AWS API

Connect your AWS account to streamline alert triage and threat analysis.

In this guide, you will learn how to connect Radiant to your AWS account using the AWS API connector. While Radiant already leverages AWS CloudTrail for logging and event history, CloudTrail has inherent limitations when it comes to answering real-time, resource-level questions during alert triage.

For example, CloudTrail does not provide the current state of a resource's configuration, such as the active permissions on an S3 bucket or the current association of an ACL rule to a group, which may have been set years before any recent activity. The AWS API connector fills this gap by enabling Radiant to make direct HTTP queries to the AWS API, retrieving up-to-date access policies, user privileges, and resource configurations at investigation time, which results in faster and more accurate threat analysis.

Note: Enabling this connector requires creating an IAM role in your AWS environment. If your organization requires a change request approval process before modifying AWS configurations, we recommend initiating that process before proceeding with the steps below.

Add the credentials in Radiant Security

  1. From the navigation menu, select Settings > Credentials and click + Add Credential.

  2. Select Amazon Web Services API from the list and click Configure Credential.

  3. Under Credential Name, give the credential an identifiable name (e.g. AWS API Credentials).

  4. Under AWS Accounts, you have two options for adding your accounts:

    • If you are using AWS Organizations, you can export a .csv file containing all your AWS Account IDs by following these instructions. Once the file is generated, drag and drop it into the upload box.

    • If you prefer to add accounts individually, select + Add Manually to enter each account ID one at a time.

  5. Click Add Credential to save the changes.

Add the AWS API data connector in Radiant Security

  1. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  2. Search for and select the Amazon Web Services API option and then click Data Feeds.

  3. Under Select your data feeds, select AWS HTTP API and click Credentials.

  4. From the drop-down menu, select the Amazon Web Services API credential that you created in the previous section.

  5. Click Add Connector to save the changes.

  6. In the Data Connectors page, find the AWS API connector and click View Details.

  7. Copy the AWS External Role ID. You'll use this value for the creation of the IAM role in the upcoming steps.

Note: There are two ways to create an IAM Role on your AWS account. If you are using AWS Organizations, we recommend following the StackSets instructions below.

Option 1: Configure the IAM Role manually

  1. Sign in to the AWS Management Console on the main account.

  2. Navigate to IAM.

  3. Click Policies > Create Policy.

  4. Under Specify Permission, select the JSON format and paste the JSON below:

  5. Enter a policy name, review the settings, and select Create policy.

  6. Navigate to the Roles page and select Create role.

  7. On the Select trusted entity page, configure the following:

    • For Trusted entity type, select Custom trust policy to allow Radiant to assume this role and access the account.

    • For Custom trust policy, paste the following JSON into the text box:

Note: Replace {RS_CREDENTIAL_ID} with the AWS External Role ID generated during the Radiant credential setup.

  8. On the Add permissions page, find and select the policy you created for this role.

  9. Set the role name as radiant-aws-api-access-role, review the settings, and select Create role.
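The value you paste in place of {RS_CREDENTIAL_ID} is what stops any other party that knows the role ARN from assuming it: every AssumeRole grant in the trust policy should be tied to a named principal and to that exact external ID. The check below is an added example, not Radiant's code and not the JSON from this page; the principal ARN and the external ID in its constructed sample policies are placeholders.

```python
def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_external_id):
    """Return a list of findings for a role trust policy document.

    An empty list means every statement that allows sts:AssumeRole names a
    specific principal and requires sts:ExternalId to equal the expected value
    (the AWS External Role ID). Only the StringEquals operator is accepted;
    anything else is reported so it can be reviewed by hand.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal may assume the role")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_ids = _as_list(condition.get("sts:ExternalId", []))
        if not external_ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif external_ids != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match the AWS External Role ID")
    return findings


def _policy(principal, condition=None):
    """Build a constructed one-statement trust policy for the samples below."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed samples: placeholder account ID and placeholder external ID.
EXPECTED_ID = "EXAMPLE-EXTERNAL-ID"
TRUSTED = {"AWS": "arn:aws:iam::111111111111:root"}
GOOD_TRUST_POLICY = _policy(TRUSTED, {"StringEquals": {"sts:ExternalId": EXPECTED_ID}})
MISSING_ID_POLICY = _policy(TRUSTED)          # cross-account trust with no external ID
WILDCARD_POLICY = _policy("*", {"StringEquals": {"sts:ExternalId": EXPECTED_ID}})

if __name__ == "__main__":
    for name, doc in [("good", GOOD_TRUST_POLICY), ("missing-id", MISSING_ID_POLICY), ("wildcard", WILDCARD_POLICY)]:
        print(name, check_trust_policy(doc, EXPECTED_ID) or "ok")
```

To audit the role after it exists, feed the function the AssumeRolePolicyDocument returned by `aws iam get-role --role-name radiant-aws-api-access-role`.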

Option 2: Configure the IAM Role via StackSets

AWS CloudFormation StackSets enables organizations to deploy infrastructure consistently across multiple AWS accounts and regions.

  1. In your main AWS Organization account, navigate to CloudFormation and select StackSets.

  2. Select Create StackSet.

  3. Download the CloudFormation template file: rs_iam_role.yml below:

  4. Open the file and replace {RS_CREDENTIAL_ID} with the AWS External Role ID generated during the Radiant credential setup.

  5. In the Permissions section, select Service-managed permissions.

  6. In the Prerequisite - Prepare template section, select Template is ready.

  7. In the Specify template section, select Upload a template file and upload the CloudFormation template file you downloaded and edited in step 4.

  8. Specify the StackSet name and parameters and click Next.

  9. In the Capabilities section, acknowledge that IAM resources will be created.

  10. In the Deployment targets section, select one of the following options:

    • To deploy the StackSet across your entire organization, select Deploy to organization.

    • To deploy the StackSet to specific accounts only, select Deploy to organizational units (OUs). Enter the AWS OU IDs for the target accounts, then, under Account filter type - optional, select the Intersection filter and add the account numbers you want to deploy the StackSet to.

  11. In the Specify regions section, add all the regions where the StackSet should be deployed.

  12. Review your configuration and select Submit to deploy the StackSet.
