Configuring Amazon AWS service to communicate with QRadar Cloud Visibility

You can configure Amazon AWS to communicate with QRadar® Cloud Visibility app by adding relevant log source types and log sources that you need QRadar Cloud Visibility to monitor.

Before you begin

You must have QRadar administrator privileges to configure the app.

Complete the initial configuration before you add the Amazon AWS service to the app. See Configuring cloud service providers to communicate with QRadar Cloud Visibility.

Important: If you have a firewall that prevents outbound connections to the internet, you must modify the firewall's configuration to allow QRadar Cloud Visibility to connect to the AWS endpoints. For more information, see Firewall URL requirements for Amazon AWS.

Procedure

  1. From the Admin tab, click Apps > Cloud Visibility > Configuration.
  2. Click the AWS tab and select the Enable Amazon AWS dashboard and other capabilities checkbox.
  3. If you need a proxy server to connect to your Amazon AWS account, configure the settings in the Proxy configuration section, and then click Validate.
  4. To set up resource access permissions for your AWS accounts, choose one of the following options:
    1. If you are configuring AWS for the first time to communicate with QRadar Cloud Visibility, click AWS resource access permissions wizard and define which AWS resources can be accessed by QRadar Cloud Visibility by selecting one of the following options in the wizard:
      • Use wizard to help set up your AWS accounts. The wizard doesn't update your AWS accounts directly. Depending on the option you choose, it either generates a script or provides detailed instructions.
      • Set AWS account credentials and integration options. Provide new AWS account credentials or policy to the app. Add individual or multiple Assume role policy ARNs to the account. Select the AWS partition and regions where your AWS resources are located. Specify AWS Security Hub and Amazon Detective integration settings. Validate your existing configuration.
    2. If you want to modify existing AWS access permissions, click AWS resource access permissions wizard and define which AWS resources can be accessed by QRadar Cloud Visibility by selecting one of the following options in the wizard:
      • Use wizard to modify my current AWS account setup. Modify your current setup by adding or removing trusting accounts or by changing the trusted account. Select the AWS partition and regions where your AWS resources are located. Configure integration settings with Amazon Detective and AWS Security Hub. Choose to complete the configuration through AWS CLI or AWS Management Console.
      • Modify AWS account credentials or integration options. Provide new AWS account credentials or policy to the app. Add individual or multiple Assume role policy ARNs to the account. Select the AWS partition and regions where your AWS resources are located. Specify AWS Security Hub and Amazon Detective integration settings. Validate your existing configuration.
  5. Configure the log source types and log sources for the service so that the offenses from the events that are picked up by the log sources appear in the Offense Overview charts.
    You can set up to a total of 100 log sources and log source types. You can remove any log source types or log sources from the configuration.
  6. To delete your IAM user information from the app database, click Delete in the Data Management section. The user information is deleted only from the app, not from AWS or QRadar.
  7. Click Set to save your changes.