1. S3
Create an S3 bucket to store alerts. Note the bucket name and region.
The Capsule8 Console requires the following permissions to access the bucket:
- s3:ListBucket
- s3:GetObject
- s3:GetBucketLocation
The Capsule8 Sensor requires these permissions to write to the bucket:
- s3:CreateBucket
- s3:PutObject
2. SQS
Create an SQS queue to notify the Console of new alerts.
The SQS queue policy should grant sqs:SendMessage access to the alert bucket. An SQS queue is required for the Console to receive alerts.
The Capsule8 Console requires the following permissions to access the queue:
- sqs:ReceiveMessage
- sqs:DeleteMessage
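
A queue policy matching the description above, as an added example (not taken from Capsule8's documentation): it lets the S3 service send messages only on behalf of the alert bucket. It uses this page's example bucket, queue and account ID and assumes the bucket is owned by the same account as the queue; `permits` is a hypothetical, simplified evaluator for this one statement shape, not full IAM semantics.

```python
import json

def alert_queue_policy(queue_arn, bucket, account_id):
    """Resource policy for the alert queue: only S3, acting for this one
    bucket in this one account, may send messages to it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAlertBucketNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                # Without these two keys, any bucket in any account could
                # ask S3 to deliver notifications into this queue.
                "ArnEquals": {"aws:SourceArn": f"arn:aws:s3:::{bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }

def permits(policy, service, action, resource, source_arn, source_account):
    """Simplified check (assumption: exact-match principal, action, resource
    and condition values only; no wildcards, no Deny handling)."""
    ctx = {"aws:SourceArn": source_arn, "aws:SourceAccount": source_account}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if st["Principal"].get("Service") != service:
            continue
        if st["Action"].lower() != action.lower() or st["Resource"] != resource:
            continue
        conds = st.get("Condition", {})
        if all(ctx.get(key) == want
               for op in conds.values() for key, want in op.items()):
            return True
    return False

# Example values from this page; bucket owner account is an assumption.
QUEUE_ARN = "arn:aws:sqs:us-east-1:135591589592:mycompany-capsule8-alerts-AlertQueue"
POLICY = alert_queue_policy(QUEUE_ARN, "mycompany-capsule8-alerts", "135591589592")

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # paste the output as the queue's access policy
```
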
3. Console
After the Console has been installed, add these settings to the configuration file:
console:
  # ...
  alert_blob_storage_enabled: true
  alert_blob_storage_bucket_name: mycompany-capsule8-alerts
  alert_sqs_queue_url: https://sqs.us-east-1.amazonaws.com/135591589592/mycompany-capsule8-alerts-AlertQueue
4. Sensors
Change the Capsule8 Sensor configuration to export alert data to S3. Consult our guide to configuring the Sensor for details.
5. IAM
Sensor IAM policy
This example IAM policy will grant the Sensor write-only access to the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:CreateBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mycompany-capsule8-alerts",
        "arn:aws:s3:::mycompany-capsule8-alerts/*"
      ],
      "Effect": "Allow"
    }
  ]
}
Console IAM policy
This example IAM policy will grant the Console necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "sqs:SendMessage"
      ],
      "Resource": [
        "arn:aws:s3:::mycompany-capsule8-alerts",
        "arn:aws:s3:::mycompany-capsule8-alerts/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:135591589592:mycompany-capsule8-alerts-AlertQueue",
      "Effect": "Allow"
    }
  ]
}
For infrastructure outside of AWS
If your infrastructure is not in AWS, create a new AWS IAM user for each of the above policies and attach each policy to the appropriate user. In the environment where the Console or Sensor runs, set the environment variables (AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, and AWS_REGION) to the secret access key and access key ID of the appropriate AWS user.
Known Issues
In Console version 4.3.x, the SQS queue should be defined with the key alert_sqs_queue_name.