Collect AWS Config logs

Supported in:

This document explains how to create a new S3 bucket to store the CloudTrail logs and how to create an IAM user to retrieve the log feeds from AWS. AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

Before you begin

Ensure you have the following prerequisites:

  • Google SecOps instance
  • Privileged access to AWS

Configure CloudTrail and AWS S3 bucket

  1. Sign in to the AWS Management Console.
  2. Go to the Amazon S3 console.
  3. In the AWS console, search for Cloudtrail.
  4. Click Create trail.
  5. Provide a Trail name.
  6. Select Create new S3 bucket (you may also choose to use an existing S3 bucket).

  7. Provide a name for the AWS KMS alias, or choose an existing AWS KMS Key.

  8. Click Next.

  9. Choose Event type and add Data events.

  10. Click Next.

  11. Review the settings and click Create trail.

  12. In the AWS console, search for S3 Buckets.

  13. Click the newly created log bucket, and select the AWSLogs folder.

  14. Click Copy S3 URI and save it.

Configure AWS Config API Calls Logging

  1. In AWS, go to AWS Config > Set up AWS Config.
  2. Select the bucket type (either select the existing bucket details or create a new one).
  3. Select all required AWS-managed rules and click Next to select a bucket.
  4. Refer to AWS Config for details on rule types to help you select the appropriate rule based on your requirements:
    • Compliance rules: allow to evaluate the configurations of resources to ensure that they meet compliance standards or regulatory requirements.
    • Configuration rules: allow to evaluate the configurations of resources to ensure that they meet the required configuration standards.
    • Performance rules: allow to evaluate the configurations of resources to ensure that they are optimized for performance.
    • Security rules: allow to evaluate the configurations of resources to ensure that they meet security standards or requirements.
  5. Click Create config.
  6. Go to Amazon S3.
  7. Click the newly created log bucket, and select the folder AWSLogs.
  8. Click Copy S3 URI and save it.

Configure AWS IAM User

  1. In the AWS console, search for IAM.
  2. Click Users.
  3. Click Add Users.
  4. Provide a name for the user (for example, chronicle-feed-user).
  5. Select Access key - Programmatic access as the AWS credential type.
  6. Click Next: Permissions.
  7. Select Attach existing policies directly.
  8. Select AmazonS3ReadOnlyAccess or AmazonS3FullAccess.
  1. Click Next: Tags.
  2. Optional: Add any tags if required.
  3. Click Next: Review.
  4. Review the configuration and click Create user.
  5. Copy the Access key ID and Secret access key of the created user.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds
  • Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure multiple feeds for different log types within this product family, see Configure feeds by product.

To configure a single feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, AWS Config Logs).
  5. Select Amazon S3 as the Source type.
  6. Select AWS Config as the Log type.
  7. Click Next.

  8. Specify values for the following input parameters:

    • Region: The region where the Amazon S3 bucket is located.
    • S3 URI: The bucket URI.
      • s3:/BUCKET_NAME
        • Replace BUCKET_NAME with the actual name of your S3 bucket.
    • URI is a: Select the URI_TYPE according to the log stream configuration (Single file | Directory | Directory which includes subdirectories).
    • Source deletion options: Select the deletion option according to your ingestion preferences.

    • Access Key ID: The user's access key with permissions to read from the S3 bucket.

    • Secret Access Key: The user's secret key with permissions to read from the S3 bucket.

    • Asset namespace: The asset namespace.

    • Ingestion labels: The label to be applied to the events from this feed.

  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

  • Region: The region where the Amazon S3 bucket is located.
  • S3 URI: The bucket URI.
    • s3:/BUCKET_NAME
      • Replace BUCKET_NAME with the actual name of your S3 bucket.
  • URI is a: Select the URI_TYPE according to the log stream configuration (Single file | Directory | Directory which includes subdirectories).
  • Source deletion options: Select the deletion option according to your ingestion preferences.

  • Access Key ID: The user's access key with permissions to read from the S3 bucket.

  • Secret Access Key: The user's secret key with permissions to read from the S3 bucket.

Advanced Options

  • Feed Name: A prepopulated value that identifies the feed.
  • Source Type: Method used to collect logs into Google SecOps.
  • Asset Namespace: Namespace associated with the feed.
  • Ingestion Labels: Labels applied to all events from this feed.

UDM Mapping

Log field UDM mapping Logic
ARN target.resource.id The value is taken from the ARN field.
awsAccountId principal.user.userid The value is taken from the awsAccountId field.
awsRegion target.asset.location.country_or_region The value is taken from the awsRegion field.
configurationItem.awsAccountId principal.user.userid The value is taken from the configurationItem.awsAccountId field.
configurationItem.configurationItemCaptureTime target.asset.attribute.creation_time The value is taken from the configurationItem.configurationItemCaptureTime field and converted to a timestamp.
configurationItem.configurationItemStatus target.asset.attribute.labels.value The value is taken from the configurationItem.configurationItemStatus field. The key is set to "Configuration Item Status".
configurationItem.relationships.name additional.fields.value.list_value.values.string_value The value is taken from the configurationItem.relationships.name field. The key is set to "configurationItem.relationships.resource_names".
configurationItem.relationships.resourceId additional.fields.value.list_value.values.string_value The value is taken from the configurationItem.relationships.resourceId field. The key is set to "configurationItem.relationships.resource_ids".
configurationItem.relationships.resourceType additional.fields.value.list_value.values.string_value The value is taken from the configurationItem.relationships.resourceType field. The key is set to "configurationItem.relationships.resource_types".
configurationItem.resourceId target.resource.id The value is taken from the configurationItem.resourceId field.
configurationItem.resourceType target.resource.resource_subtype The value is taken from the configurationItem.resourceType field.
N/A metadata.event_type If configurationItemDiff.changeType is "UPDATE", metadata.event_type is set to "RESOURCE_WRITTEN". If configurationItemDiff.changeType is "CREATE", metadata.event_type is set to "RESOURCE_CREATION". If configurationItem.configurationItemStatus is "OK" or "ResourceDiscovered", metadata.event_type is set to "RESOURCE_READ". If configurationItem.configurationItemStatus is "ResourceDeleted", metadata.event_type is set to "RESOURCE_DELETION". If none of these conditions are met, metadata.event_type is set to "GENERIC_EVENT".
N/A metadata.log_type Set to "AWS_CONFIG".
N/A metadata.product_name Set to "AWS Config".
N/A metadata.vendor_name Set to "AMAZON".
N/A target.asset.attribute.cloud.environment Set to "AMAZON_WEB_SERVICES".
N/A target.resource.resource_type Set to "VIRTUAL_MACHINE".

Need more help? Get answers from Community members and Google SecOps professionals.