Forensic

Last updated 5 months ago

IRSA Setup for Cross-Account Access to S3 Bucket.

  1. Setup Overview

This document outlines the steps required to configure cross-account access to an Amazon S3 bucket. The setup consists of the client account configuration described below.

Client Account Configuration

1.1.1. S3 Bucket Creation

  1. Log in to the AWS Management Console using credentials for the client account.

  2. Navigate to the S3 service.

  3. Click on the "Create bucket" button.

  4. In the general configuration, provide a unique name for the S3 bucket in the "Bucket name" field. Ensure the name complies with S3 naming conventions (e.g., no spaces, all lowercase).

  5. Make sure "Block all public access" is selected so that the S3 bucket is created as a private bucket.

  6. Leave the rest of the settings at their defaults.

  7. Click "Create bucket" to finalize the creation process.

1.1.2. IAM Policy to Access S3 Bucket

  1. Log in to the AWS Management Console using credentials for the client account.

  2. In the Identity and Access Management (IAM) console, select Policies

  3. Click on Create policy

  4. In the policy editor, select JSON and paste the JSON policy below

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket-name>",
            "arn:aws:s3:::<bucket-name>/*"
          ]
        }
      ]
    }

    Replace <bucket-name> with the name of the S3 bucket. The “Action” element of this policy uses GetObject, ListBucket and PutObject.

    s3:GetObject (Optional):

    • This permission allows reading the content of objects (files or data) stored in the S3 bucket.

    • With this permission, a user or application can download or retrieve specific files and their content from the bucket.

    • Note: This permission can be omitted.

    s3:ListBucket (Mandatory):

    • This permission allows listing the objects (files) in the S3 bucket.

    • It enables the user or application to see what files are stored in the bucket, including their names and metadata like size.

    • Note: This does not provide access to the content of the files, only the ability to list what is available in the bucket.

    s3:PutObject (Mandatory):

    • This permission allows uploading new files to the S3 bucket or overwriting existing files.

    • With this permission, a user or application can upload data or modify (update) existing files in the bucket.

  5. Click on Next

  6. Provide the policy name in Policy details

  7. Click on Create policy

1.1.3. IAM Role to attach the IAM policy & trust policy

Create an IAM role in the client account that grants permission to access the S3 bucket. The steps to create the IAM role are:

  1. Log in to the AWS Management Console using credentials for the client account.

  2. In the Identity and Access Management (IAM) console, click on the "Create role" button.

  3. For “Trusted entity type”, select AWS account

  4. Select the Account ID: 533267283737

  5. Click on Next

  6. In the Add permissions step, select the policy which you created above

  7. Provide the Role name

  8. Click on Create role

  9. Once the role has been created, open it, go to Trust relationships and click on Edit trust policy

    Edit the trust policy to match the one below, then click on Update policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::533267283737:role/swift-assume-role"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
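
An added example (not part of the Swift Security documentation): a Python check that a role's trust policy and S3 policy stay within the two documents above. It flags the account-wide `:root` principal that the "AWS account" trusted-entity choice leaves in place until step 9 narrows it to `swift-assume-role`; the sample policies and the bucket name `example-bucket` are constructed.

```python
# SWIFT_ROLE and ALLOWED_ACTIONS come from the page; all other names are illustrative.
SWIFT_ROLE = "arn:aws:iam::533267283737:role/swift-assume-role"
ALLOWED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:PutObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM allows str or list

def _allow_statements(doc):
    return [s for s in _as_list(doc["Statement"]) if s.get("Effect") == "Allow"]

def audit_trust_policy(doc):
    """Findings for a role trust policy; an empty list means only SWIFT_ROLE is trusted."""
    findings = []
    for stmt in _allow_statements(doc):
        principal = stmt.get("Principal", {})
        if principal == "*" or set(principal) - {"AWS"}:
            findings.append("trust: wildcard or non-AWS principal")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or arn.isdigit() or arn.endswith(":root"):
                findings.append(f"trust: {arn} trusts a whole account or everyone")
            elif arn != SWIFT_ROLE:
                findings.append(f"trust: unexpected principal {arn}")
    return findings

def audit_access_policy(doc, bucket):
    """Findings for the S3 policy; an empty list means it stays within the page's grant."""
    findings = []
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _allow_statements(doc):
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("access: NotAction/NotResource grants are open-ended")
        findings += [f"access: {a} exceeds the documented actions"
                     for a in _as_list(stmt.get("Action", [])) if a not in ALLOWED_ACTIONS]
        findings += [f"access: {r} is outside bucket {bucket}"
                     for r in _as_list(stmt.get("Resource", [])) if r not in in_scope]
    return findings

# Constructed samples: wizard-style account-wide trust, the page's trust, a broad grant.
WIZARD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"AWS": "arn:aws:iam::533267283737:root"}}]}
PAGE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"AWS": SWIFT_ROLE}}]}
BROAD_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("wizard trust:", audit_trust_policy(WIZARD_TRUST))
    print("page trust:  ", audit_trust_policy(PAGE_TRUST) or "OK")
    print("broad access:", audit_access_policy(BROAD_ACCESS, "example-bucket"))
```

To check what was actually saved, pass in the JSON documents returned by `aws iam get-role` (trust policy) and `aws iam get-policy-version` (access policy).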

Customers need to provide the following details to the system admin for configuration:

  1. Bucket Name: The name of the S3 bucket created.

  2. Region: The AWS Region where the bucket is located.

  3. Role ARN: The Amazon Resource Name (ARN) of the role with permissions to write to the S3 bucket.

Adding a Forensic Integration

  1. Navigate to the Integration Section:

    • Open your application dashboard.

    • Locate and click on the "Integration" section from the main menu.

  2. Access Forensic Options:

    • Within the Integration section, find and click on "Forensic".

  3. Initiate Adding a New Forensic Integration:

    • Click on the "Add Forensic" button. This will open a popup window.

  4. Provide Forensic Integration Details:

    • Role ARN: Enter the Amazon Resource Name (ARN) for the role that has the necessary permissions.

    • Bucket Name: Specify the name of the S3 bucket where forensic data will be stored.

    • Region: Select or enter the AWS region where the S3 bucket is located.

  5. Save the Configuration:

    • After entering all the required details, click the "Save" button to finalize and save the forensic integration.

Once the customer has provided the necessary details, the system admin will configure the alert system to use the specified S3 bucket.

Alert Handling

When an alert is generated and deemed highly sensitive, the system will perform the following actions:

  1. Capture Evidence:

    • The system will take the alert details.

  2. Save as .txt File:

    • The alert details will be saved as a .txt file.

  3. Store in S3:

    • The .txt file will be uploaded to the configured S3 bucket.

    • The system will generate a URL for the uploaded file.

    • To view the generated URL, go to Alerts > Extension, click on the event you want to see, and view its data for the URL.
