Collect AWS VPN logs

Supported in:

This document explains how to ingest AWS VPN logs to Google Security Operations. AWS VPN provides a secure connection between your on-premises network and your Amazon Virtual Private Cloud (VPC). By forwarding VPN logs to Google SecOps, you can analyze VPN connection activities, detect potential security risks, and monitor traffic patterns.

Before you begin

Ensure you have the following prerequisites:

  • Google SecOps instance
  • Privileged access to AWS

Configure AWS IAM and S3

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket.
  2. Save the bucket Name and Region for later use.
  3. Create a user following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for and select the AmazonS3FullAccess policy.
  18. Click Next.
  19. Click Add permissions.

How to configure CloudTrail for AWS VPN Logging

  1. Sign in to the AWS Management Console.
  2. In the search bar, type and select CloudTrail from the services list.
  3. Click Create trail.
  4. Provide a Trail name; for example, VPN-Activity-Trail.
  5. Select the Enable for all accounts in my organization checkbox.
  6. Type the S3 bucket URI created earlier (the format should be: s3://your-log-bucket-name/), or create a new S3 bucket.
  7. If SSE-KMS is enabled, provide a name for AWS KMS alias, or choose an existing AWS KMS Key.
  8. You can leave the other settings as default.
  9. Click Next.
  10. Select Management events to All and Data events to Networking and VPN services under Event Types.
  11. Click Next.
  12. Review the settings in Review and create.
  13. Click Create trail.

  14. Optional: If you created a new bucket during the CloudTrail configuration, continue with the following process:

    1. Go to S3.
    2. Identify and select the newly created log bucket.
    3. Select the AWSLogs folder.
    4. Click Copy S3 URI and save it.

How to configure AWS Client VPN logging

  1. Go to the AWS Client VPN console.
  2. Under Client VPN Endpoints, select the required endpoint.
  3. In the Logging section, click enable logging and specify an Amazon CloudWatch Log group to which VPN connection logs will be sent.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds > Add New
  • Content Hub > Content Packs > Get Started

How to set up the AWS VPN feed

  1. Click the Amazon Cloud Platform pack.
  2. Locate the AWS VPN log type.
  3. Specify the values in the following fields.

    • Source Type: Amazon SQS V2
    • Queue Name: The SQS queue name to read from
    • S3 URI: The bucket URI.
      • s3://your-log-bucket-name/
        • Replace your-log-bucket-name with the actual name of your S3 bucket.
    • Source deletion options: Select the deletion option according to your ingestion preferences.

    • Maximum File Age: Include files modified in the last number of days. Default is 180 days.

    • SQS Queue Access Key ID: An account access key that is a 20-character alphanumeric string.

    • SQS Queue Secret Access Key: An account access key that is a 40-character alphanumeric string.

    Advanced options

    • Feed Name: A prepopulated value that identifies the feed.
    • Asset Namespace: Namespace associated with the feed.
    • Ingestion Labels: Labels applied to all events from this feed.
  4. Click Create feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

UDM Mapping Table

Need more help? Get answers from Community members and Google SecOps professionals.