wazuh / wazuh-kubernetes

Wazuh - Wazuh Kubernetes
https://wazuh.com/
GNU General Public License v2.0
246 stars, 151 forks

S3 permissions to Wazuh via service account #625

Open anjanaradhakrishnan opened 5 months ago

anjanaradhakrishnan commented 5 months ago

We need to achieve the Wazuh integration with S3 using a Kubernetes service account. I'm trying to annotate a k8s service account with an IAM role. For that I have created a role with a trust relationship (which authenticates the AWS services with cluster pods) and the necessary permissions, and created a service account with the created role ARN.

apiVersion: v1
kind: ServiceAccount
metadata:
    name: wazuh-service-account
    namespace: wazuh
    annotations:
        eks.amazonaws.com/role-arn: "arn:aws-us-gov:iam::xxx:role/wazuh-ph-sa-role"

In the deployment file of wazuh-manager I added the service account.

spec:
  serviceAccountName: wazuh-service-account 

This is working and I'm able to access the S3 bucket from the Wazuh Manager pod when running aws s3 ls. But I'm not sure why Wazuh is not able to access the bucket; we are getting the below error in the integration.log file:

2024/03/11 10:26:14 wazuh-modulesd:aws-s3: WARNING: Bucket: - An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

This is the integration added in the ossec.conf:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>1m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>cloudtrail</name>
  </bucket>
  <bucket type="guardduty">
    <name>guardduty</name>
  </bucket>
</wodle>

infosith commented 4 months ago

This is just a guess, as I am trying to get AWS monitoring set up as well, but I think that you need to let your wodle config know of the role:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>1m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>cloudtrail</name>
  </bucket>
  <bucket type="guardduty">
    <name>guardduty</name>
    <iam_role_arn>arn:aws-us-gov:iam::xxx:role/wazuh-ph-sa-role</iam_role_arn>
  </bucket>
</wodle>

Again, I'm just guessing, as I am going through the motions of implementing the same type of integration and I am researching the best way to go about it when I saw this issue here. Please share if it solves the issue.

infosith commented 4 months ago

Also... I came across this for EKS that I think is probably the best way of doing it: https://docs.aws.amazon.com/eks/latest/userguide/pod-id-how-it-works.html

It's an add-on that seems to simplify things here.

Hmmm, not sure why it does not work. I get this in the logs:

Apr 18, 2024 @ 11:37:15.000 wazuh-modulesd:aws-s3 WARNING Bucket: 1111111111(mybucket) - Unsupported host '169.254.170.23'. Can only retrieve metadata from these hosts: 169.254.170.2, localhost, 127.0.0.1

I wonder if the Wazuh AWS integration supports the right AWS SDK version, or if it truly requires the actual .aws/credential with the token info in the root directory of the container.
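The thread touches three separate things that can be checked without calling AWS at all: which credential mechanism Kubernetes actually injected into the container (IRSA web-identity variables, EKS Pod Identity variables, static keys, or nothing), whether the SDK's container-metadata host allowlist covers the Pod Identity agent address 169.254.170.23 that the warning above complains about (the aws-s3 wodle is a Python program built on boto3/botocore, so the allowlist it reports is botocore's), and whether each `<iam_role_arn>` in the wodle is a clean ARN rather than one wrapped in literal quotes as in the suggested config. The script below is an added diagnostic written for this thread; it is not code from the Wazuh project or from either commenter. The sample wodle and the SDK warning are copied from the comments above, the 12-digit account id in the cloudtrail ARN is constructed, the function and constant names are mine, and the botocore lookup relies on the private `_ALLOWED_HOSTS` attribute of `ContainerMetadataFetcher`, which is an assumption about botocore internals and is skipped when it is not available.

```python
"""Offline checks for the three symptoms discussed in this thread.

Nothing here talks to AWS; the functions take the pod's environment, the
SDK warning text and the wodle XML as plain inputs so they can be run in
the wazuh-manager container or from a test.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Environment variables injected by the two EKS mechanisms.
IRSA_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")
POD_IDENTITY_VARS = ("AWS_CONTAINER_CREDENTIALS_FULL_URI",
                     "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
# Link-local address of the EKS Pod Identity agent (from the warning above).
POD_IDENTITY_HOST = "169.254.170.23"
# IAM role ARN in any partition (aws, aws-us-gov, aws-cn); account id is 12 digits.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample config: the cloudtrail ARN uses a made-up 12-digit
# account id; the guardduty one reproduces the quoted value from the thread.
SAMPLE_WODLE = """<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>1m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>cloudtrail</name>
    <iam_role_arn>arn:aws-us-gov:iam::123456789012:role/wazuh-ph-sa-role</iam_role_arn>
  </bucket>
  <bucket type="guardduty">
    <name>guardduty</name>
    <iam_role_arn>"arn:aws-us-gov:iam::xxx:role/wazuh-ph-sa-role"</iam_role_arn>
  </bucket>
</wodle>"""

# SDK warning copied from the thread.
SAMPLE_WARNING = ("wazuh-modulesd:aws-s3 WARNING Bucket: 1111111111(mybucket) - "
                  "Unsupported host '169.254.170.23'. Can only retrieve metadata "
                  "from these hosts: 169.254.170.2, localhost, 127.0.0.1")


def credential_mechanism(env):
    """Classify how the container is expected to obtain AWS credentials."""
    if all(v in env for v in IRSA_VARS):
        return "irsa"
    if all(v in env for v in POD_IDENTITY_VARS):
        return "pod-identity"
    if "AWS_ACCESS_KEY_ID" in env:
        return "static-keys"
    return "none"


def hosts_from_sdk_warning(line):
    """Extract the SDK's metadata-host allowlist from an 'Unsupported host' warning."""
    m = re.search(r"these hosts:\s*(.+?)\s*$", line)
    return [h.strip() for h in m.group(1).split(",")] if m else []


def pod_identity_host_allowed(allowed_hosts=None):
    """True if the allowlist covers the Pod Identity agent address.

    With no argument, reads the private _ALLOWED_HOSTS attribute of the
    installed botocore (an assumption about botocore internals); returns
    None when botocore is absent or the attribute does not exist.
    """
    if allowed_hosts is None:
        try:
            from botocore.utils import ContainerMetadataFetcher
            allowed_hosts = ContainerMetadataFetcher._ALLOWED_HOSTS
        except (ImportError, AttributeError):
            return None
    return POD_IDENTITY_HOST in allowed_hosts


def check_role_arns(config_xml):
    """Return (bucket name, raw value, problem or None) for every <iam_role_arn>.

    The text is wrapped in a dummy root so a whole ossec.conf, which may
    contain several top-level <ossec_config> blocks, parses as one document.
    """
    findings = []
    for bucket in ET.fromstring("<root>" + config_xml + "</root>").iter("bucket"):
        arn = bucket.findtext("iam_role_arn")
        if arn is None:
            continue
        arn = arn.strip()
        name = bucket.findtext("name", "?")
        if arn[:1] in ('"', "'") or arn[-1:] in ('"', "'"):
            findings.append((name, arn, "ARN wrapped in literal quotes"))
        elif not ROLE_ARN_RE.match(arn):
            findings.append((name, arn, "not a well-formed IAM role ARN"))
        else:
            findings.append((name, arn, None))
    return findings


if __name__ == "__main__":
    # Inside the wazuh-manager pod: python3 diag.py [/var/ossec/etc/ossec.conf]
    print("credential mechanism:", credential_mechanism(os.environ))
    print("botocore allows 169.254.170.23:", pod_identity_host_allowed())
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WODLE
    for name, arn, problem in check_role_arns(xml_text):
        print(f"bucket {name}: {arn!r} -> {problem or 'ok'}")
```

Run it inside the wazuh-manager container rather than from a workstation, because the point of the first two checks is what the module's own process sees: an `aws s3 ls` that works from a shell does not prove the wodle's process has the same environment variables or the same botocore. A result of `irsa` together with the InvalidClientTokenId warning, or a `pod-identity` result with `False` from the allowlist check, narrows the problem to the credential chain rather than to the bucket configuration.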