Event Forwarder S3 Bucket Configuration

Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.

Configure an AWS S3 Bucket for the EDR Event Forwarder

This document describes how to configure an S3 bucket for the EDR or Hosted EDR Event Forwarder and provides an example bucket policy.

What is S3 and how is it used with the Event Forwarder?

Amazon Simple Storage Service is an object storage solution that allows customers to store any amount of data in highly available and easy-to-use buckets. The EDR Event Forwarder will send data to your configured bucket for easy consumption.

Create an S3 Bucket

  1. Sign into the AWS Management Console.
  2. In the top right corner of the page, you will see a region. Ensure that the selected region is the same region that the Event Forwarder is in. Use the dropdown to select the correct region. The table below gives the applicable AWS Region for each Carbon Black EDR URL.
Carbon Black EDR URL AWS Region Name AWS Region
“instance-alias”.my.carbonblack.io US East (N. Virginia) us-east-1
“instance-alias”.my.cbcloud.de Europe (Frankfurt) eu-central-1
“instance-alias”.my.cbcloud.sg Asia Pacific (Singapore) ap-southeast-1
  1. Under Services, navigate to the S3 console.
  2. Choose Create bucket. The Create bucket wizard will open.
  3. In Bucket name, enter a unique name for your bucket. This can be anything.
  4. Region should default to the region you selected in step 2. Ensure that the region selected is the same region that the Event Forwarder is in by referring to the table in step 2.
  5. The Bucket settings for Block Public Access defaults to block all public access. This default should be sufficient; public access is not required for the S3 bucket to work with the Event Forwarder.
  6. Select Create Bucket. Configure S3 Bucket to allow the Event Forwarder to write events.

Configuring the Bucket Policy

  1. Once the bucket is created and the page is loaded with a success message, select Go to bucket details from the message.
  2. Navigate to Permissions and select Bucket Policy. The bucket policy gives the Event Forwarder permissions to write to your bucket.
  3. Next to the text that reads Bucket policy editor, you will see the ARN for your bucket. Copy this value for use in the policy.
  4. At the bottom of the page, select Policy generator. The policy editor will open in a new window.
  • In Step 1: Select Policy Type, select S3 Bucket Policy.

  • In Step 2: Add Statement(s) under Effect, select Allow.

  • In Step 2: Add Statement(s) under Principal, enter the ARN for the role you want the Event Forwarder to assume.

  • In Step 2: Add Statement(s), AWS Service should be Amazon S3.

  • In Step 2: Add Statement(s), for Actions select the following:

    • ListAllMyBuckets
    • GetObject
    • ListBucket
    • PutObject
    • Deleteobject
  1. In Step 2: Add Statement(s) in Amazon Resource Name (ARN), paste your S3 bucket’s ARN copied in step 11.
  • If you wish to allow the Event Forwarder to write to any object within this bucket, append "/*" to the ARN. Example: arn:aws:s3:::example-bucket/*
  • If instead you wish to only allow the Event Forwarder to write to a specific path within the bucket, append the directory path followed by "/*" to the ARN.Example: to only allow the Event Forwarder to write to the /carbonblack/events subdirectory within the bucket, use arn:aws:s3:::example-bucket/carbonblack/events/*
  • The "/*" is required at the end of the ARN regardless of directory structure to allow the Event Forwarder to create time-based subdirectories to store events.
  • The path must match the S3 prefix configured in the Event Forwarder.
  1. Select Add Statement.
  2. Select Generate Policy in Step 3: Generate Policy. A pop-up will open with your Policy JSON Document. Copy the contents.
  3. Returning to Permissions > Bucket Policy within the S3 console for your bucket, paste the Policy JSON Document in the editor and select Save.
  4. Next select “Management” tab
  5. Go to lifecycle and add lifecycle rule
  • Select Apply to all objects in the bucket
  • Select next twice to go to the “Expiration” page
  • Select Current Version so it’s checked. Expire the current version after desired days (7 is default) from object creation.
  • Select next to review and save.

Example Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
"arn:aws:s3:::carbon-black-customer-bucket-name/myprefix/* "
            ],
            "Effect": "Allow"
        }
    ]
}

Enabling Events in the EDR Console

  1. From the EDR product, navigate to the event forwarder tab
  2. Enable the desired events you would like the product to upload to s3
  3. Scroll down to Output and Type and set to s3
  4. Put in the s3 bucket name, for example:
  • Required - Format: [<region>:]<bucket-name> or
  • Us-east-1:example-bucket
  1. Select upload AWS credentials file in ini format. Below is an example of a profile:
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-1
  1. Select Save and restart the service for the changes to take effect.
Last modified on July 22, 2020