This guide walks you through enabling AWS Security Hub CSPM, AWS GuardDuty, and the new AWS Security Hub, configuring integrations to accept GuardDuty findings, and creating an AWS Access Key and Secret for API access for the purpose of retrieving AWS Compliance Findings, Threats, Inventory and Indicators of Misconfiguration. ## Enable Required AWS Services Note on finding types: - Security Hub CSPM: Compliance findings (compliance) - GuardDuty: Detection findings (threats) - Amazon Macie: Detection findings (sensitive data and policy) ### 1. Enable AWS Security Hub CSPM Enable the Security Hub CSPM service in your target AWS account and Region. See: [Enabling Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). ### 2. Enable AWS GuardDuty Enable GuardDuty in the same account and Region as Security Hub. See: [Getting started with GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html). ### 3. Enable the new AWS Security Hub (non-CSPM) Enable the standard Security Hub service (separate from CSPM) in the same account and Region. See: [Enabling Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html). ### 4. Enable Amazon Macie and publish findings to Security Hub Enable Amazon Macie in the same account and Region. When both Macie and Security Hub are enabled, Macie automatically publishes findings to Security Hub; you can customize publication settings if needed. See: [Evaluating Macie findings with AWS Security Hub](https://docs.aws.amazon.com/macie/latest/user/securityhub-integration.html#securityhub-integration-enable). ### 5. Configure Integrations to accept findings 1. In the AWS console, open Security Hub (not CSPM) and go to **Integrations**. 2. For **Amazon: GuardDuty**, verify **Status** shows **Accepting findings**; if not, choose **Accept findings**. 3. Repeat the same verification in Security Hub CSPM. See: [Integrating with AWS Security Hub](https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html). ## AWS Credentials Configuration Synqly supports two methods for authenticating with AWS: static credentials (IAM user access keys) and role-based access (IAM role assumption). Role-based access is recommended for production environments because it uses short-lived credentials and provides better auditability through CloudTrail. Role-Based Access ### Role-Based Access Role-Based access is recommended and is considered an [AWS best practice](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles). Role-based access uses AWS IAM roles to grant Synqly temporary credentials to access resources in your AWS account. This eliminates long-lived credentials and provides better security through the principle of least privilege. #### 1. Create an IAM Role Create a role in your AWS account with a name that starts with `SynqlyAccess` (for example, `SynqlyAccessS3Reader`). This naming convention is required. 1. In the AWS IAM console, go to **Roles** and choose **Create role**. 2. For trusted entity type, choose **Custom trust policy**. 3. Enter the following trust policy: ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::733459310821:role/SynqlyIntegrationAccess" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "YOUR_EXTERNAL_ID" } } } ] } ``` Replace `YOUR_EXTERNAL_ID` with a unique identifier you generate (for example, a UUID). You will provide this External ID when configuring the integration. 1. Name the role with a `SynqlyAccess` prefix (for example, `SynqlyAccessMyIntegration`). 2. Attach the appropriate permissions policy for your use case. 3. Create the role and note its ARN. For more details, see: - [Access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) - [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) ### External ID Requirements The External ID is a security mechanism that prevents the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html). It ensures that only authorized requests from Synqly can assume your role. The External ID must contain only the following characters: - Alphanumeric characters (a-z, A-Z, 0-9) - Special characters: `+ = , . @ : / -` - Must be between 2 and 1224 characters in length ### Configuring the Integration Credentials When creating an AWS integration in Synqly, provide the following configuration values based on your chosen authentication method. | Credential Parameter | Description | | --- | --- | | Role ARN | The ARN of the IAM role you created, for example `arn:aws:iam::123456789012:role/SynqlyAccessMyIntegration`. The role name must start with `SynqlyAccess` | | External ID | The External ID you specified in the role's trust policy. This value must match exactly | | Role Session Name | **OPTIONAL:** A name for the role session. If not specified, Synqly generates a default session name | | Duration | **OPTIONAL:** The duration of the role session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration configured on your role (default is 1 hour) | Static Credentials (IAM User) ### Static Credentials (IAM User) AWS static credentials are **NOT RECOMMENDED** for production systems. See the [AWS best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-workloads-use-roles) for more details. Static credentials consist of an Access Key ID and Secret Access Key associated with an IAM user. Use this method for simpler setups. #### 1. Create an IAM User 1. In the AWS IAM console, go to **Users** and choose **Create user**. 2. Enter a user name (for example, `SynqlyIntegration`). 3. Do not enable console access; this user only needs programmatic access. 4. Under permissions, choose **Attach policies directly** and attach the appropriate policy for your use case. 5. Create the user. #### 2. Create an Access Key 1. Open the newly created user and choose **Create access key**. 2. For the use case, choose **Third-party service**. 3. Create the key and securely copy the **Access Key ID** and **Secret Access Key**. For more details, see: - [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) - [How an IAM administrator can manage IAM user access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-keys-admin-managed.html). ### Configuring the Integration Credentials When creating an AWS integration in Synqly, provide the following configuration values based on your chosen authentication method. | Credential Parameter | Description | | --- | --- | | Access Key ID | The Access Key ID from your IAM user's access key pair | | Secret Access Key | The Secret Access Key from your IAM user's access key pair | | Session Token | **OPTIONAL:** A temporary session token. Only required if you are using temporary credentials from AWS STS. | ## Configure the Integration Create your integration by supplying the following configuration values. | Integration Parameter | Description | | --- | --- | | Region | This is the AWS Region where Security Hub and GuardDuty are enabled. |