# Get started with AWS AppFabric for security
<a name="getting-started-security"></a>

To get started with AWS AppFabric for security, you must first create an app bundle and then authorize and connect applications to your app bundle. After app authorizations are connected to applications, you can use AppFabric for security features such as audit log ingestions and user access.

This section explains how to start using AppFabric in the AWS Management Console.

**Topics**
+ [Prerequisites](#getting-started-prerequisites)
+ [Step 1: Create app bundle](#getting-started-1-create-app-bundle)
+ [Step 2: Authorize applications](#getting-started-2-authorize-application)
+ [Step 3: Set up audit log ingestions](#getting-started-3-set-up-ingestion)
+ [Step 4: Use the user access tool](#getting-started-4-user-access-tool)
+ [Step 5: Connect AppFabric for security data in security tools and other destinations](#getting-started-5-connect-appfabric-to-security-tools)

## Prerequisites
<a name="getting-started-prerequisites"></a>

Before you get started, you must first create an AWS account and an administrative user. For more information, see [Sign up for an AWS account](prerequisites.md#sign-up-for-aws) and [Create a user with administrative access](prerequisites.md#create-an-admin).

## Step 1: Create app bundle
<a name="getting-started-1-create-app-bundle"></a>

An app bundle stores all of your AppFabric for security app authorizations and ingestions. To create an app bundle, set up an encryption key to securely protect your authorized application data.

1. Open the AppFabric console at [https://console.aws.amazon.com/appfabric/](https://console.aws.amazon.com/appfabric/).

1. In the **Select a Region** selector in the upper-right corner of the page, select an AWS Region. AppFabric is available in the US East (N. Virginia), Europe (Ireland), and Asia Pacific (Tokyo) Regions only.

1. Choose **Getting started**.

1. On the **Getting started** page, for **Step 1. Create app bundle**, choose **Create app bundle**.

1. In the **Encryption** section, set up an encryption key to securely protect your data from all authorized applications. This key is used to encrypt your data within the AppFabric for security service.

   AppFabric for security encrypts data by default. AppFabric can use an AWS owned key created and managed by AppFabric on your behalf or a customer managed key that you create and manage in AWS Key Management Service (AWS KMS).

1. For **AWS KMS Key**, choose either **Use AWS owned key** or **Customer managed key**.

   If you choose to use a customer managed key, enter either the Amazon Resource Name (ARN) or the key ID of the existing key that you want to use, or choose **Create an AWS KMS key**.

   Consider the following when choosing an AWS owned key or a customer managed key:
   + **AWS owned keys** are a collection of AWS Key Management Service (AWS KMS) keys that an AWS service owns and manages for use in multiple AWS accounts. Although AWS owned keys are not in your AWS account, an AWS service can use an AWS owned key to protect the resources in your account. AWS owned keys don't count against the AWS KMS quotas for your account. You don't need to create or maintain the key or its key policy. The rotation of AWS owned keys varies across services. For information about the rotation of an AWS owned key for AppFabric, see [Encryption at rest](data-protection.md#encryption-rest).
   + Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these AWS KMS keys. You can establish and maintain their key policies, AWS Identity and Access Management (IAM) policies, and grants. You can enable and disable them, rotate their cryptographic material, add tags, create aliases that refer to the AWS KMS keys, and schedule the AWS KMS keys for deletion. Customer managed keys appear on the **Customer managed keys page** of the AWS Management Console for AWS KMS.

     To definitively identify a customer managed key, use the `DescribeKey` operation. For customer managed keys, the value of the `KeyManager` field of the `DescribeKey` response is `CUSTOMER`. You can use your customer managed key in cryptographic operations and audit usage in AWS CloudTrail logs. With many AWS services that integrate with AWS KMS, you can specify a customer managed key to protect the data stored and managed for you. Customer managed keys incur a monthly fee and a fee for use in excess of the AWS Free Tier. Customer managed keys count against the AWS KMS quotas for your account.

   For more information about AWS owned keys and customer managed keys, see [Customer keys and AWS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) in the *AWS Key Management Service Developer Guide*.
**Note**  
When an app bundle is created, AppFabric for security also creates a special IAM role in your AWS account called a service-linked role (SLR) for AppFabric. It allows the service to send metrics to Amazon CloudWatch. After you add an audit log destination, the SLR allows the AppFabric for security service access to your AWS resources (Amazon S3 buckets, Amazon Data Firehose delivery streams). For more information, see [Using service-linked roles for AppFabric](using-service-linked-roles.md).

