Collect AWS Config logs
=======================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to create a new S3 bucket to store the CloudTrail logs and how to create an IAM user to retrieve the log feeds from AWS.

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past, so that you can see how the configurations and relationships change over time.

Before you begin
----------------

Ensure you have the following prerequisites:

- Google SecOps instance
- Privileged access to AWS

Configure CloudTrail and AWS S3 bucket
--------------------------------------

1. Sign in to the AWS Management Console.
2. Go to the [Amazon S3 console](https://console.aws.amazon.com/s3/).
3. In the AWS console, search for **CloudTrail**.
4. Click **Create trail**.
5. Provide a **Trail name**.
6. Select **Create new S3 bucket** (you can also use an existing S3 bucket).
7. Provide a name for the **AWS KMS** alias, or choose an existing AWS KMS key.

   | **Note:** Leave the other settings as default.
8. Click **Next**.
9. Choose **Event type** and add **Data events**.
10. Click **Next**.
11. Review the settings and click **Create trail**.
12. In the AWS console, search for **S3 Buckets**.
13. Click the newly created log bucket, and select the **AWSLogs** folder.
14. Click **Copy S3 URI** and save it.

Configure AWS Config API Calls Logging
--------------------------------------

1. In AWS, go to **AWS Config > Set up AWS Config**.
2. Select the bucket type (either select the existing bucket details or create a new one).
3. Select all required AWS-managed rules and click **Next** to select a bucket.
4. Refer to [AWS Config](https://docs.aws.amazon.com/pdfs/config/latest/developerguide/config-dg.pdf) for details on rule types to help you select the appropriate rule based on your requirements:
   - **Compliance rules**: evaluate the configurations of resources to ensure that they meet compliance standards or regulatory requirements.
   - **Configuration rules**: evaluate the configurations of resources to ensure that they meet the required configuration standards.
   - **Performance rules**: evaluate the configurations of resources to ensure that they are optimized for performance.
   - **Security rules**: evaluate the configurations of resources to ensure that they meet security standards or requirements.
5. Click **Create config**.
6. Go to [Amazon S3](https://console.aws.amazon.com/s3/).
7. Click the newly created log bucket, and select the **AWSLogs** folder.
8. Click **Copy S3 URI** and save it.

Configure AWS IAM User
----------------------

1. In the AWS console, search for **IAM**.
2. Click **Users**.
3. Click **Add Users**.
4. Provide a name for the user (for example, chronicle-feed-user).
5. Select **Access key - Programmatic access** as the AWS credential type.
6. Click **Next: Permissions**.
7. Select **Attach existing policies directly**.
8. Select **AmazonS3ReadOnlyAccess** or **AmazonS3FullAccess**.

   | **Note:** Use **AmazonS3FullAccess** if Google SecOps needs to clear the S3 buckets after reading logs to optimize AWS S3 storage costs.
9. Click **Next: Tags**.
10. Optional: Add any tags if required.
11. Click **Next: Review**.
12. Review the configuration and click **Create user**.
13. Copy the Access key ID and Secret access key of the created user.

Set up feeds
------------

There are two different entry points to set up feeds in the Google SecOps platform:

- **SIEM Settings > Feeds > Add New**
- **Content Hub > Content Packs > Get Started**

How to set up the AWS Config feed
---------------------------------

1. Click the **Amazon Cloud Platform** pack.
2. Locate the **AWS Config** log type.
3. Specify the values in the following fields.
   - **Source Type**: Amazon SQS V2
   - **Queue Name**: The SQS queue name to read from.
   - **S3 URI**: The bucket URI, for example `s3://your-log-bucket-name/`. Replace `your-log-bucket-name` with the actual name of your S3 bucket.
   - **Source deletion options**: Select the deletion option according to your ingestion preferences.

     | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you have granted the appropriate permissions to the service account.
   - **Maximum File Age**: Include files modified in the last number of days. The default is 180 days.
   - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.
   - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.

   **Advanced options**
   - **Feed Name**: A prepopulated value that identifies the feed.
   - **Asset Namespace**: Namespace associated with the feed.
   - **Ingestion Labels**: Labels applied to all events from this feed.
4. Click **Create feed**.

| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.

For more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).

UDM Mapping
-----------

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| configurationItem.relationships.resourceType | | The value is taken from the configurationItem.relationships.resourceType field. The key is set to "configurationItem.relationships.resource_types". |
| configurationItem.resourceId | target.resource.id | The value is taken from the configurationItem.resourceId field. |
| configurationItem.resourceType | target.resource.resource_subtype | The value is taken from the configurationItem.resourceType field. |
| N/A | metadata.event_type | If configurationItemDiff.changeType is "UPDATE", metadata.event_type is set to "RESOURCE_WRITTEN". If configurationItemDiff.changeType is "CREATE", metadata.event_type is set to "RESOURCE_CREATION". If configurationItem.configurationItemStatus is "OK" or "ResourceDiscovered", metadata.event_type is set to "RESOURCE_READ". If configurationItem.configurationItemStatus is "ResourceDeleted", metadata.event_type is set to "RESOURCE_DELETION". If none of these conditions are met, metadata.event_type is set to "GENERIC_EVENT". |

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)

Last updated 2025-08-29 UTC.
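The UDM Mapping rules above, applied in code as an added example (this is not the page's own code nor the Google SecOps parser): it reads constructed AWS Config configuration-item records, derives metadata.event_type by testing the conditions in the order the table states them, and fills target.resource.id and target.resource.resource_subtype. The one-object-per-line record layout, the placement of the relationships key under additional.fields, and all sample resource IDs are assumptions made for the example.

```python
"""Added example: apply the UDM Mapping table's rules to constructed AWS Config records."""
import json
from typing import Any, Dict, List

# Constructed sample records, one JSON object per line (not real AWS Config output).
# The top-level configurationItem / configurationItemDiff layout is assumed so that
# the field paths named in the mapping table resolve directly.
SAMPLE_JSONL = """\
{"configurationItemDiff": {"changeType": "CREATE"}, "configurationItem": {"resourceId": "sg-0123456789abcdef0", "resourceType": "AWS::EC2::SecurityGroup", "configurationItemStatus": "ResourceDiscovered", "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0a1b2c3d"}]}}
{"configurationItemDiff": {"changeType": "UPDATE"}, "configurationItem": {"resourceId": "sg-0123456789abcdef0", "resourceType": "AWS::EC2::SecurityGroup", "configurationItemStatus": "OK", "relationships": [{"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0a1b2c3d"}, {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0fedcba9876543210"}]}}
{"configurationItem": {"resourceId": "example-log-bucket", "resourceType": "AWS::S3::Bucket", "configurationItemStatus": "OK", "relationships": []}}
{"configurationItemDiff": {"changeType": "DELETE"}, "configurationItem": {"resourceId": "i-0fedcba9876543210", "resourceType": "AWS::EC2::Instance", "configurationItemStatus": "ResourceDeleted", "relationships": []}}
{"configurationItem": {"resourceId": "arn:aws:iam::123456789012:user/chronicle-feed-user", "resourceType": "AWS::IAM::User", "configurationItemStatus": "ResourceNotRecorded"}}
"""


def parse_records(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def map_event_type(record: Dict[str, Any]) -> str:
    """metadata.event_type exactly as the table orders the conditions: changeType is
    tested before configurationItemStatus, so a CREATE or UPDATE diff wins over the
    status value; a DELETE diff is not named in the changeType rules and therefore
    relies on the status being ResourceDeleted; anything else is GENERIC_EVENT."""
    change_type = record.get("configurationItemDiff", {}).get("changeType")
    status = record.get("configurationItem", {}).get("configurationItemStatus")
    if change_type == "UPDATE":
        return "RESOURCE_WRITTEN"
    if change_type == "CREATE":
        return "RESOURCE_CREATION"
    if status in ("OK", "ResourceDiscovered"):
        return "RESOURCE_READ"
    if status == "ResourceDeleted":
        return "RESOURCE_DELETION"
    return "GENERIC_EVENT"


def map_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Build the UDM fields the table describes for one record. The relationships
    row only names a key, so the collected resource types are placed under
    additional.fields here; that placement is an assumption of this example."""
    item = record.get("configurationItem", {})
    udm: Dict[str, Any] = {"metadata": {"event_type": map_event_type(record)}}
    resource: Dict[str, str] = {}
    if "resourceId" in item:
        resource["id"] = item["resourceId"]  # target.resource.id
    if "resourceType" in item:
        resource["resource_subtype"] = item["resourceType"]  # target.resource.resource_subtype
    if resource:
        udm["target"] = {"resource": resource}
    rel_types = [r["resourceType"] for r in item.get("relationships", []) if "resourceType" in r]
    if rel_types:
        udm["additional"] = {"fields": {"configurationItem.relationships.resource_types": rel_types}}
    return udm


def count_by_event_type(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Tally mapped event types: a cheap check that deletions and writes are not
    silently collapsing into GENERIC_EVENT after a source or parser change."""
    counts: Dict[str, int] = {}
    for rec in records:
        event_type = map_event_type(rec)
        counts[event_type] = counts.get(event_type, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_JSONL)
    for rec in recs:
        print(json.dumps(map_record(rec)))
    print(count_by_event_type(recs))
```

The ordering matters for validation: a record carrying a CREATE diff together with status ResourceDiscovered maps to RESOURCE_CREATION, not RESOURCE_READ, and a snapshot item with no diff at all is classified purely by its status. The tally in count_by_event_type is the kind of check worth running over a day's sample when confirming that the feed is delivering change notifications rather than only periodic snapshots.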