Amazon Web Services (AWS)
This is a combined document for enabling the Amazon Web Services (AWS) Dropzone AI Data Source and Alert Source.
The Dropzone AI platform integrates with Amazon Web Services (AWS) APIs for ingesting alerts (AWS GuardDuty) and enriching investigations with data from AWS such as CloudWatch.
Dropzone creates a separate IAM role for each customer. This document describes how to enable the Dropzone role to access your AWS environment and configure the Dropzone platform.
Integration Overview
To enable these integrations you will perform the following actions:
Enable Cross-Account Access
Create an IAM role in your account(s)
Attach policies to the role
Enable the Dropzone Data Source
Enable the Dropzone Alert Source
The Dropzone platform has a dedicated IAM role for your organization. You enable cross-account access for this IAM to gain access to specific roles within your AWS accounts.
You must complete these steps for all AWS accounts you wish accessible by Dropzone.
Enable Cross-Account Access
You need to enable Dropzone to acces your AWS environments for it to pull alerts and run investigations. There are several ways you can achieve this:
Set up roles via the Management Console
Set up roles and create policies in the AWS Console. Several manual steps, highly documented
Use AWS CloudFormation
Set up roles by running Dropzone's CFTs and copy/pasting in a small number of values
Use Infrastructure-as-Code / CLI / etc
see your provider's information
The following policies are required for full Dropzone functionality:
AWSCloudTrail_ReadOnlyAccess
AmazonEC2ReadOnlyAccess
AmazonGuardDutyReadOnlyAccess
AmazonRoute53ReadOnlyAccess
AmazonS3OutpostsReadOnlyAccess
AmazonS3ReadOnlyAccess
AmazonSSMReadOnlyAccess
IAMReadOnlyAccess
Be sure to use one of the above options to enable the cross-account access before moving on to enabling the integrations.
Enable The Dropzone Data Source Integration
The Data source integration allows Dropzone AI to interact with AWS APIs, for example pulling CloudWatch information, enumerating EC2 instances, for use in investigation analysis and interactive chat.
You'll need the following information:
Default Region
The AWS region you run most of your services in
Role ARNs
The ARNs of the AWS roles you created in your accounts
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Click "Data Sources" in the top left corner
find the AWS tile and click Connect
Enter an AWS region into the "Default Region" field
this should be the region that the majority of your monitored resources live in
In the "Role ARNs", click "Add Item"
Paste the first the role ARNs that you created earlier
Continue to "Add Item" and paste in ARNs until you've pasted them all
Click "Test & Save" to finish
If you have any errors engage your Dropzone AI support representative.
Enable The Dropzone Alert Source Integration
The Alert source integration allows Dropzone AI to pull alerts from AWS GuardDuty for investigation.
You'll need the following information:
Default Region
The AWS region you run most of your services in
Role ARNs
The ARNs of the AWS roles you created in your accounts
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
In the upper left click on the "Alert Sources" button in the upper left do configure the AWS Alert Source integration
Click "Alert Sources" in the top left corner
Find the "AWS GuardDuty" tile and click Connect
Enter an AWS region into the "Default Region" field
this should be the region that the majority of your monitored resources live in
In the "Role ARNs", click "Add Item"
Paste the first the role ARNs that you created earlier
Continue to "Add Item" and paste in ARNs until you've pasted them all
Click "Test & Save" to finish
If you have any errors engage your Dropzone AI support representative.
Last updated
Was this helpful?
