CloudWatch Configuration
- Open CloudWatch from the AWS console and select Events > Rules in the left-hand navigation.

- Create a new rule with the GuardDuty service as the source, matching all events, and click Create rule. For the destination, click Add target, select Kinesis stream, and choose the stream created earlier. Prefix the role name so that it is easily identifiable (typically by adding "Blumira"). Then click Configure details to name the rule.

- After configuration, you should have a rule configured which looks like the following:

- Next, configure a log group for VPC flow logs by going to CloudWatch Logs > Log Groups and selecting Create log group. Set the Retention setting to a 1 day period, then click Create.

- Create an IAM role to allow the CloudWatch log service to put logs in the AWS Kinesis Data Stream using the AWS CLI. Note that this configuration requires that you have the AWS CLI tools installed and configured as an account administrator.
- Define the trust policy in a file named TrustPolicyForCWLToKinesis.json, adjusting the region in the service principal (us-west-2 below) to your own region:
{
  "Statement": {
    "Effect": "Allow",
    "Principal": { "Service": "logs.us-west-2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }
}
- Create the IAM role by entering the following command into the AWS CLI:
$ aws iam create-role --role-name BlumiraCWLtoKinesisDataStreamRole --assume-role-policy-document file://TrustPolicyForCWLToKinesis.json
- Create the IAM permission policy in a file named PermissionPolicyForCWLToDataStream.json, replacing the account number with your own AWS account ID (for example, replace 123455312345 below with your account ID):
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kinesis:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::123455312345:role/BlumiraCWLtoKinesisDataStreamRole"]
    }
  ]
}
- Attach the IAM policy to the newly created role with the following AWS CLI command:
$ aws iam put-role-policy \
--role-name BlumiraCWLtoKinesisDataStreamRole \
--policy-name PermissionPolicyForCWLToDataStream \
--policy-document file://PermissionPolicyForCWLToDataStream.json
- Create a subscription filter to send VPC flow log data from the log group to the Kinesis data stream by selecting the log group, as pictured below:

- Select Current account and the Kinesis data stream we created in the previous step for a destination.

- Select the permission role created above. Under Configure log format and filters, set the log format to Amazon VPC Flow Logs and click Start streaming.

- Select the log group created for CloudTrail, edit the Retention setting, and set it to expire after 1 day.

- With the CloudTrail log group selected, choose Create Kinesis subscription filter from the Action > Subscription filters sub-menu.

- Select Current account and the Kinesis data stream we created in the previous step for a destination.

- Select the role we created to allow CloudWatch to put logs into our data stream. Choose AWS CloudTrail for the log format, and enter a subscription filter name descriptive enough to identify the purpose of the subscription filter.
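The role, retention and subscription-filter steps above, scripted with the AWS CLI, as an added example that is not Blumira's own tooling. It tightens the page's permission policy from kinesis:* on all resources to PutRecord/PutRecords on the one stream ARN; the stream name (blumira-stream) is an assumption, the account ID is the page's placeholder, and REGION, ACCOUNT_ID and STREAM_NAME can be overridden via the environment.

```shell
#!/bin/sh
# Added example: CloudWatch Logs -> Kinesis role and subscription filter via the AWS CLI.
set -eu

REGION="${REGION:-us-west-2}"
ACCOUNT_ID="${ACCOUNT_ID:-123455312345}"      # placeholder account ID from the page
STREAM_NAME="${STREAM_NAME:-blumira-stream}"  # assumed name of the Kinesis data stream
ROLE_NAME="BlumiraCWLtoKinesisDataStreamRole"

# Trust policy: only the CloudWatch Logs service in the given region may assume the role.
trust_policy() {
  printf '{"Statement":{"Effect":"Allow","Principal":{"Service":"logs.%s.amazonaws.com"},"Action":"sts:AssumeRole"}}\n' "$1"
}

# Permission policy scoped to a single stream ARN (region, account, stream) instead of "*".
permission_policy() {
  cat <<EOF
{"Statement":[
 {"Effect":"Allow","Action":["kinesis:PutRecord","kinesis:PutRecords"],
  "Resource":["arn:aws:kinesis:$1:$2:stream/$3"]},
 {"Effect":"Allow","Action":["iam:PassRole"],
  "Resource":["arn:aws:iam::$2:role/${ROLE_NAME}"]}
]}
EOF
}

# Create the role and attach the inline policy (equivalent of the two aws iam commands above).
create_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$REGION")"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name PermissionPolicyForCWLToDataStream \
    --policy-document "$(permission_policy "$REGION" "$ACCOUNT_ID" "$STREAM_NAME")"
}

# 1-day retention plus a subscription filter that forwards every event (empty pattern).
configure_subscription() {
  aws logs create-log-group --log-group-name "$1" --region "$REGION" || true  # may already exist
  aws logs put-retention-policy --log-group-name "$1" --retention-in-days 1 --region "$REGION"
  aws logs put-subscription-filter --log-group-name "$1" --filter-name "$2" --filter-pattern "" \
    --destination-arn "arn:aws:kinesis:${REGION}:${ACCOUNT_ID}:stream/${STREAM_NAME}" \
    --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" --region "$REGION"
}

# Only touch AWS when explicitly asked: ./script.sh apply <vpc-log-group> <cloudtrail-log-group>
if [ "${1:-}" = "apply" ]; then
  create_role
  configure_subscription "$2" "blumira-vpc-flow-logs"
  configure_subscription "$3" "blumira-cloudtrail"
fi
```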

Now that you’ve configured AWS: CloudWatch for Blumira, continue to the next step in configuring AWS for Blumira – configure AWS: VPC Flow Logs >