Linked Accounts

Link accounts to ingest data.

[Image: Linked Accounts page]

Linking Accounts

To get started, you will deploy our CloudFormation stack into the first AWS account from which you would like us to ingest data, confirm the stack creation in DataDefender, and we'll begin ingesting data. You can link as many AWS accounts as you would like using the same method.

Linking an account is a four-step process. This page details how to complete each step.

  • Initiate Deployment from DataDefender

  • Configure and deploy CloudFormation stack from AWS

  • Link the stack to DataDefender

  • Confirm Deployment

1. Initiate Deployment from DataDefender

In order to do this, navigate to Linked Accounts and click the button.

In the next page, fill out the following:

  1. Name your CloudFormation Stack.

  2. Indicate the region your stack should reside in.

  3. The next four settings determine whether DataDefender has access to, and will try to retrieve data for, the S3 Inventory, EBS Inventory, File Systems, and Security Checks feature sets. If you select any of these settings, DataDefender provisions the permissions required to gather information for those feature sets.

  4. Decide whether to enable the Activity Monitoring CloudTrail Feature Set. DataDefender uses this information in its Monitoring and File Access Report features. The form requires an existing CloudTrail Trail and the ARN of the S3 bucket the Trail logs to. Place that ARN into the form. Please refer to the Configuring CloudTrail Log Bucket section below for more details.

  5. Decide whether to enable the Activity Monitoring S3 Server Access Logs Feature Set. DataDefender uses this information in its Monitoring and File Access Report features. The form requires Server Access Logging to be enabled. We accept one S3 bucket as input, so ensure all monitored buckets log to the same logging bucket. Place the ARN of that bucket into the form. Please refer to the Configuring Server Access Log Bucket section below for more details.

[Image: Linked Accounts page, account form]

2. Configure and deploy CloudFormation stack in AWS

Select 'Launch CloudFormation'. It will bring you to an AWS Login where you will need to sign in to the account where you wish to deploy our stack.

Once signed in, you'll be brought to CloudFormation's 'Quick create stack' menu.

[Image: Linked Stack Parameters]

[Image: Linked Account Stack Parameters]

Currently, there are 13 parameters you can configure when deploying our stack. Most values are pre-filled from the form in the previous step. Here is each parameter and its function:

| Parameter | Function | Example Values |
| --- | --- | --- |
| Stack Name | What your stack will be named. | my-stack |
| ActivityMonitoringCloudTrailQueueName | Optional; name to give the created Activity Monitoring CloudTrail SQS queue. | datadefender-activity-monitoring-ct |
| ActivityMonitoringCloudTrailS3BucketArn | The ARN of the S3 bucket that CloudTrail events are logged to. | arn:aws:s3:::example |
| ActivityMonitoringS3ServerAccessLogsBucketArn | The ARN of the S3 bucket that S3 server access logs are logged to. | arn:aws:s3:::example |
| ActivityMonitoringS3ServerAccessLogsQueueName | Optional; name to give the created Activity Monitoring S3 Server Access Logs SQS queue. | datadefender-activity-monitoring-sal |
| ConnectionManagementType | Whether the connection is self-managed or is a manager of other connections. | Self, Managed |
| EnableActivityMonitoringCloudTrailFeatureSet | Pick Yes to enable the Activity Monitoring feature set for a CloudTrail event source. | Yes, No |
| EnableActivityMonitoringS3ServerAccessLogsFeatureSet | Pick Yes to enable the Activity Monitoring feature set for an S3 Server Access Logs event source. | Yes, No |
| EnableEBSInventoryFeatureSet | Pick Yes to enable the EBS Inventory feature set. | Yes, No |
| EnableFileSystemsInventoryFeatureSet | Pick Yes to enable the File Systems Inventory feature set. | Yes, No |
| EnableS3InventoryFeatureSet | Pick Yes to enable the S3 Inventory feature set. | Yes, No |
| EnableSecurityChecksFeatureSet | Pick Yes to enable the Security Checks feature set. | Yes, No |
| IamRoleNameSuffix | Optional; suffix appended to the name of the created IAM role. May be required if there are IAM role name conflicts. | CloudStorageSec |
| IdentityProviderUrl | The URL of the Cloud Storage Security identity provider used to verify identity when assuming the role. Do not include https:// in the URL. This does not have to be modified. | auth.datadefender.io/realms/datadefender |

After you are satisfied with your parameters, select 'I acknowledge that AWS CloudFormation might create IAM resources with custom names.' and deploy the stack.
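As an added example (not part of this page or of DataDefender's own tooling), the following Python pre-checks the parameter values from the table above before you launch the stack, using only the rules the table states: the feature-set flags are Yes or No, ConnectionManagementType is Self or Managed, each enabled activity-monitoring feature set has an S3 bucket ARN, and IdentityProviderUrl carries no https:// prefix. It then shapes the values as the ParameterKey/ParameterValue list the CloudFormation API and CLI accept. The sample values are constructed from the table's example column; the regular expressions for bucket ARNs, SQS queue names and IAM role name characters are my assumptions, not DataDefender's validation.

```python
import json
import re

# Closed value sets stated in the parameter table.
YES_NO = {"Yes", "No"}
CONNECTION_TYPES = {"Self", "Managed"}

# Format rules (assumptions, not DataDefender's own validation): a bucket ARN
# has no key or trailing "/*"; a standard SQS queue name is up to 80 chars of
# letters, digits, "-" and "_"; the identity provider is host[/path] with no
# scheme, as the table says; IAM names use the characters IAM permits.
S3_BUCKET_ARN = re.compile(r"^arn:aws[a-z-]*:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
SQS_QUEUE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,80}$")
HOST_AND_PATH = re.compile(r"^[A-Za-z0-9.-]+(/\S*)?$")
IAM_NAME_CHARS = re.compile(r"^[\w+=,.@-]+$")

FEATURE_FLAGS = [
    "EnableActivityMonitoringCloudTrailFeatureSet",
    "EnableActivityMonitoringS3ServerAccessLogsFeatureSet",
    "EnableEBSInventoryFeatureSet",
    "EnableFileSystemsInventoryFeatureSet",
    "EnableS3InventoryFeatureSet",
    "EnableSecurityChecksFeatureSet",
]

# Each activity-monitoring flag needs its bucket ARN; the queue name is optional.
ACTIVITY_MONITORING = [
    ("EnableActivityMonitoringCloudTrailFeatureSet",
     "ActivityMonitoringCloudTrailS3BucketArn",
     "ActivityMonitoringCloudTrailQueueName"),
    ("EnableActivityMonitoringS3ServerAccessLogsFeatureSet",
     "ActivityMonitoringS3ServerAccessLogsBucketArn",
     "ActivityMonitoringS3ServerAccessLogsQueueName"),
]


def validate_stack_parameters(params):
    """Return the list of problems found (an empty list means the values are acceptable)."""
    problems = []
    for key in FEATURE_FLAGS:
        if params.get(key) not in YES_NO:
            problems.append(f"{key} must be Yes or No")
    if params.get("ConnectionManagementType") not in CONNECTION_TYPES:
        problems.append("ConnectionManagementType must be Self or Managed")

    idp = params.get("IdentityProviderUrl", "")
    if idp.startswith(("https://", "http://")):
        problems.append("IdentityProviderUrl must not include https://")
    elif not HOST_AND_PATH.match(idp):
        problems.append("IdentityProviderUrl must be a host name with an optional path")

    for flag, bucket_key, queue_key in ACTIVITY_MONITORING:
        if params.get(flag) != "Yes":
            continue  # feature set disabled: its bucket and queue are not needed
        if not S3_BUCKET_ARN.match(params.get(bucket_key, "")):
            problems.append(f"{bucket_key} must be a bucket ARN such as arn:aws:s3:::example")
        queue = params.get(queue_key)
        if queue and not SQS_QUEUE_NAME.match(queue):
            problems.append(f"{queue_key} is not a valid SQS queue name")

    suffix = params.get("IamRoleNameSuffix")
    if suffix and not IAM_NAME_CHARS.match(suffix):
        problems.append("IamRoleNameSuffix contains characters not allowed in IAM role names")
    return problems


def to_cloudformation_parameters(params):
    """Shape the values as the ParameterKey/ParameterValue list CloudFormation takes.
    The stack name is not a template parameter; it is passed separately (--stack-name)."""
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in sorted(params.items())]


# Constructed sample built from the example column of the table above.
SAMPLE_PARAMETERS = {
    "ActivityMonitoringCloudTrailQueueName": "datadefender-activity-monitoring-ct",
    "ActivityMonitoringCloudTrailS3BucketArn": "arn:aws:s3:::example",
    "ActivityMonitoringS3ServerAccessLogsBucketArn": "arn:aws:s3:::example",
    "ActivityMonitoringS3ServerAccessLogsQueueName": "datadefender-activity-monitoring-sal",
    "ConnectionManagementType": "Self",
    "EnableActivityMonitoringCloudTrailFeatureSet": "Yes",
    "EnableActivityMonitoringS3ServerAccessLogsFeatureSet": "Yes",
    "EnableEBSInventoryFeatureSet": "Yes",
    "EnableFileSystemsInventoryFeatureSet": "No",
    "EnableS3InventoryFeatureSet": "Yes",
    "EnableSecurityChecksFeatureSet": "Yes",
    "IamRoleNameSuffix": "CloudStorageSec",
    "IdentityProviderUrl": "auth.datadefender.io/realms/datadefender",
}

if __name__ == "__main__":
    issues = validate_stack_parameters(SAMPLE_PARAMETERS)
    print("problems:", issues or "none")
    print(json.dumps(to_cloudformation_parameters(SAMPLE_PARAMETERS), indent=2))
```

Run it once with the values you intend to use; a non-empty problem list points at the field to fix before you click through the Quick create stack form.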

After the stack finishes deploying, open the Outputs tab. You should see three outputs.

  • For all deployments, copy the ARN of the Cross-Account IAM Role.

  • If you also enabled Activity Monitoring – S3 Server Access Logs and Activity Monitoring – CloudTrail Feature Set, copy the values of the respective queues as well.

[Image: Cross-Account Role ARN in the stack Outputs]

3. Link the Stack to DataDefender

Now, return to the DataDefender portal and complete the following steps:

  1. Click Continue to go to Step 2: Activate Account.

  2. Leave the CloudFormation stack name and region as they appear (these are the stack name and region used in the previous deployment).

  3. Paste the Cross-Account IAM Role ARN into the AWS Role ARN field.

  4. In Connection Management, you can choose between:

    • Self-Managed: An account that operates independently, with all configurations managed directly.

    • Manager: A management account that can discover and connect to child accounts within its organization.

  5. Enter the AWS Account ID where you deployed the stack.

  6. (Optional) Enter an Account Nickname.

Click

If you enabled Activity Monitoring with CloudTrail or S3 Access Logging, complete Step 3: Configure Activity Monitoring. (Otherwise, disable and skip this step.)

  • Paste the CloudTrail Queue value from the Outputs into the CloudTrail queue name field, and select the region where the queue resides.

  • Paste the S3 Access Logging Queue value from the Outputs into the S3 queue name field, and select the region where the queue resides.

Click

4. Confirm Deployment

Your stack should now be linked. In the 'Linked Accounts' section, verify that a green check symbol appears under 'Credential Status' alongside your alias.

[Image: Deployment Confirmation]

Configuring Log Buckets

In order for DataDefender to ingest logs for its Monitoring and File Access Report features, you'll have to point it to buckets which store the logs. Here's how to configure both of them.

Configuring CloudTrail Log Bucket

  1. In AWS, navigate to CloudTrail.

  2. Click 'Create Trail' in the 'Trails' section.

[Image: CloudTrail Trails > Create Trail]

  3. In your Trail Attributes:

    1. Set a trail name and decide whether to create a new S3 bucket or use an existing S3 bucket.

    2. Decide whether to use SSE-KMS. If enabled, set a new or existing KMS key.

    3. Decide whether to use Log File Validation. Read more from AWS' documentation here.

    4. Decide whether to enable SNS notification delivery. SNS will notify you every time a new log is delivered to your Trail bucket, and you will have to configure a topic to notify through.

    5. Decide whether to send logs to CloudWatch Logs.

    6. Add optional tags.

    7. Click Next.

  4. In your Log Events:

    1. Select Management Events and Data Events.

    2. In Management Events, leave the activity as Read and Write.

    3. In Data Events, choose Resource type as S3.

    4. Click Next.

[Image: CloudTrail Log Events Configuration]

  5. In the Review and Create page:

    1. Verify all information looks correct.

    2. Click 'Create trail'.

After the Trail has been created, navigate to S3 and find the bucket your Trail logs to. Copy the bucket ARN, and place it into your 'Activity Monitoring CloudTrail Log Bucket ARN' section.

[Image: DataDefender CloudTrail Log Bucket ARN]

Configuring Server Access Log Bucket

There may be multiple buckets you want to monitor access on. For each of those buckets, enable Server Access Logging and point to the same S3 bucket. Here's how to do it through the AWS Console.

As a prerequisite, create an S3 bucket where you want all your server access logs to go.

For each bucket you want DataDefender to access:

  1. Navigate to that S3 bucket.

  2. Click 'Properties' and navigate to 'Server access logging'. Click 'Edit'.

[Image: Edit Server Access Logging]

  3. Toggle 'Server access logging' to 'Enable' and specify the aforementioned S3 server access logs bucket.

  4. Decide the Log object key format.

  5. Select 'Save changes'.

Navigate back to S3 and find the bucket your server access logs are delivered to. Copy the bucket ARN, and place it into your 'Activity Monitoring S3 Server Access Log Bucket ARN' section.

[Image: DataDefender Server Access Log Bucket ARN]
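As an added example (not part of this page or of DataDefender's tooling), the following Python checks the two log sources described in this section and in the Configuring CloudTrail Log Bucket section against what the steps above ask for: the trail logs management events with Read and Write plus S3 data events to a bucket, and every monitored bucket has server access logging enabled and pointed at the same target bucket. It returns the bucket ARNs in the form the two 'Log Bucket ARN' fields expect. The inputs are constructed to follow the shape of the boto3 get_trail, get_event_selectors and get_bucket_logging responses, which is my assumption about how you would obtain them; nothing here calls AWS.

```python
# Input shapes follow the boto3 get_trail / get_event_selectors / get_bucket_logging
# responses (an assumption); all data below is constructed, nothing is fetched from AWS.

def bucket_arn(bucket_name):
    """The bucket ARN form the DataDefender fields expect (no key, no trailing /*)."""
    return "arn:aws:s3:::" + bucket_name


def check_trail_for_monitoring(trail, event_selectors):
    """Check a trail against the settings asked for above: management events with
    Read and Write, and S3 data events. Returns (bucket ARN for the form, problems)."""
    problems = []
    management_ok = any(
        sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All"
        for sel in event_selectors
    )
    if not management_ok:
        problems.append("management events must be logged with Read and Write")
    s3_data_ok = any(
        res.get("Type") == "AWS::S3::Object"
        for sel in event_selectors
        for res in sel.get("DataResources", [])
    )
    if not s3_data_ok:
        problems.append("data events for resource type S3 are not enabled")
    bucket = trail.get("S3BucketName")
    if not bucket:
        problems.append("trail has no S3 bucket to log to")
        return None, problems
    return bucket_arn(bucket), problems


def check_server_access_logging(logging_configs):
    """logging_configs maps each monitored bucket to its GetBucketLogging response.
    Every bucket must have logging enabled and all must log to one target bucket.
    Returns (ARN of that single target, or None, and the list of problems)."""
    problems = []
    sources_by_target = {}
    for bucket, cfg in logging_configs.items():
        enabled = cfg.get("LoggingEnabled")
        if not enabled:
            problems.append(f"{bucket}: server access logging is not enabled")
            continue
        sources_by_target.setdefault(enabled["TargetBucket"], []).append(bucket)
    if len(sources_by_target) > 1:
        # The form accepts a single bucket, so a split configuration cannot be used as-is.
        for target, sources in sources_by_target.items():
            problems.append(f"{', '.join(sources)} log to {target}")
        problems.append("all monitored buckets must log to a single bucket")
        return None, problems
    if not sources_by_target:
        return None, problems
    (target,) = sources_by_target
    return bucket_arn(target), problems


# Constructed sample data (bucket and trail names are placeholders).
TRAIL = {"Name": "datadefender-trail", "S3BucketName": "example-cloudtrail-logs"}
EVENT_SELECTORS = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
}]
LOGGING_CONFIGS = {
    "finance-data": {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "finance/"}},
    "hr-data": {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "hr/"}},
    "scratch": {},  # logging never enabled on this bucket
}

if __name__ == "__main__":
    print(check_trail_for_monitoring(TRAIL, EVENT_SELECTORS))
    print(check_server_access_logging(LOGGING_CONFIGS))
```

The second check returns the shared target's ARN even when some buckets are unlogged, so the problem list, not just the ARN, decides whether the configuration is complete.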
