
The AWS sensor (Control Tower setup)

The AWS sensor collects and processes information about configuration changes and actions taken by users, roles, or AWS services.

You can integrate two types of AWS environments with GravityZone XDR:

This section guides you through the process of integrating your AWS Control Tower–governed environment with XDR.

Overview

The integration process includes multiple sub-procedures:

Prerequisites

Before integrating your AWS Control Tower-managed environment with GravityZone XDR, ensure:

  • You have access to both the Management account and the Log Archive account within your AWS Organization.

  • You have the required IAM permissions to create and manage AWS resources.

    Note

    The AdministratorAccess policy is recommended.

  • Both the Management account and the Log Archive account belong to the same Control Tower landing zone and are configured in the same AWS region as that landing zone.

Downloading templates from GravityZone Control Center

To download the required CloudFormation templates from GravityZone Control Center, follow these steps:

  1. Log in to GravityZone Control Center.

  2. Go to the Configuration > Sensors Management page from the left side menu.

  3. Click Add new.

  4. Select the company where you want to deploy the sensor.

  5. Click Next.

  6. Locate the AWS card and click Integrate.

    The integration wizard is displayed.

  7. At the Check requirements step, select the following URLs to download the configuration files:

    • management account template

    • log archive account template

    • response actions template (optional, to be able to take response actions)

    The files will automatically download or open in new tabs, depending on your browser settings.

Tip

Remain logged in to GravityZone Control Center, as you will need to return to it in a later phase of the setup.

Gathering required information from the Control Tower console

The following information must be retrieved from the AWS Control Tower console:

  • the Management account ID

  • the Log Archive account ID

  • the ID of the organizational unit containing the Log Archive account

  • the Amazon S3 bucket name

Follow these steps to gather this information:

  1. Sign in to the AWS Management Console with the Management account of your AWS Organization.

  2. In the search bar at the top of the console, type Control Tower.

  3. From the results list, select the Control Tower service.

    You will be redirected to the AWS Control Tower console.

  4. In the left-side menu, select Organization.

    You will be redirected to the Organization page in AWS Control Tower. For details about this page, refer to Govern organizations and accounts with AWS Control Tower.

  5. Locate and note the following information for future reference:

    • the Management account ID

    • the Log Archive account ID

    • the ID of the organizational unit containing the Log Archive account

  6. From the navigation pane on the left, select Landing zone settings to open the corresponding page in the Control Tower console.

  7. Open the Configurations tab.

  8. In the AWS CloudTrail configuration section, locate the Amazon S3 bucket field and note its value for later use.

Creating a CloudFormation stack with the Management account template

To create a stack in the CloudFormation console using the Management account template you downloaded earlier from GravityZone Control Center, follow these steps:

  1. In the search bar at the top of the AWS Control Tower console, type CloudFormation.

  2. From the results list, select the CloudFormation service.

    You will be redirected to the AWS CloudFormation console.

  3. Follow the steps in the Create a stack from the CloudFormation console page to create a stack, considering the specifications below:

    • On the navigation bar at the top of the CloudFormation console, select the AWS Region where your AWS Control Tower landing zone is deployed.

    • After clicking Create stack, select With new resources (standard).

    • On the Create stack page, select Choose an existing template, and then Upload a template file.

    • After clicking Choose File, browse your local computer, select the bitdefender-gz-xdr-aws-control-tower-management-account.yaml file you downloaded earlier, and then click Open.

    • On the Specify stack details page, in the Parameters section, enter the values for the Log Archive account ID and bucket name that you noted earlier. We recommend keeping the rest of the fields at their default values.

    • On the Configure stack options page, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox from the Capabilities section. We recommend leaving the rest of the settings as default.

  4. Once redirected to the Events tab for your new stack, wait until the status changes to CREATE_COMPLETE.

Creating an IAM access key

To create an access key to allow the AWS sensor to securely connect to your AWS environment, follow these steps:

  1. In the left-side menu of the CloudFormation console, select Exports to navigate to the Exports page.

  2. Securely save the export values of the GravityZoneXDRSQSQueueURL and GravityZoneXDRSQSQueueARN exports, as they will be required later.

  3. Click the export value of the GravityZoneXDRServiceUserURL export.

    You will be redirected to the IAM Choose your AWS session page.

  4. Select the ID of your Management account.

    You will be redirected to the IAM Create access key > Access key best practices & alternatives page.

  5. Select Third-party service.

  6. Select the confirmation checkbox.

  7. Click Next.

    You will be redirected to the Set description tag - optional page.

  8. Click Create access key.

  9. From the Retrieve access keys page, securely save both the access key and secret access key, as you will need them later.

Note

To learn more about managing IAM access keys, refer to the How IAM users can manage their own access keys documentation page.

Creating a CloudFormation StackSet with the Log Archive account template

To create a StackSet in the CloudFormation console using the Log Archive account template you downloaded earlier from GravityZone Control Center, follow these steps:

  1. In the search bar at the top of the AWS IAM console, type CloudFormation.

  2. From the results list, select the CloudFormation service.

    You will be redirected to the AWS CloudFormation console.

  3. Follow the steps in the Create a StackSet with service-managed permissions (console) topic to create a StackSet, considering the specifications below:

    • On the navigation bar at the top of the CloudFormation console, select the AWS Region where your AWS Control Tower landing zone is deployed.

    • On the Choose a template page, under the Specify template section:

      1. Select Upload a template file.

      2. Click Choose File.

      3. Browse your local computer, select the bitdefender-gz-xdr-aws-control-tower-log-archive-account.yaml file you downloaded earlier, and then click Open.

    • On the Specify StackSet details page, in the Parameters section, enter the values for the Log Archive bucket name and the Management account ID that you noted earlier.

      Warning

      If you customized the LogArchiveReadRoleName and ServiceIAMUserName values when creating the stack with the Management account template, make sure to use the same values now during StackSet creation to keep them consistent. If you did not, we recommend keeping the default values.

    • On the Configure StackSet options page, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox from the Capabilities section. We recommend leaving the rest of the settings as default.

    • On the Set deployment options page, under Deployment targets:

      1. Select Deploy to organizational units (OUs).

      2. In the AWS OU ID field, type the ID of the organizational unit containing the Log Archive account, which you recorded earlier.

      3. Select the Intersection account filter type.

      4. In the Account numbers text box, enter the Log Archive account ID you noted earlier.

    • On the Set deployment options page, under Specify Regions, select the region where your AWS Control Tower landing zone is deployed.

    • On the Set deployment options page, under the Auto-deployment options and Deployment options sections, retain the default configurations.

  4. Once redirected to the Operations tab for your new StackSet, wait until the status changes to SUCCEEDED.

Enabling Amazon SQS notifications for the Log Archive account bucket

To enable notifications for the Log Archive account bucket, follow these steps:

  1. Sign in to the AWS Management Console with the Log Archive account of your AWS Organization.

  2. In the search bar at the top of the console, type S3.

  3. From the results list, select the S3 service.

    You will be redirected to the Amazon S3 console.

  4. Follow the steps on the Enabling Amazon SNS, Amazon SQS, or Lambda notifications using the Amazon S3 console page, considering the specifications below:

    • From the General purpose buckets tab, select the Amazon S3 bucket you noted earlier.

    • In the General configuration section of the Create event notification page, specify a name for your event notification. Do not modify any other fields.

    • In the Event types section of the Create event notification page, select All object create events.

    • In the Destination section of the same page:

      1. Select SQS queue and Enter SQS queue ARN.

      2. In the SQS queue text box, enter the previously saved export value of the GravityZoneXDRSQSQueueARN export.
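A post-setup consistency check, added here as an example and not part of Bitdefender's documentation or tooling: it takes the JSON that `aws cloudformation list-exports` (run in the Management account) and `aws s3api get-bucket-notification-configuration` (run in the Log Archive account) return, confirms the three exports from the access-key procedure exist, that the queue URL and ARN name the same queue, and that the CloudTrail bucket forwards all object-create events to that queue. The export names are those from this page; the account ID, region, queue name and bucket configuration are constructed samples.

```python
import json
import re

# Export names are defined by the Management account template on this page.
REQUIRED_EXPORTS = ("GravityZoneXDRSQSQueueURL", "GravityZoneXDRSQSQueueARN",
                    "GravityZoneXDRServiceUserURL")

# Constructed sample of `aws cloudformation list-exports` output; the account
# ID, region and queue name are placeholders, not real identifiers.
LIST_EXPORTS = json.loads('''{"Exports": [
 {"Name": "GravityZoneXDRSQSQueueURL",
  "Value": "https://sqs.eu-west-1.amazonaws.com/111111111111/gz-xdr-queue"},
 {"Name": "GravityZoneXDRSQSQueueARN",
  "Value": "arn:aws:sqs:eu-west-1:111111111111:gz-xdr-queue"},
 {"Name": "GravityZoneXDRServiceUserURL",
  "Value": "https://console.aws.amazon.com/iam/home#/users/gz-xdr-user"}]}''')

# Constructed sample of `aws s3api get-bucket-notification-configuration`
# output for the Log Archive CloudTrail bucket after the console steps above.
BUCKET_NOTIFICATION = json.loads('''{"QueueConfigurations": [
 {"Id": "gravityzone-xdr", "Events": ["s3:ObjectCreated:*"],
  "QueueArn": "arn:aws:sqs:eu-west-1:111111111111:gz-xdr-queue"}]}''')

SQS_ARN = re.compile(r"^arn:aws:sqs:([a-z0-9-]+):(\d{12}):([A-Za-z0-9_-]+)$")


def exports_by_name(list_exports):
    return {e["Name"]: e["Value"] for e in list_exports.get("Exports", [])}


def check_setup(list_exports, notification):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    ex = exports_by_name(list_exports)
    for name in REQUIRED_EXPORTS:
        if name not in ex:
            findings.append(f"missing export {name}")
    arn = ex.get("GravityZoneXDRSQSQueueARN", "")
    url = ex.get("GravityZoneXDRSQSQueueURL", "")
    m = SQS_ARN.match(arn)
    if not m:
        findings.append("queue ARN is not a valid SQS ARN")
    else:
        region, account, queue = m.groups()
        # The queue URL must name the same region, account and queue as the ARN.
        if url != f"https://sqs.{region}.amazonaws.com/{account}/{queue}":
            findings.append("queue URL does not match queue ARN")
    # "All object create events" in the S3 console is the s3:ObjectCreated:* event.
    hits = [q for q in notification.get("QueueConfigurations", [])
            if q.get("QueueArn") == arn and "s3:ObjectCreated:*" in q.get("Events", [])]
    if not hits:
        findings.append("bucket has no ObjectCreated:* notification to the GravityZone queue")
    return findings
```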

(Optional) Creating a CloudFormation stack with the response actions template

To create a stack in the CloudFormation console using the response actions template you downloaded earlier from GravityZone Control Center, follow these steps:

  1. Sign in to the AWS Management Console with the Management account of your AWS Organization.

  2. In the search bar at the top of the AWS console, type CloudFormation.

  3. From the results list, select the CloudFormation service.

    You will be redirected to the AWS CloudFormation console.

  4. Follow the steps in the Create a stack from the CloudFormation console page to create a stack, considering the specifications below:

    • On the navigation bar at the top of the CloudFormation console, select the AWS Region where your AWS Control Tower landing zone is deployed.

    • After clicking Create stack, select With new resources (standard).

    • On the Create stack page, select Choose an existing template, and then Upload a template file.

    • After clicking Choose File, browse your local computer, select the bitdefender-gz-xdr-aws-control-tower-response-actions.yaml file you downloaded earlier, and then click Open.

    • On the Specify stack details page, in the Parameters section, enter the same ServiceIAMUserName you used when creating the stack with the Management account template. If you didn’t customize this value earlier, you can safely keep the default one.

    • On the Configure stack options page, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names checkbox from the Capabilities section. We recommend leaving the rest of the settings as default.

  5. Once redirected to the Events tab for your new stack, wait until the status changes to CREATE_COMPLETE.

Sensor setup in GravityZone Control Center

Back in GravityZone Control Center, on the Check requirements page, follow these steps to complete the sensor setup:

  1. Click Next.

  2. On the Sensor details page, name the integration.

  3. Enter the access key and secret access key that you saved earlier.

  4. In the SQS link field, enter the previously saved value of the GravityZoneXDRSQSQueueURL export.

  5. Click Test connectivity.

    A confirmation message will be displayed indicating that the integration has been successfully added to your sensor list.

  6. Click Done.

The new integration will be available in the Sensors Management table.