Firewall URL requirements for Amazon AWS
If your IBM® QRadar® Console is behind a restricted firewall, you must allow traffic to specific Amazon AWS URLs so that you can use the full features of IBM QRadar Cloud Visibility.
During configuration, QRadar Cloud Visibility attempts to connect only to the iam.amazonaws.com and sts.amazonaws.com endpoints. After the IAM configuration is complete, QRadar Cloud Visibility attempts to connect to the other service endpoints.
Minimum service endpoints to allow through your firewall
- iam.amazonaws.com
- sts.amazonaws.com
- s3.amazonaws.com
- cloudtrail.{region}.amazonaws.com
- ec2.{region}.amazonaws.com
- sns.{region}.amazonaws.com
- sqs.{region}.amazonaws.com
- logs.{region}.amazonaws.com
- securityhub.{region}.amazonaws.com
Replace {region} with each AWS region that you monitor. {region} is one of the following values:
- ap-northeast-1
- ap-northeast-2
- ap-northeast-3
- ap-south-1
- ap-southeast-1
- ap-southeast-2
- ca-central-1
- eu-central-1
- eu-north-1
- eu-west-1
- eu-west-2
- eu-west-3
- sa-east-1
- us-east-1
- us-east-2
- us-west-1
- us-west-2
For example, to allow CloudTrail for the four United States regions, allow the following endpoints:
- cloudtrail.us-east-1.amazonaws.com
- cloudtrail.us-east-2.amazonaws.com
- cloudtrail.us-west-1.amazonaws.com
- cloudtrail.us-west-2.amazonaws.com
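The following pre-flight check is an added example and not part of IBM's documentation or the QRadar product. It expands the endpoint templates above for the regions you monitor, checks the two IAM-phase endpoints first (as the configuration sequence requires), and then attempts a verified TLS handshake to each remaining endpoint on port 443 from the Console, so a blocked rule or a TLS-inspecting proxy that breaks certificate validation shows up before you run the wizard. The region list and timeout are assumptions; adjust them to your deployment.

```python
"""Pre-flight reachability check for the AWS endpoints QRadar Cloud Visibility needs.

Added example, not IBM's code. Run it on the QRadar Console (or a host in the
same network path) to find endpoints your firewall does not allow.
"""
import socket
import ssl

# Endpoints needed before the IAM configuration is complete (phase 1).
PHASE1 = ("iam.amazonaws.com", "sts.amazonaws.com")
# Global and regional endpoints needed after that (phase 2).
GLOBAL = ("s3.amazonaws.com",)
REGIONAL = ("cloudtrail", "ec2", "sns", "sqs", "logs", "securityhub")


def expand_endpoints(regions):
    """Return (phase1, phase2) hostname lists for the given {region} values."""
    phase2 = list(GLOBAL)
    for region in regions:
        phase2.extend(f"{svc}.{region}.amazonaws.com" for svc in REGIONAL)
    return list(PHASE1), phase2


def check_endpoint(host, timeout=5.0):
    """True if a TLS handshake to host:443 succeeds with chain and hostname verification."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):  # DNS failure, refused, timed out, or bad certificate
        return False


def run_preflight(regions):
    """Check phase 1 first; continue to phase 2 only if both IAM-phase endpoints are reachable."""
    phase1, phase2 = expand_endpoints(regions)
    results = {host: check_endpoint(host) for host in phase1}
    if all(results.values()):
        results.update({host: check_endpoint(host) for host in phase2})
    return results


if __name__ == "__main__":
    # Assumed region list; replace with the regions you monitor.
    for host, ok in run_preflight(["us-east-1"]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}")
```

A FAIL on iam.amazonaws.com or sts.amazonaws.com stops the check early because the IAM configuration cannot complete without them.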
AWS endpoints mapped to capabilities
The following table maps each AWS service name and its endpoints to the capabilities in QRadar Cloud Visibility that depend on them.
| AWS Service Name | Service Endpoints | Capabilities |
|---|---|---|
| AWS Identity and Access Management | iam.amazonaws.com | Authentication for all AWS services listed in this table; AWS resource access permissions wizard; IAM Best Practices |
| AWS Security Token Service | sts.amazonaws.com | Assuming roles across multiple AWS accounts (authentication for all AWS services listed in this table); AWS resource access permissions wizard |
| AWS CloudTrail | cloudtrail.us-east-2.amazonaws.com, cloudtrail.us-east-1.amazonaws.com, cloudtrail.us-west-1.amazonaws.com, cloudtrail.us-west-2.amazonaws.com, cloudtrail.ap-east-1.amazonaws.com, cloudtrail.ap-south-1.amazonaws.com, cloudtrail.ap-northeast-3.amazonaws.com, cloudtrail.ap-northeast-2.amazonaws.com, cloudtrail.ap-southeast-1.amazonaws.com, cloudtrail.ap-southeast-2.amazonaws.com, cloudtrail.ap-northeast-1.amazonaws.com, cloudtrail.ca-central-1.amazonaws.com, cloudtrail.eu-central-1.amazonaws.com, cloudtrail.eu-west-1.amazonaws.com, cloudtrail.eu-west-2.amazonaws.com, cloudtrail.eu-west-3.amazonaws.com, cloudtrail.eu-north-1.amazonaws.com, cloudtrail.me-south-1.amazonaws.com, cloudtrail.sa-east-1.amazonaws.com | |
| Amazon Simple Storage Service | s3.amazonaws.com | |
| Amazon Simple Notification Service | sns.us-east-2.amazonaws.com, sns.us-east-1.amazonaws.com, sns.us-west-1.amazonaws.com, sns.us-west-2.amazonaws.com, sns.ap-east-1.amazonaws.com, sns.ap-south-1.amazonaws.com, sns.ap-northeast-3.amazonaws.com, sns.ap-northeast-2.amazonaws.com, sns.ap-southeast-1.amazonaws.com, sns.ap-southeast-2.amazonaws.com, sns.ap-northeast-1.amazonaws.com, sns.ca-central-1.amazonaws.com, sns.eu-central-1.amazonaws.com, sns.eu-west-1.amazonaws.com, sns.eu-west-2.amazonaws.com, sns.eu-west-3.amazonaws.com, sns.eu-north-1.amazonaws.com, sns.me-south-1.amazonaws.com, sns.sa-east-1.amazonaws.com | |
| Amazon CloudWatch Logs | logs.us-east-2.amazonaws.com, logs.us-east-1.amazonaws.com, logs.us-west-1.amazonaws.com, logs.us-west-2.amazonaws.com, logs.ap-east-1.amazonaws.com, logs.ap-south-1.amazonaws.com, logs.ap-northeast-3.amazonaws.com, logs.ap-northeast-2.amazonaws.com, logs.ap-southeast-1.amazonaws.com, logs.ap-southeast-2.amazonaws.com, logs.ap-northeast-1.amazonaws.com, logs.ca-central-1.amazonaws.com, logs.eu-central-1.amazonaws.com, logs.eu-west-1.amazonaws.com, logs.eu-west-2.amazonaws.com, logs.eu-west-3.amazonaws.com, logs.eu-north-1.amazonaws.com, logs.me-south-1.amazonaws.com, logs.sa-east-1.amazonaws.com | |
| Amazon Elastic Compute Cloud; Amazon Virtual Private Cloud | ec2.us-east-2.amazonaws.com, ec2.us-east-1.amazonaws.com, ec2.us-west-1.amazonaws.com, ec2.us-west-2.amazonaws.com, ec2.ap-east-1.amazonaws.com, ec2.ap-south-1.amazonaws.com, ec2.ap-northeast-3.amazonaws.com, ec2.ap-northeast-2.amazonaws.com, ec2.ap-southeast-1.amazonaws.com, ec2.ap-southeast-2.amazonaws.com, ec2.ap-northeast-1.amazonaws.com, ec2.ca-central-1.amazonaws.com, ec2.eu-central-1.amazonaws.com, ec2.eu-west-1.amazonaws.com, ec2.eu-west-2.amazonaws.com, ec2.eu-west-3.amazonaws.com, ec2.eu-north-1.amazonaws.com, ec2.me-south-1.amazonaws.com, ec2.sa-east-1.amazonaws.com | VPC Flow Logs |
| AWS Security Hub | securityhub.us-east-2.amazonaws.com, securityhub.us-east-1.amazonaws.com, securityhub.us-west-1.amazonaws.com, securityhub.us-west-2.amazonaws.com, securityhub.ap-east-1.amazonaws.com, securityhub.ap-south-1.amazonaws.com, securityhub.ap-northeast-2.amazonaws.com, securityhub.ap-southeast-1.amazonaws.com, securityhub.ap-southeast-2.amazonaws.com, securityhub.ap-northeast-1.amazonaws.com, securityhub.ca-central-1.amazonaws.com, securityhub.eu-central-1.amazonaws.com, securityhub.eu-west-1.amazonaws.com, securityhub.eu-west-2.amazonaws.com, securityhub.eu-west-3.amazonaws.com, securityhub.eu-north-1.amazonaws.com, securityhub.me-south-1.amazonaws.com, securityhub.sa-east-1.amazonaws.com | |
Amazon service endpoints for the United States government
| AWS Service Name | Service Endpoints | Capabilities |
|---|---|---|
| AWS Identity and Access Management | iam.us-gov.amazonaws.com | Authentication for all AWS services listed in this table; AWS resource access permissions wizard; IAM Best Practices |
| AWS Security Token Service | sts.us-gov-east-1.amazonaws.com, sts.us-gov-west-1.amazonaws.com | Assuming roles across multiple AWS accounts (authentication for all AWS services listed in this table); AWS resource access permissions wizard |
| AWS CloudTrail | cloudtrail.us-gov-east-1.amazonaws.com, cloudtrail.us-gov-west-1.amazonaws.com | |
| Amazon Simple Storage Service | s3.us-gov-west-1.amazonaws.com, s3.us-gov-east-1.amazonaws.com | |
| Amazon Simple Notification Service | sns.us-gov-east-1.amazonaws.com, sns.us-gov-west-1.amazonaws.com | |
| Amazon CloudWatch Logs | logs.us-gov-east-1.amazonaws.com, logs.us-gov-west-1.amazonaws.com | |
| Amazon Elastic Compute Cloud; Amazon Virtual Private Cloud | ec2.us-gov-east-1.amazonaws.com, ec2.us-gov-west-1.amazonaws.com | VPC Flow Logs |
| AWS Security Hub | Service not available on AWS GovCloud yet | |
Service endpoints for the Chinese government
| AWS Service Name | Service Endpoints | Capabilities |
|---|---|---|
| AWS Identity and Access Management | iam.cn-north-1.amazonaws.com.cn | Authentication for all AWS services listed in this table; AWS resource access permissions wizard; IAM Best Practices |
| AWS Security Token Service | sts.cn-north-1.amazonaws.com.cn, sts.cn-northwest-1.amazonaws.com.cn | Assuming roles across multiple AWS accounts (authentication for all AWS services listed in this table); AWS resource access permissions wizard |
| AWS CloudTrail | cloudtrail.cn-north-1.amazonaws.com.cn, cloudtrail.cn-northwest-1.amazonaws.com.cn | |
| Amazon Simple Storage Service | s3.cn-north-1.amazonaws.com.cn, s3.cn-northwest-1.amazonaws.com.cn | |
| Amazon Simple Notification Service | sns.cn-north-1.amazonaws.com.cn, sns.cn-northwest-1.amazonaws.com.cn | |
| Amazon CloudWatch Logs | logs.cn-north-1.amazonaws.com.cn, logs.cn-northwest-1.amazonaws.com.cn | |
| Amazon Elastic Compute Cloud; Amazon Virtual Private Cloud | ec2.cn-north-1.amazonaws.com.cn, ec2.cn-northwest-1.amazonaws.com.cn | VPC Flow Logs |
| AWS Security Hub | Service not available in China yet | |