Amazon Web Services (AWS) Log Collection
The Amazon Web Services (AWS) Log Collection feature collects logs from multiple Amazon Web Services. Each service requires its own AWS Identity and Access Management (IAM) user. The IAM user is assigned to a System Monitor, which uses that user's credentials to collect logs from the service.
Prerequisites
- Internet access for System Monitor
- Access to the AWS log source configuration file (for example, cloudconfig.ini)
Create an AWS IAM User
An AWS IAM user enables you to securely control access to AWS services and resources for your users. This is the user needed to collect logs.
- Sign in to the AWS Management Console, and then open the IAM console at https://console.aws.amazon.com/iam.
- In the navigation pane, click Users, and then click Create New Users.
Type the user names for the users you want to create. You can create up to five users at one time.
User names can only use a combination of alphanumeric characters and the following special characters: plus (+), equal (=), comma (,), period (.), at (@), and hyphen (-). For more information about IAM entity limitations, see Limitation on IAM Entities and Objects on the Amazon website.
- If the users require access to the API, AWS CLI, or Tools for Windows PowerShell, they must have access keys. To generate an access key for a new user, click Generate an access key for each user, and then click Create.
Download the access key IDs and secret keys for the new users from the confirmation page.
This is your only opportunity to view or download the keys, and you must provide this information to your users before they can use the AWS API. If you do not download and save them now, you will need to create new access keys for users at a later date. Save the user's new access key ID and secret access key in a safe and secure place.
To download and save the keys:
- Click Show User Security Credentials.
- Click Download Credentials, and then save the access key IDs and secret access keys to a .csv file.
- If the user needs to access the AWS Management Console, create a password for the user. For more information, see Creating, Changing, or Deleting an IAM User Password (AWS Management) on the Amazon website.
Make the user a member of a group with policies that provide the appropriate permissions for this user to access AWS resources. It is recommended to use groups rather than attach policies directly to users. For more information, see Attaching Managed Policies.
The following managed policies are recommended, according to each service:
- CloudTrail: AWSCloudTrailReadOnlyAccess
- CloudWatch: CloudWatchReadOnlyAccess
- Config: AWSConfigUserAccess
- S3: Refer to Amazon S3 Bucket Policy Examples.
- Provide the user with the sign-in information:
- User name
- Password and/or access keys
- URL to the sign-in page for the owner account. For the URL, use the following example, substituting the correct account ID number (<acct-ID>) or account alias (<acct-alias>): https://<acct-ID>.signin.aws.amazon.com/console or https://<acct-alias>.signin.aws.amazon.com/console
- Save the user or users.
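The same IAM user procedure scripted with the AWS CLI, as an added example that is not part of the LogRhythm documentation or AWS tooling: it enforces the user-name character rule above, maps each collectable service to its recommended read-only managed policy, grants it through a group rather than directly to the user, and saves the access key the one time it is shown. It assumes the AWS CLI is installed and already authenticated as an administrator; the group naming scheme and the output file name are this example's own choices.

```shell
#!/bin/sh
# Added example (not LogRhythm's or AWS's own code). Scripts the IAM user
# procedure with the AWS CLI: one read-only group per service, one collector
# user per service, and a single one-time download of the access key.
# Assumes the AWS CLI is installed and authenticated as an administrator.

# Character rule from the procedure: alphanumerics plus + = , . @ and hyphen.
# The 64-character cap is the IAM user-name length limit.
validate_iam_username() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+=,.@-]{1,64}$'
}

# Recommended AWS managed policy for each collectable service. S3 has no
# single managed policy here: the procedure points at bucket policy examples.
policy_arn_for_service() {
    case "$1" in
        cloudtrail) echo 'arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess' ;;
        cloudwatch) echo 'arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess' ;;
        config)     echo 'arn:aws:iam::aws:policy/AWSConfigUserAccess' ;;
        *) echo "no managed policy mapping for service '$1'" >&2; return 1 ;;
    esac
}

# Create the group if missing, attach the policy to the group (not the user),
# create the user, add it to the group and save its access key once.
provision_collector_user() {
    service=$1; user=$2
    group="lr-${service}-readers"            # example naming scheme
    out="${user}.credentials.json"           # example output location
    validate_iam_username "$user" || { echo "invalid IAM user name: $user" >&2; return 1; }
    arn=$(policy_arn_for_service "$service") || return 1
    aws iam get-group --group-name "$group" >/dev/null 2>&1 \
        || aws iam create-group --group-name "$group" >/dev/null
    aws iam attach-group-policy --group-name "$group" --policy-arn "$arn"
    aws iam create-user --user-name "$user" >/dev/null
    aws iam add-user-to-group --user-name "$user" --group-name "$group"
    # The secret access key is returned exactly once; store it owner-readable only.
    ( umask 077; aws iam create-access-key --user-name "$user" > "$out" )
    echo "access key for $user saved to $out (the secret cannot be retrieved again)"
}

# Makes changes in the account only when explicitly requested, for example:
#   PROVISION=1 sh aws-collector-user.sh cloudtrail lr-cloudtrail-collector
if [ "${PROVISION:-0}" = 1 ]; then
    provision_collector_user "$1" "$2"
fi
```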
Available Log Formats
This section is divided into five subsections. Each subsection contains instructions for adding a LogRhythm Log Source to collect a different type of AWS event. Select the subsection for the type of AWS events you want to collect.
- API - AWS CloudTrail
- API - AWS CloudWatch Alarm
- API - AWS Config Event
- API - AWS S3 CloudTrail (via Flat File)
- API - AWS S3 Server Access Event
If you want to collect AWS events from multiple regions (for example, one or more additional regions that are in use for the purpose of backups or disaster recovery), you will need to modify a separate configuration file (.ini) with a unique name for each region, and then create a separate LogRhythm Log Source that points to each .ini file. Similarly, if you have multiple AWS accounts, you will need a unique .ini file and accompanying Log Source for each account.