search
Ctrlk

Linked Accounts

Link accounts to ingest data.

hashtag
Linking Accounts

To get started, you will deploy our CloudFormation stack into the first AWS account which you would like to us to ingest data from, confirm the stack creation in DataDefender, and we'll begin ingesting data. You can link as many AWS accounts as you would like using the following method.

Linking an Account is a 4 step process. This page will detail how to complete each step.

  • Initiate Deployment from DataDefender

  • Configure and deploy CloudFormation stack from AWS

  • Link the stack to DataDefender

  • Confirm Deployment

hashtag
1. Initiate Deployment from DataDefender

In order to do this, navigate to Linked Accounts and click the button.

In the next page, fill out the following:

  1. Name your CloudFormation Stack.

  2. Indicate the region your stack should reside in.

  3. The next four settings determine whether our app will have access to and try to retrieve data for the S3 Inventory, EBS Inventory, File Systems, and Security Checks feature sets. If you select any of these settings, DataDefender will provision the necessary permissions required to gather information for these feature sets.

  4. Decide whether to enable the Activity Monitoring CloudTrail Feature Set. DataDefender uses this information in its Monitoring and File Access Report features. The form requires an existing CloudTrail Trail and the S3 Bucket ARN of where the Trail is logging into. Place that ARN into the form. Please refer to the Configuration CloudTrail Log Bucket section for more details.

  5. Decide whether to enable the Activity Monitoring S3 Server Access Logs Feature Set. DataDefender uses this feature in its Monitoring and File Access Report features. The form requires Server Access Logging enabled. We accept one S3 Bucket as input so ensure all buckets are pointing to one logging bucket. Place the ARN of that bucket into the form. Please refer to the Configuring Server Access Log Bucket section for more details.

hashtag
1. Initiate Deployment from DataDefender

In order to do this, navigate to Settings > Linked Accounts and click the "Link New Account" button.

The following form will assist in linking an AWS Account.

hashtag
Account Details

  • Enter the Account ID of your AWS account.

    1. To find your account id, sign in to the AWS Management Console, click your account name in the top-right corner. Your 12-digit Account ID will display within this dropdown.

  • Optionally, add an Account Name.

    1. We recommend you add the friendly name of your account, but this can be whatever you would like that will help you identify this account later.

    2. This name can be changed at any time if you’d like.

hashtag
Inventory Selection

  • Select the AWS Services that you would like us to collect and protect.

    1. Selecting a service will ensure the required permissions are deployed by the CloudFormation stack for us to retrieve its data. These permissions can be modified at any time.

    2. Selecting 'Security Checks' allows us to run configuration checks against your account to identify misconfigurations and compare your account against data security best practices.

hashtag
File Scanning

  • File Scanning allows DataDefender to scan and classify your data to find sensitive files. DataDefender will be granted ECS deployment permissions into select regions. Data scanned will never leave the region where it resides in.

hashtag
Activity Monitoring

  • Activity Monitoring allows DataDefender to ingest CloudTrail and/or S3 Server Access Logs. For each type of activity monitor (CloudTrail, S3 Server Access Logs) we require one S3 bucket already set up with logs directed into them for the Application to ingest logs. DataDefender uses this information in its Monitoring and File Access Report features. Please refer to the Configuring CloudTrail Log Bucket and Configuring Server Access Log Bucket sections for more details.

  • Copy the full S3 bucket ARN for your desired log repository buckets and paste into the appropriate field.

hashtag
2. Configure and deploy CloudFormation stack in AWS

Select 'Launch CloudFormation'. It will bring you to an AWS Login where you will need to sign in to the account where you wish to deploy our stack.

Once signed in, you'll be brought to CloudFormation's 'Quick create stack' menu.

Linked Stack Parameters

Linked Account Stack Parameters

Currently, we have 13 parameters that you can configure to deploy our stack. Most settings are already created from the form from the previous step. Here is each parameter and its function:

Parameter
Function
Example Values

Stack Name

What your stack will be named

my-stack

ActivityMonitoringCloudTrailQueueName

Optional; name to give the created Activity Monitoring SQS queue.

datadefender-activity-monitoring-ct

ActivityMonitoringCloudTrailS3BucketArn

The ARN of the S3 bucket that CloudTrail events are logged to.

arn:aws:s3:::example

ActivityMonitoringS3ServerAccessLogsBucketArn

The ARN of the S3 bucket that S3 server access logs are logged to.

arn:aws:s3:::example

ActivityMonitoringS3ServerAccessLogsQueueName

Optional; name to give the created Activity Monitoring S3 Server Access Logs SQS queue.

datadefender-activity-monitoring-sal

ConnectionManagementType

Whether the connection is self-managed or is a manager of other connections.

Self, Managed

EnableActivityMonitoringCloudTrailFeatureSet

Pick Yes if you would like to enable the activity monitoring feature set for a CloudTrail event source.

Yes, No

EnableActivityMonitoringS3ServerAccessLogsFeatureSet

Pick Yes if you would like to enable the activity monitoring feature set for a S3 Server Access Logs event source.

Yes, No

EnableEBSInventoryFeatureSet

Pick Yes if you would like to enable the EBS Inventory feature set.

Yes, No

EnableFileSystemsInventoryFeatureSet

Pick Yes if you would like to enable the File Systems Inventory feature set.

