This document explains how to ingest AWS VPN logs to Google Security Operations. AWS VPN provides a secure connection between your on-premises network and your Amazon Virtual Private Cloud (VPC). By forwarding VPN logs to Google SecOps, you can analyze VPN connection activities, detect potential security risks, and monitor traffic patterns.
Before you begin
Ensure you have the following prerequisites:
Google SecOps instance
Privileged access to AWS
Configure AWS IAM and S3
Create an Amazon S3 bucket following this user guide: Creating a bucket.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide explains how to forward and ingest AWS VPN logs into Google Security Operations (SecOps) for analyzing connection activities, detecting security risks, and monitoring traffic.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring AWS IAM and S3 involves creating an S3 bucket, a user with access keys, and granting the user the necessary permissions to access the S3 bucket using the AmazonS3FullAccess policy.\u003c/p\u003e\n"],["\u003cp\u003eSetting up CloudTrail for AWS VPN logging requires creating a trail in AWS to track VPN activity, choosing to log management and data events for networking and VPN services, and then linking the trail to the previously created S3 bucket.\u003c/p\u003e\n"],["\u003cp\u003eTo enable logging for AWS Client VPN, you need to select the desired VPN endpoint and configure it to send VPN connection logs to an Amazon CloudWatch Log group.\u003c/p\u003e\n"],["\u003cp\u003eA new feed in Google SecOps must be configured to ingest the logs, specifying the S3 source, AWS VPN log type, region, bucket URI, access keys, and other relevant parameters for proper data ingestion.\u003c/p\u003e\n"]]],[],null,["# Collect AWS VPN logs\n====================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest AWS VPN logs to Google Security Operations. AWS VPN provides a secure connection between your on-premises network and your Amazon Virtual Private Cloud (VPC). By forwarding VPN logs to Google SecOps, you can analyze VPN connection activities, detect potential security risks, and monitor traffic patterns.\n\nBefore you begin\n----------------\n\nEnsure you have the following prerequisites:\n\n- Google SecOps instance\n- Privileged access to AWS\n\nConfigure AWS IAM and S3\n------------------------\n\n1. Create an **Amazon S3 bucket** following this user guide: [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html).\n2. Save the bucket **Name** and **Region** for later use.\n3. Create a user following this user guide: [Creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).\n4. Select the created **User**.\n5. Select the **Security credentials** tab.\n6. Click **Create Access Key** in the **Access Keys** section.\n7. Select **Third-party service** as the **Use case**.\n8. Click **Next**.\n9. Optional: add a description tag.\n10. Click **Create access key**.\n11. Click **Download CSV file** to save the **Access Key** and **Secret Access Key** for later use.\n12. Click **Done**.\n13. Select the **Permissions** tab.\n14. Click **Add permissions** in the **Permissions policies** section.\n15. Select **Add permissions**.\n16. Select **Attach policies directly**.\n17. Search for and select the **AmazonS3FullAccess** policy.\n18. Click **Next**.\n19. Click **Add permissions**.\n\nHow to configure CloudTrail for AWS VPN Logging\n-----------------------------------------------\n\n1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/).\n2. In the search bar, type and select **CloudTrail** from the services list.\n3. Click **Create trail**.\n4. Provide a **Trail name** ; for example, **VPN-Activity-Trail**.\n5. Select the **Enable for all accounts in my organization** checkbox.\n6. Type the S3 bucket URI created earlier (the format should be: `s3://your-log-bucket-name/`), or create a new S3 bucket.\n7. If SSE-KMS is enabled, provide a name for **AWS KMS alias** , or choose an **existing AWS KMS Key**.\n8. You can leave the other settings as default.\n9. Click **Next**.\n10. Select **Management events** to **All** and **Data events** to **Networking and VPN services** under **Event Types**.\n11. Click **Next**.\n12. Review the settings in **Review and create**.\n13. Click **Create trail**.\n\n14. Optional: If you created a new bucket during the CloudTrail configuration, continue with the following process:\n\n 1. Go to **S3**.\n 2. Identify and select the newly created log bucket.\n 3. Select the **AWSLogs** folder.\n 4. Click **Copy S3 URI** and save it.\n\nHow to configure AWS Client VPN logging\n---------------------------------------\n\n1. Go to the **AWS Client VPN** console.\n2. Under **Client VPN Endpoints**, select the required endpoint.\n3. In the **Logging** section, click **enable logging** and specify an **Amazon CloudWatch Log group** to which VPN connection logs will be sent.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the AWS VPN feed\n------------------------------\n\n1. Click the **Amazon Cloud Platform** pack.\n2. Locate the **AWS VPN** log type.\n3. Specify the values in the following fields.\n\n - **Source Type**: Amazon SQS V2\n - **Queue Name**: The SQS queue name to read from\n - **S3 URI** : The bucket URI.\n - `s3://your-log-bucket-name/`\n - Replace `your-log-bucket-name` with the actual name of your S3 bucket.\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.\n\n - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.\n\n - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace**: Namespace associated with the feed.\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
