matanolabs / matano

Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
https://matano.dev
Apache License 2.0

Document Bring Your Own Bucket Permission requirements #84

Open MadsRC opened 1 year ago

MadsRC commented 1 year ago

The documentation for "Bring Your Own Bucket" ingestion does not include any instructions for setting permissions required for buckets and KMS resources.

One use-case is an organisation where the AWS CloudTrail bucket is hosted in one account, but Matano is deployed somewhere else.

I'd create a PR with changes to the docs once I find out what permissions are required.

timoguin commented 1 year ago

For KMS, we implemented tag-based permissions, so as long as you add a matano:trusted = true tag to the KMS key, that will allow kms:Decrypt and kms:GenerateDataKey permissions. For cross-account keys, you'll need to allow these permissions from whatever AWS account Matano is running in.

For S3, it needs s3:GetObject*, s3:GetBucket*, and s3:List*. If the bucket is in the same account, this will work automatically, as the permissions are set via the transformer function's IAM role, which is managed by the CDK. For cross-account, I believe the bucket policy needs to allow these permissions from whatever account Matano is in.

For S3 access logs, I don't think cross-account access will currently work due to how object-ownership is set for them. They require an IAM role to be assumed for cross-account access because of this, which is not currently exposed as a configurable option.

That should be a sufficient start.
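An added example, not from the Matano project or this thread: a Python script that emits the cross-account bucket policy and the KMS key-policy statement the reply above describes, plus a small pre-deploy check that the wildcard actions actually cover what a log reader needs. The bucket name and account ID are constructed placeholders.

```python
import fnmatch

# Constructed placeholder values (assumptions, not from the thread): the
# CloudTrail bucket lives in account A, Matano is deployed in account B.
LOG_BUCKET = "example-org-cloudtrail-logs"
MATANO_ACCOUNT_ID = "111111111111"

# Permissions named in the thread.
S3_BUCKET_ACTIONS = ["s3:GetBucket*", "s3:List*"]  # apply to the bucket ARN
S3_OBJECT_ACTIONS = ["s3:GetObject*"]              # apply to bucket ARN + "/*"
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]

def account_root(account_id: str) -> dict:
    return {"AWS": f"arn:aws:iam::{account_id}:root"}

def bucket_policy(bucket: str, matano_account: str) -> dict:
    """Bucket policy to attach in the log-owning account (A)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "MatanoBucketRead", "Effect": "Allow",
         "Principal": account_root(matano_account),
         "Action": S3_BUCKET_ACTIONS, "Resource": arn},
        {"Sid": "MatanoObjectRead", "Effect": "Allow",
         "Principal": account_root(matano_account),
         "Action": S3_OBJECT_ACTIONS, "Resource": f"{arn}/*"},
    ]}

def kms_key_policy_statement(matano_account: str) -> dict:
    """Statement to add to the policy of the KMS key encrypting the logs.
    The matano:trusted=true tag on the key covers Matano's own IAM side;
    the key owner must still grant the Matano account these two actions."""
    return {"Sid": "MatanoDecryptLogs", "Effect": "Allow",
            "Principal": account_root(matano_account),
            "Action": KMS_ACTIONS, "Resource": "*"}

def allows(policy: dict, account_id: str, action: str, resource: str) -> bool:
    """Sanity check: does some Allow statement grant `action` on `resource`
    to the account root? Wildcards are matched with fnmatch, so
    s3:GetObjectVersion satisfies s3:GetObject*. Deny statements and
    Conditions are not evaluated; this is a pre-deploy check, not IAM."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Principal"] != account_root(account_id):
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in acts) and any(
                fnmatch.fnmatchcase(resource, r) for r in res):
            return True
    return False
```

The split into two S3 statements matters: object-level actions granted only on the bucket ARN (without `/*`) silently grant nothing, which is a common reason cross-account ingestion fails with AccessDenied.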