Faddom can monitor traffic in your Amazon AWS environment. To do so, you will need to select the VPCs you wish to discover.
Creating an IAM User
To enable discovery of AWS, you need to create an IAM user for Faddom with the required permissions. Faddom requires read-only access to your AWS environment. Once the IAM user is created, you will need to create an Access Key and Secret Key for it. See AWS Account and Access Keys.
You can use the following JSON policy, which contains the minimum permissions Faddom requires, to define the IAM policy for the user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FaddomAWSDiscoveryPermissions",
      "Effect": "Allow",
      "Action": [
        "ce:GetDimensionValues",
        "ce:GetCostAndUsage",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ecs:ListTasks",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTags",
        "pricing:GetProducts",
        "rds:DescribeDBInstances",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
For help on creating IAM users, see the AWS documentation here.
For help on creating IAM policies from JSON files, see the AWS documentation here.
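The page states that the policy above grants only read-only access. The following is an added example (not Faddom's code) that checks this claim mechanically before the policy is attached: every action in an Allow statement must use one of the Describe/List/Get API verbs, with no wildcards and no Allow + NotAction. The embedded policy is a copy of the one above; the drifted variant built at the bottom is constructed to show what a failing audit looks like.

```python
"""Check that an IAM policy grants only read-only (Describe/List/Get) actions.

Added example, not Faddom's code: the policy below is a copy of the discovery
policy from this page, embedded so the check runs offline.
"""
import copy
import json

FADDOM_DISCOVERY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FaddomAWSDiscoveryPermissions",
      "Effect": "Allow",
      "Action": [
        "ce:GetDimensionValues", "ce:GetCostAndUsage",
        "ec2:DescribeVolumes", "ec2:DescribeInstances", "ec2:DescribeVpcs",
        "ec2:DescribeVpcPeeringConnections", "ec2:DescribeFlowLogs",
        "ec2:DescribeNatGateways", "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:DescribeClusters",
        "ecs:DescribeServices", "ecs:ListClusters", "ecs:ListServices",
        "ecs:ListTasks",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTags",
        "pricing:GetProducts",
        "rds:DescribeDBInstances",
        "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
""")

# API verbs AWS uses for non-mutating calls. "Read-only" is not "harmless":
# Get* actions such as s3:GetObject read data, so still review them one by one.
READ_ONLY_VERBS = ("Describe", "List", "Get")


def _as_list(value):
    """IAM allows a string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_read_only(policy):
    """Return findings for every Allow statement that grants more than
    Describe/List/Get actions. An empty list means the policy is read-only."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except the listed ones.
            findings.append("NotAction used with Allow: grants all other actions")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
                continue
            service, sep, verb = action.partition(":")
            if not sep or not service or not verb:
                findings.append(f"malformed action: {action}")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"not read-only: {action}")
    return findings


def with_extra_actions(policy, extra_actions):
    """Copy of the policy with extra actions appended to its first statement
    (used to show what a drifted policy looks like to the audit)."""
    modified = copy.deepcopy(policy)
    stmt = modified["Statement"][0]
    stmt["Action"] = _as_list(stmt.get("Action")) + list(extra_actions)
    return modified


if __name__ == "__main__":
    print("page policy findings:", audit_read_only(FADDOM_DISCOVERY_POLICY))
    # Constructed drift: a mutating action and a service wildcard slipped in.
    drifted = with_extra_actions(FADDOM_DISCOVERY_POLICY, ["ec2:TerminateInstances", "s3:*"])
    print("drifted policy findings:", audit_read_only(drifted))
```

Run this against the JSON you are about to attach; an empty findings list for the page's policy and a non-empty one for anything else is the expected result. The verb-prefix rule is deliberately strict: an action outside Describe/List/Get is reported even if it happens to be harmless, so a human reviews the exceptions rather than the tool approving them.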
AWS VPC Logs
Faddom can use the VPC Flow Logs feature of AWS to map your cloud environment; flow logs take the place of the NetFlow and sFlow data used for on-prem discovery. To read the flow logs, they need to be published to an S3 bucket to which Faddom has access. The permissions needed are s3:ListBucket on the bucket and s3:GetObject on the objects in it, as in the policy below. You need to use the AWS default log format and ensure the log files are delivered in text format (plain text, not Parquet).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FaddomS3Permissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::[FLOW_LOGS_BUCKET]/*",
        "arn:aws:s3:::[FLOW_LOGS_BUCKET]"
      ]
    }
  ]
}
* Note: replace [FLOW_LOGS_BUCKET] with the name of the bucket in which the flow logs are stored. Both resource entries are needed: the bucket ARN for s3:ListBucket and the bucket ARN with /* for s3:GetObject.
Connecting Faddom to AWS
Once you have the Access Key and Secret Key for the user, enter them in the credentials fields.
Once entered, you will be able to click on SET CREDENTIALS.
If you wish to use Cross Account Access (see Mapping Multiple Accounts below), ensure you check the selection box.
VPCs
Here you will be presented with a list of VPCs, ordered by the number of discovered IPs. Select the VPCs you wish to map. If you wish to add multiple accounts, you can add them individually by following the above process for each account, or by assuming roles (see Mapping Multiple Accounts below).
Mapping Multiple Accounts
If you wish to add multiple accounts, you can either add the credentials for each account separately or, if your accounts belong to an AWS Organization, use the AssumeRole feature of AWS. To set this up, you need to do the following:
1. Choose an Origin Account. This has to be the management account or a member account that is a delegated administrator. This is the account whose credentials will be added to Faddom and which will have access to the Target Accounts.
2. Create an IAM user in the Origin Account with the standard IAM permissions that Faddom requires to enable discovery (see Creating an IAM User above).
3. Additionally, in the Origin Account, attach the below permissions to that user so Faddom can enumerate the accounts in the Organization:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "organizations:ListAccounts",
      "Resource": "*"
    }
  ]
}
4. Create a policy in the Origin Account that allows assuming the role in each Target Account, and attach it to the IAM user to be used in Faddom. List one role ARN per Target Account rather than a wildcard:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::<target_account_ID_1>:role/FaddomCrossAccountUser",
        "arn:aws:iam::<target_account_ID_2>:role/FaddomCrossAccountUser",
        ...
        "arn:aws:iam::<target_account_ID_999>:role/FaddomCrossAccountUser"
      ]
    }
  ]
}
5. In each Target Account, create a role called FaddomCrossAccountUser and attach the below custom trust policy to it. The principal is the specific IAM user in the Origin Account, so only that user (and not every identity in the Origin Account) can assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<origin account ID>:user/<IAM user name the credentials refer to>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
6. Attach the standard IAM permissions that Faddom requires (the discovery policy above) to the FaddomCrossAccountUser role in each Target Account to allow discovery.
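When there are many Target Accounts, the AssumeRole policy in step 4 and the trust policy in step 5 are easier to generate than to hand-edit. The following is an added example (not Faddom's code) that builds both from a list of account IDs and then checks a trust policy for the mistake the procedure is designed to avoid: a principal broader than the single IAM user (a wildcard, an account root, or a bare account ID). The account IDs and the user name faddom-discovery at the bottom are made up; the role name FaddomCrossAccountUser is the one the page uses.

```python
"""Build and sanity-check the cross-account IAM policies described above.

Added example, not Faddom's code. The account IDs and user name in the
__main__ block are constructed; the role name is the one the page uses.
"""
import json
import re

ROLE_NAME = "FaddomCrossAccountUser"
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def validate_account_ids(account_ids):
    """Reject anything that is not a 12-digit AWS account ID and drop
    duplicates while keeping order. A typo here would silently point the
    AssumeRole policy at someone else's account."""
    bad = [a for a in account_ids if not _ACCOUNT_ID.match(str(a))]
    if bad:
        raise ValueError(f"invalid AWS account IDs: {bad}")
    return list(dict.fromkeys(account_ids))


def origin_account_policy(target_account_ids, role_name=ROLE_NAME):
    """Policy for the Faddom IAM user in the Origin Account (steps 3 and 4):
    list the Organization's accounts and assume the role in each target."""
    targets = validate_account_ids(target_account_ids)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "FaddomListOrganizationAccounts",
                "Effect": "Allow",
                "Action": "organizations:ListAccounts",
                "Resource": "*",
            },
            {
                "Sid": "FaddomAssumeTargetRoles",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                # One ARN per Target Account, never a wildcard account ID.
                "Resource": [f"arn:aws:iam::{a}:role/{role_name}" for a in targets],
            },
        ],
    }


def target_trust_policy(origin_account_id, iam_user_name):
    """Trust policy for the role in each Target Account (step 5): only the
    named IAM user in the Origin Account may assume it."""
    (origin,) = validate_account_ids([origin_account_id])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{origin}:user/{iam_user_name}"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def trust_policy_findings(trust_policy, expected_principal_arn):
    """Flag trust statements broader than the single expected IAM user.
    "*" lets any AWS identity assume the role; an account root ARN or a bare
    account ID lets every principal in that account do so."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or p.endswith(":root") or _ACCOUNT_ID.match(p):
                findings.append(f"overly broad principal: {p}")
            elif p != expected_principal_arn:
                findings.append(f"unexpected principal: {p}")
    return findings


if __name__ == "__main__":
    # Constructed example values, not real accounts.
    targets = ["111111111111", "222222222222"]
    print(json.dumps(origin_account_policy(targets), indent=2))
    trust = target_trust_policy("999999999999", "faddom-discovery")
    print(json.dumps(trust, indent=2))
    print(trust_policy_findings(trust, "arn:aws:iam::999999999999:user/faddom-discovery"))
```

The generated documents are the two policies from steps 4 and 5 with the placeholders filled in; print them with json.dumps and paste them into the IAM console or feed them to the AWS CLI. Run trust_policy_findings over any trust policy you find already attached to FaddomCrossAccountUser in a Target Account: an empty list means it trusts exactly the Faddom user and nothing wider.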
AWS VPC Logs
Faddom reads the VPC Flow Logs that AWS publishes to the S3 bucket configured above (see AWS VPC Logs under Creating an IAM User for the s3:ListBucket and s3:GetObject permissions). The flow logs must use the AWS default log format and be delivered as text files rather than Parquet. For further information, see the AWS documentation:
Logging IP traffic using VPC Flow Logs
Publish flow logs to Amazon S3
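The requirement above (default format, text files) matters because a custom format changes the column order and a reader that assumes the default will misalign fields. The following is an added example (not Faddom's code) that parses a default-format text file the way a consumer of these logs would: it verifies the header line AWS writes at the top of each S3 text file against the default field list, rejects other formats instead of guessing, handles the "-" placeholders in NODATA records, and summarises rejected flows per source and destination port as a simple detection check. SAMPLE_LOG is constructed (made-up account, ENI and addresses), not a real capture.

```python
"""Parse a VPC Flow Log text file written in the AWS default format.

Added example, not Faddom's code. SAMPLE_LOG is constructed (made-up
account, ENI and addresses) and includes a NODATA record, whose flow
fields are written as "-".
"""
from collections import Counter

# Field order of the AWS default flow log format; the text files delivered
# to S3 start with a header line naming these fields.
DEFAULT_FORMAT_FIELDS = (
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
    "action", "log-status",
)
# Fields that carry integers; everything else stays a string.
_INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 51344 443 6 12 6210 1700000000 1700000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.2.40 40021 22 6 3 180 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.2.40 40022 3389 6 2 120 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.2.40 40023 22 6 4 240 1700000060 1700000119 REJECT OK
2 111122223333 eni-0f9e8d7c6b5a43210 - - - - - - - 1700000000 1700000059 - NODATA
"""


class FlowLogFormatError(ValueError):
    """Raised when the file is not in the default text format."""


def _convert(name, value):
    """"-" means no value (NODATA/SKIPDATA records); cast the rest."""
    if value == "-":
        return None
    return int(value) if name in _INT_FIELDS else value


def is_default_format(text):
    """True if the header line matches the default format Faddom expects."""
    header = text.lstrip().split("\n", 1)[0]
    return tuple(header.split()) == DEFAULT_FORMAT_FIELDS


def parse_default_format(text):
    """Return one dict per record; reject custom formats and short lines
    instead of silently misaligning columns."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or tuple(lines[0].split()) != DEFAULT_FORMAT_FIELDS:
        raise FlowLogFormatError("header is not the AWS default flow log format")
    records = []
    for lineno, line in enumerate(lines[1:], start=2):
        fields = line.split()
        if len(fields) != len(DEFAULT_FORMAT_FIELDS):
            raise FlowLogFormatError(
                f"line {lineno}: expected {len(DEFAULT_FORMAT_FIELDS)} fields, got {len(fields)}")
        records.append({name: _convert(name, value)
                        for name, value in zip(DEFAULT_FORMAT_FIELDS, fields)})
    return records


def rejected_by_source_and_port(records):
    """Count REJECTed flows per (source address, destination port): a source
    probing one port repeatedly or many ports is worth a look."""
    counts = Counter(
        (r["srcaddr"], r["dstport"])
        for r in records
        if r["action"] == "REJECT" and r["log-status"] == "OK"
    )
    return counts.most_common()


if __name__ == "__main__":
    recs = parse_default_format(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for (src, port), n in rejected_by_source_and_port(recs):
        print(f"REJECT x{n}: {src} -> port {port}")
```

Text files in the bucket are gzip-compressed when delivered, so decompress before passing the contents to parse_default_format. Feeding it a custom-format file raises FlowLogFormatError on the header line, which is the behaviour you want: the alternative is records whose srcaddr and dstaddr are quietly swapped with other columns.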
Collating Flow Logs Into One Data Source
If you have multiple accounts, you can configure the flow logs of every account to be delivered to a single S3 bucket in one of the accounts; the bucket policy in the hosting account must allow flow log delivery from each of the other accounts (see Publish flow logs to Amazon S3 above). Faddom can then be set up to read all the flow logs stored in that bucket. In this case, Faddom only requires the credentials of the account hosting the S3 bucket.
Default Credentials
These are the credentials of the server Faddom is deployed on. This is useful when Faddom is deployed in AWS, as it will default to the IAM role attached to the EC2 instance (its instance profile) and the temporary credentials that role provides, so no long-lived access key needs to be stored in Faddom.