Getting started with AWS AppFabric for security

To get started with AWS AppFabric for security, you must first create an app bundle and then authorize and connect applications to your app bundle. After app authorizations are connected to applications, you can use AppFabric for security features such as audit log ingestions and user access.

This section explains how to start using AppFabric in the AWS Management Console.

Prerequisites

Before you get started, you must first create an AWS account and an administrative user. For more information, see Sign up for an AWS account and Create a user with administrative access.

Step 1: Create app bundle

An app bundle stores all of your AppFabric for security app authorizations and ingestions. To create an app bundle, set up an encryption key to securely protect your authorized application data.

1. Open the AppFabric console at https://console.aws.amazon.com/appfabric/.

2. In the Select a Region selector in the upper-right corner of the page, select an AWS Region. AppFabric is available in the US East (N. Virginia), Europe (Ireland), and Asia Pacific (Tokyo) Regions only.

3. Choose Getting started.

4. On the Getting started page, for Step 1. Create app bundle, choose Create app bundle.

5. In the Encryption section, set up an encryption key to securely protect your data from all authorized applications. This key is used to encrypt your data within the AppFabric for security service.

   AppFabric for security encrypts data by default. AppFabric can use an AWS owned key created and managed by AppFabric on your behalf or a customer managed key that you create and manage in AWS Key Management Service (AWS KMS).

6. For AWS KMS Key, choose either Use AWS owned key or Customer managed key.

   If you choose to use a customer managed key, enter either the Amazon Resource Name (ARN) or the key ID of the existing key that you want to use, or choose Create an AWS KMS key.

   Consider the following when choosing an AWS owned key or a customer managed key:

   • AWS owned keys are a collection of AWS Key Management Service (AWS KMS) keys that an AWS service owns and manages for use in multiple AWS accounts. Although AWS owned keys are not in your AWS account, an AWS service can use an AWS owned key to protect the resources in your account. AWS owned keys don't count against the AWS KMS quotas for your account. You don't need to create or maintain the key or its key policy. The rotation of AWS owned keys varies across services. For information about the rotation of an AWS owned key for AppFabric, see Encryption at rest.

   • Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these AWS KMS keys. You can establish and maintain their key policies, AWS Identity and Access Management (IAM) policies, and grants. You can enable and disable them, rotate their cryptographic material, add tags, create aliases that refer to the AWS KMS keys, and schedule the AWS KMS keys for deletion. Customer managed keys appear on the Customer managed keys page of the AWS Management Console for AWS KMS.

     To definitively identify a customer managed key, use the DescribeKey operation. For customer managed keys, the value of the KeyManager field of the DescribeKey response is CUSTOMER. You can use your customer managed key in cryptographic operations and audit usage in AWS CloudTrail logs. With many AWS services that integrate with AWS KMS, you can specify a customer managed key to protect the data stored and managed for you. Customer managed keys incur a monthly fee and a fee for use in excess of the AWS Free Tier. Customer managed keys count against the AWS KMS quotas for your account.

   For more information about AWS owned keys and customer managed keys, see Customer keys and AWS keys in the AWS Key Management Service Developer Guide.

   Note

   When an app bundle is created, AppFabric for security also creates a special IAM role in your AWS account called a service-linked role (SLR) for AppFabric. It allows the service to send metrics to Amazon CloudWatch. After you add an audit log destination, the SLR allows the AppFabric for security service access to your AWS resources (Amazon S3 buckets, Amazon Data Firehose delivery streams). For more information, see Using service-linked roles for AppFabric.

7. (Optional) For Tags, you have the option to add tags to your app bundle. Tags are key-value pairs that assign metadata to resources that you create. For more information, see Tagging your AWS resources in the AWS Tag Editor User Guide.

8. To create your app bundle, choose Create app bundle.

Step 2: Authorize applications

After your app bundle is created successfully, you can now authorize AppFabric for security to connect and interact with each of your applications. Authorized applications are encrypted and stored in your app bundle. To set up multiple app authorizations per app bundle, repeat the app authorization step as needed for each application.

Before you begin the steps to authorize applications, review and verify prerequisites for each application, such as the plan type needed, in Supported applications.

1. On the Getting started page, for Step 2. Authorize applications, choose Create app authorization.

2. In the App authorization section, select the application that you want to grant permission for AppFabric for security to connect to from the Application dropdown. The applications shown are those that are currently supported by AppFabric for security.

3. When you select an application, required fields of information appear. These fields include tenant ID and tenant name and might also include client ID, client secret, or personal access token. The input values for these fields varies by application. For detailed application-specific instructions on how to find these values, see Supported applications.

