Enable VM Threat Detection for AWS

This page describes how to set up and use Virtual Machine Threat Detection to scan for malware in the persistent disks of Amazon Elastic Compute Cloud (EC2) VMs.

To enable VM Threat Detection for AWS, you create an AWS IAM role in AWS, enable VM Threat Detection for AWS in Security Command Center, and then deploy a CloudFormation template in AWS.

Before you begin

To enable VM Threat Detection for AWS, you need certain IAM permissions, and Security Command Center must be connected to AWS.

Roles and permissions

To complete the setup of VM Threat Detection for AWS, you need to be granted roles with the necessary permissions in both Google Cloud and AWS.

Google Cloud roles

Make sure that you have the following role or roles on the organization: Security Center Admin Editor (roles/securitycenter.adminEditor)

Check for the roles

  1. In the Google Cloud console, go to the IAM page.

  2. Select the organization.
  3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

  4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

Grant the roles

  1. In the Google Cloud console, go to the IAM page.

  2. Select the organization.
  3. Click Grant access.
  4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

  5. In the Select a role list, select a role.
  6. To grant additional roles, click Add another role and add each additional role.
  7. Click Save.

AWS roles

In AWS, an AWS administrative user must create the AWS account that you need for enabling scans.

To create a role for VM Threat Detection in AWS, follow these steps:

  1. Using an AWS administrative user account, go to the IAM Roles page in the AWS Management Console.
  2. From the Service or Use Case menu, select Lambda.
  3. Add the following permission policies:
    • AmazonSSMManagedInstanceCore
    • AWSLambdaBasicExecutionRole
    • AWSLambdaVPCAccessExecutionRole
  4. Click Add Permission > Create Inline policy to create a new permission policy:
    1. Open the following page and copy the policy: Role policy for Vulnerability Assessment for AWS and VM Threat Detection.
    2. In the JSON Editor, paste the policy.
    3. Specify a name for the policy.
    4. Save the policy.
  5. Open the Trust Relationships tab.
  6. Paste in the following JSON object, adding it to any existing statement array:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1 or replace with a unique statementId",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudformation.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  7. Save the role.

You assign this role later when you install the CloudFormation template on AWS.
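The role-creation steps above, as an added example written for this page (it is not from the Google Cloud or AWS documentation): a POSIX shell script that creates the role with the AWS CLI, attaches the three managed policies named in step 3, adds the inline policy from a JSON file you saved from the linked policy page, and, before anything is created, checks that the trust policy lets only cloudformation.amazonaws.com assume the role. The role name, the inline policy file name and the Sid are placeholders; the managed-policy ARNs are the ones AWS publishes for those policy names.

```shell
#!/bin/sh
# Added example, not from the Google Cloud or AWS documentation.
# Assumptions: AWS CLI v2 with administrator credentials configured, and the
# inline policy copied from the "Role policy for Vulnerability Assessment for
# AWS and VM Threat Detection" page saved to a local JSON file.

# Managed policies from the setup steps; ARN paths are the ones AWS publishes.
VMTD_MANAGED_POLICIES="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore \
arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole \
arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"

# Print the trust policy from step 6. $1 is the Sid (placeholder default).
# Only the CloudFormation service may assume the role; keep it this narrow.
vmtd_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "${1:-VMThreatDetectionCloudFormation}",
      "Effect": "Allow",
      "Principal": { "Service": "cloudformation.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Return 0 if the trust document in $1 grants sts:AssumeRole to the service
# principal in $2 and to nothing else. Plain-text check, no jq dependency;
# it is conservative and rejects array-valued principals, which the setup
# steps do not use, and any "AWS" (account or user) principal.
trust_policy_only_service() {
  doc="$1"; want="$2"
  printf '%s' "$doc" | grep -q "\"Service\": *\"$want\"" || return 1
  printf '%s' "$doc" | grep -q 'sts:AssumeRole' || return 1
  other=$(printf '%s' "$doc" | grep -o '"Service": *"[^"]*"' \
            | grep -vc "\"$want\"" || true)
  [ "$other" -eq 0 ] || return 1
  printf '%s' "$doc" | grep -q '"AWS": *"' && return 1
  return 0
}

# Create the role as in steps 1 to 7. $1 role name, $2 inline policy file,
# $3 optional Sid.
create_vmtd_role() {
  role="$1"; inline_file="$2"
  trust_file=$(mktemp)
  vmtd_trust_policy "${3:-}" > "$trust_file"
  trust_policy_only_service "$(cat "$trust_file")" cloudformation.amazonaws.com \
    || { echo "trust policy is wider than expected; aborting" >&2; return 1; }
  aws iam create-role --role-name "$role" \
    --assume-role-policy-document "file://$trust_file"
  for arn in $VMTD_MANAGED_POLICIES; do
    aws iam attach-role-policy --role-name "$role" --policy-arn "$arn"
  done
  aws iam put-role-policy --role-name "$role" \
    --policy-name "${role}-inline" --policy-document "file://$inline_file"
  # Read back what IAM stored and show the ARN you will select for the stack.
  aws iam get-role --role-name "$role" \
    --query 'Role.AssumeRolePolicyDocument' --output json
  echo "Role ARN: $(aws iam get-role --role-name "$role" \
    --query Role.Arn --output text)"
}

# Invoke as: sh create-vmtd-role.sh <role-name> <inline-policy.json> [sid]
if [ "$#" -ge 2 ]; then
  create_vmtd_role "$@"
fi
```

Run it as `sh create-vmtd-role.sh VMThreatDetectionRole ./vmtd-inline-policy.json` with administrator credentials configured. If the role already exists and you are adding the statement to an existing trust policy, as step 6 describes, merge it into the existing Statement array under a unique Sid and apply the merged document with `aws iam update-assume-role-policy`; IAM rejects a policy with duplicate Sids. The trust check is deliberately strict: any principal other than the CloudFormation service would let some other identity assume a role that carries SSM and Lambda permissions.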

Confirm Security Command Center is connected to AWS

VM Threat Detection requires access to the inventory of AWS resources that Cloud Asset Inventory maintains when you create an AWS connector.

If a connection is not already established, you are required to set one up when you enable VM Threat Detection for AWS.

To set up a connection, create an AWS connector.

Enable VM Threat Detection for AWS in Security Command Center

VM Threat Detection for AWS must be enabled on Google Cloud at the organization level.

  1. In the Google Cloud console, go to the Virtual Machine Threat Detection Service Enablement page.


  2. Select your organization.

  3. Click the Amazon Web Services tab.

  4. In the Service Enablement section, in the Status field, select Enable.

  5. In the AWS connector section, verify that the status displays AWS Connector added.

    If the status displays No AWS connector added, click Add AWS connector. Complete the steps in Connect to AWS for configuration and resource data collection before you go to the next step.

  6. If you have already enabled the Vulnerability Assessment for AWS service and deployed the CloudFormation template as part of that feature, skip this step. Otherwise, click Download CloudFormation template. A JSON template is downloaded to your workstation; you need to deploy it in each AWS account that you need to scan.

Deploy the AWS CloudFormation template

Perform these steps at least six hours after creating an AWS connector.

For detailed information about how to deploy a CloudFormation template, see Create a stack from the CloudFormation console in the AWS documentation.

  1. Go to the AWS CloudFormation Template page in the AWS Management Console.
  2. Click Stacks > With new resources (standard).
  3. On the Create stack page, select Choose an existing template and Upload a template file to upload the CloudFormation template.
  4. After the upload is complete, enter a unique stack name. Don't modify any other parameters in the template.
  5. Select Specify stack details. The Configure stack options page opens.
  6. Under Permissions, select the AWS role that you created previously.
  7. If prompted, check the box for acknowledgement.
  8. Click Submit to deploy the template. The stack takes a few minutes to start running.

The status of the deployment is displayed in the AWS console. If the CloudFormation template fails to deploy, see Troubleshooting.

After scans start running, if any threats are detected, the corresponding findings are generated and displayed on the Security Command Center Findings page in the Google Cloud console. For more information, see Review findings in the Google Cloud console.

Troubleshooting

If you enabled the VM Threat Detection service, but scans are not running, check the following:

  • Verify that the AWS connector is properly set up.
  • Confirm that the CloudFormation stack deployed completely. Its status in the AWS account should be CREATION_COMPLETE.
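The deployment steps above and the stack check from the troubleshooting list, as an added example written for this page (not from the Google Cloud or AWS documentation): a POSIX shell script that creates the stack with the AWS CLI, waits for it, and, if the stack is not healthy, lists the resources that failed together with CloudFormation's reason. It assumes the AWS CLI with credentials for the account being scanned, the template downloaded from the Service Enablement page, and the ARN of the role created earlier; the stack name is a placeholder. `--role-arn` is the CLI equivalent of the console's Permissions selection, the IAM capabilities correspond to the acknowledgement checkbox, and the CLI reports a finished stack as CREATE_COMPLETE. The AWS connector check on the Google Cloud side is not covered here.

```shell
#!/bin/sh
# Added example, not from the Google Cloud or AWS documentation.
# Assumptions: AWS CLI v2 with credentials for the account to scan, the
# downloaded template on disk, and the ARN of the role created earlier.

# Map a CloudFormation StackStatus to a short verdict. Any rollback or
# failure state means the deployment did not succeed, even if it is still
# in progress; only CREATE_COMPLETE (or UPDATE_COMPLETE) is healthy.
stack_status_class() {
  case "$1" in
    CREATE_COMPLETE|UPDATE_COMPLETE) echo healthy ;;
    *ROLLBACK*|*FAILED*)             echo failed ;;
    *_IN_PROGRESS)                   echo in-progress ;;
    *)                               echo unknown ;;
  esac
}

# Troubleshooting: print the stack status and, when it is not healthy, the
# resources whose creation failed with CloudFormation's reason for each.
check_vmtd_stack() {
  stack="$1"
  status=$(aws cloudformation describe-stacks --stack-name "$stack" \
    --query 'Stacks[0].StackStatus' --output text)
  verdict=$(stack_status_class "$status")
  echo "$stack: $status ($verdict)"
  if [ "$verdict" != healthy ]; then
    aws cloudformation describe-stack-events --stack-name "$stack" \
      --query "StackEvents[?ResourceStatus=='CREATE_FAILED'].[LogicalResourceId,ResourceStatusReason]" \
      --output table
    return 1
  fi
}

# Deploy as in steps 1 to 8. $1 stack name, $2 template file, $3 role ARN.
# No template parameters are passed, matching "Don't modify any other
# parameters in the template".
deploy_vmtd_stack() {
  stack="$1"; template="$2"; role_arn="$3"
  aws cloudformation create-stack \
    --stack-name "$stack" \
    --template-body "file://$template" \
    --role-arn "$role_arn" \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM
  # Blocks until the stack reaches CREATE_COMPLETE; returns non-zero on
  # rollback, so the failure is reported by the check below instead.
  aws cloudformation wait stack-create-complete --stack-name "$stack" || true
  check_vmtd_stack "$stack"
}

# Invoke as: sh deploy-vmtd-stack.sh <stack-name> <template.json> <role-arn>
if [ "$#" -ge 3 ]; then
  deploy_vmtd_stack "$@"
fi
```

To re-run only the troubleshooting check on an existing stack, source the file and call `check_vmtd_stack <stack-name>`; a non-zero exit with a table of CREATE_FAILED resources usually points at a missing permission in the role's inline policy or at a stack created before the connector had finished its initial inventory.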

What's next