1. (Optional) For **Tags**, you have the option to add tags to your app bundle. Tags are key-value pairs that assign metadata to resources that you create. For more information, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *AWS Tag Editor User Guide*.

1. To create your app bundle, choose **Create app bundle**.

## Step 2: Authorize applications
<a name="getting-started-2-authorize-application"></a>

After your app bundle is created successfully, you can now authorize AppFabric for security to connect and interact with each of your applications. Authorized applications are encrypted and stored in your app bundle. To set up multiple app authorizations per app bundle, repeat the app authorization step as needed for each application.

Before you begin the steps to authorize applications, review and verify prerequisites for each application, such as the plan type needed, in [Supported applications in AppFabric for security](supported-applications.md).

1. On the **Getting started** page, for **Step 2. Authorize applications**, choose **Create app authorization**.

1. In the **App authorization** section, select the application that you want to grant permission for AppFabric for security to connect to from the **Application** dropdown. The applications shown are those that are currently supported by AppFabric for security.

1. When you select an application, required fields of information appear. These fields include tenant ID and tenant name and might also include client ID, client secret, or personal access token. The input values for these fields varies by application. For detailed application-specific instructions on how to find these values, see [Supported applications in AppFabric for security](supported-applications.md).

1. (Optional) For **Tags**, you have the option to add tags to your app authorization. Tags are key-value pairs that assign metadata to resources that you create. For more information, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *AWS Tag Editor User Guide*.

1. Choose **Create app authorization**.

1. If a pop-up window appears (dependent upon the application that is being connected), select **Allow** to authorize AppFabric for security to connect with your application.

   If your app authorization was successful, you will see a success message of **App authorization connected** on the **Getting Started** page.

1. You can check the status of your app authorization at any time on the **App authorizations** page listed in the navigation pane, under status for each application. A **Connected** status means that your app authorization has been granted for AppFabric for security to connect to the application and is complete.

1. Possible app authorization statuses are shown in the following table, including troubleshooting steps that you can take to fix related errors.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appfabric/latest/adminguide/getting-started-security.html)

1. To authorize additional applications, repeat steps 1 through 8 as needed.

## Step 3: Set up audit log ingestions
<a name="getting-started-3-set-up-ingestion"></a>

After you have at least one app authorization created in your app bundle, you can now set up an audit log ingestion. An audit log ingestion consumes audit logs from an authorized application and normalizes them into the Open Cybersecurity Schema Framework (OCSF). It then delivers them to one or more destinations within AWS. You can also choose to deliver raw JSON files to your destinations.

1. On the **Getting started** page, for the **Step 3. Set up audit log ingestions** section, select **Ingestions quick setup**.
**Note**  
For faster setup, use the **Ingestions quick setup** page, accessible from the **Getting started** page only, to create ingestions for multiple app authorizations at a time, with the same ingestion destination. For example, the same Amazon S3 bucket or Amazon Data Firehose data stream.  
You can also create ingestions from the **Ingestions** page, accessible from the navigation pane. On the **Ingestions** page, you can set up one ingestion at a time to distinct destinations. On the **Ingestions** page, you can also create a tag for an ingestion. The following instructions are for the **Ingestions quick setup** page.

1. For **Select app authorizations**, select the app authorizations that you want to create an audit log ingestions for. The tenant names that appear in the **App authorizations** dropdown are the tenant names of applications that you have previously created an app authorization for with AppFabric for security.

1. For **Add destination**, select a destination for the audit log ingestions of the applications that you selected. Destination options include **Amazon S3 - Existing Bucket**, **Amazon S3 - New Bucket**, or **Amazon Data Firehose**. If you select multiple tenant names, the destination you choose is applied to each ingestion of an app authorization.

1. When you choose a destination, additional required fields appear.

   1. If you choose **Amazon S3 — New bucket** as your destination, you must enter the name of the S3 bucket that you want to create. For more instructions on how to create an Amazon S3 bucket, see [Create an output destination](prerequisites.md#create-output-location).

