How to configure an Amazon Security Lake integration in VMware Aria Automation for Secure Clouds

This integration sends findings from VMware Aria Automation for Secure Clouds to a designated S3 bucket under Amazon Security Lake. Findings can then be forwarded to any security information and event management (SIEM) tool that ingests logs from Amazon Security Lake.

The recommended configuration is to have Amazon Security Lake automatically generate an IAM service role that is purpose-built for Security Lake operations with appropriate permissions, then edit the trust policy to set an external ID on the role as required by VMware Aria Automation for Secure Clouds.

As an alternative, you can use an existing service role with the necessary permissions, as described in the AWS documentation.

Step one - Add VMware Aria Automation for Secure Clouds as a custom source in Amazon Security Lake

Log in to AWS and open the Security Lake console. Refer to the Amazon Security Lake documentation and follow the directions under the "Adding a custom source" section.

Enter the following information where prompted in the required fields:

  • Data source name - A globally unique name of your choice. What you enter here must also be entered as your object prefix in step three.
  • OCSF Event class - Enter "Security Finding".
  • Account Id - This is the AWS account ID for the VMware Aria Automation for Secure Clouds service. You can find it in the trust relation for the IAM role you created when onboarding your AWS accounts, or contact customer service if you can't find it.

Once the required fields are filled out, select the option to create and use a new service role, then create the custom source.

Step two - Add the required external ID to the Security Lake IAM service role

Amazon Security Lake automatically provisions an S3 bucket with the necessary IAM roles to receive security findings from VMware Aria Automation for Secure Clouds after it's added as a custom source. However, you must add an external ID to the IAM service role for Security Lake and VMware Aria Automation for Secure Clouds to communicate.

  1. From the AWS Management Console, select the IAM portal.

  2. Select Roles in the sidebar.

  3. Locate the service role for Security Lake. The name defined by the previous step is AmazonSecurityLake-Provider-<data source name>-region.

  4. Select the role, then update the trust policy to add your organization ID in VMware Aria Automation for Secure Clouds as an external ID:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<PROD-ACCT>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<organization-ID>"
                    }
                }
            }
        ]
    }
    
    Note

    Please contact VMware Aria Automation for Secure Clouds customer service to obtain the <PROD-ACCT> value if you don't already have it.

  5. Once complete, copy the role ARN for use in the next step.
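Before copying the ARN, it is worth confirming that the trust policy you just saved really restricts sts:AssumeRole to the Secure Clouds account and requires the external ID. The following Python check is an added example, not code from this page or from VMware; it uses constructed placeholder values for <PROD-ACCT> and <organization-ID> and accepts the policy either as the JSON text from the IAM console or as the dict returned by boto3's get_role (AssumeRolePolicyDocument).

```python
import json

# Constructed placeholders; substitute the real <PROD-ACCT> and <organization-ID>.
PROD_ACCT = "111122223333"
ORG_ID = "example-organization-id"

# Constructed sample: the trust policy as it should look after step 4.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PROD_ACCT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": ORG_ID}},
    }],
}


def check_trust_policy(policy, prod_acct=PROD_ACCT, org_id=ORG_ID):
    """Return a list of problems; an empty list means the policy is as expected.

    Every Allow of sts:AssumeRole must name only the Secure Clouds account as
    principal and require the organization ID as sts:ExternalId.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    expected_principal = f"arn:aws:iam::{prod_acct}:root"
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    problems, seen_assume = [], False
    for s in stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        seen_assume = True
        principal = s.get("Principal", {})
        # A bare "*" principal (anyone) is a string, not a dict; flag it too.
        principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        principals = [principals] if isinstance(principals, str) else principals
        if principals != [expected_principal]:
            problems.append(f"unexpected principal(s): {principals}")
        ext_id = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            problems.append("missing sts:ExternalId condition")
        elif ext_id != org_id:
            problems.append(f"sts:ExternalId is {ext_id!r}, expected {org_id!r}")
    if not seen_assume:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems
```

Run `check_trust_policy(role["AssumeRolePolicyDocument"])` on the role fetched from IAM; anything other than an empty list means the policy needs another look before you proceed.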

Step three - Create an S3 integration for Amazon Security Lake

With the Security Lake configuration in AWS completed, you next need to create the integration in the VMware Aria Automation for Secure Clouds browser client.

  1. Navigate to Settings > Integrations.
  2. Under Amazon S3, select Add New.
  3. Enter the name of your integration.
  4. For Data Format, select Parquet for Amazon Security Lake.
  5. For the Bucket Name field, enter the name of the S3 bucket provisioned by Amazon Security Lake.
  6. For the Object Prefix field, enter the data source name you chose in the previous section.
  7. Select Next.
  8. Select the Context at which others are able to view and edit this integration. If you're already creating this integration from the context of a specific project, it's set automatically.
  9. Select Next.
  10. Enter the ARN for the IAM role you modified in the previous section.
  11. Select Next.
  12. Select Test to verify a successful connection between the integration and your S3 bucket.
  13. After receiving a successful response, click Save.

Next, create an alert for your S3 integration to start sending findings data to a bucket.
