Connecting to an AWS asset data source

The AWS Connected Assets and Risk connector runs in the IBM Security QRadar® Suite Software cluster. The connector incrementally synchronizes the contents of the AWS asset databases with the data that is managed by the Connected Assets and Risk service.

Before you begin

Collaborate with an AWS administrator to set the permissions that are required for your user account. The following permissions are required for the AWS Connected Assets and Risk connector.

Client

ec2

describe_instances
describe_network_interfaces

securityhub

get_findings

cloudtrail

lookup_events

elasticbeanstalk

describe_applications
describe_environments

rds

describe_db_instances

elasticbeanstalk

list_clusters
describe_tasks
describe_container_instances

Resource

ec2

Image

If you have a firewall between your cluster and the data source target, use the IBM® Security Edge Gateway to host the containers. The Edge Gateway must be version 1.6 or later. For more information, see Setting up Edge Gateway.

About this task

The AWS Connected Assets and Risk connector imports data from the following services.

CloudTrail
Elastic Beanstalk
Elastic Compute Cloud (EC2)
Elastic Container Service (ECS)
Relational Database Service (RDS)
Security Hub

AWS users must have the appropriate roles and policies for the services that they want to import data from.

For more information about AWS services, see AWS documentation.

Procedure

Log in to IBM Security QRadar Suite Software.
From the menu, click Connections > Data sources.
On the Assets tab, click Connect an asset.
Click Amazon Web Services, then click Next.
Click Next.
Configure the connection to allow IBM Security QRadar Suite Software to connect to the data source.
1. In the Connector name field, assign a name to uniquely identify the data source connection.
  
  Tip: Only alphanumeric characters and the following special characters are allowed: - . _
2. In the Connector description field, write a description to indicate the purpose of the data source connection.
  
  Tip: Only alphanumeric characters and the following special characters are allowed: - . _
3. In the Edge gateway (optional) field, specify which IBM Security Edge Gateway to use.
  
  To use the Edge Gateway to host the containers that are required for communication between the data sources and IBM Security QRadar Suite Software, select an Edge Gateway. The Edge Gateway must be version 1.6 or later. It can take up to 5 minutes to establish the connection to the Edge Gateway.
  
  Important: If you have a firewall between your IBM Security QRadar Suite Software cluster and the data source target, use the Edge Gateway to host the containers.
  
  For more information, see Edge Gateway.
4. In the Frequency field, set how often the connector imports data from the data source, in minutes.
  The value must be an integer.
  For example, a value of 60 causes the connector to run every 60 minutes.
  If the data source doesn't have many assets, or you don't want to import data often, reduce the frequency.
5. In the Region field, enter the region of the AWS logs for the data source.

On the Connection configurations page, configure identity and access.

Click Add a configuration.

In the Configuration details window, configure the following parameters.

Table 1. Configuration parameters
Parameter	Description
Configuration Name	Enter a unique name to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: `- . _`
Configuration Description	Enter a unique description to describe the access configuration and distinguish it from the other access configurations for this data source connection that you might set up. Only alphanumeric characters and the following special characters are allowed: `- . _`
AWS access key ID	Establish AWS authentication to enable access to the AWS search API. To establish an AWS key-based authentication, enter values for the AWS Access key id and AWS secret access key parameters. To establish an AWS role-based authentication, enter values for the AWS Access key id and AWS secret access key.
AWS secret access key
Account ID	Enter the account ID of the AWS.

Important: You must establish AWS authentication to enable access to the AWS search API. For more information about AWS authentication, see Configuring AWS authentication.

Click Add.
To save your configuration and establish the connection, click Done.

To edit your configurations, complete the following steps:
1. On the Assets tab, select the data source connection that you want to edit.
2. In the Configurations section, click Edit Configuration ().
3. Edit the identity and access parameters and click Save.

Results

The connector imports data from the data source. The connector imports data again at the interval that you set in the Frequency field.

Tip: After the data source is connected, it takes some time for the initial data retrieval based on the frequency that is specified in the Frequency parameter. During this time, the data source appears as unavailable. After the data retrieval is complete, the data source shows as connected. To maintain the connection status, a polling mechanism is initiated to verify the connection periodically.

You can add other connection configurations for this data source that have different users and different data access permissions.

What to do next

Test the connection by searching for an IP address in IBM Security Data Explorer that matches an asset data source. In Data Explorer, click an IP address to view its associated assets and risk.

To use Data Explorer, you must have data sources that are connected so that the application can run queries and retrieve results across a unified set of data sources. The search results vary depending on the data that is contained in your configured data sources. For more information about how to build a query in Data Explorer, see Build a query.