Draft for review

yelevin · yelevin · commit 3127726a81a1 · 2024-01-31T21:18:04.000+02:00
diff --git a/articles/sentinel/connect-aws.md b/articles/sentinel/connect-aws.md
@@ -2,9 +2,9 @@
 title: Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data
 description: Use the AWS connector to delegate Microsoft Sentinel access to AWS resource logs, creating a trust relationship between Amazon Web Services and Microsoft Sentinel.
 author: yelevin
-ms.topic: how-to
-ms.date: 12/12/2022
 ms.author: yelevin
+ms.topic: how-to
+ms.date: 01/31/2024
 ---
 
 # Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data
@@ -52,7 +52,9 @@ This graphic and the following text show how the parts of this connector solutio
 
 - The connector reads the message with the path, then fetches the files from the S3 bucket.
 
-- To connect to the SQS queue and the S3 bucket, Microsoft Sentinel uses AWS credentials and connection information embedded in the AWS S3 connector's configuration. The AWS credentials are configured with a role and a permissions policy giving them access to those resources. Similarly, the Microsoft Sentinel workspace ID is embedded in the AWS configuration, so there is in effect two-way authentication. For Fairfax, we utilize Entra ID for authenticating with AWS through AWS Single Sign-On, establishing an Identity Provider with OpenID Connect and an assumed role.
+- To connect to the SQS queue and the S3 bucket, Microsoft Sentinel uses AWS credentials and connection information embedded in the AWS S3 connector's configuration. The AWS credentials are configured with a role and a permissions policy giving them access to those resources. Similarly, the Microsoft Sentinel workspace ID is embedded in the AWS configuration, so there is in effect two-way authentication.
+
+  For customers in **Azure Government clouds**, Microsoft Sentinel uses a federated web identity provider (Microsoft Entra ID) for authenticating with AWS through OpenID Connect (OIDC), and assuming an AWS IAM role.
 
 ## Connect the S3 connector
 
@@ -70,7 +72,7 @@ This graphic and the following text show how the parts of this connector solutio
 
 - **In Microsoft Sentinel:**
 
-    - Enable and configure the **AWS S3 Connector** in the Microsoft Sentinel portal. See the instructions below.
+    - Enable and configure the **AWS S3 Connector** in the Microsoft Sentinel portal. [See the instructions below]().
 
 ## Automatic setup
 
@@ -173,19 +175,23 @@ The following instructions apply for public **Azure Commercial clouds** only. Fo
 
 1. In a different browser window or tab, open the AWS console.
 
-1. Follow these instructions in the AWS documentation:<br>[Creating a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html).
+1. Create an **IAM assumed role**. Follow these instructions in the AWS documentation:<br>[Creating a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html).
+
    | Parameter | Selection/Value | Comments |
    | - | - | - |
-   | **Account type** | *Another AWS account* | Instead of default *This account*.|
-   | **Account ID** | `197857026523` | Microsoft Sentinel's service account ID for AWS, identifying you as a Microsoft Sentinel user. |
+   | **Trusted entity type** | *AWS account* | Instead of default *AWS service*. |
+   | **Which account** | *Another AWS account*,<br>Account ID `197857026523` | Instead of the default *This account*,<br>Microsoft Sentinel's application service account.|
    | **Options** | *Require external ID* | *Do not* select *Require MFA* |
-   | **External ID** | Your Microsoft Sentinel *Workspace ID*,<br>pasted from your clipboard. | This identifies *your specific Microsoft Sentinel account* to AWS.
+   | **External ID** | Your Microsoft Sentinel *Workspace ID*,<br>pasted from your clipboard. | This identifies *your specific Microsoft Sentinel account* to AWS. |
+   | **Permissions to assign** | <ul><li>`AmazonSQSReadOnlyAccess`<li>`AWSLambdaSQSQueueExecutionRole`<li>`AmazonS3ReadOnlyAccess`<li>`ROSAKMSProviderPolicy`<li>Additional policies for ingesting the different types of AWS service logs. | For information on these policies, see the [AWS S3 connector permissions policies page](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/AwsRequiredPolicies.md) in the Microsoft Sentinel GitHub repository. |
+
+1. Continue with [Add the AWS role and queue information to the S3 data connector](#add-the-aws-role-and-queue-information-to-the-s3-data-connector) below.
 