Yes, No

EnableS3InventoryFeatureSet

Pick Yes if you would like to enable the S3 Inventory feature set.

Yes, No

EnableSecurityChecksFeatureSet

Pick Yes if you would like to enable the security checks feature set.

Yes, No

IamRoleNameSuffix

Optional; suffix to include in the created IAM role. May be required if there are IAM role name conflicts.

CloudStorageSec

IdentityProviderUrl

The URL of the Cloud Storage Security identity provider to verify the identity when assuming the role. Do not include https:// in the URL. This does not have to be modified.

auth.datadefender.io/realms/datadefender

After you are satisfied with your parameters, select 'I acknowledge that AWS CloudFormation might create IAM resources with custom names.' and deploy the stack.

hashtag
3. Set up Event Notification

circle-info

This section only applies if you are using the Server Access Logs or CloudTrail functionality.

hashtag
Event Notification

For each type of bucket you've set up (Server Access Logs bucket, CloudTrail bucket):

Go to the S3 Bucket that the SQS Queue corresponds to and navigate to Properties. Under 'Event Notifications', click 'Create Event Notification'.

In the settings:

  1. Set an Event name of your choosing.

  2. Ensure that 'All object create events' are checked.

  3. Set destination as SQS queue, and specify the corresponding SQS queue that was created.

  4. Select 'Save changes'.

hashtag
4. Link the Stack to DataDefender

Go to the deployed CloudFormation stack and open the Outputs tab. You should see three outputs if you are using both the Activity Monitoring and Server Access Logs features. Otherwise, you'll just see one output.

  • For all deployments, copy the ARN of the Cross-Account IAM Role.

  • If you also enabled Activity Monitoring – S3 Server Access Logs and Activity Monitoring – CloudTrail Feature Set, copy the values of the respective queues as well.

Cross-Account Role ARN

Now, return to the DataDefender portal and complete the following steps:

  1. Leave the CloudFormation stack name and region as they appear (these are the stack name and region used in the previous deployment).

  2. Paste the Cross-Account IAM Role ARN into the AWS Role ARN field.

hashtag
Optional: Activity Monitoring

If you enabled Activity Monitoring with CloudTrail or S3 Access Logging, complete Configure Activity Monitoring. (Otherwise, disable both CloudTrail and S3 Server Access Logs checkboxes and skip this step.)

  • Paste the CloudTrail Queue value from the Outputs into the CloudTrail queue name field, and select the region where the queue resides.

  • Paste the S3 Access Logging Queue value from the Outputs into the S3 queue name field, and select the region where the queue resides.

Click 'Complete Setup' to finalize your account linkage.

hashtag
5. Confirm Deployment

Your stack should now be linked. Verify in the 'Linked Accounts' section for the green check symbol under 'Credential Status' alongside your alias.

hashtag
Configuring Log Buckets for Activity Monitoring (Optional)

In order for DataDefender to ingest logs for its Monitoring and File Access Report features, you'll have to point it to buckets which store the logs. Here's how to configure both of them.

hashtag
Configuring CloudTrail Log Bucket

  1. In AWS, navigate to CloudTrail.

  2. Click 'Create Trail' in the 'Trails' section.

CloudTrail Trails > Create Trail

  1. In your Trail Attributes:

    1. Set a trail name and decide whether to create a new S3 bucket to use an existing S3 bucket.

    2. Decide whether to use SSE-KMS. If enabled, set a new or existing KMS key.

    3. Decide whether to use Log File Validation. Read more from AWS' documentation herearrow-up-right.

    4. Decide whether to enable SNS notification delivery. SNS will notify you every time a new log enters your Trail bucket, and you will have to configure a topic to notify through.

    5. Decide whether to funnel logs to CloudWatch Logs.

    6. Add Optional Tags.

    7. Click Next.

  2. In your Log Events:

    1. Select Management Events and Data Events.

    2. In Management Events, leave the activity as Read and Write.

    3. In Data Events, choose Resource type as S3.

    4. Click Next.

    CloudTrail Log Events Configuration

  3. In the Review and Create page:

    1. Verify all information looks correct.

    2. Click 'Create trail'.

After the Trail has been created, navigate to S3 and find the bucket where your Trail is logging to. Copy the bucket ARN, and place that into your 'Activity Monitoring CloudTrail Log Bucket ARN' section. Refer to Optional: Activity Monitoring for next steps.

hashtag
Configuring Server Access Log Bucket

There may be multiple buckets you want to monitor access on. For each of those buckets, enable Server Access Logging and point to the same S3 bucket. Here's how to do it through the AWS Console.

circle-info

As a prerequisite, create an S3 bucket where you want all your server access logs to go to.

For each bucket you want DataDefender to access:

  1. Navigate to that S3 bucket

  2. Click 'Properties' and navigate to 'Server access logging'. Click 'Edit'.

Edit Server Access Logging

  1. Toggle 'Server access logging' to 'Enable' and specify the aformentioned S3 server access logs bucket.

  2. Decide the Log object key format.

  3. Select 'Save changes'.

Navigate back to S3 and find the bucket where your Server access logs are pointed to. Copy the bucket ARN, and place that into your 'Activity Monitoring S3 Server Access Log Bucket ARN' section. Refer to Optional: Activity Monitoring for next steps.

PreviousChild OrganizationsNextContact Us & Support

Last updated