This article covers how to create an S3 bucket to store CloudTrail logs and the steps to configure Amazon Macie. It also explains how to configure a feed in Chronicle to ingest AWS logs.
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
Creating an Amazon S3 bucket to store CloudTrail logs
Create a new S3 bucket for the CloudTrail logs to be stored in. A pre-existing S3 bucket may also be used.
Follow these steps to configure the S3 bucket:
- After you sign up for AWS, you're ready to create a bucket in Amazon S3 using the AWS Management Console. Every object in Amazon S3 is stored in a bucket. Before you can store data in Amazon S3, you must create a bucket.
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the AWS console, search for "CloudTrail".
- Click Create trail.
- Provide a Trail name.
- Select Create new S3 bucket. You may also choose to use an existing S3 bucket.
- Provide a name for the AWS KMS alias, or choose an existing AWS KMS key.
- You can leave the other settings as default, and click Next.
- Choose the Event type, add Data events as required, and click Next.
- Review the settings in Review and create and click Create trail.
- In the AWS console, search for "Amazon S3 Buckets".
- Click the newly created log bucket, and select the folder AWSLogs. Then click Copy S3 URI and save it for use in the next steps.
Logging AWS Config API Calls with AWS CloudTrail & AWS Macie Configuration
Follow the AWS Config logging instructions to set up AWS Config logging to the S3 bucket created for AWS CloudTrail.
CloudTrail captures all API calls for AWS Config as events. The calls captured include calls from the AWS Config console and code calls to the AWS Config API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Config. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to AWS Config, the IP address from which the request was made, who made the request, when it was made, and additional details.
Configuring AWS Macie
1. Log in to AWS and search for "Macie".
2. Click Create job.
3. Create a new bucket or proceed with an existing one.
4. Next, add the scheduled job as shown in the screenshot below.
5. Next, select the managed data identifiers as shown in the screenshot below.
6. Ignore this step and click Next.
7. Ignore this step and click Next.
8. Give the job a name and click Next.
9. Review all the above steps and click Submit.
10. In the AWS console, search for "Amazon S3 Buckets".
11. Click the newly created log bucket, and select the folder AWSLogs. Then click Copy S3 URI and save it for use in the following steps.
Configuring AWS IAM User
Use this procedure to configure an AWS IAM user which Chronicle will use to get log feeds from AWS.
1. In the AWS console, search for "IAM".
2. Click Users, and then in the following screen, click Add Users.
3. Provide a name for the user, e.g. chronicle-feed-user.
4. Select the AWS credential type Access key - Programmatic access and click Next: Permissions.
5. In the next step, select Attach existing policies directly and select AmazonS3ReadOnlyAccess or AmazonS3FullAccess, as required. Use AmazonS3FullAccess if Chronicle should delete objects from the S3 bucket after reading the logs, to reduce AWS S3 storage costs. Click Next: Tags.
6. As a recommended alternative to the previous step, you can further restrict access to only the specified S3 bucket by creating a custom policy. Click Create policy and follow the AWS documentation to create a custom policy.
7. Add any tags if required, and click Next: Review.
8. Review the configuration and click Create user.
9. Copy the Access key ID and Secret access key of the created user, for use in the next step.
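The custom policy recommended in step 6, as an added example that is not from the original article or from AWS or Chronicle documentation: it scopes the feed user to one bucket and the AWSLogs prefix, with the read-only and the delete-after-ingestion variants, and includes a small review check for over-broad statements. The bucket name is a constructed placeholder.

```python
import json

# Constructed sample values: placeholder bucket name, not a real one.
LOG_BUCKET = "example-cloudtrail-logs"
LOG_PREFIX = "AWSLogs/"  # folder whose S3 URI was copied in the earlier steps


def build_feed_policy(bucket: str, prefix: str, allow_delete: bool = False) -> dict:
    """Policy for the Chronicle feed user, scoped to one bucket and prefix.

    allow_delete=False is the bucket-scoped counterpart of AmazonS3ReadOnlyAccess;
    allow_delete=True additionally lets the feed delete objects after ingestion
    (the AmazonS3FullAccess case above) without granting the rest of s3:*.
    """
    object_actions = ["s3:GetObject"] + (["s3:DeleteObject"] if allow_delete else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # ListBucket is bucket-level; the condition limits it to the log prefix
                "Sid": "ListLogPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {   # object-level actions only on keys under the log prefix
                "Sid": "LogObjects",
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def policy_findings(policy: dict) -> list[str]:
    """Flag statements broader than a single-bucket feed needs (review check)."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants more than read/delete")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"{sid}: resource is not scoped to the log bucket")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_feed_policy(LOG_BUCKET, LOG_PREFIX), indent=2))
```

Paste the printed JSON into the Create policy editor; pass allow_delete=True only when Source Deletion will be enabled on the feed.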
Configure Feed in Chronicle to Ingest AWS Logs
1. Go to Chronicle Settings, and click Feeds.
2. Click Add New.
3. Select Amazon S3 for Source Type.
4. Select AWS Macie (or the other AWS service) for Log Type.
5. Click Next.
6. Select the region and provide the S3 URI of the Amazon S3 bucket you copied earlier. Optionally, you can append the S3 URI with: {{datetime("yyyy/MM/dd")}}
7. Under URI IS A, select Directories including subdirectories. Select an appropriate option under Source Deletion; it must match the permissions of the IAM user created earlier.
8. Provide the Access Key ID and Secret Access Key of the IAM user created earlier.
9. If NetEnrich adds the feed to your Chronicle instance, the following values are required:
- Region
- S3 URI
- ACCESS KEY ID
- SECRET ACCESS KEY
10. Click Next and then Finish.
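A pre-save check for steps 6 and 7, added here as an example that is not part of the original article or of Chronicle itself: it expands the datetime placeholder to the concrete daily prefix and confirms that the Source Deletion choice matches what the IAM user is allowed to do. It assumes the placeholder uses Java-style date tokens (yyyy, MM, dd); the bucket name is a constructed placeholder.

```python
import re

from datetime import date

# Constructed sample feed settings; the bucket name is a placeholder, not a real one.
FEED_S3_URI = 's3://example-cloudtrail-logs/AWSLogs/{{datetime("yyyy/MM/dd")}}'

# Assumption: the datetime() placeholder takes Java-style tokens; only the three used
# in the article are mapped to strftime directives here.
_TOKENS = {"yyyy": "%Y", "MM": "%m", "dd": "%d"}
_TEMPLATE = re.compile(r'\{\{datetime\("([^"]+)"\)\}\}')


def expand_s3_uri(uri: str, day_iso: str) -> str:
    """Resolve every {{datetime("...")}} placeholder to the prefix for the given ISO date."""
    day = date.fromisoformat(day_iso)

    def render(match: re.Match) -> str:
        pattern = match.group(1)
        for token, directive in _TOKENS.items():
            pattern = pattern.replace(token, directive)
        return day.strftime(pattern)

    return _TEMPLATE.sub(render, uri)


def check_feed_settings(uri: str, source_deletion: bool, iam_actions: set[str]) -> list[str]:
    """Return the problems a reviewer would flag before saving the feed."""
    problems = []
    if not uri.startswith("s3://"):
        problems.append("URI must start with s3://")
    if "/AWSLogs" not in uri:
        problems.append("URI does not point at the AWSLogs folder copied from the bucket")
    if "s3:ListBucket" not in iam_actions or "s3:GetObject" not in iam_actions:
        problems.append("IAM user needs s3:ListBucket and s3:GetObject to read the feed")
    if source_deletion and "s3:DeleteObject" not in iam_actions:
        problems.append("Source Deletion is enabled but the IAM user lacks s3:DeleteObject")
    if not source_deletion and "s3:DeleteObject" in iam_actions:
        problems.append("IAM user can delete objects although Source Deletion is off")
    return problems


if __name__ == "__main__":
    print(expand_s3_uri(FEED_S3_URI, "2024-03-07"))
    print(check_feed_settings(FEED_S3_URI, True, {"s3:ListBucket", "s3:GetObject"}))
```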