Get Started

Welcome to the DataDefender portal! Assuming you are already logged in to the DataDefender solution, all you need to get started is to link AWS accounts for us to ingest.

Linked Accounts Page

Linking Accounts

To get started, you will deploy our CloudFormation stack into the first AWS account which you would like to us to ingest data from, confirm the stack creation in DataDefender, and we'll begin ingesting data. You can link as many AWS accounts as you would like using the following method.

Linking an Account is a 4 step process. This page will detail how to complete each step.

  • Initiate Deployment from DataDefender

  • Configure and deploy CloudFormation stack from AWS

  • Link the stack to DataDefender

  • Confirm Deployment

1. Initiate Deployment from DataDefender

In order to do this, navigate to Linked Accounts and click the button.

You will see the following form:

Linked Accounts Menu

  1. Name your CloudFormation Stack.

  2. Indicate the region your stack should reside in.

  3. The next four settings determine whether our app will have access to and try to retrieve data for the S3 Inventory, EBS Inventory, File Systems, and Security Checks feature sets. If you select any of these settings, DataDefender will provision the necessary permissions required to gather information for these feature sets.

  4. Decide whether to enable the Activity Monitoring CloudTrail Feature Set. DataDefender uses this information in its Monitoring and File Access Report features. The form requires an existing CloudTrail Trail and the S3 Bucket ARN of where the Trail is logging into. Place that ARN into the form. Please refer to the Configuration CloudTrail Log Bucket section for more details.

  5. Decide whether to enable the Activity Monitoring S3 Server Access Logs Feature Set. DataDefender uses this feature in its Monitoring and File Access Report features. The form requires Server Access Logging enabled. We accept one S3 Bucket as input so ensure all buckets are pointing to one logging bucket. Place the ARN of that bucket into the form. Please refer to the Configuring Server Access Log Bucket section for more details.

2. Configure and deploy CloudFormation stack in AWS

Select 'Launch CloudFormation'. It will bring you to an AWS Login where you will need to sign in to the account where you wish to deploy our stack.

Once signed in, you'll be brought to CloudFormation's 'Quick create stack' menu.

CSS CloudFormation Stack

Linked Account Stack Parameters

Currently, we have 13 parameters that you can configure to deploy our stack. Most settings are already created from the form from the previous step. Here is each parameter and its function:

Parameter
Function
Example Values

Stack Name

What your stack will be named

my-stack

ActivityMonitoringCloudTrailQueueName

Optional; name to give the created Activity Monitoring SQS queue.

datadefender-activity-monitoring-ct

ActivityMonitoringCloudTrailS3BucketArn

The ARN of the S3 bucket that CloudTrail events are logged to.

arn:aws:s3:::example

ActivityMonitoringS3ServerAccessLogsBucketArn

The ARN of the S3 bucket that S3 server access logs are logged to.

arn:aws:s3:::example

ActivityMonitoringS3ServerAccessLogsQueueName

Optional; name to give the created Activity Monitoring S3 Server Access Logs SQS queue.

datadefender-activity-monitoring-sal

ConnectionManagementType

Whether the connection is self-managed or is a manager of other connections.

Self, Managed

EnableActivityMonitoringCloudTrailFeatureSet

Pick Yes if you would like to enable the activity monitoring feature set for a CloudTrail event source.

Yes, No

EnableActivityMonitoringS3ServerAccessLogsFeatureSet

Pick Yes if you would like to enable the activity monitoring feature set for a S3 Server Access Logs event source.

Yes, No

EnableEBSInventoryFeatureSet

Pick Yes if you would like to enable the EBS Inventory feature set.

Yes, No

EnableFileSystemsInventoryFeatureSet

Pick Yes if you would like to enable the File Systems Inventory feature set.

Yes, No

EnableS3InventoryFeatureSet

Pick Yes if you would like to enable the S3 Inventory feature set.

Yes, No

EnableSecurityChecksFeatureSet

Pick Yes if you would like to enable the security checks feature set.

Yes, No

IamRoleNameSuffix

Optional; suffix to include in the created IAM role. May be required if there are IAM role name conflicts.

CloudStorageSec

IdentityProviderUrl

The URL of the Cloud Storage Security identity provider to verify the identity when assuming the role. Do not include https:// in the URL. This does not have to be modified.

auth.datadefender.io/realms/datadefender

After you are satisfied with your parameters, select 'I acknowledge that AWS CloudFormation might create IAM resources with custom names.' and deploy the stack.

3. Link the Stack to DataDefender

After the stack finishes deploying, open the Outputs tab. You should see three outputs.

  • For all deployments, copy the ARN of the Cross-Account IAM Role.

  • If you also enabled Activity Monitoring – S3 Server Access Logs and Activity Monitoring – CloudTrail Feature Set, copy the values of the respective queues as well.

Cross-Account Role ARN

Now, return to the DataDefender portal and complete the following steps:

  1. Click Continue to go to Step 2: Activate Account.

  2. Leave the CloudFormation stack name and region as they appear (these are the stack name and region used in the previous deployment).

  3. Paste the Cross-Account IAM Role ARN into the AWS Role ARN field.

  4. In Connection Management, you can choose between:

    • Self-Managed: An account that operates independently, with all configurations managed directly.

    • Manager: A management account that can discover and connect to child accounts within its organization.

  5. Enter the AWS Account ID where you deployed the stack.

  6. (Optional) Enter an Account Nickname.

Click

If you enabled Activity Monitoring with CloudTrail or S3 Access Logging, complete Step 3: Configure Activity Monitoring. (Otherwise, disable and skip this step.)

  • Paste the CloudTrail Queue value from the Outputs into the CloudTrail queue name field, and select the region where the queue resides.

  • Paste the S3 Access Logging Queue value from the Outputs into the S3 queue name field, and select the region where the queue resides.

Click

4. Confirm Deployment

Your stack should now be linked. Verify in the 'Linked Accounts' section for the green check symbol under 'Credential Status' alongside your alias.

Deployment Confirmation

Using the Product

Now that you have data flowing into your account, you are free to start using DataDefender! For explanations of the DataDefender Portal, head on over to the Portal Overview page.

PreviousSubscribing to DataDefenderNextPortal Overview

Last updated