articles/sentinel/aws-disruption.md
7 additions & 13 deletions
@@ -10,11 +10,11 @@ ms.topic: how-to
10
10
11
11
# Enable attack disruption actions on AWS with Microsoft Sentinel (preview)
12
12
13
-
This article describes how to configure your AWS environment so that Microsoft Sentinel can take automated actions on a user that assumes a SAML role, or on an AWS IAM account when an alert is triggered. Attack disruption uses high-confidence signals to contain compromised assets and limit the impact of attacks, including actions on identities in AWS.
13
+
This article describes how to configure your AWS environment so that Microsoft Sentinel can take automated actions on a user that assumes a SAML role, or on an AWS IAM account when an alert is triggered. Attack disruption uses high-confidence signals to contain compromised assets and limit the damage from attacks, including actions on identities in AWS.
14
14
15
15
## Prerequisites
16
16
17
-
Before you begin, ensure the following:
17
+
Before you begin, you need the following prerequisites in place:
18
18
19
19
- You have an active AWS account with administrative privileges.
20
20
- Your Microsoft Sentinel analytic workspace is connected to the unified security operations portal.
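Review bot: the new lead-in on the added line, "Before you begin, you need the following prerequisites in place:", repeats the "## Prerequisites" heading directly above it and no longer reads into the list items, which are full sentences ("You have an active AWS account ..."). A lead-in such as "Before you begin, make sure that:" would keep the list grammatical. Separately, the unchanged first item asks for an AWS account with "administrative privileges"; the visible steps in 1.1 and 1.2 only create an IAM role and set its permission and trust policies, so consider stating that narrower requirement instead of full administrative access.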
@@ -27,13 +27,11 @@ Before you begin, ensure the following:
27
27
28
28
### 1.1 Create a dedicated IAM role for Microsoft Sentinel
29
29
30
-
1.In the AWS console, go to **IAM \> Roles**.
30
+
1.[Create a new IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) in the AWS Management Console.
31
31
32
-
1. Select **Create role**.
32
+
- Select **AWS service** as the trusted entity and choose **EC2** (you'll update the trust relationship [next](#12-configure-trust-relationship)).
33
33
34
-
1. Select **AWS service** as the trusted entity and choose **EC2** (you'll update the trust relationship later).
35
-
36
-
1. Attach the following policy to the role (replace \<YOUR_ACCOUNT_ID\> as needed):
34
+
- Attach the following policy to the role (replace \<YOUR_ACCOUNT_ID\> as needed):
37
35
38
36
```json
39
37
{
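Review bot: the added bullet "Select **AWS service** as the trusted entity and choose **EC2**" still has the reader create the role with a trust policy that lets the EC2 service assume it, and the only thing that corrects this is the "[next]" link to section 1.2. Since 1.2 now links to the AWS page for creating a role with a custom trust policy, 1.1 could tell the reader to choose a custom trust policy at creation time and drop the EC2 placeholder, so the role never trusts a principal it does not need. If the placeholder stays, state explicitly that 1.2 has to be completed before the role is put to use.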
@@ -60,15 +58,11 @@ Before you begin, ensure the following:
60
58
}
61
59
```
62
60
63
-
1. Name the role (for example, SentinelAttackDisruptionRole) and create it.
64
-
65
61
### 1.2 Configure trust relationship
66
62
67
-
1. In the IAM role you created, go to the **Trust relationships** tab.
68
-
69
-
1. Select **Edit trust relationship**.
63
+
Create a [custom trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html#roles-creatingrole-custom-trust-policy-console) for the IAM role.
70
64
71
-
1. Replace the trust policy with the following, specifying the Microsoft Sentinel integration principal (replace `<YOUR_AZURE_SUBSCRIPTION_ID>` with your actual Azure subscription ID):
65
+
Use the following trust policy, specifying the Microsoft Sentinel integration principal (replace `<YOUR_AZURE_SUBSCRIPTION_ID>` with your actual Azure subscription ID):
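Review bot: the replacement sentence "Create a [custom trust policy] for the IAM role" links to the console flow for creating a new role, but at this point the role from 1.1 already exists, and the removed steps ("go to the **Trust relationships** tab", "Select **Edit trust relationship**") were the only instructions for editing it. Keep a one-line pointer to where the existing role's trust policy is edited, or link to an AWS page that covers editing rather than creation. The hunk also removes "Name the role (for example, SentinelAttackDisruptionRole) and create it" with no replacement, so nothing in the visible lines tells the reader to name the role; restore that guidance in 1.1 if later steps refer to the role by name or ARN.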