Integrate with AWS

Important Notice: Update Required

Starting October 12, 2020, the base set of permissions required to run Bridgecrew for AWS has been updated; see the list of actions below.

How To Update the Bridgecrew-AWS Integration

  1. Press Update on the pop-up notification (or go directly to AWS Read-Only under Integrations).
    The AWS Read-Only page opens.
  2. On the AWS Read-Only page, press Update.

Updated Permissions

ecr:GetLifecyclePolicy
lambda:Get*
s3:ListBucket
sns:GetSubscriptionAttributes
dynamodb:ListTagsOfResource
sns:ListTagsForResource
es:ListTags

These added permissions are prerequisites to enable Bridgecrew custom policies and other advanced features.
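Before pressing Update it is worth confirming which of these actions the role's current policy already grants. The following is an added Python example, not Bridgecrew code: it applies IAM-style wildcard matching to a policy document and reports the required actions that are not granted. The sample policy and its gaps are constructed for illustration. It goes slightly beyond the page by also honouring explicit Deny statements, which override an Allow in IAM.

```python
import fnmatch
import json

# Actions this page lists as newly required (October 2020 update).
REQUIRED_ACTIONS = [
    "ecr:GetLifecyclePolicy",
    "lambda:Get*",
    "s3:ListBucket",
    "sns:GetSubscriptionAttributes",
    "dynamodb:ListTagsOfResource",
    "sns:ListTagsForResource",
    "es:ListTags",
]

# Constructed sample policy: covers most actions, lacks one, and explicitly
# denies another even though a broad Allow would otherwise grant it.
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetLifecyclePolicy",
                "lambda:Get*",
                "s3:ListBucket",
                "sns:Get*",
                "dynamodb:ListTagsOfResource",
                "es:*",
            ],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "es:ListTags", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def action_patterns(policy, effect):
    """Lower-cased Action patterns from every statement with the given Effect.
    NotAction statements are skipped; resolving them needs the full action list."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != effect or "Action" not in stmt:
            continue
        patterns.update(a.lower() for a in _as_list(stmt["Action"]))
    return patterns


def _covered(action, patterns):
    """True if some pattern matches the action. IAM action names are
    case-insensitive and '*' matches any run of characters. A required
    wildcard such as lambda:Get* only counts as covered by a pattern at
    least as broad (lambda:Get*, lambda:*, *), never by lambda:GetFunction."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant: either no Allow pattern
    matches, or an explicit Deny pattern matches (Deny always wins in IAM)."""
    policy = json.loads(policy_json)
    allowed = action_patterns(policy, "Allow")
    denied = action_patterns(policy, "Deny")
    return [
        action for action in required
        if not _covered(action.lower(), allowed) or _covered(action.lower(), denied)
    ]


if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY_JSON):
        print("not granted:", action)
```

Feed it the JSON of the role's inline or attached policy document; an empty result means the role already covers the updated list, and anything listed is what the redeployed stack has to add.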


Overview of Bridgecrew-AWS Integration

Bridgecrew integrates with AWS natively, using CloudFormation as a standardized mechanism to deploy all required configurations.

Getting Started

  • AWS Read Access: allows Bridgecrew to perform read-only API calls. These calls enable basic configuration scanning and evaluation.
  • AWS Remediation Stack: this optional add-on allows you to remediate policy violations by modifying the configuration of your cloud environment.
  • AWS CloudTrail (Deprecated): allows Bridgecrew to pull CloudTrail log data and perform read-only API calls. CloudTrail log data enables more fine-grained misconfiguration detection. If integrating with CloudTrail, there is no need to integrate Read Access - it is included in the CloudTrail stack.

The diagram below illustrates the Bridgecrew - AWS Remediation Stack flow. Note that Bridgecrew never has direct write access into your account.

Note

For full Bridgecrew functionality, we recommend using the integration options for AWS CloudTrail and AWS Remediation Stack. Note that utilizing all the benefits of your AWS CloudTrail integration requires enrollment in the Enterprise plan.

Resources that will be created

You can use the CloudFormation change set or the terraform plan output to view the list of resources that will be created before actually creating them.

The AWS read-only integration creates the following resources:

  • IAM role with AWS managed SecurityAudit policy
  • An SNS notification message to notify Bridgecrew of the integration

The CloudTrail integration creates the resources above, as well as:

  • A multi-region trail (only if create new trail is selected) and supporting resources: S3 bucket, KMS key, SNS topic, SQS queue for Bridgecrew to read events

The remediation integration creates the following resources:

  • SQS queue
  • Lambda function
  • IAM lambda service role
  • SSM parameter for Bridgecrew token

How to Integrate Bridgecrew with AWS

After signing up, click the AWS icon on the top left corner. Click Launch Stack to run the AWS Read-Access CloudFormation Stack.

Please Note: Deployment of the stack is only supported in the following regions:

  • US East (N. Virginia) us-east-1
  • US East (Ohio) us-east-2
  • US West (N. California) us-west-1
  • US West (Oregon) us-west-2
  • Europe (Ireland) eu-west-1

For additional Bridgecrew-AWS integration options, visit the Integrations tab.

  1. Select an option from the menu (AWS CloudTrail, AWS Remediation Stack, AWS Read Access).
  2. Press Add Account.
    You will be prompted to create a CloudFormation template. The form is already populated with Bridgecrew connection details.
  3. Select the checkbox next to "I acknowledge..." to permit creation of IAM resources.
  4. Press Create Stack.

Create Stack Page for Remediation Stack

Note

The CloudFormation template for AWS Remediation Stack can be reviewed here.

Create Stack Page for AWS Read Only

Create Stack Page for AWS CloudTrail

You can have us create a new trail for you, or you can have us read from an existing trail.

To create a new trail, select yes for create new trail?, and leave the existing trail setup options blank.

To use an existing trail, an SNS topic must be configured. Perform the following steps to set up an SNS topic, if the trail is not already using one.

  1. Create an SNS topic.
  2. Update the topic's access policy to include the following statement:

    {
      "Sid": "cloudtrail",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "<SNS TOPIC ARN>"
    }

  3. Update the trail to publish to the topic:

    aws cloudtrail update-trail --name <TRAIL NAME> --sns-topic-name <TOPIC NAME>

Then, enter the trail S3 bucket and the new SNS topic ARN in the CloudFormation parameters.
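The steps above, carried out as an added Python example (not Bridgecrew's code): the topic policy is merged rather than overwritten, so the statements a topic already carries (such as its default statement) survive, and running it twice does not duplicate the cloudtrail statement. The existing policy, account number and ARNs are constructed placeholders. As an optional hardening beyond what the page shows, passing the trail ARN adds an aws:SourceArn condition so that only the named trail, not CloudTrail acting for any account, may publish to the topic. The `apply` function needs boto3 and credentials; the merge logic runs offline.

```python
import json
import sys

DEFAULT_VERSION = "2012-10-17"

# Constructed sample: the kind of default access policy a topic carries right
# after creation (placeholder account id and topic ARN, not real values).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:cloudtrail-events-EXAMPLE"
EXISTING_POLICY_JSON = json.dumps({
    "Version": DEFAULT_VERSION,
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Subscribe", "SNS:Receive", "SNS:GetTopicAttributes"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}},
    }],
})


def cloudtrail_publish_statement(topic_arn, trail_arn=None):
    """The statement from step 2 of this page. `trail_arn` is optional
    hardening beyond the page: an aws:SourceArn condition limits the grant
    to one named trail instead of any CloudTrail in any account."""
    stmt = {
        "Sid": "cloudtrail",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "SNS:Publish",
        "Resource": topic_arn,
    }
    if trail_arn:
        stmt["Condition"] = {"StringEquals": {"aws:SourceArn": trail_arn}}
    return stmt


def merge_policy(existing_policy_json, topic_arn, trail_arn=None):
    """Return the topic policy with the cloudtrail statement added, or replaced
    if a statement with that Sid is already present; other statements stay."""
    if existing_policy_json:
        policy = json.loads(existing_policy_json)
    else:
        policy = {"Version": DEFAULT_VERSION, "Statement": []}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != "cloudtrail"]
    statements.append(cloudtrail_publish_statement(topic_arn, trail_arn))
    policy["Statement"] = statements
    policy.setdefault("Version", DEFAULT_VERSION)
    return json.dumps(policy)


def apply(topic_arn, trail_name, trail_arn=None):
    """Steps 2 and 3 of the page against a live account (needs boto3 and
    AWS credentials; not exercised offline)."""
    import boto3  # imported here so the pure functions above work without it

    sns = boto3.client("sns")
    current = sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"].get("Policy")
    sns.set_topic_attributes(
        TopicArn=topic_arn,
        AttributeName="Policy",
        AttributeValue=merge_policy(current, topic_arn, trail_arn),
    )
    # Same effect as the CLI call on this page: aws cloudtrail update-trail ...
    boto3.client("cloudtrail").update_trail(
        Name=trail_name, SnsTopicName=topic_arn.rsplit(":", 1)[1]
    )


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # usage: script.py <SNS TOPIC ARN> <TRAIL NAME> [<TRAIL ARN>]
        apply(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
    else:
        print(json.dumps(json.loads(merge_policy(EXISTING_POLICY_JSON, TOPIC_ARN)), indent=2))
```

Run without arguments to see the merged policy for the constructed sample; with a topic ARN and trail name it performs the update. After it runs, the trail's S3 bucket and the topic ARN are what go into the CloudFormation parameters.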

Notes

  1. If you do not set up AWS Remediation Stack, you will be prompted to do so the first time you attempt to Remediate a violation via Playbook; see Step 4: Investigate Incidents.

  2. From time to time, you may be prompted to redeploy the CloudFormation stack to provide additional roles required to perform remediation.
