Firewall URL requirements for Amazon AWS

If your IBM® QRadar® Console is behind a restricted firewall, you must allow traffic to specific Amazon AWS URLs so that you can use the full features of IBM QRadar Cloud Visibility.

During configuration, QRadar Cloud Visibility connects only to the iam.amazonaws.com and sts.amazonaws.com endpoints. After the IAM configuration is completed, QRadar Cloud Visibility connects to the other service endpoints.

Minimum service endpoints to allow through your firewall

At a minimum, you must allow traffic to the following service endpoints:
  • iam.amazonaws.com
  • sts.amazonaws.com
  • s3.amazonaws.com
  • cloudtrail.{region}.amazonaws.com
  • ec2.{region}.amazonaws.com
  • sns.{region}.amazonaws.com
  • sqs.{region}.amazonaws.com
  • logs.{region}.amazonaws.com
  • securityhub.{region}.amazonaws.com
For service endpoints that contain {region} in the name, replace {region} with the relevant values from the following list:
  • ap-northeast-1
  • ap-northeast-2
  • ap-northeast-3
  • ap-south-1
  • ap-southeast-1
  • ap-southeast-2
  • ca-central-1
  • eu-central-1
  • eu-north-1
  • eu-west-1
  • eu-west-2
  • eu-west-3
  • sa-east-1
  • us-east-1
  • us-east-2
  • us-west-1
  • us-west-2
For example, for the CloudTrail service, QRadar Cloud Visibility tries to connect to the endpoints in the following list.
  • cloudtrail.us-east-1.amazonaws.com
  • cloudtrail.us-east-2.amazonaws.com
  • cloudtrail.us-west-1.amazonaws.com
  • cloudtrail.us-west-2.amazonaws.com
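As an added example (not part of the IBM documentation), the script below expands the {region} templates from the minimum allowlist above against the listed regions and probes each resulting host on TCP port 443 from the QRadar Console, so that hosts the firewall still blocks can be reported before the Cloud Visibility configuration is run. Port 443 and the five-second timeout are assumptions.

```python
import socket
from typing import Callable, Dict, List

# Minimum allowlist from the page: three global hosts plus six regional templates.
GLOBAL_ENDPOINTS = ["iam.amazonaws.com", "sts.amazonaws.com", "s3.amazonaws.com"]
REGIONAL_TEMPLATES = [
    "cloudtrail.{region}.amazonaws.com", "ec2.{region}.amazonaws.com",
    "sns.{region}.amazonaws.com", "sqs.{region}.amazonaws.com",
    "logs.{region}.amazonaws.com", "securityhub.{region}.amazonaws.com",
]
REGIONS = (
    "ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-south-1 ap-southeast-1 "
    "ap-southeast-2 ca-central-1 eu-central-1 eu-north-1 eu-west-1 eu-west-2 "
    "eu-west-3 sa-east-1 us-east-1 us-east-2 us-west-1 us-west-2"
).split()


def expand_endpoints(regions: List[str] = REGIONS) -> List[str]:
    """Return every host name the allowlist requires, templates expanded per region."""
    hosts = list(GLOBAL_ENDPOINTS)
    for template in REGIONAL_TEMPLATES:
        hosts.extend(template.format(region=r) for r in regions)
    return hosts


def tcp_reachable(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port succeeds (assumed HTTPS port 443)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, or timeout: treat as blocked
        return False


def check_endpoints(hosts: List[str],
                    probe: Callable[[str], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe each host; the probe is injectable so the logic can be exercised offline."""
    return {host: probe(host) for host in hosts}


def blocked(results: Dict[str, bool]) -> List[str]:
    """Hosts that failed the probe, sorted for a stable report."""
    return sorted(host for host, ok in results.items() if not ok)


if __name__ == "__main__":
    results = check_endpoints(expand_endpoints())
    for host in blocked(results):
        print(f"BLOCKED: {host}:443")
    print(f"{len(results) - len(blocked(results))}/{len(results)} endpoints reachable")
```

A successful TCP connect only shows that the firewall passes the path; it does not validate the TLS handshake or any outbound proxy the Console may be configured to use.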

AWS endpoints mapped to capabilities

The following table maps the AWS service names and endpoints with the capabilities in QRadar Cloud Visibility.

AWS Service Name: AWS Identity and Access Management
Service Endpoints:
  • iam.amazonaws.com
Capabilities:
  • Authentication for all AWS services listed in this table
  • AWS resource access permissions wizard
  • IAM Best Practices

AWS Service Name: AWS Security Token Service
Service Endpoints:
  • sts.amazonaws.com
Capabilities:
  • For assuming roles across multiple AWS accounts (authentication for all AWS services listed in this table)
  • AWS resource access permissions wizard

AWS Service Name: AWS CloudTrail
Service Endpoints:
  • cloudtrail.us-east-2.amazonaws.com
  • cloudtrail.us-east-1.amazonaws.com
  • cloudtrail.us-west-1.amazonaws.com
  • cloudtrail.us-west-2.amazonaws.com
  • cloudtrail.ap-east-1.amazonaws.com
  • cloudtrail.ap-south-1.amazonaws.com
  • cloudtrail.ap-northeast-3.amazonaws.com
  • cloudtrail.ap-northeast-2.amazonaws.com
  • cloudtrail.ap-southeast-1.amazonaws.com
  • cloudtrail.ap-southeast-2.amazonaws.com
  • cloudtrail.ap-northeast-1.amazonaws.com
  • cloudtrail.ca-central-1.amazonaws.com
  • cloudtrail.eu-central-1.amazonaws.com
  • cloudtrail.eu-west-1.amazonaws.com
  • cloudtrail.eu-west-2.amazonaws.com
  • cloudtrail.eu-west-3.amazonaws.com
  • cloudtrail.eu-north-1.amazonaws.com
  • cloudtrail.me-south-1.amazonaws.com
  • cloudtrail.sa-east-1.amazonaws.com
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs

AWS Service Name: Amazon Simple Storage Service
Service Endpoints:
  • s3.amazonaws.com
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs

AWS Service Name: Amazon Simple Notification Service
Service Endpoints:
  • sns.us-east-2.amazonaws.com
  • sns.us-east-1.amazonaws.com
  • sns.us-west-1.amazonaws.com
  • sns.us-west-2.amazonaws.com
  • sns.ap-east-1.amazonaws.com
  • sns.ap-south-1.amazonaws.com
  • sns.ap-northeast-3.amazonaws.com
  • sns.ap-northeast-2.amazonaws.com
  • sns.ap-southeast-1.amazonaws.com
  • sns.ap-southeast-2.amazonaws.com
  • sns.ap-northeast-1.amazonaws.com
  • sns.ca-central-1.amazonaws.com
  • sns.eu-central-1.amazonaws.com
  • sns.eu-west-1.amazonaws.com
  • sns.eu-west-2.amazonaws.com
  • sns.eu-west-3.amazonaws.com
  • sns.eu-north-1.amazonaws.com
  • sns.me-south-1.amazonaws.com
  • sns.sa-east-1.amazonaws.com
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs

AWS Service Name: Amazon CloudWatch Logs
Service Endpoints:
  • logs.us-east-2.amazonaws.com
  • logs.us-east-1.amazonaws.com
  • logs.us-west-1.amazonaws.com
  • logs.us-west-2.amazonaws.com
  • logs.ap-east-1.amazonaws.com
  • logs.ap-south-1.amazonaws.com
  • logs.ap-northeast-3.amazonaws.com
  • logs.ap-northeast-2.amazonaws.com
  • logs.ap-southeast-1.amazonaws.com
  • logs.ap-southeast-2.amazonaws.com
  • logs.ap-northeast-1.amazonaws.com
  • logs.ca-central-1.amazonaws.com
  • logs.eu-central-1.amazonaws.com
  • logs.eu-west-1.amazonaws.com
  • logs.eu-west-2.amazonaws.com
  • logs.eu-west-3.amazonaws.com
  • logs.eu-north-1.amazonaws.com
  • logs.me-south-1.amazonaws.com
  • logs.sa-east-1.amazonaws.com
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > GuardDuty Logs

AWS Service Name: Amazon Elastic Compute Cloud / Amazon Virtual Private Cloud
Service Endpoints:
  • ec2.us-east-2.amazonaws.com
  • ec2.us-east-1.amazonaws.com
  • ec2.us-west-1.amazonaws.com
  • ec2.us-west-2.amazonaws.com
  • ec2.ap-east-1.amazonaws.com
  • ec2.ap-south-1.amazonaws.com
  • ec2.ap-northeast-3.amazonaws.com
  • ec2.ap-northeast-2.amazonaws.com
  • ec2.ap-southeast-1.amazonaws.com
  • ec2.ap-southeast-2.amazonaws.com
  • ec2.ap-northeast-1.amazonaws.com
  • ec2.ca-central-1.amazonaws.com
  • ec2.eu-central-1.amazonaws.com
  • ec2.eu-west-1.amazonaws.com
  • ec2.eu-west-2.amazonaws.com
  • ec2.eu-west-3.amazonaws.com
  • ec2.eu-north-1.amazonaws.com
  • ec2.me-south-1.amazonaws.com
  • ec2.sa-east-1.amazonaws.com
Capabilities:
  • VPC Flow Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs
  • Utilities for configuring AWS services for QRadar > Network Hierarchy

AWS Service Name: AWS Security Hub
Service Endpoints:
  • securityhub.us-east-2.amazonaws.com
  • securityhub.us-east-1.amazonaws.com
  • securityhub.us-west-1.amazonaws.com
  • securityhub.us-west-2.amazonaws.com
  • securityhub.ap-east-1.amazonaws.com
  • securityhub.ap-south-1.amazonaws.com
  • securityhub.ap-northeast-2.amazonaws.com
  • securityhub.ap-southeast-1.amazonaws.com
  • securityhub.ap-southeast-2.amazonaws.com
  • securityhub.ap-northeast-1.amazonaws.com
  • securityhub.ca-central-1.amazonaws.com
  • securityhub.eu-central-1.amazonaws.com
  • securityhub.eu-west-1.amazonaws.com
  • securityhub.eu-west-2.amazonaws.com
  • securityhub.eu-west-3.amazonaws.com
  • securityhub.eu-north-1.amazonaws.com
  • securityhub.me-south-1.amazonaws.com
  • securityhub.sa-east-1.amazonaws.com
Capabilities:
  • AWS Offense Overview > Send to AWS Security Hub

Amazon service endpoints for the United States government

AWS Service Name: AWS Identity and Access Management
Service Endpoints:
  • iam.us-gov.amazonaws.com
Capabilities:
  • Authentication for all AWS services listed in this table
  • AWS resource access permissions wizard
  • IAM Best Practices

AWS Service Name: AWS Security Token Service
Service Endpoints:
  • sts.us-gov-east-1.amazonaws.com
  • sts.us-gov-west-1.amazonaws.com
Capabilities:
  • For assuming roles across multiple AWS accounts (authentication for all AWS services listed in this table)
  • AWS resource access permissions wizard

AWS Service Name: AWS CloudTrail
Service Endpoints:
  • cloudtrail.us-gov-east-1.amazonaws.com
  • cloudtrail.us-gov-west-1.amazonaws.com
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs

AWS Service Name: Amazon Simple Storage Service
Service Endpoints:
  • s3.us-gov-west-1.amazonaws.com
  • s3.us-gov-east-1.amazonaws.com
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs

AWS Service Name: Amazon Simple Notification Service
Service Endpoints:
  • sns.us-gov-east-1.amazonaws.com
  • sns.us-gov-west-1.amazonaws.com
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs

AWS Service Name: Amazon CloudWatch Logs
Service Endpoints:
  • logs.us-gov-east-1.amazonaws.com
  • logs.us-gov-west-1.amazonaws.com
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > GuardDuty Logs

AWS Service Name: Amazon Elastic Compute Cloud / Amazon Virtual Private Cloud
Service Endpoints:
  • ec2.us-gov-east-1.amazonaws.com
  • ec2.us-gov-west-1.amazonaws.com
Capabilities:
  • VPC Flow Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs
  • Utilities for configuring AWS services for QRadar > Network Hierarchy

AWS Service Name: AWS Security Hub
Service Endpoints:
  • Service not available on AWS GovCloud yet

Service endpoints for the Chinese government

AWS Service Name: AWS Identity and Access Management
Service Endpoints:
  • iam.cn-north-1.amazonaws.com.cn
Capabilities:
  • Authentication for all AWS services listed in this table
  • AWS resource access permissions wizard
  • IAM Best Practices

AWS Service Name: AWS Security Token Service
Service Endpoints:
  • sts.cn-north-1.amazonaws.cn
  • sts.cn-northwest-1.amazonaws.cn
Capabilities:
  • For assuming roles across multiple AWS accounts (authentication for all AWS services listed in this table)
  • AWS resource access permissions wizard

AWS Service Name: AWS CloudTrail
Service Endpoints:
  • cloudtrail.cn-north-1.amazonaws.com.cn
  • cloudtrail.cn-northwest-1.amazonaws.com.cn
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs

AWS Service Name: Amazon Simple Storage Service
Service Endpoints:
  • s3.cn-north-1.amazonaws.com.cn
  • s3.cn-northwest-1.amazonaws.com.cn
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs

AWS Service Name: Amazon Simple Notification Service
Service Endpoints:
  • sns.cn-north-1.amazonaws.com.cn
  • sns.cn-northwest-1.amazonaws.com.cn
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > CloudTrail Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs

AWS Service Name: Amazon CloudWatch Logs
Service Endpoints:
  • logs.cn-north-1.amazonaws.com.cn
  • logs.cn-northwest-1.amazonaws.com.cn
Capabilities:
  • Utilities for configuring AWS services for QRadar > Log Sources > GuardDuty Logs

AWS Service Name: Amazon Elastic Compute Cloud / Amazon Virtual Private Cloud
Service Endpoints:
  • ec2.cn-north-1.amazonaws.com.cn
  • ec2.cn-northwest-1.amazonaws.com.cn
Capabilities:
  • VPC Flow Logs
  • Utilities for configuring AWS services for QRadar > Log Sources > VPC Flow Logs
  • Utilities for configuring AWS services for QRadar > Network Hierarchy

AWS Service Name: AWS Security Hub
Service Endpoints:
  • Service not available in China yet