Hi there, I've been following instructions here:
https://www.crowdstrike.com/blog/tech-center/crowdstrike-aws-security-hub/
and
https://github.com/CrowdStrike/Cloud-AWS/tree/main/Security-Hub
CloudFormation job seems to have run okay. I'm able to log into the EC2 instance and confirm I have outbound connectivity, able to reach CrowdStrike URLs.
But fig.service is failing when I run it. Looking at /var/log/messages, I see the following:
Jul 14 19:48:30 ip-10-0-0-157 python3: Failed to connect to the API on us1. Check base_url and ssl_verify configuration settings.
Jul 14 19:48:30 ip-10-0-0-157 systemd: fig.service: main process exited, code=exited, status=1/FAILURE
Jul 14 19:48:30 ip-10-0-0-157 systemd: Unit fig.service entered failed state.
Jul 14 19:48:30 ip-10-0-0-157 systemd: fig.service failed.
The documentation confuses me a bit, because it talks about 6 parameters being needed, but the screenshot of Parameter Store values only shows 5 values (and does not include a base_url parameter). Looking directly at our AWS Parameter Store, I actually see there is no mention of any base_url parameter.
Digging around the code further here:
https://github.com/CrowdStrike/Cloud-AWS/blob/main/Security-Hub/main.py
I see that if base_url isn't specified, it defaults to "us1" - which makes sense considering the error message output.
I'm wondering if someone can explain what went wrong, and if there's supposed to be some step about manually adding a particular URL entry to the parameter store and if so, how that should be formatted (I see two types of entries, for example both FIG_FALCON_CLIENT_ID and Falcon_ClientID parameters, and I want to make sure I know the correct parameter name to use, along with the proper value for the URL). I suspect it is: https://api.laggar.gcw.crowdstrike.com/ but it would be great to have confirmation.