Wirespeed uses the AssumeRole API to integrate into your AWS accounts.
This method uses AWS CloudFormation StackSets to deploy the required integration permissions across all AWS organizations underneath your root account. It will also automatically deploy Wirespeed in any new AWS accounts you deploy.
We recommend you test deployment with a subset of accounts first to minimize errors. Copy our CloudFormation Quick Link, log in to your desired AWS console account, and navigate to the copied link to deploy to a single account.

In Wirespeed

  1. Navigate to Automation > Integrations > Add Integration > AWS > Organization-wide
  2. Copy the API key for use in Step 2 below

In AWS

Ensure all accounts you want to integrate with have GuardDuty enabled. If not, the integrations will be set to failed.
  1. Log in to your root AWS account on the AWS console as an Administrator
  2. Ensure Trusted Access has been enabled for your account
  3. Navigate to CloudFormation > Stack Sets > Create Stack Set
  4. Continue with the steps below

Step 1

  1. Permission Model > Service-Managed Permissions
  2. Prepare Template > Template is ready
  3. Specify Template > Amazon S3 URL > https://s3.us-west-2.amazonaws.com/aws-deploy.wirespeed.co/deploy-template.yaml

Step 2

  1. Use a sensible name and description
  2. Provide the API key you copied from the Getting Started > In Wirespeed step above

Step 3

  1. Acknowledge the disclaimer

Step 4

  1. Leave all defaults selected
  2. Choose a single region to deploy in (IAM roles are global, so you only need to choose one)

Step 5

  1. Click Submit

Step 6

  1. This stack set does not include deployment to your root management account. To deploy to that account, log in to the AWS console for your root account, navigate here and follow the instructions.
    Ensure the stack set deploys correctly across all accounts in your organization and address any errors as needed. Reach out to Wirespeed for assistance. Upon successful deployment, the accounts will show up in Wirespeed underneath Automation > Integrations.
    This CloudFormation stack will deploy in all new accounts you make in your organization going forward.

Integrating a single account

CloudFormation (Option A)

  1. Log into Wirespeed
  2. Click Integrations on the side bar
  3. Click Add New Integration
  4. Select AWS from the dropdown
  5. Select Single Account (Auto)
  6. Copy the API key
  7. Click here to deploy a CloudFormation stack
  8. Follow all instructions and default options
Upon completion you will see the account added on the Wirespeed Integrations page.

Manual (Option B)

  1. Log in to your AWS console and open the IAM page.
  2. Go to Access Management > Roles.
  3. Click Create Role.
  4. Under Trusted Entity Type, select AWS Account.
  5. Check Require External ID and enter a secure, randomly generated password.
     a. Be sure to save this information, as you’ll need it later to add the account in Wirespeed.
     b. Note: AWS requires that the External ID match the regular expression ^[\w+=,.@:/-]*$.
  6. Choose Another AWS Account and enter the ID 590183894387.
  7. Select Next to advance to the Add Permissions page.
  8. Open a new tab in IAM and go to the Policies page. Select Create Policy.
  9. In the newly opened browser window, paste the following JSON template:
{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeRegions",
      "guardduty:EnableOrganizationAdminAccount",
      "guardduty:DeleteMalwareProtectionPlan",
      "guardduty:ListThreatIntelSets",
      "guardduty:GetThreatIntelSet",
      "guardduty:CreateDetector",
      "guardduty:DisassociateMembers",
      "guardduty:DescribeMalwareScans",
      "guardduty:UpdateMemberDetectors",
      "guardduty:GetAdministratorAccount",
      "guardduty:GetDetector",
      "guardduty:AcceptInvitation",
      "guardduty:GetRemainingFreeTrialDays",
      "guardduty:UpdateMalwareScanSettings",
      "guardduty:ListInvitations",
      "guardduty:DisassociateFromAdministratorAccount",
      "guardduty:UpdateMalwareProtectionPlan",
      "guardduty:UnarchiveFindings",
      "guardduty:GetMemberDetectors",
      "guardduty:DeclineInvitations",
      "guardduty:DeleteDetector",
      "guardduty:ListPublishingDestinations",
      "guardduty:GetFilter",
      "guardduty:ListTagsForResource",
      "guardduty:ListMembers",
      "guardduty:ListIPSets",
      "guardduty:ListCoverage",
      "guardduty:CreateSampleFindings",
      "guardduty:GetMasterAccount",
      "guardduty:UpdateFindingsFeedback",
      "guardduty:GetCoverageStatistics",
      "guardduty:ListMalwareProtectionPlans",
      "guardduty:GetMembers",
      "guardduty:GetOrganizationStatistics",
      "guardduty:UpdateFilter",
      "guardduty:SendSecurityTelemetry",
      "guardduty:CreateThreatIntelSet",
      "guardduty:StopMonitoringMembers",
      "guardduty:CreateMalwareProtectionPlan",
      "guardduty:CreateFilter",
      "guardduty:GetMalwareScanSettings",
      "guardduty:DisableOrganizationAdminAccount",
      "guardduty:ListFilters",
      "guardduty:DeleteThreatIntelSet",
      "guardduty:GetInvitationsCount",
      "guardduty:GetFindings",
      "guardduty:DeleteMembers",
      "guardduty:DeleteIPSet",
      "guardduty:DeleteFilter",
      "guardduty:AcceptAdministratorInvitation",
      "guardduty:DeletePublishingDestination",
      "guardduty:ListFindings",
      "guardduty:DisassociateFromMasterAccount",
      "guardduty:DeleteInvitations",
      "guardduty:DescribePublishingDestination",
      "guardduty:GetMalwareProtectionPlan",
      "guardduty:InviteMembers",
      "guardduty:ListDetectors",
      "guardduty:ArchiveFindings",
      "guardduty:UpdateDetector",
      "guardduty:GetIPSet",
      "guardduty:StartMalwareScan",
      "guardduty:UpdateOrganizationConfiguration",
      "guardduty:StartMonitoringMembers",
      "guardduty:GetUsageStatistics",
      "guardduty:CreateMembers",
      "guardduty:ListOrganizationAdminAccounts",
      "guardduty:DescribeOrganizationConfiguration",
      "guardduty:GetFindingsStatistics"
    ],
    "Resource": "*"
  }
  ]
}
  10. Click Next, then enter a name for the policy and select Create Policy.
  11. Go back to the role creation window, refresh the policy list, and check the box for the newly created policy.
  12. Click Next.
  13. Provide a name for the role, then review the Trusted Entities section. The trust policy should resemble the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole", 
      "Principal": {
        "AWS": "arn:aws:iam::590183894387:root"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "[RANDOM_PASSWORD]"
        }
      }
    }
  ]
}
  14. Ensure that the newly created policy appears in the permissions section, then select “Create Role”. Note the role ARN.
  15. Log into Wirespeed
  16. Click Integrations on the side bar
  17. Click Add New Integration
  18. Select AWS from the dropdown
  19. Select Single Account (Manual)
  20. Input the Role ARN and External ID
  21. Click Integrate
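
For the manual option, the External ID and the trust policy are the two pieces that are easy to get wrong by hand. The following is an added example, not Wirespeed's own tooling: it generates an External ID that fits the pattern quoted above, builds the trust policy shown on this page, and audits an existing role's trust policy for the expected principal and the `sts:ExternalId` condition. The function names are this example's own.

```python
import json
import re
import secrets

# Values from the page; the function names below are this example's own.
WIRESPEED_ACCOUNT_ID = "590183894387"
EXTERNAL_ID_PATTERN = re.compile(r"^[\w+=,.@:/-]*$", re.ASCII)
EXPECTED_PRINCIPAL = f"arn:aws:iam::{WIRESPEED_ACCOUNT_ID}:root"


def new_external_id(nbytes: int = 32) -> str:
    """Random External ID from the OS CSPRNG (alphabet: A-Z a-z 0-9 - _)."""
    return secrets.token_urlsafe(nbytes)


def build_trust_policy(external_id: str) -> dict:
    """Build the trust policy from the page for the given External ID."""
    if not external_id or not EXTERNAL_ID_PATTERN.fullmatch(external_id):
        raise ValueError("External ID is empty or has characters AWS rejects")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": EXPECTED_PRINCIPAL},
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, external_id: str) -> list:
    """Return problems found in the Allow statements; an empty list means a match."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws != EXPECTED_PRINCIPAL and aws != [EXPECTED_PRINCIPAL]:
            problems.append(f"statement {i}: unexpected principal {aws!r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append(f"statement {i}: sts:ExternalId condition missing or different")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(new_external_id()), indent=2))
```

Run `audit_trust_policy` against the trust policy document of the role you created; a statement without the External ID condition, or one that trusts a different principal, is reported.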