Aqua Security can be integrated with Amazon Security Lake as a custom source to send audit events, which you can then view in the AWS S3 bucket integrated with Security Lake. The same audit data can be forwarded to a SIEM.
Amazon Security Lake is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS and third-party sources into a data lake that's stored in your AWS account. Security Lake helps you analyze security data, so you can get a more complete understanding of your security posture across the entire organization.
Aqua currently supports sending audit events of the Container Runtime and CVE types to Amazon Security Lake.
Prerequisites:
- Admin credentials for Amazon Security Lake.
- The ARN of an IAM role for AWS Glue.
- An Amazon S3 bucket already created to store Aqua Security logs.
Integrate with Amazon Security Lake
Step 1: Create Aqua custom sources in AWS Security Lake
1. In the Aqua UI, navigate to Administration > Integrations > Log Management.
2. Select Amazon Security Lake.
3. Click the Disabled button to enable the integration.
4. Copy the script shown under Step 1 in the Aqua UI and run it in a Bash session in AWS CloudShell (for more information, refer to Working with AWS CloudShell). This script creates the Aqua custom sources in Amazon Security Lake.
5. When prompted in the CloudShell session, enter the following details:
   - AWS Account ID: the ID of the AWS account where Amazon Security Lake is deployed.
   - ARN of IAM Role: the ARN of the IAM role that has permission to invoke AWS Glue. For more information on these permissions and on creating the IAM role and policy, refer to Setting up IAM permissions for AWS Glue.
6. Navigate to Amazon Security Lake and select Custom sources. Confirm that Aqua's custom source, aqua-security-finding, has been created.
Step 2: Allow Aqua to send audit events to Amazon Security Lake
1. In the Aqua UI, enter the AWS Region of the Amazon Security Lake deployment with which you want to integrate Aqua.
2. In the Aqua UI, click Launch Stack.
   The Quick create stack page appears. Most fields on the page are populated automatically; do not modify these values.
3. On the Quick create stack page, enter the following details:
   - Glue Invocation Role ARN: in the AWS console, go to Identity and Access Management (IAM) > Roles, select the role you created earlier with Glue invocation permissions, and copy its ARN. For more information, refer to Finding Amazon Resource Names (ARNs).
   - Security Lake S3 Bucket: in the AWS console, go to Amazon S3 > Buckets, select the bucket where you want to store Aqua's audit events, and copy its name.
4. Select the Acknowledgement checkbox.
5. Click Create Stack. A new stack is created.
6. In the stack's detail view, click the Outputs tab.
7. Copy the values of Aqua Event Bridge Bus ARN and Aqua Role ARN.
8. In the Aqua UI, paste the Aqua Role ARN into the Role ARN field and the Aqua Event Bridge Bus ARN into the Event Bridge ARN field.
9. Click Test Connection to verify that the link to the service is working.
10. Click Save.
This integration will allow Aqua to send audit events to the AWS S3 bucket integrated with Amazon Security Lake.
In the Administration > Integrations > Log Management page > AWS Security Lake widget, you can see that it is Enabled.
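Before pasting the two values from the stack's Outputs tab into the Aqua UI (Step 2, items 7 and 8), it is worth checking that each ARN is the kind its field expects and that both point at the same account and region as your Security Lake deployment; a swapped pair or a bus in the wrong region only surfaces later as a failed Test Connection or silently empty bucket. The following Python check is an added example, not part of Aqua's product or this guide, and the ARN values in it are constructed samples.

```python
import re

# Shapes of the two ARNs copied from the stack Outputs tab:
# an EventBridge event bus ARN and an IAM role ARN.
_EVENT_BUS_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:events:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):event-bus/(?P<name>[A-Za-z0-9._/-]+)$"
)
_IAM_ROLE_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:iam::(?P<account>\d{12}):role/(?P<name>[\w+=,.@/-]+)$"
)


def check_aqua_lake_settings(event_bridge_arn, role_arn, lake_region, lake_account):
    """Return a list of problems; an empty list means both values can be saved as-is.

    lake_region and lake_account are the region and 12-digit account ID of the
    Security Lake deployment entered earlier in the Aqua UI.
    """
    event_bridge_arn, role_arn = event_bridge_arn.strip(), role_arn.strip()
    problems = []

    # Most common mistake: the two Outputs values pasted into each other's field.
    if _IAM_ROLE_ARN.match(event_bridge_arn) and _EVENT_BUS_ARN.match(role_arn):
        return ["Values appear swapped: Role ARN holds the event bus and vice versa"]

    bus = _EVENT_BUS_ARN.match(event_bridge_arn)
    if bus is None:
        problems.append("Event Bridge ARN is not an EventBridge event-bus ARN")
    else:
        if bus["region"] != lake_region:
            problems.append(f"Event bus is in {bus['region']}, Security Lake is in {lake_region}")
        if bus["account"] != lake_account:
            problems.append(f"Event bus belongs to account {bus['account']}, expected {lake_account}")

    role = _IAM_ROLE_ARN.match(role_arn)
    if role is None:
        problems.append("Role ARN is not an IAM role ARN")
    elif role["account"] != lake_account:
        problems.append(f"Role belongs to account {role['account']}, expected {lake_account}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with the ones from your own stack Outputs.
    issues = check_aqua_lake_settings(
        "arn:aws:events:us-east-1:123456789012:event-bus/aqua-security-lake-bus",
        "arn:aws:iam::123456789012:role/AquaSecurityLakeRole",
        "us-east-1", "123456789012",
    )
    print("OK" if not issues else "\n".join(issues))
```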
Configuring a feed in Chronicle
1. Go to Chronicle settings and click Feeds.
2. Click Add New.
3. For Source Type, select Amazon S3.
4. For Log Type, select Aqua Security.
5. Click Next.
6. Provide the following details:
   - Region: the region in which the bucket was created.
   - S3 URI: the location of the S3 bucket.
   - URI IS A: select "Directory which includes subdirectories".
   - Source Deletion Option: select "Never Delete Files".
   - Access Key ID: the Access Key ID used to access the S3 bucket.
   - Secret Access Key: the Secret Access Key used to access the S3 bucket.
7. Click Next, then Finish.