This guide will help you configure your AWS environment to centralize log flows for continuous monitoring. This document assumes no previous log flow configurations have been made in your environment. If your environment has been configured for centralized monitoring, you can leverage this document as a reference and validation point for partial changes which may be required to ensure you have broad coverage.
For the purposes of monitoring AWS, Blumira's AWS documentation is laid out to help you gather three primary sources of log information: CloudTrail, VPC Flow Logs, and GuardDuty. This reference log pipeline is built so that you can easily expand monitoring to cover other AWS services you use. Completing the AWS integration should take 45 minutes to 1 hour.
In order to enable broad Blumira coverage for AWS, you will want to follow these configuration steps:
CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis. Blumira leverages CloudTrail to detect unusual activity in your AWS accounts at an API level. CloudTrail must be configured per AWS region.
Configuring AWS CloudTrail requires establishing an S3 bucket for temporary log storage, creating an Identity and Access Management (IAM) role that allows CloudTrail to put logs into a CloudWatch log group, and configuring CloudWatch to receive the logs, filter and process them, and put them into a Kinesis data stream.
VPC Flow Logs is an AWS feature that enables clients to capture information about the IP traffic going to and from network interfaces in an Amazon virtual private cloud (VPC). While the format of a VPC flow log is similar to a firewall's flow log, the data is collected outside the path of your network traffic, so it does not affect throughput or latency for your production workloads. Flow logs can be enabled without any risk of impact to network performance.
By enabling VPC flow logging, we can detect many different security events, including overly permissive security groups and rules, threat actors interacting with VPC resources (such as EC2 hosts or database services), lateral movement across security boundaries, data exfiltration, and various types of denial of service attacks.
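To make the detection use cases above concrete, here is an added example (not Blumira's code or AWS's) that parses default-format VPC Flow Log records and applies two defender-side checks: accepted inbound traffic from a non-RFC 1918 address to an administrative port, which usually points at an overly permissive security group rule, and one external source being rejected on many distinct ports of one host, which looks like a scan. The sample records, the port list, and the scan threshold are constructed assumptions; adjust them to your environment.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log format, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# RFC 1918 ranges, checked explicitly: ipaddress.is_private would also treat
# documentation ranges such as 203.0.113.0/24 as non-public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports whose exposure to the internet usually means an overly permissive
# security group rule (assumption: tune to your own policy).
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379}

# Distinct rejected destination ports from one source before we call it a scan (assumption).
SCAN_PORT_THRESHOLD = 4


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flow_log_line(line):
    """Parse one default-format record. Returns None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA/SKIPDATA rows carry '-' in the numeric fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def analyze(lines):
    """Return a list of findings for inbound (external -> internal) flows."""
    findings = []
    rejected_ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log_line(line)
        if rec is None:
            continue
        inbound = (not is_internal(rec["srcaddr"])) and is_internal(rec["dstaddr"])
        if not inbound:
            continue
        if rec["action"] == "ACCEPT" and rec["dstport"] in ADMIN_PORTS:
            findings.append({"type": "exposed_admin_port", "src": rec["srcaddr"],
                             "dst": rec["dstaddr"], "port": rec["dstport"], "eni": rec["interface_id"]})
        elif rec["action"] == "REJECT":
            rejected_ports[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    for (src, dst), ports in rejected_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append({"type": "port_scan", "src": src, "dst": dst, "ports": sorted(ports)})
    return findings


# Constructed sample records (not real traffic); account and ENI ids are placeholders.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 22 6 12 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 22 51234 6 10 1500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40001 443 6 5 800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.5 10.0.1.10 40000 443 6 5 800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
] + [
    f"2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.10 45000 {port} 6 1 60 1700000000 1700000060 REJECT OK"
    for port in (21, 23, 445, 3389, 8080)
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

Run over the constructed records, the script reports one exposed SSH port (203.0.113.5 accepted to 10.0.1.10:22) and one scan (198.51.100.77 rejected on five ports); the outbound reply, the internal-only flow, the accepted HTTPS flow and the NODATA row produce nothing. In the pipeline this guide describes, the same logic would run on records read from the Kinesis stream rather than from a list.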
Configuring VPC Flow Logs requires creating an Identity and Access Management (IAM) role that allows the VPC service to put flow logs into a CloudWatch log group, and configuring each VPC within an AWS region to generate flow logs and send them to that group. CloudWatch must also be configured with a log group that receives, filters, and puts the flow log information into a Kinesis data stream.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.
By integrating Amazon GuardDuty with Blumira, GuardDuty alerts become actionable and easy to aggregate across multiple accounts. GuardDuty must be configured per AWS region. A list of the finding types GuardDuty can detect is available here.
Configuring AWS GuardDuty requires creating an Identity and Access Management (IAM) role that allows GuardDuty to query various services, including EC2, S3, VPC Flow Logs, and Organizations, and using a CloudWatch event rule on the AWS event bus to read GuardDuty findings and put them into a Kinesis data stream. You should follow the security best practices provided in the AWS Security Best Practices in IAM guide.
AWS event filters offer extensive monitoring coverage of almost all other AWS services. For monitoring use cases outside the core AWS services (such as Lambda), event rules can be configured for the following services.
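The CloudTrail, VPC Flow Logs and GuardDuty sections above each call for an IAM role that lets one AWS service write into the next stage of the pipeline. The following added example (not Blumira's code or AWS's own) generates those role policies scoped to named resources, the EventBridge event pattern that matches GuardDuty findings, and a small least-privilege audit that flags wildcard actions or write actions on every resource. The account id, region and resource names are constructed placeholders; the service principals, actions and ARN formats follow AWS's published examples, and the CloudTrail log stream prefix (`<account>_CloudTrail_<region>`) is the naming CloudTrail uses for the streams it creates.

```python
import json

# Constructed example identifiers; substitute your own account, region and names.
REGION, ACCOUNT = "us-east-1", "123456789012"
TRAIL_GROUP, FLOW_GROUP, STREAM = "blumira-cloudtrail", "blumira-vpc-flow", "blumira-log-stream"

# Action name prefixes treated as read-only by the audit (heuristic, not an AWS definition).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _policy(statements):
    return {"Version": "2012-10-17", "Statement": statements}


def _trust(service, condition=None):
    """Trust policy letting one AWS service principal assume the role."""
    stmt = {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return _policy([stmt])


def _allow(actions, resources):
    return {"Effect": "Allow", "Action": list(actions), "Resource": list(resources)}


def log_group_arn(group):
    return f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{group}"


def stream_arn(stream):
    return f"arn:aws:kinesis:{REGION}:{ACCOUNT}:stream/{stream}"


def cloudtrail_to_cloudwatch_role():
    """Role CloudTrail assumes to write the trail into its CloudWatch log group."""
    # CloudTrail names its streams <account>_CloudTrail_<region>*, so scope writes to that prefix.
    streams = f"{log_group_arn(TRAIL_GROUP)}:log-stream:{ACCOUNT}_CloudTrail_{REGION}*"
    return {"trust": _trust("cloudtrail.amazonaws.com"),
            "permissions": _policy([_allow(["logs:CreateLogStream", "logs:PutLogEvents"], [streams])])}


def flow_logs_to_cloudwatch_role():
    """Role the VPC Flow Logs service assumes to publish flow records."""
    # aws:SourceAccount keeps a flow log in another account from assuming this role (confused deputy).
    trust = _trust("vpc-flow-logs.amazonaws.com", {"StringEquals": {"aws:SourceAccount": ACCOUNT}})
    group = log_group_arn(FLOW_GROUP)
    perms = _policy([
        _allow(["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                "logs:DescribeLogStreams"], [group, f"{group}:*"]),
        # DescribeLogGroups is read-only and cannot be scoped to a single group.
        _allow(["logs:DescribeLogGroups"], ["*"]),
    ])
    return {"trust": trust, "permissions": perms}


def subscription_filter_role():
    """Role CloudWatch Logs assumes to forward subscription-filtered events into Kinesis."""
    trust = _trust("logs.amazonaws.com",
                   {"StringLike": {"aws:SourceArn": f"arn:aws:logs:{REGION}:{ACCOUNT}:*"}})
    return {"trust": trust,
            "permissions": _policy([_allow(["kinesis:PutRecord"], [stream_arn(STREAM)])])}


def eventbridge_to_kinesis_role():
    """Role EventBridge assumes to deliver GuardDuty findings to the Kinesis stream."""
    return {"trust": _trust("events.amazonaws.com"),
            "permissions": _policy([_allow(["kinesis:PutRecord", "kinesis:PutRecords"],
                                           [stream_arn(STREAM)])])}


# Event pattern for the rule that routes GuardDuty findings from the default event bus.
GUARDDUTY_EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}


def audit_policy(policy):
    """Return least-privilege violations: wildcard actions, or '*' resources on write actions."""
    issues = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for act in actions:
            if act == "*" or act.endswith(":*"):
                issues.append(f"wildcard action {act}")
            elif "*" in resources and not act.partition(":")[2].startswith(READ_ONLY_PREFIXES):
                issues.append(f"{act} allowed on every resource")
    return issues


def all_roles():
    return {"cloudtrail": cloudtrail_to_cloudwatch_role(), "flow_logs": flow_logs_to_cloudwatch_role(),
            "subscription": subscription_filter_role(), "eventbridge": eventbridge_to_kinesis_role()}


if __name__ == "__main__":
    for name, role in all_roles().items():
        print(name, "audit:", audit_policy(role["permissions"]) or "clean")
        print(json.dumps(role, indent=2))
```

The generated documents can be saved with `json.dump` and passed to `aws iam create-role` and `aws iam put-role-policy`; the audit is worth keeping in a pipeline so that a later "quick fix" to `kinesis:*` or `Resource: "*"` on a write action is caught before it is deployed.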
The AWS root user account should NEVER be used for the deployment or the implementation operations of this solution.
| Service | Required | Purpose |
|---|---|---|
| Kinesis | True | Kinesis provides a scalable and durable real-time data streaming integration to ensure log data is always captured and retained by Blumira. |
| CloudWatch | True | CloudWatch provides a centralized event bus to route log and event data from your AWS services into the Kinesis data stream. |
| S3 | False | CloudTrail requires that an S3 bucket be established to stage log data. |
| CloudTrail | False | CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis. |
| GuardDuty | False | GuardDuty is an AWS threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. |
For additional guidance on estimating the cost of AWS services, please see https://calculator.aws/
Now you're ready to start the integration setup by configuring the AWS Kinesis Data Stream and IAM.