This article covers how to create a new S3 bucket to store the CloudTrail logs and how to create an IAM user that Chronicle uses to fetch log feeds from AWS. It also covers how to configure a feed in Chronicle to ingest the AWS Config logs.
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
Configuration
Create a new S3 bucket for storing the CloudTrail logs, or reuse an existing bucket. Follow the steps below to set up the bucket and a trail that writes to it.
- After you sign up for AWS, you can create a bucket in Amazon S3 from the AWS Management Console. Every object in Amazon S3 is stored in a bucket, so you must create one before you can store any data.
- Sign in to the AWS Management Console and open the Amazon S3 console: https://console.aws.amazon.com/s3/
- In the AWS console, search for "CloudTrail".
- Click Create trail.
- Provide a Trail name.
- Select Create new S3 bucket, or choose an existing S3 bucket.
- Provide a name for the AWS KMS alias, or choose an existing AWS KMS key. If you encrypt the trail with a KMS key, the IAM user that reads the logs later needs kms:Decrypt on that key in addition to S3 read access, because the log objects are stored with SSE-KMS.
- Leave the other settings at their defaults and click Next.
- Choose the event types, add Data events if required, and click Next.
- Review the settings on the Review and create page and click Create trail.
- In the AWS console, search for "Amazon S3 Buckets".
- Open the newly created log bucket, select the AWSLogs folder, click Copy S3 URI and save the URI for the following steps.
Logging AWS Config API Calls with AWS CloudTrail
Follow the AWS Config logging instructions to deliver AWS Config data to the S3 bucket created for AWS CloudTrail.
CloudTrail captures all API calls for AWS Config as events. The captured calls include those made from the AWS Config console and programmatic calls to the AWS Config API operations. If you create a trail, you can enable continuous delivery of CloudTrail events, including events for AWS Config, to an Amazon S3 bucket. If you do not configure a trail, you can still view the most recent events in Event history in the CloudTrail console. Using the information collected by CloudTrail, you can determine which request was made to AWS Config, the IP address it came from, who made it, when it was made, and other details.
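The paragraph above lists the fields CloudTrail gives you for each AWS Config API call. The following is an added example, not part of the original article, that reads those fields out of a CloudTrail file and flags the calls that switch configuration recording off. CloudTrail delivers each file as gzip-compressed JSON with a top-level "Records" list; the records here are constructed in that format (already decompressed) with made-up ARNs, IP addresses and times, and the function names are the example's own.

```python
"""Added example: pull AWS Config API calls out of a CloudTrail log file and
flag the ones that stop or remove configuration recording.

The record layout follows CloudTrail's documented format; the events are
constructed for this example with made-up identities and addresses.
"""

# Constructed CloudTrail file contents (normally gzip-compressed on delivery).
SAMPLE_TRAIL = {
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2023-04-26T23:40:01Z",
            "eventSource": "config.amazonaws.com",
            "eventName": "DescribeConfigurationRecorders",
            "awsRegion": "ap-southeast-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2023-04-26T23:41:15Z",
            "eventSource": "config.amazonaws.com",
            "eventName": "StopConfigurationRecorder",
            "awsRegion": "ap-southeast-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/admin/bob"},
            "requestParameters": {"configurationRecorderName": "default"},
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2023-04-26T23:41:40Z",
            "eventSource": "config.amazonaws.com",
            "eventName": "DeleteDeliveryChannel",
            "awsRegion": "ap-southeast-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
            "requestParameters": {"deliveryChannelName": "default"},
            "errorCode": "AccessDenied",  # the call was attempted but refused
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2023-04-26T23:42:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "awsRegion": "ap-southeast-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::111122223333:user/chronicle-feed-user"},
        },
    ]
}

# AWS Config API operations that stop or remove configuration recording.
RECORDING_TAMPERING = {
    "StopConfigurationRecorder",
    "DeleteConfigurationRecorder",
    "DeleteDeliveryChannel",
    "DeleteConfigRule",
}


def config_api_calls(trail: dict) -> list:
    """Summarise every AWS Config API call in a CloudTrail file to the fields
    the article mentions: what was requested, by whom, from where and when."""
    calls = []
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "config.amazonaws.com":
            continue
        calls.append({
            "time": rec.get("eventTime"),
            "action": rec.get("eventName"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "error": rec.get("errorCode"),  # only present when the call failed
        })
    return calls


def recording_tampering(trail: dict) -> list:
    """Calls that would blind AWS Config. A denied attempt is still returned,
    because trying and failing to stop recording is itself worth a look."""
    return [c for c in config_api_calls(trail) if c["action"] in RECORDING_TAMPERING]


if __name__ == "__main__":
    for alert in recording_tampering(SAMPLE_TRAIL):
        print(alert)
```

The detection keys on `eventSource` and `eventName`, which CloudTrail always populates, rather than on free-text fields; `errorCode` is kept in the summary so that a refused attempt can be triaged separately from a successful one.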
Configure AWS Config
1. Log in to AWS, go to AWS Config and click Set up AWS Config. Choose the delivery bucket: either enter the details of an existing bucket or create a new one.
Rules
2. Select the required AWS managed rules and click Next.
The AWS Config developer guide lists every managed rule and is the reference for choosing rules that fit your requirements:
https://docs.aws.amazon.com/pdfs/config/latest/developerguide/config-dg.pdf
The rules fall into these broad kinds:
- Compliance rules: evaluate resource configurations against compliance standards or regulatory requirements.
- Configuration rules: evaluate resource configurations against your own desired configuration standards.
- Performance rules: evaluate whether resource configurations are optimised for performance.
- Security rules: evaluate resource configurations against security standards or requirements.
3. Review the settings on the Review page and confirm to complete the AWS Config setup.
4. In the AWS console, search for "Amazon S3 Buckets".
5. Open the log bucket, select the AWSLogs folder, click Copy S3 URI and save the URI for the following steps.
Configure AWS IAM User
In this step, you create the IAM user that Chronicle uses to read the log feed from S3.
1. In the AWS console, search for IAM.
2. Click Users, and then click Add users.
3. Provide a name for the user, e.g. chronicle-feed-user, select Access key - Programmatic access as the AWS credential type, and click Next: Permissions.
4. Select Attach existing policies directly and attach AmazonS3ReadOnlyAccess, or AmazonS3FullAccess if Chronicle should delete objects from the bucket after reading them (to limit S3 storage costs). Both managed policies apply to every bucket in the account, and AmazonS3FullAccess also grants write and delete on all of them, so treat them as a fallback rather than the default. Click Next: Tags.
5. The recommended alternative to the previous step is a custom policy restricted to the log bucket. Click Create policy and, following the AWS documentation, grant s3:ListBucket on the bucket and s3:GetObject on the objects under the log prefix; add s3:DeleteObject only if the feed's Source Deletion Option will delete files. If the bucket is encrypted with a KMS key, also grant kms:Decrypt on that key.
6. Add any tags if required, and click Next: Review.
7. Review the configuration and click Create user.
8. Copy the Access key ID and Secret access key of the created user for use in the feed configuration. The secret is shown only once; store it in a secrets manager rather than in notes or tickets.
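A scoped policy of the kind step 5 describes, as an added example that is not the article's own policy document: it generates the policy for a hypothetical bucket and prefix, adds s3:DeleteObject only when source deletion is wanted, and a small check shows how it differs from the broad managed policy. The bucket name, prefix and function names are illustrative; the `S3_FULL_ACCESS_LIKE` document is an approximation of what AmazonS3FullAccess grants, included for comparison.

```python
"""Added example: a least-privilege IAM policy for the Chronicle feed user,
next to a check that flags wildcard grants.

Bucket name, prefix and helper names are illustrative; S3_FULL_ACCESS_LIKE
approximates the AmazonS3FullAccess managed policy for comparison only.
"""
import json


def feed_user_policy(bucket: str, prefix: str = "AWSLogs/", allow_delete: bool = False) -> dict:
    """Return an IAM policy document scoped to one bucket and one key prefix.

    s3:ListBucket is a bucket-level action, so it is granted on the bucket ARN
    with an s3:prefix condition. s3:GetObject (and s3:DeleteObject, only when the
    feed's Source Deletion Option deletes transferred files) are object-level
    actions and are granted only on objects under the prefix.
    """
    object_actions = ["s3:GetObject"]
    if allow_delete:
        object_actions.append("s3:DeleteObject")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListLogPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ReadLogObjects",
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


# Constructed approximation of the AmazonS3FullAccess managed policy:
# every S3 action on every bucket in the account.
S3_FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}],
}


def _as_list(value) -> list:
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_grants(policy: dict) -> list:
    """Report Allow statements that use wildcard actions or wildcard resources."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"{sid}: wildcard resource {resources}")
    return findings


if __name__ == "__main__":
    print(json.dumps(feed_user_policy("example-chronicle-logs", allow_delete=True), indent=2))
    print("managed policy findings:", overbroad_grants(S3_FULL_ACCESS_LIKE))
```

Paste the printed JSON into the Create policy JSON editor. Keep `allow_delete` in step with the feed's Source Deletion Option: a delete option on the feed without s3:DeleteObject produces failed deletions, and s3:DeleteObject without a delete option is an unused write permission on your audit trail.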
Configure Feed in Chronicle to Ingest AWS Logs
1. Go to Chronicle settings and click Feeds.
2. Click Add New.
3. Select Amazon S3 as the Source Type and AWS Config (or another AWS service) as the Log Type.
4. Click Next.
5. Select the region and provide the S3 URI of the Amazon S3 bucket you copied earlier. You can append {{datetime("yyyy/MM/dd")}} to the URI so that each poll reads only the prefix for the current day; before relying on this, compare the expanded value with the actual key layout in the bucket, since the date components must match exactly (including zero padding).
6. Under URI IS, select the option for directories including subdirectories. Under Source Deletion Option, choose the setting that matches the permissions of the IAM user created earlier: a delete option requires s3:DeleteObject on the log objects.
7. Provide the Access Key ID and Secret Access Key of the IAM user created earlier.
The feed therefore needs four values gathered in the earlier steps: Region, S3 URI, Access Key ID and Secret Access Key.
8. Click Next and then Finish.
Sample Logs
The following is an excerpt of an AWS Config configuration history record as AWS delivers it to the bucket and Chronicle ingests it. The excerpt is truncated at both ends; the visible item describes an AWS::ACM::Certificate resource.
UED","notBefore":"2023-01-10T00:00:00.000Z","notAfter":"2024-02-08T23:59:59.000Z","keyAlgorithm":"RSA-2048","signatureAlgorithm":"SHA256WITHRSA","inUseBy":[],"type":"AMAZON_ISSUED","keyUsages":[{"name":"DIGITAL_SIGNATURE"},{"name":"KEY_ENCIPHERMENT"}],"extendedKeyUsages":[{"name":"TLS_WEB_SERVER_AUTHENTICATION","oID":"1.3.6.1.5.5.7.3.1"},{"name":"TLS_WEB_CLIENT_AUTHENTICATION","oID":"1.3.6.1.5.5.7.3.2"}],"renewalEligibility":"INELIGIBLE","options":{"certificateTransparencyLoggingPreference":"ENABLED"}},"supplementaryConfiguration":{"Tags":[{"key":"creator","value":"terraform"},{"key":"environment","value":"dev"},{"key":"application","value":"tem"},{"key":"partner","value":"internal"},{"key":"public","value":"false"},{"key":"createdby","value":"euser11@abc.com"},{"key":"poc","value":"euser1_Eng_DevOps@abc.com:"},{"key":"supporting","value":"shared"},{"key":"costcenter","value":"17000"},{"key":"jira","value":"DO-6867"}]},"tags":{"creator":"terraform","environment":"dev","application":"tem","partner":"internal","public":"false","createdby":"euser11@abc.com","poc":"euser1_Eng_DevOps@abc.com:","supporting":"shared","costcenter":"17000","jira":"DO-6867"},"configurationItemVersion":"1.3","configurationItemCaptureTime":"2023-04-26T23:43:40.122Z","configurationStateId":1682552620122,"awsAccountId":"888001132800","configurationItemStatus":"OK","resourceType":"AWS::ACM::Certificate","resourceId":"arn:aws:acm:ap-southeast-1:888001132800:certificate/1b92fa36-356d-4da6-9ae1-628e5ebd4232","ARN":"arn:aws:acm:ap-southeast-1:888001132800:certificate/1b92fa36-356d-4da6-9ae1-628e5ebd4232","awsRegion":"ap-southeast-1","availabilityZone":"Regional","configurationStateMd5Hash":"","resourceCreationTime":"2023-01-10T10:16:14.386Z"},{"relatedEvents":[],"relationships":[],"configuration":{"certificateArn":"arn:aws:acm:ap-southeast-1:888001132800:certificate/f7c5ce76-9d5d-4af0-a090-9b892bfd401b","domainName":"tem.qa.ss.deva.abc.dev","subjectAlternativeNames":
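The excerpt above is one `configurationItems` entry from a configuration history object, which AWS Config delivers as gzip-compressed JSON. The following added example, not code from the article or from Chronicle, decodes such an object and runs a detection over it: certificates that expire within a window and that ACM will not renew on its own (`renewalEligibility` other than `ELIGIBLE`), ranked so that certificates still in use come first. The items are constructed to match the shape of the excerpt, with made-up ARNs, domain names and dates; the function names are the example's own.

```python
"""Added example: decode an AWS Config delivery object and flag ACM
certificates that are close to expiry and that ACM will not renew.

The file layout ({"fileVersion": ..., "configurationItems": [...]}, gzipped)
is AWS Config's; the items are constructed, with made-up ARNs and dates.
"""
import gzip
import json
from datetime import datetime, timezone


def _cert_item(cert_id, domain, not_after, renewal, in_use_by, status="OK"):
    """Build one constructed AWS::ACM::Certificate configuration item."""
    arn = f"arn:aws:acm:ap-southeast-1:111122223333:certificate/{cert_id}"
    return {
        "configurationItemVersion": "1.3",
        "configurationItemCaptureTime": "2023-04-26T23:43:40.122Z",
        "configurationItemStatus": status,
        "resourceType": "AWS::ACM::Certificate",
        "resourceId": arn,
        "ARN": arn,
        "awsRegion": "ap-southeast-1",
        "configuration": {
            "certificateArn": arn,
            "domainName": domain,
            "status": "ISSUED",
            "notAfter": not_after,
            "renewalEligibility": renewal,
            "inUseBy": in_use_by,
        },
    }


SAMPLE_HISTORY = {
    "fileVersion": "1.0",
    "configurationItems": [
        # Unused, cannot be auto-renewed, expires in two weeks: worth a look.
        _cert_item("aaaa-1111", "tem.dev.example.internal",
                   "2023-05-10T23:59:59.000Z", "INELIGIBLE", []),
        # Serving a load balancer, cannot be auto-renewed, expires in five days: urgent.
        _cert_item("bbbb-2222", "api.example.internal",
                   "2023-05-02T23:59:59.000Z", "INELIGIBLE",
                   ["arn:aws:elasticloadbalancing:ap-southeast-1:111122223333:loadbalancer/app/api/abc"]),
        # Far from expiry and eligible for managed renewal: not reported.
        _cert_item("cccc-3333", "www.example.internal",
                   "2024-02-08T23:59:59.000Z", "ELIGIBLE", []),
        # Deleted resource: its stale notAfter must be ignored.
        _cert_item("dddd-4444", "old.example.internal",
                   "2023-04-30T23:59:59.000Z", "INELIGIBLE", [], status="ResourceDeleted"),
    ],
}

# What the object in the bucket looks like on the wire.
SAMPLE_OBJECT = gzip.compress(json.dumps(SAMPLE_HISTORY).encode())


def load_config_items(blob: bytes) -> list:
    """Decompress one AWS Config delivery object and return its configuration items."""
    return json.loads(gzip.decompress(blob)).get("configurationItems", [])


def parse_aws_time(value: str) -> datetime:
    """Parse the UTC timestamps AWS Config uses (millisecond precision, trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def expiring_certificates(items: list, now: datetime, within_days: int = 30) -> list:
    """Return ACM certificates expiring within `within_days` that ACM will not renew itself."""
    findings = []
    for ci in items:
        if ci.get("resourceType") != "AWS::ACM::Certificate":
            continue
        if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
            continue
        cfg = ci.get("configuration") or {}
        not_after = cfg.get("notAfter")
        if not not_after:
            continue  # pending or failed certificates carry no validity period
        days_left = (parse_aws_time(not_after) - now).days
        if days_left > within_days or cfg.get("renewalEligibility") == "ELIGIBLE":
            continue
        findings.append({
            "arn": ci.get("ARN"),
            "domain": cfg.get("domainName"),
            "days_left": days_left,
            "in_use": bool(cfg.get("inUseBy")),
        })
    # Certificates actually serving traffic first, soonest expiry first.
    findings.sort(key=lambda f: (not f["in_use"], f["days_left"]))
    return findings


if __name__ == "__main__":
    now = parse_aws_time("2023-04-27T00:00:00.000Z")
    for finding in expiring_certificates(load_config_items(SAMPLE_OBJECT), now):
        print(finding)
```

The same loop generalises to any resource type AWS Config records: filter on `resourceType`, skip `ResourceDeleted` items so stale configuration is not evaluated, and read the service-specific fields from `configuration`.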