   1. If you choose **Amazon S3 — Existing bucket** as your destination, select the name of the Amazon S3 bucket that you want to use.

   1. If you choose **Amazon Data Firehose** as your destination, select the name of the delivery stream from the Firehose delivery stream name dropdown list. For more instructions on how to create an Amazon Data Firehose delivery stream, see [Create an output destination](prerequisites.md#create-output-location), and note the permissions policy required for AppFabric for security.

1. For **Schema & Format**, you can choose to store your audit logs in **Raw - JSON**, **OCSF - JSON**, **OCSF - Parquet for Amazon S3 buckets**, or **Raw - JSON or OCSF-JSON for Firehose**.

   The Raw data format provides your audit log data converted to JSON from a string of data. The OCSF data format normalizes your audit log data to the AppFabric for security Open Cybersecurity Schema Framework (OCSF) schema. For more information about how AppFabric uses OCSF, see [Open Cybersecurity Schema Framework for AWS AppFabric](ocsf-schema.md). You can select only one schema and format data type at a time for an ingestion. If you want to add an additional schema and format data type, you can set up an additional ingestion destination by repeating the ingestion creation process.

1. (Optional) If you want to add a tag to an ingestion, go to the **Ingestions** page from the navigation pane. To go to the ingestion details page, select the tenant name. For **Tags**, you have the option to add tags to your ingestion. Tags are key-value pairs that assign metadata to resources that you create. For more information, see [Tagging your AWS resources](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html) in the *AWS Tag Editor User Guide*.

1. Choose **Set up ingestions**.

   When you successfully set up an ingestion, you will see a success message of **Ingestion created** on the **Getting Started** page.

1. You can also check the state of your ingestions and status of your ingestion destinations at any time on the **Ingestions** page from the navigation pane. On this page, you can see the tenant name created upon creating app authorization, destination, and state of your ingestions. A state of **Enabled** for your ingestion means that your ingestion is enabled. If you choose the tenant name of an app authorization on this page, you can see a detail page for that app authorization, including destination details and status. A status of **Active** for your ingestion destination means that the destination is set up properly and active. If the app authorization has the **Connected** status and the ingestion destination status is **Active**, then the audit log should be processed and delivered. If the app authorization status or the ingestion destination status are any of the failed states, the audit log will not be processed or delivered even if the ingestion status is enabled. To fix an app authorization failure, see [Step 2. Authorize applications](#getting-started-2-authorize-application).

1. Possible ingestion and ingestion destination statuses are shown in the following table, with troubleshooting steps that you can take to fix any error status.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appfabric/latest/adminguide/getting-started-security.html)

## Step 4: Use the user access tool
<a name="getting-started-4-user-access-tool"></a>

Using the AppFabric for security user access tool, security and IT Admin teams can quickly see who has access to specific applications by running a simple search using the employee’s corporate email address. This approach can be helpful in reducing time spent on tasks like user deprovisioning that might require manually checking or auditing a user’s access across SaaS applications. If a user is found, AppFabric for security provides the user’s name in the application and their in-app user status (for example, Active) if provided by the application. AppFabric for security searches all authorized applications in an app bundle to return a list of applications that the user has access to.

1. On the **Getting Started** page, for **Step 4. Use the user access tool**, choose **Look up user**.

1. In the **Email address** field, type a user’s email address, and choose **Search**.

1. In the **Search results** section, you see a list of all authorized applications that the user has access to. To show the user’s name in the application and their status (if available), select a search result.

1. A message of **User found** in the search results column means that the user can access the app listed. The following table shows the possible search results, errors, and the actions that you can take to address the errors.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appfabric/latest/adminguide/getting-started-security.html)

## Step 5: Connect AppFabric for security data in security tools and other destinations
<a name="getting-started-5-connect-appfabric-to-security-tools"></a>

Normalized (or raw) application data from AppFabric is compatible with any tool that supports data ingestion from Amazon S3 and integration with Firehose, including security tools like Barracuda XDR, Dynatrace, Logz.io, Netskope, NetWitness, Rapid7, and Splunk, or your proprietary security solution. To get normalized (or raw) application data from AppFabric, follow the previous steps 1 through 3. For more details on how to set up specific security tools and services, see [Compatible security tools and services](security-tools.md).