How to integrate AWS WAF & Inspector

ismailctest C

Feb 20, 2023, 12:28:33 AM
to Wazuh mailing list
Hi,
Kindly share the steps to integrate AWS WAF and Inspector.

WAF:
Integrated as per the below doc, but the logs are not being received.

Inspector:
Please share the doc and what configuration needs to be done on the AWS side.
Not getting the idea when checking the below link.

ismailctest C

Feb 20, 2023, 7:21:33 AM
to Wazuh mailing list
Hi Team,
Please help with this.

Jose Luis Carreras Marin

Feb 20, 2023, 8:29:07 AM
to Wazuh mailing list
Hello Ismail

Let's dig deeper into these problems you are having.

For the Amazon WAF configuration, have you encountered any problems in any of the steps shown in the documentation? Any errors or something that might have gone wrong? All the information you can give me will be helpful to solve the problem.
You can check the Wazuh log file (ossec.log) to see if there are any warning or error messages that can give us more clues.

For Amazon Inspector, the documentation says:
"Amazon Inspector does not need to store logs into a bucket, like the other AWS services. The inspector works as a searcher, so it retrieves information using the AWS API and provides an agent that analyzes it."
So no extra configuration file should be needed to view the vulnerabilities found.

If you can show me the Wazuh configuration file (ossec.conf) of the agent, it would be very useful. Any info could be a good hint.

Regards, Jose

ismailctest C

Feb 28, 2023, 2:24:50 AM
to Wazuh mailing list
Hi,
WAF configured and working fine.

Still pending Inspector configuration.
The below configuration has been done in the ossec.conf of the manager.
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>no</run_on_start>
  <skip_on_error>no</skip_on_error>
  <service type="inspector">
    <aws_profile>default</aws_profile>
  </service>
</wodle>

What is the next configuration, and what needs to be configured/done on the AWS side?

ismailctest C

Mar 5, 2023, 11:58:51 PM
to Wazuh mailing list
Hi,
Please help to get an update on this.

Jose Luis Carreras Marin

Mar 6, 2023, 5:33:58 AM
to Wazuh mailing list
Hi Ismail,
The documentation also specifies that you need to add at least one region when you configure the AWS Inspector service.
Users must specify at least a region. Multiple regions can be added separated by commas.

To add a region to the configuration, I show you an example here:


<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>no</run_on_start>
  <skip_on_error>no</skip_on_error>
  <service type="inspector">
    <aws_profile>default</aws_profile>
    <regions>us-east-1,us-east-2</regions>
  </service>
</wodle>


You can see the configuration in our documentation:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-s3.html#service-regions

Finally, if it still doesn't work, could you show me the /var/ossec/logs/ossec.log file of the manager? Maybe there is some clue of what may be happening. 
Regards, Jose

ismailctest C

Mar 6, 2023, 11:58:51 PM
to Wazuh mailing list
Hi Jose,
Please find the ossec.log
2023/03/07 04:56:14 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: inspector, Profile: default)
2023/03/07 04:56:14 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -  Returned exit code 12
2023/03/07 04:56:14 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -  An error occurred (AccessDeniedException) when calling the ListFindings operation: User: arn:aws:iam::21247xxxxxx:user/wazuh-SIEM is not authorized to perform: inspector:ListFindings because no identity-based policy allows the inspector:ListFindings action
2023/03/07 04:56:14 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.

Jose Luis Carreras Marin

Mar 7, 2023, 7:37:20 AM
to Wazuh mailing list
Hello Ismail,

It is necessary to set the name of the profile that has access to the AWS service. You need to specify it in the configuration line:
<aws_profile>default</aws_profile>
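
An added example, not part of the thread and not Wazuh's own code: it reads aws-s3 warnings in the format of the ossec.log excerpt above, extracts the IAM principal and the refused action from each AccessDeniedException, and prints a minimal identity-based policy covering only those actions. The sample lines are constructed with a placeholder account ID; the function names and the `"Resource": "*"` value are assumptions.

```python
import json
import re

# Constructed sample in the format of the ossec.log lines quoted in this thread
# (the account ID is a placeholder).
SAMPLE_LOG = """\
2023/03/07 04:56:14 wazuh-modulesd:aws-s3: INFO: Executing Service Analysis: (Service: inspector, Profile: default)
2023/03/07 04:56:14 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -  Returned exit code 12
2023/03/07 04:56:14 wazuh-modulesd:aws-s3: WARNING: Service: inspector  -  An error occurred (AccessDeniedException) when calling the ListFindings operation: User: arn:aws:iam::123456789012:user/wazuh-SIEM is not authorized to perform: inspector:ListFindings because no identity-based policy allows the inspector:ListFindings action
2023/03/07 04:56:14 wazuh-modulesd:aws-s3: INFO: Fetching logs finished.
"""

# Matches only aws-s3 module warnings that carry an IAM access-denied message.
DENIED = re.compile(
    r"wazuh-modulesd:aws-s3: WARNING: Service: \S+\s+-\s+"
    r"An error occurred \(AccessDeniedException\) when calling the \S+ operation: "
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:\w+)"
)

def denied_actions(log_text):
    """Map each denied principal ARN to the set of IAM actions it was refused."""
    found = {}
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            found.setdefault(m.group("principal"), set()).add(m.group("action"))
    return found

def policy_for(actions):
    """Build an identity-based policy that allows only the listed actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            # Assumption: "*" is used here; narrow it where the action
            # supports resource-level permissions.
            "Resource": "*",
        }],
    }

if __name__ == "__main__":
    for principal, actions in denied_actions(SAMPLE_LOG).items():
        print(f"# attach to {principal}")
        print(json.dumps(policy_for(actions), indent=2))
```

The log names only the call that was refused in that run, so run the parser again after the next interval in case a later API call is refused as well.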
