S3 permissions to Wazuh via service account #625

Open
anjanaradhakrishnan opened this issue Mar 15, 2024 · 2 comments

Comments

@anjanaradhakrishnan

We need to achieve the Wazuh integration with S3 using a Kubernetes service account.
I'm trying to annotate a k8s service account with an IAM role. For that I have created a role with a trust relationship (which authenticates the AWS services with the cluster pods) and the necessary permissions, and created a service account with the created role ARN.

apiVersion: v1
kind: ServiceAccount
metadata:
    name: wazuh-service-account
    namespace: wazuh
    annotations:
        eks.amazonaws.com/role-arn: "arn:aws-us-gov:iam::xxx:role/wazuh-ph-sa-role"

In the deployment file of the Wazuh manager I added the service account.

spec:
  serviceAccountName: wazuh-service-account

This is working and I'm able to access the S3 bucket from the Wazuh manager pod when running aws s3 ls.
But I'm not sure why Wazuh is not able to access the bucket. We are getting the below error in the integration.log file:
2024/03/11 10:26:14 wazuh-modulesd:aws-s3: WARNING: Bucket: - An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
This is the integration added in ossec.conf:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>1m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>cloudtrail</name>
  </bucket>
  <bucket type="guardduty">
    <name>guardduty</name>
  </bucket>
</wodle>
@infosith

infosith commented Apr 17, 2024

This is just a guess, as I am trying to get AWS monitoring set up as well, but I think that you need to let your wodle config know about the role:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>1m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>cloudtrail</name>
  </bucket>
  <bucket type="guardduty">
    <name>guardduty</name>
    <!-- the ARN goes in bare; wrapping it in quotes makes the quotes part of the value -->
    <iam_role_arn>arn:aws-us-gov:iam::xxx:role/wazuh-ph-sa-role</iam_role_arn>
  </bucket>
</wodle>

Again, I'm just guessing, as I am going through the motions of implementing the same type of integration and was researching the best way to go about it when I saw this issue here. Please share if it solves the issue.

@infosith

infosith commented Apr 18, 2024

Also, I came across this for EKS, which I think is probably the best way of doing it:
https://docs.aws.amazon.com/eks/latest/userguide/pod-id-how-it-works.html

It's an add-on that seems to simplify things here.

Hmm, not sure why it does not work; I get this in the logs:

Apr 18, 2024 @ 11:37:15.000 wazuh-modulesd:aws-s3 WARNING Bucket: 1111111111(mybucket) - Unsupported host '169.254.170.23'. Can only retrieve metadata from these hosts: 169.254.170.2, localhost, 127.0.0.1

I wonder if the Wazuh AWS integration supports the right AWS SDK version, or if it truly requires the actual .aws/credentials file with the token info in the root directory of the container.
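
Both symptoms in this thread (IRSA working for `aws s3 ls` but the wodle getting InvalidClientTokenId from GetCallerIdentity, and Pod Identity failing with "Unsupported host '169.254.170.23'") come down to which credential provider the SDK inside the wodle's process ends up using, and whether that SDK is new enough for it. The AWS CLI ships its own bundled SDK, while the aws-s3 wodle runs under Wazuh's own Python interpreter with its own boto3/botocore, so the two can disagree. The script below is an added example, not code from this issue, from Wazuh or from AWS: it walks the relevant part of botocore's default credential chain (static keys in the environment, then AssumeRoleWithWebIdentity for IRSA, then the container provider used by Pod Identity and ECS) over a plain environment dict and reports what would be picked and why it might fail. Assumptions: the accepted container hosts are read from botocore's private `ContainerMetadataFetcher._ALLOWED_HOSTS` attribute (with the three hosts quoted in the log above as the fallback), the region check only consults environment variables, and the sample environments are constructed with a 12-digit placeholder account ID in place of the `xxx` in the thread. One further caveat on the earlier suggestion: `<iam_role_arn>` makes the wodle call sts:AssumeRole on that ARN with whatever base credentials the SDK found, so pointing it at the pod's own role only works if that role's trust policy allows the role to assume itself.

```python
"""Added example (not code from this issue, Wazuh or AWS): work out which AWS
credential source a boto3/botocore process in the pod will use, and flag the
two failure modes seen in this thread.  It only reads an environment dict, so
it runs offline, e.g. against the environment of the wodle's own interpreter."""
import os
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# The three hosts listed in the "Unsupported host" log line above: what the
# container-credential provider of an older botocore accepts.
LEGACY_CONTAINER_HOSTS = ("169.254.170.2", "localhost", "127.0.0.1")
# Link-local address of the EKS Pod Identity Agent, as seen in that log line.
POD_IDENTITY_HOST = "169.254.170.23"


@dataclass
class Verdict:
    source: str                       # "static", "web_identity", "container" or "none"
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.source != "none" and not self.problems


def partition_of(role_arn):
    """'arn:aws-us-gov:iam::123456789012:role/x' -> 'aws-us-gov'; None if not a role ARN."""
    m = re.match(r"^arn:([^:]+):iam::\d{12}:role/\S+$", role_arn or "")
    return m.group(1) if m else None


def region_matches_partition(region, partition) -> bool:
    """GovCloud (aws-us-gov) regions are exactly the ones named us-gov-*."""
    if not region or not partition:
        return False
    return region.startswith("us-gov-") == (partition == "aws-us-gov")


def installed_container_hosts():
    """Hosts the botocore importable here accepts for container credentials.
    Assumption: botocore keeps them in ContainerMetadataFetcher._ALLOWED_HOSTS
    (a private attribute); if it is missing, fall back to the legacy list."""
    try:
        from botocore.utils import ContainerMetadataFetcher
        return tuple(getattr(ContainerMetadataFetcher, "_ALLOWED_HOSTS", LEGACY_CONTAINER_HOSTS))
    except ImportError:
        return LEGACY_CONTAINER_HOSTS


def classify(env, container_hosts=LEGACY_CONTAINER_HOSTS, readable=os.access) -> Verdict:
    """Walk the relevant part of botocore's default provider order: static keys
    in the environment, then AssumeRoleWithWebIdentity (IRSA), then the
    container provider (Pod Identity / ECS).  `readable(path, os.R_OK)` is
    injectable so the checks can run where the token files do not exist."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        # Static keys come first in the chain, so a stale pair left in the
        # environment silently shadows the role attached to the pod.
        return Verdict("static", ["static keys in env shadow IRSA/Pod Identity"])

    role_arn, token = env.get("AWS_ROLE_ARN"), env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if role_arn and token:
        v = Verdict("web_identity")
        if not readable(token, os.R_OK):
            v.problems.append(f"token file {token} not readable by this process")
        part = partition_of(role_arn)
        if part is None:
            v.problems.append(f"AWS_ROLE_ARN {role_arn!r} is not an IAM role ARN")
        region = env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION")
        if not region_matches_partition(region, part):
            # A web-identity token for a GovCloud role is only accepted by a
            # GovCloud STS endpoint, and the region decides which one is called.
            v.problems.append(f"region {region!r} does not match partition {part!r}")
        return v

    full_uri = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if full_uri or env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"):
        v = Verdict("container")
        host = urlparse(full_uri).hostname if full_uri else "169.254.170.2"
        if host not in container_hosts:
            v.problems.append(f"botocore here rejects host {host}: too old for Pod Identity")
        auth_token = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
        if host == POD_IDENTITY_HOST and not auth_token:
            v.problems.append("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is not set")
        elif auth_token and not readable(auth_token, os.R_OK):
            v.problems.append(f"token file {auth_token} not readable by this process")
        return v

    return Verdict("none", ["no IRSA or container credentials in env"])


if __name__ == "__main__":
    # Run under the same interpreter the wodle uses to see what *it* will pick.
    print(classify(os.environ, installed_container_hosts()))
```

To compare the two worlds from the thread, run the script once with the system `python3` the AWS CLI lives beside and once under the interpreter the wodle uses (assumed here to be `/var/ossec/framework/python/bin/python3`), inside the Wazuh manager pod: a "container" verdict with a "too old for Pod Identity" problem under the second interpreter is the situation behind the "Unsupported host" warning, and a "web_identity" verdict with a region/partition mismatch or an unreadable token file is the kind of thing that produces an InvalidClientTokenId from GetCallerIdentity even though the CLI works.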
