
AWS: CloudWatch

Before configuring AWS CloudWatch, we recommend reviewing Blumira’s AWS: Getting Started Guide.

To enable broad Blumira coverage for AWS, follow these configuration steps:

  1. Configure AWS Kinesis Data Stream and IAM
  2. Configure AWS CloudTrail
  3. Configure AWS CloudWatch (Continue Below)
  4. Configure AWS VPC Flow Logs
  5. Configure AWS GuardDuty


CloudWatch Configuration

  1. Open CloudWatch from the AWS console and select Events > Rules in the left-hand navigation.
  2. Create a new rule with the GuardDuty service (all events) as the source and click Create rule. For the destination, click Add target, select Kinesis stream, and choose the stream created earlier. Prefix the role name so that it is easily identifiable (typically by adding “Blumira”), then click Configure details to name the rule.
  3. After configuration, you should have a rule configured which looks like the following:
  4. Next, configure a log group for VPC Flow Logs by going to CloudWatch Logs > Log Groups and selecting Create log group. Set the Retention setting to a 1 day period, then click Create.
  5. Create an IAM role that allows the CloudWatch Logs service to put logs into the AWS Kinesis Data Stream, using the AWS CLI. Note that this configuration requires that you have the AWS CLI tools installed and configured as an account administrator.
  6. Define the trust policy in a file named TrustPolicyForCWLToKinesis.json, adjusting the region (us-west-2 below) to the region you use:

        {
          "Version": "2012-10-17",
          "Statement": {
            "Effect": "Allow",
            "Principal": { "Service": "logs.us-west-2.amazonaws.com" },
            "Action": "sts:AssumeRole"
          }
        }
  7. Create the IAM role by entering the following command into the AWS CLI:
        $ aws iam create-role --role-name BlumiraCWLtoKinesisDataStreamRole --assume-role-policy-document file://TrustPolicyForCWLToKinesis.json
  8. Create the IAM policy in a file named PermissionPolicyForCWLToDataStream.json, replacing the account number with your own AWS account ID (for example, replace 123455312345 below with your account ID):
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["kinesis:*"],
              "Resource": ["*"]
            },
            {
              "Effect": "Allow",
              "Action": ["iam:PassRole"],
              "Resource": ["arn:aws:iam::123455312345:role/BlumiraCWLtoKinesisDataStreamRole"]
            }
          ]
        }
  9. Attach the IAM policy to the newly created role by entering the following command into the AWS CLI:
        $ aws iam put-role-policy \
            --role-name BlumiraCWLtoKinesisDataStreamRole \
            --policy-name PermissionPolicyForCWLToDataStream \
            --policy-document file://PermissionPolicyForCWLToDataStream.json
  10. Create a subscription filter to send VPC Flow Log data from the log group to the Kinesis data stream by selecting the log group, as pictured below:
  11. Select Current account and, for the destination, the Kinesis data stream created earlier.
  12. Select the permission role created above (BlumiraCWLtoKinesisDataStreamRole). Under Configure log format and filters, set the log format to Amazon VPC Flow Logs and click Start streaming.
  13. Select the log group created for CloudTrail, edit its Retention setting, and set it to expire after 1 day.
  14. With the CloudTrail log group selected, choose Create Kinesis subscription filter from the Action > Subscription filters submenu.
  15. Select Current account and, for the destination, the Kinesis data stream created earlier.
  16. Select the role created above to allow CloudWatch Logs to put logs into the data stream. Choose AWS CloudTrail for the log format, and enter a subscription filter name descriptive enough to identify the purpose of the subscription filter.
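Steps 6 through 9 above hand-edit two JSON files. The following added Python example (not Blumira's or AWS's own code) generates both files with the region and account ID parameterized, and goes beyond the page by tightening them: the trust policy gains an aws:SourceArn condition so only log groups in your account can assume the role, the permission policy is scoped to the single stream ARN with only the put actions a subscription filter needs, and a small check flags the `kinesis:*` on `*` grant shown above. The stream name `blumira-stream` is an assumption; the page does not name the stream.

```python
import json

REGION = "us-west-2"                 # placeholder: use your own region
ACCOUNT_ID = "123455312345"          # example account ID used on this page
STREAM_NAME = "blumira-stream"       # assumption: the page does not name the stream

def trust_policy(region: str, account_id: str) -> dict:
    """TrustPolicyForCWLToKinesis.json: let CloudWatch Logs in `region` assume the role.
    The aws:SourceArn condition restricts which account's log groups may do so."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": f"logs.{region}.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringLike": {"aws:SourceArn": f"arn:aws:logs:{region}:{account_id}:*"}},
        }],
    }

def permission_policy(region: str, account_id: str, stream_name: str) -> dict:
    """PermissionPolicyForCWLToDataStream.json scoped to one stream, not kinesis:* on *."""
    stream_arn = f"arn:aws:kinesis:{region}:{account_id}:stream/{stream_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["kinesis:PutRecord", "kinesis:PutRecords"],
            "Resource": [stream_arn],
        }],
    }

def overly_broad_statements(policy: dict) -> list:
    """Return Allow statements granting wildcard Kinesis actions or a wildcard
    resource, i.e. the shape a review of this role's policy should flag."""
    flagged = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and (any(a in ("*", "kinesis:*") for a in actions) or "*" in resources):
            flagged.append(stmt)
    return flagged

if __name__ == "__main__":
    # Write both files for use with the aws iam create-role / put-role-policy commands above.
    with open("TrustPolicyForCWLToKinesis.json", "w") as f:
        json.dump(trust_policy(REGION, ACCOUNT_ID), f, indent=2)
    with open("PermissionPolicyForCWLToDataStream.json", "w") as f:
        json.dump(permission_policy(REGION, ACCOUNT_ID, STREAM_NAME), f, indent=2)
```

Run it in the directory where you execute the AWS CLI commands, then pass the generated files to `aws iam create-role` and `aws iam put-role-policy` exactly as in steps 7 and 9.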


Now that you’ve configured AWS: CloudWatch for Blumira, continue to the next step in configuring AWS for Blumira – configure AWS: VPC Flow Logs >