4. (Optional) For Tags, you have the option to add tags to your app authorization. Tags are key-value pairs that assign metadata to resources that you create. For more information, see Tagging your AWS resources in the AWS Tag Editor User Guide.

5. Choose Create app authorization.

6. If a pop-up window appears (dependent upon the application that is being connected), select Allow to authorize AppFabric for security to connect with your application.

   If your app authorization was successful, you will see a success message of App authorization connected on the Getting Started page.

7. You can check the status of your app authorization at any time on the App authorizations page listed in the navigation pane, under status for each application. A Connected status means that your app authorization has been granted for AppFabric for security to connect to the application and is complete.

8. Possible app authorization statuses are shown in the following table, including troubleshooting steps that you can take to fix related errors.

   Status name	Status description	Troubleshooting steps
   Pending	A status of Pending means that an app authorization for the application is created, but AppFabric for security isn't yet connected to the application.	When you see this status, select Connect from the Actions dropdown of the App authorization page to initiate a connection. If this error persists, check if your browser's pop-up blocker is disabled. If there is any error message, like 400 Bad Request in the pop-up window, check that all the information, such as tenant ID, client ID, and client secret, is correctly entered. It's also possible that the app authorization of the application isn't created correctly. For more information, see Supported applications.
   Connection validation failed	A status of Connection validation failed means that AppFabric for security can't validate the connection of the app authorization with an application.	Check that all the information, such as tenant ID, client ID and client secret, is entered correctly for the app authorization.
   Token auto-rotation failed	A status of token auto-rotation failed means that the OAuth refresh token has failed after the app authorization was successfully connected.	If this error persists, check the authentication application of the application. For more information, see Supported applications.

9. To authorize additional applications, repeat steps 1 through 8 as needed.

Step 3: Set up audit log ingestions

After you have at least one app authorization created in your app bundle, you can now set up an audit log ingestion. An audit log ingestion consumes audit logs from an authorized application and normalizes them into the Open Cybersecurity Schema Framework (OCSF). It then delivers them to one or more destinations within AWS. You can also choose to deliver raw JSON files to your destinations.

1. On the Getting started page, for the Step 3. Set up audit log ingestions section, select Ingestions quick setup.

   Note

   For faster setup, use the Ingestions quick setup page, accessible from the Getting started page only, to create ingestions for multiple app authorizations at a time, with the same ingestion destination. For example, the same Amazon S3 bucket or Amazon Data Firehose data stream.

   You can also create ingestions from the Ingestions page, accessible from the navigation pane. On the Ingestions page, you can set up one ingestion at a time to distinct destinations. On the Ingestions page, you can also create a tag for an ingestion. The following instructions are for the Ingestions quick setup page.

2. For Select app authorizations, select the app authorizations that you want to create an audit log ingestions for. The tenant names that appear in the App authorizations dropdown are the tenant names of applications that you have previously created an app authorization for with AppFabric for security.

3. For Add destination, select a destination for the audit log ingestions of the applications that you selected. Destination options include Amazon S3 - Existing Bucket, Amazon S3 - New Bucket, or Amazon Data Firehose. If you select multiple tenant names, the destination you choose is applied to each ingestion of an app authorization.

4. When you choose a destination, additional required fields appear.

   1. If you choose Amazon S3 — New bucket as your destination, you must enter the name of the S3 bucket that you want to create. For more instructions on how to create an Amazon S3 bucket, see Create an output destination.

   2. If you choose Amazon S3 — Existing bucket as your destination, select the name of the Amazon S3 bucket that you want to use.

   3. If you choose Amazon Data Firehose as your destination, select the name of the delivery stream from the Firehose delivery stream name dropdown list. For more instructions on how to create an Amazon Data Firehose delivery stream, see Create an output destination, and note the permissions policy required for AppFabric for security.

5. For Schema & Format, you can choose to store your audit logs in Raw - JSON, OCSF - JSON, OCSF - Parquet for Amazon S3 buckets, or Raw - JSON or OCSF-JSON for Firehose.

   The Raw data format provides your audit log data converted to JSON from a string of data. The OCSF data format normalizes your audit log data to the AppFabric for security Open Cybersecurity Schema Framework (OCSF) schema. For more information about how AppFabric uses OCSF, see Open Cybersecurity Schema Framework. You can select only one schema and format data type at a time for an ingestion. If you want to add an additional schema and format data type, you can set up an additional ingestion destination by repeating the ingestion creation process.

