Configure Alert Logic AWS Cross-account Role Access

Alert Logic supports Amazon Web Services (AWS) cross-account roles. The Deployments page in the Alert Logic console allows you to create deployments for your AWS accounts. On this page, you can edit an AWS deployment name, add and edit AWS credentials to provide us with cross-account access to those accounts, and delete deployments.

Before you begin

Before Alert Logic can manage the protection of your AWS accounts, you must:

  • Log into your AWS account to create a cross-account role to allow Alert Logic to access your AWS accounts.
  • Log into the Alert Logic console to configure credentials for each discovered AWS deployment.
  • Determine whether you want to configure cross-account access for centralized CloudTrail log collection. For more information about centralized log collection, see Should you centralize CloudTrail log collection?

Use of centralized CloudTrail log collection affects how you configure cross-account access for your deployment. Make this decision before you configure your deployment.

About AWS cross-account roles

Cross-account roles allow Alert Logic to access your AWS account. AWS role creation requires that you provide an AWS policy, a document that specifies the permissions assigned to the role you create for Alert Logic to access your AWS account.

When you create a role to provide Alert Logic cross-account access to your AWS accounts, you provide better protection for those accounts with:

  • Improved agent lifecycle management
  • Optimized appliance deployments
  • Auto detection of new assets and changed configurations

To set up or edit cross-account access, click an AWS deployment tile on the Deployments page, and then provide your AWS role ARN and the External ID.

When you set up your AWS cross-account role, you can choose from two levels of permissions: full permission or minimal permission, both described later on this page.

The full permission policy document does not allow Alert Logic to:

  • Retrieve secret keys or credentials from IAM
  • Retrieve data from data stores other than S3
  • Perform these actions from any other AWS account
  • Grant access to the protected account to any other AWS account or user
  • Modify IAM credentials or policies

If you create a deployment with one level of permissions, and then want to switch to another level of permissions, you can create another IAM role with the appropriate level of permissions (if you do not already have that role configured). Then, click edit on the deployment tile to change your deployment configuration to use the appropriate role.
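Two checks a practitioner can run on the policies this page has you create, written for this article as an added example (not Alert Logic's code or its published policy documents): that the trust policy pins the role to the partner account and the External ID from the deployment tile, and that the permission policy grants none of the IAM changes listed above. The account ID, External ID and forbidden-action patterns are constructed placeholders.

```python
import fnmatch

# Constructed placeholders: the account that will assume the role and the
# External ID shown on the deployment tile. Neither is a real identifier.
PARTNER_ACCOUNT = "111111111111"
EXTERNAL_ID = "example-external-id"
# Actions the page says the role must never have (changing IAM credentials or
# policies); the concrete pattern list is this example's own assumption.
FORBIDDEN_ACTION_PATTERNS = ["iam:Create*", "iam:Put*", "iam:Attach*", "iam:Detach*",
                             "iam:Update*", "iam:Delete*"]


def trust_policy(partner_account: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only the partner account may
    call sts:AssumeRole, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _actions(stmt: dict) -> list:
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def trust_policy_is_safe(policy: dict, partner_account: str, external_id: str) -> bool:
    """True only if every Allow of sts:AssumeRole is pinned to the expected principal
    and requires the expected External ID (the confused-deputy guard)."""
    expected = f"arn:aws:iam::{partner_account}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _actions(stmt)):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("AWS") != expected:
            return False
        if stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            return False
    return True


def permission_policy_violations(policy: dict) -> list:
    """Allowed actions in a permission policy that grant forbidden IAM changes."""
    return [a for stmt in policy.get("Statement", []) if stmt.get("Effect") == "Allow"
            for a in _actions(stmt)
            if a in ("*", "iam:*")
            or any(fnmatch.fnmatchcase(a, p) for p in FORBIDDEN_ACTION_PATTERNS)]
```

Run both checks against the trust policy and the permission policy you paste into the IAM console before saving; a trust policy that drops the External ID condition, or a permission policy that slips in an iam:* write, fails them.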

Update your IAM roles

Periodically, Alert Logic updates the policy documents used for the IAM roles required for AWS deployments. These updates, which Alert Logic announces in Alert Logic Console Release Notes, ensure you can successfully create deployments, and they ensure your existing deployments continue to monitor your AWS assets.

Before you update your IAM roles, download and open the appropriate policy document below. Keep the document open so you can copy and paste its contents during IAM role creation.

To update an IAM role:

  1. In the AWS Console, click IAM, located under Security, Identity & Compliance.
  2. From the IAM Management Console, click Roles.
  3. From the list of your roles, click the role you want to update.
  4. Click the policy you want to update.
  5. Click Edit policy.
  6. Click the JSON tab.
  7. Copy the contents of the updated policy document.
  8. Paste the updated policy document into the JSON window to replace the old information.
  9. Click Review policy.
  10. Click Save changes.

Perform this procedure for every IAM role you need to update.

Should you centralize CloudTrail log collection?

AWS allows you to use a separate, dedicated account with CloudTrail enabled to centralize your CloudTrail log collection, which requires a second IAM role to allow Alert Logic to access the AWS receiving account that collects CloudTrail data.

If you provide cross-account access to the AWS receiving account for centralized log collection, you get near-real-time updates about your assets. Without this cross-account access, the Alert Logic console refreshes information about your assets every 12 hours.

Full permission deployment

Alert Logic recommends full permission deployment, which requires the use of the recommended policy available within the Alert Logic console. This set of permissions allows Alert Logic to discover your AWS environment and automate the setup of the required AWS services.

To use full permission deployment, you must grant Alert Logic permissions to make changes to your environment (enable/modify AWS CloudTrail settings, create an Amazon SQS queue and an Amazon SNS topic, modify permissions).

Full permission deployment allows you to set up CloudTrail in either the AWS account you want protected by Alert Logic, or in a separate account in which CloudTrail is configured for centralized log collection.

Minimal permission deployment

Minimal permission deployment employs the most limited privileges that still allow Alert Logic to work properly in AWS. Minimal permission deployment requires that you perform additional manual steps, such as the setup of AWS CloudTrail and Amazon S3 log file collection.

Minimal permission deployment allows you to set up CloudTrail in either the AWS account you want protected by Alert Logic, or in a separate account with an S3 bucket to which CloudTrail is configured for centralized log collection.