# Setup CDR for AWS manually

## Overview

In this lab we will use the existing CloudTrail created in the [Setup DfAWS Cloud Formation Lab](../setup_dfaws_cloud_formation/setup_dfaws_cloud_formation.md), which must be completed first. We will manually create an IAM role and an SNS topic.

## Notes

- A maximum of 5 Trails can be set up per AWS region
- The Trail should be enabled at the org level
- The first Trail is free
- Anywhere you see *initials*, use your own initials as the value

## Gather values for DfAWS Data Source

When you complete the DfAWS data source setup you will need the CloudTrail S3 bucket name and its region.

1. To get these, go back to your **Trails** page in the AWS Management Console.
2. Make note of the **S3 bucket** name and click the **S3 bucket** name

![Bucket](./images/s3bucket.png)

3. Press the **Properties** tab

![Properties](./images/properties.png)

4. Make note of the **AWS Region**

![Region](./images/region.png)

## Delete original DfAWS Data Source

1. Logon to the [DfAWS instance](https://207753870716.uw2.portal.vectra.ai) with **SSO**.
Note: Do NOT use your static username and password. The SSO accounts have been given admin privileges within DfAWS.
![Logon](./images/logon.png)

2. On the left navigation bar choose **Data Sources**, then click the trash bin icon next to the connection you originally created in the [Setup DfAWS Cloud Formation Lab](../setup_dfaws_cloud_formation/setup_dfaws_cloud_formation.md).

![Delete](./images/delete.png)

## Setup a new DfAWS Data Source

Once the original is deleted we can create our new Data Source.

1. In the [DfAWS instance](https://207753870716.uw2.portal.vectra.ai), on the top right press **+ Create AWS Connection**

![Sources](./images/datasources.png)

2. Name the connection **gts2022-manual-*initials*** and click **Create & Continue**
   - **Make sure you are still logged into your personal AWS account**
   - **Create IAM Roles** - select **Create roles manually**
   - **External ID** - take note of the External ID
   - **Vectra AWS Account ID** - take note of the Account ID

![Create](./images/dfawscreate.png)

## Create SNS Topic

1. In the AWS Management Console navigate to the **Simple Notification Service** page by typing **sns** in the search field.

![SNS](./images/sns.png)

2. Verify you are in the same region as your S3 bucket

![Region](./images/setregion.png)

3. On the SNS page select **Topics** on the left

![Topics](./images/topics.png)

4. On the Topics page click **Create topic** on the right.
5. Fill in the following values, and click **Create topic**:
   - **Type** - Standard
   - **Topic name** - gts-topic-*initials*
   - **Encryption** - Disabled
   - **Access Policy** - **Advanced** - Selected
   - Remove the sample policy and paste in the JSON below

```json
{
  "Version": "2012-10-17",
  "Id": "SNSPolicyDocument",
  "Statement": [
    {
      "Sid": "allowS3ToPublish",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "*"
    }
  ]
}
```

Note: this policy lets the S3 service principal publish to the topic from any bucket in any AWS account. Outside the lab, scope it to your CloudTrail bucket with an `aws:SourceArn` condition.

![Topic](./images/editjson.png)

6. Copy the SNS ARN to your notes

![SNSARN](./images/snsarn.png)

## Create AWS IAM Role

1. In the AWS Management Console navigate to the **IAM Roles** page by typing **roles** in the search field.
2. Select **Roles** under **IAM**

![Topic](./images/roles.png)

3. Click **Create role** to create the AWS IAM role that Vectra will assume, and select **AWS account** as the trusted entity type
4. Select **Another AWS account**, fill in the following value, and click **Next**:
   - **AWS Account ID** - 580786928539 (Vectra AWS account ID)
5. Click **Create policy**, and choose the **JSON** tab
   - **Modify the JSON policy below to include your SNS ARN and S3 bucket ARN** (the `Resource` values for S3 and SNS are left empty and must be filled in)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListAccountAliases",
        "iam:ListUsers",
        "iam:ListRoles",
        "cloudtrail:GetTrail",
        "cloudtrail:ListTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:DescribeTrails",
        "sns:Unsubscribe"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetBucketNotification",
        "s3:ListBucket",
        "kms:*",
        "s3:PutBucketNotification"
      ],
      "Resource": [
        "arn:aws:s3:::",
        "arn:aws:s3:::/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "sns:Subscribe"
      ],
      "Resource": "arn:aws:sns:::",
      "Effect": "Allow"
    }
  ]
}
```

6. Click **Next: Tags** > **Next: Review**
7. Give it the name **gts-policy-*initials*** and click **Create policy**
8. Back on the **Add permissions** page, refresh the policy list, then select your new **gts-policy-*initials*** policy.

![Select Policy](./images/selectpolicy.png)

9. Click **Next**
10. Name your new role **gts-vectra-role-*initials*** and click **Create role** at the bottom right
11. Once the new role is created click **View role**

![ViewRole](./images/viewrole.png)

12. Copy the role ARN to your notes

![RoleARN](./images/rolearn.png)

## Completing the Deployment in the Vectra UI

1. Go back to the DfAWS page and paste the saved information into the fields
2. Click **Authorize**

![CFT](./images/auth.png)

3. You should now see **Authorization in Progress** in the DfAWS console.
Note: This can take up to 10 minutes to complete.
4. If you followed the instructions correctly, you will end up with a **Setup failure** error.
Note: This is intended for troubleshooting purposes.
![CFT](./images/error.png)

## Validation

Take a screenshot of the failed connection for verification.

![Verify](./images/verifyfailed.png)

## Continue to Troubleshooting Lab

Now go to [Troubleshooting Detect for AWS](../troubleshoot_dfaws_config/troubleshoot_dfaws_config.md) and identify what your issue is. Once the issue is resolved you will need to create a new connection to the data source.
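When you re-create the connection you will need both policy documents from the SNS topic and IAM role sections again, with your values filled in. The Python script below is an added example, not part of this lab or of Vectra's tooling: it renders the SNS topic access policy and the IAM permission policy, substitutes your CloudTrail bucket name and SNS topic ARN into the empty `arn:aws:s3:::` / `arn:aws:sns:::` slots, and flags any `Resource` or `aws:SourceArn` entry that is still blank or malformed, which is the most common copy-paste mistake with the template. It also optionally adds an `aws:SourceArn` condition to the topic policy so only your CloudTrail bucket can publish to the topic, which the lab's open policy does not enforce. The bucket name and topic ARN in it are constructed sample values; the role trust policy is generated by the console for the **Another AWS account** choice and is not rendered here.

```python
"""Render the two policy documents from this lab with your values filled in.

Added example, not the lab's or Vectra's own tooling. The bucket name and
topic ARN below are constructed sample values; replace them with the bucket
noted from the Trails page and the ARN copied after creating the topic.
"""
import json
import re

# Constructed sample inputs (assumptions, not values from the lab).
SAMPLE_BUCKET = "aws-cloudtrail-logs-123456789012-gts"
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-west-2:123456789012:gts-topic-ab"

# Shape checks for the only two ARN kinds the lab's policies reference.
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](?:/\*)?$")
SNS_ARN = re.compile(r"^arn:aws:sns:[a-z]{2}(?:-gov)?-[a-z]+-\d:\d{12}:[A-Za-z0-9_-]{1,256}$")


def sns_topic_policy(topic_arn, source_bucket_arn=None):
    """Topic access policy from the lab, optionally scoped to one bucket.

    The lab's policy lets the S3 service principal publish from any bucket in
    any AWS account. Passing source_bucket_arn adds an aws:SourceArn condition
    so only notifications from your CloudTrail bucket are accepted.
    """
    statement = {
        "Sid": "allowS3ToPublish",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sns:Publish",
        "Resource": topic_arn,
    }
    if source_bucket_arn:
        statement["Condition"] = {"ArnLike": {"aws:SourceArn": source_bucket_arn}}
    return {"Version": "2012-10-17", "Id": "SNSPolicyDocument", "Statement": [statement]}


def vectra_role_policy(bucket_name, topic_arn):
    """Permission policy from the lab with the empty Resource ARNs filled in."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "iam:ListAccountAliases", "iam:ListUsers", "iam:ListRoles",
                    "cloudtrail:GetTrail", "cloudtrail:ListTrails",
                    "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails",
                    "sns:Unsubscribe",
                ],
                "Resource": "*",
                "Effect": "Allow",
            },
            {
                "Action": [
                    "s3:GetObject", "s3:GetBucketNotification", "s3:ListBucket",
                    "kms:*", "s3:PutBucketNotification",
                ],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Effect": "Allow",
            },
            {"Action": ["sns:Subscribe"], "Resource": topic_arn, "Effect": "Allow"},
        ],
    }


def find_bad_arns(policy):
    """Return every ARN in Resource or aws:SourceArn that is blank or malformed.

    A blank "arn:aws:s3:::" or "arn:aws:sns:::" is what you get by pasting the
    lab template without editing it; a bare "*" is left alone.
    """
    bad = []
    for stmt in policy["Statement"]:
        arns = stmt.get("Resource", [])
        arns = [arns] if isinstance(arns, str) else list(arns)
        source = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
        if source:
            arns.append(source)
        for arn in arns:
            if arn == "*":
                continue
            pattern = S3_ARN if arn.startswith("arn:aws:s3:") else SNS_ARN
            if not pattern.match(arn):
                bad.append(arn)
    return bad


if __name__ == "__main__":
    bucket_arn = f"arn:aws:s3:::{SAMPLE_BUCKET}"
    for name, policy in (
        ("SNS topic access policy", sns_topic_policy(SAMPLE_TOPIC_ARN, bucket_arn)),
        ("IAM permission policy", vectra_role_policy(SAMPLE_BUCKET, SAMPLE_TOPIC_ARN)),
    ):
        problems = find_bad_arns(policy)
        print(f"# {name}: {'OK' if not problems else 'FIX ' + ', '.join(problems)}")
        print(json.dumps(policy, indent=2))
```

Run it with your own bucket name and topic ARN substituted for the sample values and paste the printed JSON into the console; the topic ARN is predictable before the topic exists (`arn:aws:sns:<region>:<account-id>:<topic-name>`), so the scoped topic policy can be rendered ahead of step 5 of the SNS section.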