 #### For Azure Government: Use identity federation
 
 1. In a different browser window or tab, open the AWS console.
 
-1. Follow these instructions in the AWS documentation:<br>[Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html).
+1. Create a **web identity provider**. Follow these instructions in the AWS documentation:<br>[Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html).
 
    | Parameter | Selection/Value | Comments |
    | - | - | - |
@@ -195,22 +201,42 @@ The following instructions apply for public **Azure Commercial clouds** only. Fo
    | **Thumbprint** | `626d44e704d1ceabe3bf0d53397464ac8080142c` | If created in the IAM console, selecting **Get thumbprint** should give you this result. |
    | **Audience** | `api://d4230588-5f84-4281-a9c7-2c15194b28f7` |  |
    
-   - *Create an assume role* 
-      - *Go to AWS IAM Click on Roles. Click on Create role* 
-      - *Select “Web Identity” as trusted entity* 
-      - *From the Identity Provider drop down, select the identity provider created in previous stage.* 
-      - *Select audience `api://1462b192-27f7-4cb9-8523-0f4ecb54b47e`
-
-   - Assign the necessary permissions policies. These policies include:
-      - `AmazonSQSReadOnlyAccess`
-      - `AWSLambdaSQSQueueExecutionRole`
-      - `AmazonS3ReadOnlyAccess`
-      - `ROSAKMSProviderPolicy`
-      - Additional policies for ingesting the different types of AWS service logs.
-      -   For information on these policies, see the [AWS S3 connector permissions policies page](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/AwsRequiredPolicies.md) in the Microsoft Sentinel GitHub repository.
-
-         - Name the role with a meaningful name that includes a reference to Microsoft Sentinel. Example: "*MicrosoftSentinelRole*".
-         - For FairFax, edit Trust policy and add another condition: "sts:RoleSessionName":"MicrosoftDefenderForClouds_<CustomerTenantID_OR_WorkSpaceID(Sentinel)>"
+1. Create an **IAM assumed role**. Follow these instructions in the AWS documentation:<br>[Creating a role for web identity or OpenID Connect Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create).
+
+   | Parameter | Selection/Value | Comments |
+   | - | - | - |
+   | **Trusted entity type** | *Web identity* | Instead of default *AWS service*. |
+   | **Identity provider** | `sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/` | The provider you created in the previous step. |
+   | **Audience** | `api://d4230588-5f84-4281-a9c7-2c15194b28f7` | The audience you defined for the identity provider in the previous step. |
+   | **Permissions to assign** | <ul><li>`AmazonSQSReadOnlyAccess`<li>`AWSLambdaSQSQueueExecutionRole`<li>`AmazonS3ReadOnlyAccess`<li>`ROSAKMSProviderPolicy`<li>Additional policies for ingesting the different types of AWS service logs. | For information on these policies, see the [AWS S3 connector permissions policies page](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/AwsRequiredPolicies.md) in the Microsoft Sentinel GitHub repository. |
+   | **Name** | Example: "*MicrosoftSentinelRole*". | Choose a meaningful name that includes a reference to Microsoft Sentinel. |
+
+
+1. Edit the new role's trust policy and add another condition: `"sts:RoleSessionName": "MicrosoftSentinel_{WORKSPACE_ID)"`
+
+   The trust policy should look like this:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "Federated": "arn:aws:iam::123456789000:oidc-provider/sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/"
+         },
+         "Action": "sts:AssumeRoleWithWebIdentity",
+         "Condition": {
+           "StringEquals": {
+             "sts.windows.net/cab8a31a-1906-4287-a0d8-4eef66b95f6e/:aud": "api://d4230588-5f84-4281-a9c7-2c15194b28f7",
+             "sts:RoleSessionName": "MicrosoftSentinel_12341234-abab-cdcd-efef-567890567890"
+           }
+         }
+       }
+     ]
+   }
+   ```
+   Update the policy when you're done editing.
 
 ### Add the AWS role and queue information to the S3 data connector
 
