AWS Verified Access v1.0.0 Plugin for Risk Exchange

This document explains how to configure the AWS Verified Access v1.0.0 plugin with the Risk Exchange module of the Netskope Cloud Exchange platform. This plugin is used to fetch users from the log streams present inside a CloudWatch log group attached to a verified access instance. This plugin does not support performing actions on the users.

Prerequisites

  • A Netskope tenant (or multiple, for example, production and development/test instances).
  • A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
  • Connectivity to your AWS Verified Access console.

CE Version Compatibility

Netskope CE v5.1.0

AWS Verified Access Plugin Support

The CRE AWS Verified Access plugin fetches users and their respective details from the log streams of log groups present in CloudWatch. This plugin does not support performing any actions.

Type of data pulled: Users
Actions Supported: No actions

Mappings

Mappings are used to view the pulled Users, and details. Mapped fields during plugin configuration will be visible on the Records page once the data is pulled. Here are the suggested mappings that should be used while configuring the plugin.

Pull Mapping for Users

Plugin Field Label    Expected Data Type    Suggested Field Label    Aggregate Strategy
Email Address         String                Email Address            Unique
Username              String                Username                 Overwrite
UUID                  String                UUID                     Unique

Permissions

Grant the IAM user the AWS Verified Access CloudWatch permissions. Follow the steps mentioned in the Create an AWS CloudWatch Policy section.

API Details
List of APIs Used

This plugin uses Python libraries to get logs from AWS Cloudwatch log groups attached to the AWS Verified Access Instance.

Library: The AWS SDK for Python (Boto3).

Usage: The AWS SDK for Python (Boto3) is used to create, configure, and manage AWS services, such as Amazon Simple Queue Service (Amazon SQS), Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Logs and Amazon Simple Storage Service (Amazon S3). The SDK provides an object-oriented API as well as low-level access to AWS services.

Creating the CloudWatch Logs client:

    import boto3
    from botocore.config import Config

    # `session` is a boto3.session.Session(); credentials and region come from the
    # plugin configuration, and proxy/user agent are passed through botocore's Config.
    cloudwatch_logs = session.client(
        "logs",
        aws_access_key_id=self.aws_public_key,
        aws_secret_access_key=self.aws_private_key,
        aws_session_token=self.aws_session_token,
        region_name=self.configuration["region_name"].strip(),
        config=Config(proxies=self.proxy, user_agent=self.useragent),
    )

Describe Log Streams:

    # describe_log_streams_params holds at least logGroupName; the call is paginated via nextToken.
    response = cloudwatch_logs.describe_log_streams(**describe_log_streams_params)

Getting Log Events:

    # params holds logGroupName, logStreamName and the time window; the call is paginated via nextForwardToken.
    response_events = cloudwatch_logs.get_log_events(**params)
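The three calls above are only fragments of the plugin's client code. The block below is an added example (not the plugin's own code) that shows how they fit together end to end: it walks every log stream of a log group with both pagination tokens handled, including the get_log_events quirk of signalling the end of a stream by repeating the nextForwardToken, then reduces the Verified Access log records to one user per Email Address following the aggregate strategies from the Mappings section. The record layout (identity.user.email_address, identity.user.name, identity.user.uuid) is assumed here; verify it against an event from your own log group. The fake client and the sample events are constructed so the example runs offline; in production pass a real boto3 "logs" client.

```python
"""Pull Verified Access log events from CloudWatch Logs and reduce them to user records."""
import json
from typing import Dict, Iterable, Iterator


def iter_log_events(client, log_group: str, start_ms: int, end_ms: int) -> Iterator[dict]:
    """Yield every event in [start_ms, end_ms] from all streams of log_group.

    `client` is any object exposing boto3's describe_log_streams / get_log_events.
    describe_log_streams pages with nextToken; get_log_events signals the end of a
    stream by returning the same nextForwardToken that was just supplied.
    """
    stream_params = {"logGroupName": log_group, "orderBy": "LastEventTime", "descending": True}
    while True:
        resp = client.describe_log_streams(**stream_params)
        for stream in resp.get("logStreams", []):
            if stream.get("lastEventTimestamp", 0) < start_ms:
                continue  # newest event is older than the window: nothing to fetch here
            params = {"logGroupName": log_group, "logStreamName": stream["logStreamName"],
                      "startTime": start_ms, "endTime": end_ms, "startFromHead": True}
            while True:
                page = client.get_log_events(**params)
                yield from page.get("events", [])
                token = page.get("nextForwardToken")
                if not token or token == params.get("nextToken"):
                    break  # unchanged token means the stream is exhausted
                params["nextToken"] = token
        if "nextToken" not in resp:
            break
        stream_params["nextToken"] = resp["nextToken"]


def extract_users(events: Iterable[dict]) -> Dict[str, dict]:
    """One record per Email Address; UUID is kept from the first event (unique),
    Username is overwritten by the most recent event seen (overwrite)."""
    users: Dict[str, dict] = {}
    for ev in events:
        try:
            rec = json.loads(ev["message"])
        except (KeyError, ValueError):
            continue  # non-JSON or malformed line: skip it rather than abort the pull
        user = (rec.get("identity") or {}).get("user") or {}
        email = user.get("email_address")
        if not email:
            continue  # events without an authenticated user carry no record to store
        entry = users.setdefault(email, {"Email Address": email, "UUID": user.get("uuid")})
        entry["Username"] = user.get("name", entry.get("Username"))
    return users


def pull_users(client, log_group: str, start_ms: int, end_ms: int) -> Dict[str, dict]:
    return extract_users(iter_log_events(client, log_group, start_ms, end_ms))


# --- constructed offline stand-ins (not real AWS data) ----------------------------------
def _event(ts: int, email: str, name: str, uuid: str) -> dict:
    body = {"identity": {"user": {"email_address": email, "name": name, "uuid": uuid}}}
    return {"timestamp": ts, "message": json.dumps(body)}


SAMPLE_STREAMS = {
    "endpoint-a": [_event(1_700_000_000_000, "alice@example.com", "alice", "u-1"),
                   _event(1_700_000_060_000, "bob@example.com", "bob", "u-2")],
    "endpoint-b": [_event(1_700_000_120_000, "alice@example.com", "alice.r", "u-1"),
                   {"timestamp": 1_700_000_180_000, "message": "not json"}],
}


class _FakeLogsClient:
    """Minimal stand-in for boto3's CloudWatch Logs client (constructed for this example)."""

    def __init__(self, streams):
        self._streams = streams

    def describe_log_streams(self, **kw):
        return {"logStreams": [{"logStreamName": n,
                                "lastEventTimestamp": max(e["timestamp"] for e in evs)}
                               for n, evs in self._streams.items()]}

    def get_log_events(self, **kw):
        token = "f/end"  # a real token is opaque; the repeat-token behaviour is what matters
        if kw.get("nextToken") == token:
            return {"events": [], "nextForwardToken": token}
        evs = [e for e in self._streams[kw["logStreamName"]]
               if kw["startTime"] <= e["timestamp"] <= kw["endTime"]]
        return {"events": evs, "nextForwardToken": token}


if __name__ == "__main__":
    client = _FakeLogsClient(SAMPLE_STREAMS)  # production: boto3.client("logs", region_name=...)
    for record in pull_users(client, "awsverifiedaccesslogs", 0, 2_000_000_000_000).values():
        print(record)
```

The time window corresponds to the plugin's Initial Range parameter: compute start_ms as now minus that many days in epoch milliseconds. Streams are requested ordered by LastEventTime so the loop can skip streams that cannot contain events in the window without fetching them.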

Performance Matrix

Below is the performance matrix conducted on a Large CE Stack with below-mentioned specifications by pulling 10K users.

Stack Size: Large
RAM: 32 GB
Core: 16
Time taken to store the pulled and updated user records: ~10 mins

User Agent

netskope-ce-5.1.0-cre-aws-verified-access-v1.0.0

Workflow

  1. Configure an AWS Verified Access instance (if you don’t already have one).
  2. Create CloudWatch Log Group.
  3. Attach the log group with Verified Access instance.
  4. Create an AWS Cloudwatch policy.
  5. Configure the AWS Verified Access plugin.
  6. Add a Risk Exchange Business Rule for AWS Verified Access.
  7. Add SIEM Mappings for AWS Verified Access.
  8. Validate the AWS Verified Access plugin.

Configure a Verified Access Instance

Follow the steps mentioned in the link below to set up the required configurations for Verified Access.

https://catalog.workshops.aws/verifiedaccessworkshop/en-US/labs/lab1

Create CloudWatch Log Group

  1. Log in to AWS Console.
  2. Search for and click on CloudWatch.
  3. Click Log groups.
  4. Click Create log group.
  5. Enter the name of the log group, and click Save.
  6. Search for the created log group.

Attach the Log Group with the Verified Access Instance

  1. Log in to AWS Console.
  2. Search for Verified Access and click on AWS Verified Access.
  3. Click Verified Access instance ID.
  4. Click Verified Access Instance logging configuration.
  5. Click Modify Verified Access instance logging configuration.
  6. Select the log group in the Log group dropdown. Click Modify configuration. The Log Group is ready to use.

Create an AWS CloudWatch Policy

  1. Search for IAM in the search box, and in the left panel, click Policies.
  2. Click Create Policy.
  3. Click on the JSON tab, enter this policy, and then click Next.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:*"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }
  4. Enter a Name and click Create Policy.

  5. Attach this policy to the user. Go to IAM > Users. Select the user for which you want to attach a policy, click Add permissions, and select the Add permissions option.
  6. Select Attach policies directly under the Permissions options, and then search for and select the policy created in the previous step.
  7. Click Next and then click Add permissions. The policy will be attached to the user.
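The policy above grants logs:* on every log group in the account, which is more than the plugin needs: according to the API Details section the plugin only calls describe_log_streams and get_log_events. The block below is an added example (not from Netskope or AWS) that builds a least-privilege alternative scoped to those two actions on one named log group, and includes a small Allow-only evaluator (it ignores Deny statements, NotAction and Conditions, so it is a sanity check rather than a replacement for the IAM policy simulator) to compare what each policy permits. The account id and log group name are placeholders.

```python
"""Compare the page's wildcard CloudWatch Logs policy with a least-privilege one."""
import fnmatch
import json

# Policy as given on the page: every logs action on every log group.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["logs:*"], "Resource": ["arn:aws:logs:*:*:*"]}],
}


def scoped_log_policy(region: str, account_id: str, log_group: str) -> dict:
    """Only the two read calls the plugin makes, on one log group and its streams.

    DescribeLogStreams is authorised on the log-group ARN; GetLogEvents on the
    log-stream ARN, which is the log-group ARN followed by ':log-stream:<name>',
    so '<log-group-arn>:*' covers every stream of that group and nothing else.
    """
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents"],
            "Resource": [group_arn, f"{group_arn}:*"],
        }],
    }


def allows(policy: dict, action: str, resource: str) -> bool:
    """Allow-only evaluation: True if some Allow statement matches both the action
    (case-insensitive, IAM-style * and ? wildcards) and the resource ARN (case-sensitive).
    Deny statements, NotAction/NotResource and Conditions are not modelled."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def compare(policy_a: dict, policy_b: dict, probes) -> dict:
    """For each (action, resource) probe, report which of the two policies allows it."""
    return {f"{act} on {res}": (allows(policy_a, act, res), allows(policy_b, act, res))
            for act, res in probes}


if __name__ == "__main__":
    # Placeholder account id and log group name, constructed for the example.
    scoped = scoped_log_policy("us-east-1", "123456789012", "awsverifiedaccesslogs")
    group = "arn:aws:logs:us-east-1:123456789012:log-group:awsverifiedaccesslogs"
    other = "arn:aws:logs:us-east-1:123456789012:log-group:other-app"
    probes = [("logs:DescribeLogStreams", group),
              ("logs:GetLogEvents", group + ":log-stream:endpoint-a"),
              ("logs:DeleteLogGroup", group),
              ("logs:GetLogEvents", other + ":log-stream:x")]
    print(json.dumps(scoped, indent=2))
    for probe, (page_ok, scoped_ok) in compare(PAGE_POLICY, scoped, probes).items():
        print(f"{probe}: page policy={page_ok} scoped policy={scoped_ok}")
```

If you paste the scoped policy into the JSON tab in step 3 instead of the wildcard one and the plugin later fails with an AccessDenied message in the Cloud Exchange Logging page, that message names the exact action to add; do not fall back to logs:* without reading it.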

Plugin Authentication Methods

IAM Role Anywhere Authentication

Prerequisites

The AWS Certificate Manager service is required to be enabled to authenticate the plugin using the AWS IAM Roles Anywhere Authentication Method.

Note: make sure you create the Private Certificate Authority, Trust Anchor and Profile in the same region in which your Verified Access instance and CloudWatch Log Group reside.

Create a Policy

This Policy contains the required permissions for creating Private CA Certificate (including Permissions for creating Trust Anchor and Profile) and using the IAM Roles Anywhere.

  1. Go to Policy Generator and select IAM Policy as policy type, enter Add Statement details, and generate a policy.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Private Certificate Authority
    • Actions:
      • CreateCertificateAuthority
      • DescribeCertificateAuthority
      • GetCertificate
      • GetCertificateAuthorityCertificate
      • GetCertificateAuthorityCsr
      • ImportCertificateAuthorityCertificate
      • IssueCertificate
      • ListCertificateAuthorities
    • ARN: *
  2. Click Add Statement.
  3. Scroll back up to add another statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Identity and Access Management (IAM)
    • Actions:
      • AttachRolePolicy
      • CreateAccessKey
      • CreateRole
      • DeleteRole
      • PassRole
    • ARN: *
  4. Click Add Statement.
  5. Scroll back up to add another statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Certificate Manager
    • Actions:
      • DescribeCertificate
      • ExportCertificate
      • GetCertificate
      • ListCertificates
      • ListTagsForCertificate
      • RequestCertificate
    • ARN: *
  6. Click Add Statement.
  7. Scroll back up to add another statement.
    • Select Type of Policy: IAM Policy
    • Effect: Allow
    • AWS Service: AWS Identity and Access Management Roles Anywhere
    • Actions:
      • CreateProfile
      • CreateTrustAnchor
      • GetProfile
      • GetTrustAnchor
      • ListProfiles
      • ListTrustAnchors
    • ARN: *
  8. Click Add Statement.
  9. Click Generate Policy.
  10. Copy the Policy as it will be used in the next step for creating the policy required for creating the Private CA certificates.
  11. Go to AWS Console and select IAM from All Services. Click Policies in the left panel, and then click Create Policy.
  12. Copy the policy to the JSON tab, click Next:Tags, and then click Next:Review.

  13. Enter a name (like netskope-ce-rolesAnywhere-policy) and click Save Changes.

Create a Private Certificate Authority

  1. Log in to AWS Console.
  2. Search for Certificate Manager.
  3. Click AWS Private CA.
  4. Click Create a private CA.
  5. For Mode Options, select General-purpose.
  6. For CA type options, select Root.
  7. Enter the Organization (O).
  8. For Key algorithm options, select RSA 2048.
  9. Add tags if any (optional).
  10. Check the checkbox in the CA permissions options section.
  11. Check the checkbox in the Pricing section.
  12. Click Create to create the CA certificate.
  13. From Actions, select Install CA Certificate.
  14. Click Confirm and Install.

Create a Trust Anchor

  1. Search for the IAM service, go to Roles under Access management, scroll down to Roles Anywhere and select Manage.
  2. Click Create a Trust anchor.
  3. Enter a Trust anchor name, like netskope-ce-aws-verified-trust-anchor.
  4. Select AWS Certificate Manager Private CA (created in the previous steps) as a Certificate authority (CA) source. Select the Certificate that was created in the previous step in AWS Private Certificate Authority.
  5. Add tags if required.
  6. Click Create a trust anchor.

  7. Click on the created Trust Anchor and copy the Trust Anchor ARN.

Create an IAM Role

  1. Go to IAM services in the AWS Console.
  2. Click Role in the Access Management submenu.
  3. Click Create Role.
  4. In the Trusted entity type, select Custom Trust Policy.
  5. Replace the Custom trust Policy with this Trust Policy. This policy contains the permissions for using the roles anywhere service:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "rolesanywhere.amazonaws.com"
                    ]
                },
                "Action": [
                    "sts:AssumeRole",
                    "sts:TagSession",
                    "sts:SetSourceIdentity"
                ]
            }
        ]
    }
  6. Click Next.
  7. In the Permissions policies, select the policy created in Create an AWS CloudWatch Policy.
  8. Click Next.
  9. Provide a Role name (like netskope-ce-aws-verified-access-role) and Description for the role.
  10. Click Create role. Search for the created role and click on the Role Name. 
  11. Make a note of the Role ARN as this will be required in the Plugin configuration parameter Role ARN for the authentication method AWS IAM Roles Anywhere.

Create a Profile

  1. Select Roles under Access management.
  2. Scroll down to Roles Anywhere and click Manage.
  3. Expand the Setup steps.
  4. Click Step 2: Configure roles.
  5. Click Configure a profile.
  6. Enter a Profile name, like netskope-ce-aws-verified-access-profile.
  7. Select the role created in Create IAM Role.
  8. Remove the Inline Policy.
  9. Click Create a profile.

  10. Select the created Profile and copy the Profile ARN.

Request a Private Certificate

  1. Go to AWS Certificate Manager > Request certificate.
  2. Select Request a private certificate.
  3. Click Next.
  4. Select the Certificate authority created in the previous step.
  5. Provide a domain name in the Fully qualified domain name field, like netskope-ce-verified-access.com.
  6. Select RSA 2048 as the Key algorithm.
  7. Add tags if required.
  8. Acknowledge the Certificate renewal permissions.
  9. Click Request.
  10. Go to List certificates from the navigation pane of AWS Certificate Manager.
  11. Select the certificate created previously.
  12. Click Export.
  13. Enter a passphrase. Make a note of the passphrase as it will be required for the Configuration of the AWS Verified Access Plugin using the AWS IAM Roles Anywhere Authentication method.
  14. Click Generate PEM Encoding.
  15. Download all the Certificates as it won’t be visible again. For new certificates, you will need to Export them again.

The Certificate body, Certificate Private Key will be required for the Configuration of the AWS Verified Access Plugin using the AWS IAM Roles Anywhere authentication method. For more info, go to AWS IAM Role Anywhere.

AWS Authentication

Create a Role

  1. Go to IAM services in the AWS Console.
  2. Click Create role.
  3. Select the AWS Service.
  4. Under Use case, select EC2.
  5. Click Next.
  6. Select the permission policy created in Create an AWS Cloudwatch policy.
  7. Click Next.
  8. Enter a Role Name (like aws-verified-access-instance-role) and Description.
  9. Click Create Role.

Assign a Role to an EC2 Instance

  1. Log in to your EC2 instance console.
  2. Click Instances under Instances.
  3. Go to Action > Security > Modify IAM Role.
  4. Select the Role that you created above in Create a Role (for example, aws-verified-access-instance-role).
  5. Click Add IAM Role or Modify IAM Role. Note that the EC2 instance and the CloudWatch log group should be in the same region.

Assign a Role to a K8s Instance

  1. Open your Role created for ServiceAccount while creating K8s instance.
  2. Attach the policy created in Create an AWS Cloudwatch Policy.

Configure the AWS Verified Access Plugin

  1. In Cloud Exchange, go to Settings > Plugins. Search for and select the AWS Verified Access v1.0.0 (CRE) plugin box.
  2. Enter a Configuration Name, and modify the Sync Interval if needed.
  3. Click Next. Select “Deployed on AWS” if an instance is deployed on AWS.
  4. Enter the Configuration Parameters:
    • Authentication Method: Select the method to be used for authentication (Deployed on AWS/AWS IAM Roles Anywhere)
    • Private Key: Private Key for decrypting the AWS Private CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Certificate Body: Certificate Body for AWS Public/Private CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Password Phrase: Password Phrase for decrypting the CA Certificate. Required for AWS IAM Roles Anywhere authentication type.
    • Profile ARN: AWS Profile ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Role ARN: AWS Role ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Trust Anchor ARN: AWS Trust Anchor ARN for AWS client authentication. Required for AWS IAM Roles Anywhere authentication type.
    • Region Name: Region in which Verified Access service is running. Make sure that the region name matches the region in the Profile ARN and Trust Anchor ARN.
    • CloudWatch Log Group Name: The log group name to fetch the user details from Verified Access logs. To get the log group name go to CloudWatch > Log Groups.
    • Initial Range (in days): Number of days to sync the data. In every plugin run data from the provided days will be synced.

    Notes

    • Only Initial Range, CloudWatch Log Group Name and Region Name are mandatory when “Deployed on AWS” is selected in “Authentication method”.
    • If the plugin is configured on a host other than an AWS instance, generate the configuration parameters by following the steps in the IAM Role Anywhere Authentication section.

  5. Click Next. Select the Entity from the Entity dropdown. The Entity fields can be created from the Schema editor page, or using the + Add Field option from the field dropdown. Provide the field mappings. For the suggested mapping, refer to the Mappings section.
  6. Click Save. Your new plugin appears on the Risk Exchange Plugin page.
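Most of the failures listed under Troubleshooting below (certificate and ARNs in different regions, a missing Roles Anywhere step, invalid parameter values) can be caught before clicking Save by checking the parameters against the rules stated in step 4 and the Notes. The block below is an added example of such a pre-flight check, not part of the plugin; it encodes which parameters each Authentication Method requires, parses the Profile, Trust Anchor and Role ARNs, and confirms that the ARN regions match Region Name. The sample configurations are constructed, with placeholder account ids and resource ids.

```python
"""Pre-flight validation of AWS Verified Access plugin configuration parameters."""
import re
from typing import Dict, List, Optional

# arn:partition:service:region:account-id:resource  (region and account may be empty, e.g. IAM)
ARN_RE = re.compile(r"^arn:(aws[a-z-]*):([a-z0-9-]+):([a-z0-9-]*):(\d{12})?:(.+)$")

# Parameters the plugin requires per Authentication Method (from step 4 and the Notes).
REQUIRED = {
    "Deployed on AWS": ("Region Name", "CloudWatch Log Group Name", "Initial Range (in days)"),
    "AWS IAM Roles Anywhere": ("Private Key", "Certificate Body", "Password Phrase", "Profile ARN",
                               "Role ARN", "Trust Anchor ARN", "Region Name",
                               "CloudWatch Log Group Name", "Initial Range (in days)"),
}

# Expected service and resource prefix of each ARN parameter.
ARN_SHAPES = (("Profile ARN", "rolesanywhere", "profile/"),
              ("Trust Anchor ARN", "rolesanywhere", "trust-anchor/"),
              ("Role ARN", "iam", "role/"))


def parse_arn(arn: Optional[str]) -> Optional[Dict[str, str]]:
    m = ARN_RE.match((arn or "").strip())
    if not m:
        return None
    partition, service, region, account, resource = m.groups()
    return {"partition": partition, "service": service, "region": region,
            "account": account or "", "resource": resource}


def validate_config(cfg: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems: List[str] = []
    method = cfg.get("Authentication Method")
    if method not in REQUIRED:
        return [f"unknown Authentication Method {method!r}"]
    for key in REQUIRED[method]:
        if not str(cfg.get(key, "")).strip():
            problems.append(f"{key} is required for {method}")
    raw_days = str(cfg.get("Initial Range (in days)", "")).strip()
    if raw_days and (not raw_days.isdigit() or int(raw_days) <= 0):
        problems.append("Initial Range (in days) must be a positive integer")
    if method == "AWS IAM Roles Anywhere":
        region = str(cfg.get("Region Name", "")).strip()
        for key, service, prefix in ARN_SHAPES:
            arn = parse_arn(cfg.get(key))
            if arn is None:
                if str(cfg.get(key, "")).strip():
                    problems.append(f"{key} is not a well-formed ARN")
                continue
            if arn["service"] != service or not arn["resource"].startswith(prefix):
                problems.append(f"{key} does not look like a {service} {prefix.rstrip('/')} ARN")
            # IAM role ARNs carry no region; Roles Anywhere ARNs must match Region Name.
            if arn["region"] and arn["region"] != region:
                problems.append(f"{key} region {arn['region']} does not match Region Name {region}")
    return problems


# Constructed sample configurations with placeholder ids (not real resources).
SAMPLE_ROLES_ANYWHERE = {
    "Authentication Method": "AWS IAM Roles Anywhere",
    "Private Key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n<placeholder>\n-----END ENCRYPTED PRIVATE KEY-----",
    "Certificate Body": "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----",
    "Password Phrase": "<placeholder>",
    "Profile ARN": "arn:aws:rolesanywhere:us-east-1:123456789012:profile/00000000-0000-0000-0000-000000000001",
    "Role ARN": "arn:aws:iam::123456789012:role/netskope-ce-aws-verified-access-role",
    "Trust Anchor ARN": "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/00000000-0000-0000-0000-000000000002",
    "Region Name": "us-east-1",
    "CloudWatch Log Group Name": "awsverifiedaccesslogs",
    "Initial Range (in days)": "7",
}
SAMPLE_DEPLOYED_ON_AWS = {
    "Authentication Method": "Deployed on AWS",
    "Region Name": "us-east-1",
    "CloudWatch Log Group Name": "awsverifiedaccesslogs",
    "Initial Range (in days)": "7",
}

if __name__ == "__main__":
    for name, cfg in (("roles-anywhere", SAMPLE_ROLES_ANYWHERE), ("deployed-on-aws", SAMPLE_DEPLOYED_ON_AWS),
                      ("region-mismatch", dict(SAMPLE_ROLES_ANYWHERE, **{"Region Name": "eu-west-1"}))):
        print(name, validate_config(cfg) or "OK")
```

Running the region-mismatch case reports both the Profile ARN and the Trust Anchor ARN, which is the same condition the first troubleshooting bullet describes; the Role ARN is not flagged because IAM ARNs are global.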

Add a Risk Exchange Business Rule for AWS Verified Access

  1. In Risk Exchange, go to Business Rules.
  2. Click Create New Rule.
  3. Enter a Rule Name, and select the Entity in which fields were mapped while configuring the plugin, and then provide filters as needed. 
  4. Click Save.

Add Risk Exchange Actions for AWS Verified Access

The AWS Verified Access plugin supports the following action type:

No Action

This action does not perform any action on the users, but can generate alerts in Ticket Orchestrator if the Generate Alerts toggle button is enabled.

NOTE: Refer to the Netskope guide in order to configure Netskope related actions for the user records pulled from AWS Verified Access CloudWatch log group. To configure the other actions supported by Netskope, refer to the Risk Exchange plugins guide.

To configure this action:

  1. In Risk Exchange, go to Actions and click Add Action Configuration.
  2. Select your Business Rule, plugin Configuration, and select No action in Actions dropdown. Turn on the Require Approval toggle if approval is required before performing the Generate Alert action. Click Save.
  3. Manually sync the action if users are already present in Records. To validate the generated alerts, go to Ticket Orchestrator Module > Alerts.
  4. Click Save.

Validate the AWS Verified Access Plugin

Validate on Cloud Exchange

To validate that users are pulled from the log group:

  1. Go to the Logging in Cloud Exchange. Search for the plugin logs.
  2. In Risk Exchange, go to Records, and select the Entity that was selected while configuring the AWS Verified Access plugin to view the pulled users.

Data is pulled from the log streams present inside a CloudWatch log group attached with a verified access instance. Go to CloudWatch > Log groups > awsverifiedaccesslogs. Log Streams will be available; the users available in these log streams will be pulled.

Troubleshooting the AWS Verified Access Plugin

Unable to configure the CRE AWS Verified Access plugin.

If you are unable to configure the AWS Verified Access plugin, it could be due to one of these reasons:

  • For the authentication method IAM role anywhere, Certificate and other configuration parameters may not be present in the same region.
  • For the authentication method IAM role anywhere, any steps are missing while creating Role ARN, Trust anchor ARN, Profile ARN.
  • If the Netskope CE is deployed on AWS using the Deployed on AWS authentication method, the proper role is not attached to the EC2 instance.
  • There are invalid values provided to the configuration parameters.
  • IAM permissions are not provided to the user on the AWS platform.

To solve these issues, follow these steps:

  1. Make sure that the certificate and other configuration parameters are created in the same region.
  2. Make sure to follow the steps in the IAM Role Anywhere Authentication section so that no step is missed.
  3. Make sure to follow the Assign a Role to an EC2 Instance section to assign a proper role to the EC2 instance.
  4. Make sure valid values are provided in the configuration parameters. Go to the Logging page and verify the log message.
  5. Provide the IAM permissions to the user for which configuration parameters were created.

Unable to pull/view users from the CRE AWS Verified Access

If you are unable to pull users from AWS Verified Access, it could be due to one of these reasons:

  • Users are not present in the log group.
  • Proper policy is not attached to the role or EC2 instance.
  • Logs are not generated in the log group.
  • Users are pulled but in Records the users are displayed in a row with comma-separated values.

To solve these issues, follow these steps:

  1. In the AWS console, go to CloudWatch > Log groups. Select the log group provided in plugin configuration. Verify if any users exist there.
  2. Attach the policy properly by following the Create an AWS CloudWatch policy and Create IAM Role steps.
  3. Verify the created Verified access setup and attachment to the log group. To verify the attachment follow the Attach the log group with the Verified Access instance steps.
  4. Make sure that the fields created in an entity are marked as unique.

Limitation

Users can be fetched from a single log group at a time, because from AWS only one log group can be attached to the Verified Access instance. You can update the name of the log group if you need to pull users from another log group, or configure a new plugin with a different log group name.
