Amazon Web Services
Amazon Web Services (AWS) is a cloud platform that provides on-demand computing resources and services. Cygna Auditor for AWS collects and audits activity from AWS CloudTrail, giving you visibility into user actions, API calls, and configuration changes across your AWS organization.
Before You Begin
Before configuring Cygna Auditor, complete the following steps in the AWS Management Console to create a dedicated IAM user and access key.
Step 1: Identify your CloudTrail and S3 bucket
- Log in to the Amazon AWS portal.
-
In the CloudTrail section, select an organization trail. The trail must show Multi-region trail: Yes and Apply trail to my organization: Enabled for all accounts in the General details section. If either condition is not met, Cygna Auditor will not receive events for all users in all regions.
- Click the Trail Log location link.
- On the Trail Log bucket page, locate the bucket name in the breadcrumb path.
- Click the bucket name link.
- Select Properties.
- In the Bucket overview section, copy the Amazon Resource Name (ARN). You will need this value when creating the IAM policy.
Step 2: Create an IAM user and policy
- Log in as your primary account and navigate to the IAM section.
- Click Add users.
- Enter a username for the new account. We suggest cygnaauditor.
- Click Next and select Attach policies directly.
- Click Create policy.
-
Click JSON and paste the following policy into the editor, replacing CLOUD_TRAIL_BUCKET_ARN with the ARN you copied in step 7 above:
Copy{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "CLOUD_TRAIL_BUCKET_ARN"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject"
],
"Resource": "CLOUD_TRAIL_BUCKET_ARN/*"
},
{
"Effect": "Allow",
"Action": [
"cloudtrail:ListTrails",
"cloudtrail:GetTrail",
"cloudtrail:LookupEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "organizations:ListAccounts",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DescribeRegions",
"Resource": "*"
}
]
}This policy grants the following access:
- List all known users in the instance, so that Cygna Auditor can replace user ID values with user names.
- Access the specified CloudTrail S3 bucket and the files it contains.
- List all known CloudTrails, enabling easy selection from the Cygna Auditor interface.
- List all accessible AWS regions, allowing you to configure collection for specific regions.
- Click Next: Tags, then Next: Review.
- Enter a name for the policy. We suggest CygnaAuditor.
- Click Create policy and close the policy editor tab.
- On the permissions page, click Refresh, locate the CygnaAuditor policy, select its checkbox, and click Next.
- Review the user details and click Create user.
Step 3: Create an access key
- Click the username of the new user, then select the Security credentials tab.
- Scroll to the Access keys section and click Create access key.
- Select Application running outside AWS and click Next.
- Enter a description tag. We suggest CygnaAuditor.
- Click Create access key.
- Copy both the Access key and Secret access key values. Both are required to configure the collector in Cygna Auditor.
- Click Done.
Start Collecting Data
- Click
to add a new Amazon Web Services configuration.
-
Complete the auditing configuration:
OPTION
DESCRIPTION
The General step
Enable this collector Select the toggle to turn on data collection. You can disable data polling at any time without deleting a collector. Name Add a name to distinguish this AWS collector from others. This name is used internally in Cygna Auditor. Description (Optional) Add any further details about the current configuration. The Connection step
Access key Enter the Access key value generated for the IAM user in the AWS setup procedure. Secret access key Enter the Secret access key value generated for the IAM user in the AWS setup procedure. Region Select a region for the IAM user. This selection does not limit data collection — it only identifies a region where the user can connect. Verify connectivity Click to confirm that Cygna Auditor can reach AWS using the provided access key and region before proceeding. The Collection step
Initial collection period Enter the number of days before today from which data will be collected during the first collection run. We recommend 3. CloudTrail Click the magnifying glass icon to display the list of CloudTrail objects accessible to the IAM user, then select the organization trail identified during the AWS setup procedure. Verify Trail Access Click to confirm that the IAM user has the required permissions to read from the selected CloudTrail. The Collection Schedule step
Add a new schedule Click to configure a new collection schedule. You can create multiple schedules if needed. Enable scheduled job Switch the toggle to "On" to activate the schedule. Name Specify a name for the schedule. Frequency Cygna Auditor provides multiple options: one-time, minutes, hours, days, Monday-Friday, weekly, bi-weekly, monthly, quarterly, annually. Select how often to perform data collection depending on your auditing needs. Start date Choose when to start collecting data: immediately or specify a date and time. End date Specify an end date for the collection schedule if necessary, or set to "Never". The Summary step
Summary Review the collector configuration details before saving. Click Save to complete the configuration.