Connect WatchGuard Total MDR with AWS CloudTrail
Applies To: WatchGuard Total MDR
If you have a WatchGuard Total MDR license and want WatchGuard to monitor your AWS CloudTrail environment, you must complete the steps in this topic to set up an AWS CloudTrail connector and add the integration in the Managed Services portal.
To connect WatchGuard MDR and your AWS CloudTrail environment, complete these steps:
- Run AWS CloudFormation Automation
- Get AWS CloudTrail Values for MDR Integration
- Add the Integration in the Managed Services Portal
Run AWS CloudFormation Automation
CloudFormation automation uses AWS CloudFormation templates to automatically provision, configure, and manage AWS resources in a repeatable and consistent manner.
To run AWS CloudFormation automation:
- Download the CloudFormation Template.
- Go to the AWS Management Console at https://aws.amazon.com/ and log in with a root user for the account you want to monitor.
- In the search box, type and select CloudFormation.
The CloudFormation dashboard opens.
- From the Create Stack drop-down list, select With New Resources (Standard).
The Create Stack page opens.
- In the Prerequisite - Prepare Template section, select Template Is Ready.
- In the Specify Template section, select Upload a Template File.
- Click Choose File.
- Select the cloudtrail-config.yml file you downloaded in Step 1.
- Click Next.
The Specify Stack Details page opens.
- Enter a Stack Name.
- To use an existing CloudTrail, from CloudTrailExists, select Yes. Type the name of the trail.
- To create a new CloudTrail, from CloudTrailExists, select No. Type a name for the trail.
- Click Next.
The Configure Stack Options page opens.
- Leave the default values for all options. Click Next.
The Review page opens.
- Scroll to the Capabilities section.
- Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box.
- Click Create Stack.
When the automation is complete, a status message shows.
Get AWS CloudTrail Values for MDR Integration
To connect WatchGuard MDR to your AWS CloudTrail environment, you must get some values from AWS to add to the Managed Services portal.
To find the required AWS values, from AWS CloudTrail:
- In the CloudFormation console, select the new stack you created in the Run AWS CloudFormation Automation section.
- Select the Outputs tab.
The output keys show.
- Copy the CloudTrailPrefix and CloudTrailS3Bucket values and save them to add to the Managed Services portal later.
- From the navigation menu, go to AWS Secrets Manager > Secrets.
The Secrets page opens.
- Select aws-cloudtrail-user-iam-keys.
- Click Retrieve Secret Value.
- Copy these values and save them to add to the Managed Services portal later:
- AWS Account ID
- Access Key ID
- Secret Access Key
Add the Integration in the Managed Services Portal
To add the AWS integration in the Managed Services portal, use the values you copied previously from AWS CloudTrail.
To add the AWS integration, from the Managed Services portal:
- In WatchGuard Cloud, select Monitor > Managed Services.
The Managed Services portal opens in a new browser tab.
- If you are a Service Provider, select your Subscriber account from the drop-down list.
- In the upper-right corner of the Managed Services portal, click .
- From the drop-down list, select Onboarding.
- From the navigation menu, select Integrations.
The Integrations page opens.
- Click Add Additional Service > AWS.
The AWS tab opens.
- In the Add an Integration section, enter the values you copied from your AWS account:
- AWS Account ID
- S3 Bucket Name
- Prefix Path
- Access Key ID
- Secret Access Key
- (Optional) In the Label text box, type a unique name for the integration.
- Click Add.
As a security best practice, we recommend that you regularly rotate the IAM credentials. For best practices and steps, go to How to Rotate Access Keys for IAM Users in the AWS documentation.
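To check whether the integration's access key is due for rotation, you can classify the keys listed by `aws iam list-access-keys`. The following Python code is an added example, not part of the WatchGuard or AWS documentation; the 90-day interval is an assumption, and the user name and key IDs in the sample are constructed placeholders.

```python
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # assumed rotation interval; the page does not set one

# Constructed sample in the shape printed by `aws iam list-access-keys`.
# User name and key IDs are placeholders, not values created by the template.
SAMPLE = json.loads("""
{"AccessKeyMetadata": [
  {"UserName": "example-cloudtrail-user", "AccessKeyId": "AKIAEXAMPLEKEY000001",
   "Status": "Active", "CreateDate": "2024-01-10T09:00:00+00:00"},
  {"UserName": "example-cloudtrail-user", "AccessKeyId": "AKIAEXAMPLEKEY000002",
   "Status": "Active", "CreateDate": "2024-06-01T09:00:00Z"}
]}
""")


def created_at(key):
    # Accept both "+00:00" and "Z" suffixes; older Pythons reject "Z".
    return datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))


def rotation_state(listing, now, max_age_days=MAX_AGE_DAYS):
    """Map each access key ID to one of: ok, stale, superseded, inactive."""
    keys = listing["AccessKeyMetadata"]
    active = [k for k in keys if k["Status"] == "Active"]
    newest_active = max(active, key=created_at, default=None)
    states = {}
    for key in keys:
        if key["Status"] != "Active":
            state = "inactive"      # rotation finished except for deletion
        elif key is not newest_active:
            state = "superseded"    # older key still live beside a newer one
        elif (now - created_at(key)).days > max_age_days:
            state = "stale"         # only live key is past the interval
        else:
            state = "ok"
        states[key["AccessKeyId"]] = state
    return states


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for key_id, state in rotation_state(SAMPLE, now).items():
        print(f"{key_id}: {state}")
```

A key reported as superseded or inactive means a rotation was started but the old key was never deactivated or deleted.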











