter/slashid/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:ListConnections",
        "events:DescribeConnection",
        "events:ListEventBuses",
        "events:ListRules",
        "events:ListTargetsByRule",
        "events:DeleteConnection",
        "events:DeleteRule",
        "events:CreateApiDestination",
        "events:ListApiDestinations",
        "events:DeleteApiDestination",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:DeleteRule",
        "events:RemoveTargets",
        "events:DescribeRule",
        "events:ListTargetsByRule"
      ],
      "Resource": "arn:aws:events:*:*:rule/slashid-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:TagResource",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DeleteSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:228209566706:secret:events!connection/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:CreateEventBus",
        "events:DeleteEventBus",
        "events:DescribeEventBus"
      ],
      "Resource": "arn:aws:events:*:*:event-bus/slashid-*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:CreateConnection",
        "events:DeleteConnection"
      ],
      "Resource": "arn:aws:events:*:*:connection/slashid-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:CreatePolicy",
        "organizations:DeletePolicy",
        "organizations:UpdatePolicy",
        "organizations:DescribePolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy",
        "organizations:ListPolicies",
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::*:policy/service_control_policy/*",
        "arn:aws:organizations::*:root/*",
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStackSet",
        "cloudformation:UpdateStackSet",
        "cloudformation:DeleteStackSet",
        "cloudformation:DescribeStackSet",
        "cloudformation:CreateStackInstances",
        "cloudformation:DeleteStackInstances",
        "cloudformation:ListStackInstances",
        "cloudformation:DescribeStacks",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack",
        "iam:PassRole",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:GetPolicy"
      ],
      "Resource": "arn:aws:iam::*:policy/SlashID*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketLogging",
        "s3:GetBucketPolicy",
        "s3:GetBucketLocation",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketNotification",
        "s3:PutBucketAcl"
      ],
      "Resource": [
        "arn:aws:s3:::slashid-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:DeleteTrail",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:AddTags",
        "cloudtrail:RemoveTags",
        "cloudtrail:ListTags",
        "organizations:EnableAWSServiceAccess",
        "organizations:DisableAWSServiceAccess"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::slashid-*/*"
    },
    {
      "Effect": "Allow",
      "Action": "organizations:EnablePolicyType",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:DescribeRule",
        "events:DeleteRule",
        "events:RemoveTargets"
      ],
      "Resource": "arn:aws:events:us-east-1:*:rule/SlashIDS3LogDelivery"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:AddPermission",
        "lambda:UpdateFunctionCode",
        "lambda:CreateFunction"
      ],
      "Resource": "arn:aws:lambda:us-east-1:*:function:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:ListPolicyVersions",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/slashid-*",
        "arn:aws:iam::*:role/SlashID*",
        "arn:aws:iam::*:policy/SlashID*",
        "arn:aws:iam::*:policy/slashid-*",
        "arn:aws:iam::*:role/AWSCloudFormationStackSet*",
        "arn:aws:iam::*:role/service-role/AWSCloudFormationStackSet*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:DeregisterDelegatedAdministrator"
      ],
      "Resource": "*"
    }
  ]
}
  2. In your AWS Management Console > IAM > Users, create a new user:
  • Set permissions: Attach policies directly and select the policy created in step 1.
  3. Open the new user page. In the Security credentials tab, scroll down to Access keys and click on Create access key:
  • Access key best practices & alternatives: Third-party service
  • Retrieve access keys: copy and store the Access key ID and Secret access key, which you will need in the next step.
  4. In the SlashID Console, paste the relevant attributes:
| SlashID Console field | Description |
| --- | --- |
| Name of the connection | Arbitrary name you give to this connection |
| Access key ID | The ID of the access key you created in step 3 |
| Access key secret | The secret of the access key you created in step 3 |
| Authoritative status | Decide whether AWS identities are the primary (or secondary) source of truth when reconciling identities across providers |
| Account ID | Your AWS account ID |
| Region | The region that the API calls target; for best performance, this should be the same region as the S3 bucket where historical log data is stored |
| Retrieve the entire organization? | Choose whether to retrieve data for the whole AWS organization |
| CloudTrail S3 bucket name (Optional) | If you wish to pull historical log data, specify the name of the S3 bucket where CloudTrail logs are stored |
| Historical logs range | Specify how many days of historical data should be retrieved (defaults to 90 days, max 3650). This operation will take time. |
| Historical logs digest path prefix | Prefix for the CloudTrail log digest objects within the CloudTrail S3 bucket where historical logs can be found (default is AWSLogs) |