Amazon AWS

DEFEND can collect and analyse several types of AWS Logs. For most AWS services, these are collected from an S3 bucket within your AWS account, using IAM credentials. By default, the SOC will delete logs delivered to S3 once they have been collected.

Configuration Steps

The high-level steps for enabling the SOC to ingest the logs are:

  1. Create an S3 bucket in which to store logs
  2. Enable logging to S3 in the desired services.
  3. Set the S3 bucket prefix to the service name given in the table below.
  4. Create an IAM user called “foxtech-soc” or similar, with permissions to read and delete files from the S3 bucket.
  5. Provide Support with:
    1. AWS Access Key ID
    2. AWS Secret Access Key
    3. S3 Bucket Name
    4. Services being logged (from below)

AWS Services using Logging to S3

Service (S3 bucket prefix to use)   How to enable logging to S3
cloudtrail                          https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html
vpcflow                             https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-create-flow-lo
config                              https://docs.aws.amazon.com/config/latest/developerguide/manage-config.html
alb                                 https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
clb                                 https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
nlb                                 https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
server_access                       https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html

Cloudwatch Logs

CloudWatch Logs is not collected via an S3 bucket. Instead, DEFEND fetches the log groups you specify directly through the AWS APIs.

For DEFEND to process these:

  1. Create an IAM account through which to fetch the logs
  2. Grant the IAM account permissions to read the chosen CloudWatch log groups
  3. Provide Support with the list of log groups to be fetched. By default, we’ll fetch each listed log group from all regions.
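The IAM permissions in step 4 of the S3 procedure (read and delete objects in the log bucket) and step 2 of the CloudWatch procedure (read the chosen log groups) are where over-broad grants usually creep in. The following is an added example, not DEFEND's or AWS's own code: it builds a least-privilege inline policy document for each collection method and runs a small audit that flags wildcard actions, write actions, and unscoped resources. The bucket name, account id, log group names and regions are constructed placeholders.

```python
"""Least-privilege IAM policy documents for SOC log collection (added example)."""
import json


def s3_collector_policy(bucket: str, prefixes: list[str]) -> dict:
    """Policy for the SOC IAM user: list the log bucket, then read and delete
    objects only under the per-service prefixes (cloudtrail/, vpcflow/, ...)."""
    clean = [p.strip("/") for p in prefixes]
    object_arns = [f"arn:aws:s3:::{bucket}/{p}/*" for p in clean]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListLogBucket",
                "Effect": "Allow",
                # Listing is granted on the bucket itself; object access is not.
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ReadAndDeleteCollectedLogs",
                "Effect": "Allow",
                # Delete is needed because collected logs are removed after ingestion.
                "Action": ["s3:GetObject", "s3:DeleteObject"],
                "Resource": object_arns,
            },
        ],
    }


def cloudwatch_collector_policy(account_id: str, log_groups: list[str], regions: list[str]) -> dict:
    """Read-only access to the named log groups in every region they are fetched from."""
    group_arns = [
        f"arn:aws:logs:{region}:{account_id}:log-group:{group}:*"
        for region in regions
        for group in log_groups
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DiscoverLogGroups",
                "Effect": "Allow",
                # Discovery by name is account-wide; the read actions below are not.
                "Action": ["logs:DescribeLogGroups"],
                "Resource": "*",
            },
            {
                "Sid": "ReadSelectedLogGroups",
                "Effect": "Allow",
                "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
                "Resource": group_arns,
            },
        ],
    }


def audit_policy(policy: dict) -> list[str]:
    """Flag statements broader than a log collector needs. Returns a list of findings."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        sid = stmt.get("Sid", "<no Sid>")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            if action.startswith("s3:Put") or action.startswith("iam:"):
                findings.append(f"{sid}: action {action} not needed for log collection")
        # Only discovery calls (logs:Describe*) are acceptable on Resource "*".
        if "*" in resources and not all(a.startswith("logs:Describe") for a in actions):
            findings.append(f"{sid}: Resource '*' on non-discovery actions")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own bucket, account and log groups.
    s3_policy = s3_collector_policy("example-soc-logs", ["cloudtrail", "vpcflow", "server_access"])
    cw_policy = cloudwatch_collector_policy("123456789012", ["/aws/lambda/orders"], ["us-east-1", "eu-west-1"])
    print(json.dumps(s3_policy, indent=2))
    print(json.dumps(cw_policy, indent=2))
    print("S3 findings:", audit_policy(s3_policy))
    print("CloudWatch findings:", audit_policy(cw_policy))
```

Write either document to a file and attach it to the collector user with `aws iam put-user-policy --user-name foxtech-soc --policy-name soc-log-collector --policy-document file://policy.json`. Note that this policy governs only the collector's access; the bucket policy that lets each AWS service deliver its logs into the bucket is a separate grant and is described in the per-service links above.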

At a minimum, we recommend enabling CloudTrail, S3 Server Access Logs and VPC Flow Logs.