Manually Configure CloudSecure to Fetch Flow Logs
This topic provides an overview of manually setting up Illumio CloudSecure to fetch flow logs stored in custom S3 bucket paths.
CloudSecure uses flow logs to display traffic flows; granting access to the flow logs lets CloudSecure read them. For instructions on how to grant flow log access to Illumio, see the in-application help. For instructions on how to enable flow logs, see Grant Flow Log Access.
Overview
CloudSecure supports flow logs stored in a custom S3 bucket path when the permissions to read this path are provided to the CloudSecure role. You can manually add permissions to the Illumio CloudSecure role so it can fetch the flow logs present in these custom directories and provide traffic data.
When you grant permission to read flow logs from custom S3 buckets, the CloudFormation template creates two new policy documents:
- IllumioCloudBucketListPolicy - Grants permission to list the items within the bucket and to get the region in which the bucket is located.
- IllumioCloudBucketReadPolicy - Grants permission to get the objects from the list of provided buckets.
IllumioBucketReadPolicy does not require any change: it adds read permission on the bucket for that specific path. However, IllumioBucketListPolicy needs to be modified as described below.
Add a Destination with a Custom Path to the CloudFormation Template
By default, the VPC flow logs going to an S3 bucket are shown in the By Log Destination view. However, a flow log that is sent to an S3 destination within a custom directory is shown only in the By Log Source view. Use the following steps to add a destination:
- Copy the name of the destination, with the full path to the custom directory, e.g., arn:aws:s3:::bucketname/customdirectory.
- From the By Log Destination view, click Grant Access to open the CloudFormation stack page in the AWS console.
- Add the S3 bucket with the custom destination to the S3Buckets parameter, along with the values already populated by CloudSecure. (The parameter is a comma-separated list, so add a comma before appending the S3 bucket with the custom path to the existing value.)
- Run the template.
Once the template runs successfully, the status shows as granted for the flow log configuration in CloudSecure under the By Log Source page.
Update the IllumioBucketListPolicy Document
To update the document:
- In the AWS Console, open Services > IAM > Roles and select the role name. The default role name is IllumioCloudIntegrationRole; Illumio created this role when you onboarded Illumio and granted flow log access permissions.
- Under Permissions, select IllumioCloudBucketListPolicy.
- The contents of IllumioCloudBucketListPolicy might look something like the first policy document below.
- Remove the S3 bucket with the custom prefix from the common statement and replace it with Sid: IllumioBucketListAccess2, creating the new statements under the policy document as seen below.
- Finally, ensure that the IllumioCloudBucketListPolicy file has the policies seen in the last document below.
Example of the existing IllumioCloudBucketListPolicy, as populated by the CloudFormation template (the custom path sits in the common statement):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket2",
        "arn:aws:s3:::bucket3",
        "arn:aws:s3:::bucket4/custompath/second-dir"
      ],
      "Effect": "Allow",
      "Sid": "IllumioBucketListAccess"
    }
  ]
}
New statements to add to the Statement array of the policy document (one for the bucket location, one for listing restricted to the custom prefix):
{
  "Action": [
    "s3:GetBucketLocation"
  ],
  "Resource": [
    "arn:aws:s3:::bucket4"
  ],
  "Effect": "Allow",
  "Sid": "IllumioBucketListAccess2"
},
{
  "Action": [
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::bucket4"
  ],
  "Condition": {
    "StringLike": {
      "s3:prefix": "custompath/second-dir/*"
    }
  },
  "Effect": "Allow",
  "Sid": "IllumioBucketListAccess3"
}
Resulting IllumioCloudBucketListPolicy after the update:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket2",
        "arn:aws:s3:::bucket3"
      ],
      "Effect": "Allow",
      "Sid": "IllumioBucketListAccess"
    },
    {
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket4"
      ],
      "Effect": "Allow",
      "Sid": "IllumioBucketListAccess2"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket4"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "custompath/second-dir/*"
        }
      },
      "Effect": "Allow",
      "Sid": "IllumioBucketListAccess3"
    }
  ]
}
Adding this permission grants CloudSecure the required permissions to read flow logs from the custom directories under an S3 bucket.
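The reason the list policy needs hand editing is that s3:ListBucket is a bucket-level action: the only resource it matches is the bucket ARN, so an object-path entry such as arn:aws:s3:::bucket4/custompath/second-dir in the common statement grants nothing for listing, and the custom directory has to be expressed as an s3:prefix condition on the bucket instead. The following script, added here as an example and not Illumio's own tooling, detects such entries in a policy document and performs the rewrite described in the steps above. The input document is a constructed sample mirroring the page's example; the Sid numbering (IllumioBucketListAccess2, 3, ...) follows the page's convention and is an assumption for buckets beyond the first.

```python
"""Detect and rewrite object-path ARNs in an IllumioCloudBucketListPolicy-style
document. Added example, not Illumio's code; the sample policy is constructed."""
import copy
import json

S3_ARN_PREFIX = "arn:aws:s3:::"
COMMON_SID = "IllumioBucketListAccess"  # Sid of the common statement on the page

# Constructed sample: what the CloudFormation template leaves behind after a
# bucket with a custom path is added to the S3Buckets parameter.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": [
                "arn:aws:s3:::bucket1",
                "arn:aws:s3:::bucket2",
                "arn:aws:s3:::bucket3",
                "arn:aws:s3:::bucket4/custompath/second-dir",
            ],
            "Effect": "Allow",
            "Sid": COMMON_SID,
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def split_bucket_arn(arn):
    """Return (bucket_arn, path); path is None for a bare bucket ARN."""
    if not arn.startswith(S3_ARN_PREFIX):
        raise ValueError("not an S3 ARN: %s" % arn)
    bucket, sep, path = arn[len(S3_ARN_PREFIX):].partition("/")
    return S3_ARN_PREFIX + bucket, (path if sep else None)


def custom_path_arns(policy):
    """ARNs carrying an object path inside statements that grant s3:ListBucket.

    These never match a ListBucket request, so CloudSecure cannot enumerate
    the flow log objects under that prefix until the policy is restructured.
    """
    found = []
    for stmt in policy["Statement"]:
        if "s3:ListBucket" not in _as_list(stmt["Action"]):
            continue
        for arn in _as_list(stmt["Resource"]):
            if split_bucket_arn(arn)[1] is not None:
                found.append(arn)
    return found


def rewrite_policy(policy):
    """Move each custom-path ARN out of the common statement into a
    GetBucketLocation statement plus a prefix-conditioned ListBucket statement.
    Returns a new document; the input is left untouched."""
    new = copy.deepcopy(policy)
    common = next(s for s in new["Statement"] if s.get("Sid") == COMMON_SID)
    keep, extra = [], []
    sid_n = 2  # assumption: continue numbering after the common statement
    for arn in _as_list(common["Resource"]):
        bucket_arn, path = split_bucket_arn(arn)
        if path is None:
            keep.append(arn)
            continue
        extra.append({
            "Action": ["s3:GetBucketLocation"],
            "Resource": [bucket_arn],
            "Effect": "Allow",
            "Sid": "%s%d" % (COMMON_SID, sid_n),
        })
        extra.append({
            "Action": ["s3:ListBucket"],
            "Resource": [bucket_arn],
            # Listing is allowed only for keys under the custom directory.
            "Condition": {"StringLike": {"s3:prefix": path.rstrip("/") + "/*"}},
            "Effect": "Allow",
            "Sid": "%s%d" % (COMMON_SID, sid_n + 1),
        })
        sid_n += 2
    common["Resource"] = keep
    new["Statement"].extend(extra)
    return new


if __name__ == "__main__":
    print("object-path ARNs in ListBucket statements:", custom_path_arns(SAMPLE_POLICY))
    print(json.dumps(rewrite_policy(SAMPLE_POLICY), indent=2))
```

Run the script against a copy of the policy document exported from the IAM console and compare its output with the resulting document shown above; a non-empty list from custom_path_arns on the updated policy means a custom path is still sitting in a ListBucket resource and the listing for that directory will not work.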