The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM) capabilities for Amazon Web Services (AWS) require the ingestion of AWS logs using the Security Operations console ingestion pipeline. The AWS log types required for ingestion differ based on what you are configuring:
- CIEM requires data from the AWS CloudTrail log type.
- Curated detections require data from multiple AWS log types.
To learn more about the different AWS log types, see Supported devices and log types.
Curated detections
For curated detections, each AWS rule set requires certain data to function as designed, including one or more of the following:
- AWS CloudTrail logs
- AWS GuardDuty
- AWS context data about hosts, services, VPC, and users
To use these curated detections, you must ingest AWS data to Google Security Operations, and then enable the curated detection rules. For information about how to configure the ingestion of the AWS data, see Ingest AWS logs into Google Security Operations in the Google SecOps documentation. For information about how to enable curated detection rules, see Use curated detections to identify threats in the Google SecOps documentation.
Configure AWS log ingestion for CIEM
To generate findings for your AWS environment, the Cloud Infrastructure Entitlement Management (CIEM) capabilities require data from AWS CloudTrail logs.
To use CIEM, do the following when configuring AWS log ingestion.
When setting up your AWS CloudTrail, complete the following configuration steps:
- Create one of the following:
  - An organization-level trail that pulls log data from across all AWS accounts.
  - An account-level trail that pulls log data from select AWS accounts.
- Set the Amazon S3 bucket or Amazon SQS queue you choose for CIEM to log management events from all regions.
When setting up a feed to ingest AWS logs in the Security Operations console, complete the following configuration steps:
- Create a feed that ingests all account logs from the Amazon S3 bucket or Amazon SQS queue for all regions.
- Set the feed Ingestion labels key-value pair based on the feed source type, using one of the following options:
  - If the Source type is Amazon S3, configure one of the following:
    - To extract data every 15 minutes, set the Label to CIEM and the Value to TRUE. You can reuse this feed for other Security Command Center services where a 15-minute data latency is acceptable.
    - To extract data every 12 hours, set the Label to CIEM_EXCLUSIVE and the Value to TRUE. This option works for CIEM and other potential Security Command Center services where a 24-hour data latency is acceptable.
  - If the Source type is Amazon SQS, set the Label to CIEM and the Value to TRUE.
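As an added check (example code, not from the Google Cloud or AWS documentation), the following Python verifies a trail and a feed definition against the CIEM prerequisites above. The trail and event-selector dictionaries use the field names of the AWS CloudTrail DescribeTrails and GetEventSelectors responses; the feed dictionary shape and its source-type strings are an assumption, not the Google SecOps feed API, and all sample data is constructed.

```python
# Constructed sample, shaped like one entry of `aws cloudtrail describe-trails`.
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-bucket",  # constructed placeholder
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True,
}
# Constructed sample, shaped like `aws cloudtrail get-event-selectors` output.
SAMPLE_SELECTORS = {
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]
}
# Constructed sample feed definition; this dictionary shape is an assumption,
# not the Google SecOps feed API.
SAMPLE_FEED = {"source_type": "Amazon S3", "labels": {"CIEM": "TRUE"}}

def check_trail(trail, selectors):
    """Return the CloudTrail-side problems that would break CIEM ingestion."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("trail does not log events from all regions")
    if not any(s.get("IncludeManagementEvents")
               for s in selectors.get("EventSelectors", [])):
        problems.append("trail does not log management events")
    return problems

def s3_extraction_interval_minutes(labels):
    """Extraction interval implied by the Amazon S3 feed labels (None if unset)."""
    if labels.get("CIEM", "").upper() == "TRUE":
        return 15            # CIEM=TRUE: data pulled every 15 minutes
    if labels.get("CIEM_EXCLUSIVE", "").upper() == "TRUE":
        return 12 * 60       # CIEM_EXCLUSIVE=TRUE: data pulled every 12 hours
    return None

def check_feed(feed):
    """Return the feed-side problems with the ingestion labels for CIEM."""
    labels = feed.get("labels", {})
    source = feed.get("source_type")
    ciem = labels.get("CIEM", "").upper() == "TRUE"
    exclusive = labels.get("CIEM_EXCLUSIVE", "").upper() == "TRUE"
    if source == "Amazon S3":
        if ciem and exclusive:   # the setup calls for one of the two, not both
            return ["set only one of CIEM=TRUE or CIEM_EXCLUSIVE=TRUE"]
        if not (ciem or exclusive):
            return ["Amazon S3 feed needs label CIEM=TRUE or CIEM_EXCLUSIVE=TRUE"]
        return []
    if source == "Amazon SQS":
        return [] if ciem else ["Amazon SQS feed needs label CIEM=TRUE"]
    return [f"source type {source!r} is not an Amazon S3 bucket or SQS queue"]
```

Run `check_trail` on each trail returned by DescribeTrails and `check_feed` on each CIEM feed; an empty list means that side meets the prerequisites listed above.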
If you don't configure log ingestion correctly, the CIEM detection service might display incorrect findings. In addition, if there are issues with your CloudTrail configuration, Security Command Center displays the CIEM AWS CloudTrail configuration error.
To configure log ingestion, see Ingest AWS logs into Google Security Operations in the Google SecOps documentation.
For full instructions on enabling CIEM, see Enable the CIEM detection service for AWS. For more information about CIEM features, see Overview of Cloud Infrastructure Entitlement Management.