6. (Optional) If you want to add a tag to an ingestion, go to the Ingestions page from the navigation pane. To go to the ingestion details page, select the tenant name. For Tags, you have the option to add tags to your ingestion. Tags are key-value pairs that assign metadata to resources that you create. For more information, see Tagging your AWS resources in the AWS Tag Editor User Guide.

7. Choose Set up ingestions.

   When you successfully set up an ingestion, you will see a success message of Ingestion created on the Getting Started page.

8. You can also check the state of your ingestions and status of your ingestion destinations at any time on the Ingestions page from the navigation pane. On this page, you can see the tenant name created upon creating app authorization, destination, and state of your ingestions. A state of Enabled for your ingestion means that your ingestion is enabled. If you choose the tenant name of an app authorization on this page, you can see a detail page for that app authorization, including destination details and status. A status of Active for your ingestion destination means that the destination is set up properly and active. If the app authorization has the Connected status and the ingestion destination status is Active, then the audit log should be processed and delivered. If the app authorization status or the ingestion destination status are any of the failed states, the audit log will not be processed or delivered even if the ingestion status is enabled. To fix an app authorization failure, see Step 2. Authorize applications.

9. Possible ingestion and ingestion destination statuses are shown in the following table, with troubleshooting steps that you can take to fix any error status.

   State or status name	Description	Troubleshooting steps
   Disabled	A Disabled state for the ingestion means that your ingestion is disabled.	You can enable the ingestion by selecting Enable from the Actions dropdown of the Ingestions page.
   Failed	A Failed state for the ingestion destination means that the ingestion destination isn't accepting the audit log. For example, this status might occur because of a full storage location.	To fix these issues, go to the Amazon S3 or Firehose consoles.

Step 4: Use the user access tool

Using the AppFabric for security user access tool, security and IT Admin teams can quickly see who has access to specific applications by running a simple search using the employee’s corporate email address. This approach can be helpful in reducing time spent on tasks like user deprovisioning that might require manually checking or auditing a user’s access across SaaS applications. If a user is found, AppFabric for security provides the user’s name in the application and their in-app user status (for example, Active) if provided by the application. AppFabric for security searches all authorized applications in an app bundle to return a list of applications that the user has access to.

1. On the Getting Started page, for Step 4. Use the user access tool, choose Look up user.

2. In the Email address field, type a user’s email address, and choose Search.

3. In the Search results section, you see a list of all authorized applications that the user has access to. To show the user’s name in the application and their status (if available), select a search result.

4. A message of User found in the search results column means that the user can access the app listed. The following table shows the possible search results, errors, and the actions that you can take to address the errors.

   Search result	Description
   The user not found	No user is found with the email address used.
   An authorization token was not found. Connect the app authorization for the application.	Check that all the information, such as tenant ID, client ID, and client secret, is entered correctly for the app authorization.
   The authorization token was revoked. Connect the app authorization for the application.	Check that all the information, such as tenant ID, client ID, and client secret, is entered correctly for the app authorization.
   We were unable to rotate the authorization token. Connect the app authorization for the application.	The OAuth refresh token has failed after the app authorization was successfully connected. If this error persists, check the authentication application of the application. For more information, see Supported applications.
   The required permissions were not found. Connect the app authorization for the application.	Check that all the information, such as tenant ID, client ID, and client secret, is entered correctly for the app authorization.
   The app authorization is not valid.	Check that all the information, such as tenant ID, client ID, and client secret, is entered correctly for the app authorization.
   We couldn't call the application API due to insufficient permissions.	Check that all the information, such as tenant ID, client ID, and client secret, is entered correctly for the app authorization.
   The application request limit was exceeded.	This is an error message that was received from the application. You can try to search an email address later.
   Application encountered an internal server error	This is an error message that was received from the application. You can try to search an email address later.
   Application encountered a bad gateway error	This is an error message that was received from the application. You can try to search an email address later.
   Application is not ready to handle the request	This is an error message that was received from the application. You can try to search an email address later.
   The application encountered a bad request error.	This is an error message we received from the application. You can try to search an email again later.
   The application encountered a service unavailable error.	This is an error message we received from the application. You can try to search an email again later.

Step 5: Connect AppFabric for security data in security tools and other destinations

Normalized (or raw) application data from AppFabric is compatible with any tool that supports data ingestion from Amazon S3 and integration with Firehose, including security tools like Barracuda XDR, Dynatrace, Logz.io, Netskope, NetWitness, Rapid7, and Splunk, or your proprietary security solution. To get normalized (or raw) application data from AppFabric, follow the previous steps 1 through 3. For more details on how to set up specific security tools and services, see Compatible security tools and services.