Using the AWS CloudFormation Template

Use the following AWS CloudFormation template to create the AWS S3 bucket that will hold the flow logs and the IAM role that Illumio assumes to write to it.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Flow log bucket",
  "Parameters": {
    "Bucketname": {
      "Type": "String"
    },
    "Externalid": {
      "Type": "String",
      "Default": "528298"
    }
  },
  "Resources": {
    "FlowbucketAwsS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Ref": "Bucketname"
        }
      }
    },
    "IllumioFlowLogsAwsIamRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "illumio-flow-logs",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": {
            "Effect": "Allow",
            "Principal": {
              "AWS": "857003445768"
            },
            "Action": [
              "sts:AssumeRole"
            ],
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": {
                  "Ref": "Externalid"
                }
              }
            }
          }
        },
        "Policies": [
          {
            "PolicyName": "can-see-bucket",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": {
                "Effect": "Allow",
                "Sid": "illumioCanSeeBucket",
                "Action": [
                  "s3:ListBucket",
                  "s3:ListBucketVersions"
                ],
                "Resource": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Ref": "Bucketname"
                      }
                    ]
                  ]
                }
              }
            }
          },
          {
            "PolicyName": "can-use-bucket",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": {
                "Effect": "Allow",
                "Sid": "illumioCanPutAndGet",
                "Action": [
                  "s3:PutObject",
                  "s3:GetObject"
                ],
                "Resource": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Ref": "Bucketname"
                      },
                      "/*"
                    ]
                  ]
                }
              }
            }
          }
        ]
      }
    }
  }
}

Use the following procedure:

  1. Save the template to a .json file, such as illumio-flow-logs-template.json.

  2. From the AWS Console > CloudFormation Services page, select Stacks, and note the current region because the AWS S3 bucket will be created in that region.

  3. Select Create Stack, and then select With new resources (standard).

  4. Select Template is ready, upload the .json file that you created, and click Next.

  5. Enter a name for the stack, such as illumio-flow-logs-s3-bucket-and-role.

  6. Enter a bucket name. This name must be unique among all of the other S3 buckets in that region for all AWS customers. If it is not, the stack creation will fail with the "Bucketname already exists" error message.

  7. Enter an external ID. See the following article for information about how and why to use an external ID: How to Use External ID When Granting Access to Your AWS Resources.

  8. Keep the default options for Configure stack options, and click Next.

  9. Review your configuration, check the acknowledgment, and click Submit.

     The bucket is created along with a role called illumio-flow-logs that grants the provided Illumio AWS account the permissions shown in the template. You must also create a role for your SIEM to read objects from the bucket. For examples, see Configure S3 permission.
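As an added example (not Illumio's code or part of this page), the following Python check resolves the template's Ref and Fn::Join intrinsics into the ARNs the role's policies actually grant, and confirms that sts:AssumeRole is gated by the sts:ExternalId condition and that the policies are scoped to the named bucket. The ROLE constant is an abbreviated copy of the template's IAM role resource; the bucket name "my-flow-logs" is a constructed value, while the account ID and default external ID are the ones in the template.

```python
import json
from typing import Any

# Constructed, abbreviated copy of the template's IllumioFlowLogsAwsIamRole resource:
# the trust policy and the two inline policies, keeping the same Ref / Fn::Join structure.
ROLE = json.loads('''{
 "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": {
   "Effect": "Allow", "Principal": {"AWS": "857003445768"}, "Action": ["sts:AssumeRole"],
   "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "Externalid"}}}}},
 "Policies": [
  {"PolicyName": "can-see-bucket", "PolicyDocument": {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
    "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "Bucketname"}]]}}}},
  {"PolicyName": "can-use-bucket", "PolicyDocument": {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "Bucketname"}, "/*"]]}}}}]}''')

def resolve(node: Any, params: dict) -> Any:
    """Resolve the two intrinsics this template uses: Ref (to a parameter) and Fn::Join."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            return params[node["Ref"]]
        if set(node) == {"Fn::Join"}:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, params) for p in parts)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node

def as_list(x: Any) -> list:
    """A policy Statement or Resource may be a single value or a list of them."""
    return x if isinstance(x, list) else [x]

def check_role(role: dict, params: dict, illumio_account: str) -> list[str]:
    """Return findings that contradict the template's intent; an empty list means OK."""
    r = resolve(role, params)
    findings = []
    for st in as_list(r["AssumeRolePolicyDocument"]["Statement"]):
        if st["Principal"].get("AWS") != illumio_account:
            findings.append("trust policy principal is not the Illumio account")
        # IAM condition key names are case-insensitive, so compare in lower case.
        cond = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if cond.get("sts:externalid") != params["Externalid"]:
            findings.append("sts:AssumeRole is not gated by the sts:ExternalId condition")
    bucket_arn = f"arn:aws:s3:::{params['Bucketname']}"
    for pol in r["Policies"]:
        for st in as_list(pol["PolicyDocument"]["Statement"]):
            for res in as_list(st["Resource"]):
                if res not in (bucket_arn, bucket_arn + "/*"):
                    findings.append(f"{pol['PolicyName']}: resource {res} is not scoped to the bucket")
    return findings
```

Running check_role on a modified copy of the template (for example with the Condition block removed) reports the missing external-ID gate, which is the confused-deputy protection the linked article describes.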