Closed richgreen-moj closed 1 month ago
I will be on annual leave for two weeks starting from next week and will return on September 30th. During my absence, @YasJustice/ yaasseen.aumeer@justice.gov.uk from the MIP team will be available for any assistance or inquiries related to these tickets.
Documentation has been reviewed. The guide says: "When self hosted outside the AWS environment in a remote network, the AWS Integrations should use: Access Key and Secret Key authentication option." As Cortex XSIAM is hosted outside of AWS we will need to follow this strategy.
I raised "Add Cortex XSOAR Integration User" (ministryofjustice/aws-root-account#993) to create a user with read/list only permissions to the organizations account.
I am reaching out to yaasseen.aumeer@justice.gov.uk to discuss exchanging some access keys and creating the integration in the Cortex XSOAR app.
Having created a user with relevant permissions in the moj-master account, @ewastempel generated a set of keys so that I could share them with Yaasseen.
We set up the integration over a teams call and Yaasseen tested it by querying the org. He was able to retrieve a list of all the AWS accounts in the organisation and their respective tags etc. directly in the XSIAM app 👍
I'll raise a follow-on ticket for looking at how we approach the long-term management of identities shared with the XSIAM app going forward.
Follow-on issue raised to look at long-term management of credentials https://github.com/ministryofjustice/modernisation-platform-security/issues/24
Reviewed – All criteria in the definition of done have been met, and the user has confirmed that everything works as intended. I have verified that their access keys were used today and that they have been assigned read-only permissions to AWS Org, so I'm happy to close this.
User Story
As a SOC engineer I want to enrich the information in security alerts in Cortex XSIAM, so that I have more detailed information, e.g. can identify which application/owner is affected.
Value / Purpose
Following some engagement with the SOC in https://github.com/ministryofjustice/modernisation-platform/issues/7605 it was decided that we should explore using the AWS Organisations Integration to link the root account (MOJ Master) with Cortex XSIAM as the SOC feel this would better enrich the info in the alerts they are getting for AWS accounts.
Useful Contacts
@ashwinmoj @richgreen-moj @davidkelliott
Additional Information
AWS Orgs Integration docs: https://xsoar.pan.dev/docs/reference/integrations/aws---organizations
For instructions on setting up integrations, see AWS Integrations - Authentication
We should consider the impact of integrating with XSIAM, and do so if appropriate.
Careful consideration should be given to the permissions provided (i.e. limit to read-only "list" type actions).
For more context contact Ashwin John (@ashwinmoj).
This will also require input from the root account team (#aws-root-account in Slack).
Definition of Done
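The read-only/"list"-type permissions guidance above, as an added example that is not part of this issue or the MoJ repositories: a Python check that flags any allowed action in an IAM policy document that is not a concrete organizations:List*/Describe* action, run against an over-broad policy and a least-privilege one. The action set in READ_ONLY_POLICY is an assumption about what the integration user needs, not the integration's documented requirements.

```python
# Added example (not from the ticket or the MoJ repos). The action list is an
# assumption about what a read/list-only Organizations integration user needs.

# Hypothetical over-broad 'before' policy: every Organizations action.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "organizations:*", "Resource": "*"}],
}

# Read/list-only policy (assumed action set) for the integration user.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "organizations:DescribeOrganization",
            "organizations:DescribeAccount",
            "organizations:ListRoots",
            "organizations:ListAccounts",
            "organizations:ListAccountsForParent",
            "organizations:ListOrganizationalUnitsForParent",
            "organizations:ListTagsForResource",
        ],
        "Resource": "*",
    }],
}

READ_ONLY_PREFIXES = ("List", "Describe")


def is_read_only_action(action: str) -> bool:
    """True only for a concrete organizations:List*/Describe* action (no wildcards)."""
    service, _, name = action.partition(":")
    if service != "organizations" or any(c in name for c in "*?"):
        return False
    return name.startswith(READ_ONLY_PREFIXES)


def find_excess_actions(policy: dict) -> list[str]:
    """Return every Allow-ed action that is not read/list-only; empty means OK."""
    excess = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        excess += [a for a in ([actions] if isinstance(actions, str) else actions)
                   if not is_read_only_action(a)]
    return excess
```

Running find_excess_actions over a candidate policy before attaching it to the integration user gives a quick review gate: the broad policy is flagged on its single wildcard action, while the read-only policy returns nothing to fix.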