Using AWShim for automated AWS logging configurations

Overview

You can use AWShim to automate the AWS configurations for logging within individual AWS accounts, simplifying the steps and reducing the time to start sending logs to Blumira. When used, this tool creates the requisite streams, policies, users, permissions, and resources to collect logs from Cloudwatch, Cloudtrail, GuardDuty, and VPC flow logs.

If you are using multiple AWS accounts with customized security profiles, review Getting started with AWS security monitoring and ensure you have the necessary rights within your individual accounts to create these logging configurations.

AWShim creates the following resources that will be used for the integration:

• Kinesis Stream
• Cloudwatch Log Groups
• Cloudwatch Rules
• Cloudtrail Trail
• S3 Bucket (for Trail)
• IAM user and several roles:
  • Event Service role
  • Cloudwatch role for shipping logs to stream
  • Cloudtrail to cloudwatch role
  • VPC to Cloudwatch role

The created resources have a unique (epoch-based) identifier to ensure you can easily find the resources after they are created.

Before you begin

You will need an account in AWS that has access to the AWS CLI interface in the Management Console. Your account must also be able to create IAM roles, users, and policies. In addition to those permissions, you must be able to create resources within AWS.

Using AWShim

To use AWShim and collect the credentials needed for the Blumira sensor module, complete the following steps:

1. Sign in to the Management Console in AWS.
2. In the top navigation menu, click  to open AWS CLI.
3. After the CLI starts up, a window appears that indicates that the CloudShell is ready to run commands.
4. In the AWS CloudShell window, run the following commands:
   

   git clone https://github.com/Blumira/AWShim.git
   cd ./AWShim
   chmod +x ./AWShim.sh
   ./AWShim.sh -c
   

5. Respond to the on-screen prompts according to your organization’s AWS environment. The prompts include the following:
   • Please enter your Region (for example us-east-1 or us-west-2)
   • Do you want to ship GuardDuty logs? (y/n)
   • Do you want to ship VPC Flow logs? (y/n)
6. After the script is done running, the output includes the credentials you will use in the Blumira Cloud Connector. Copy the Access Key ID and Secret Key.
   
7. If your environment includes GuardDuty, you must enable the service within AWS to enable the logging settings for the service.
   Reference: For more information and steps to enable this, see Integrating with AWS GuardDuty.
8. Modify the event types to include Data Events and Insight Events to ensure that Blumira has full logging visibility. You can do this by editing the trail after the script run is complete. For more information and steps, see Integrating with AWS Cloud Trail.
   

Configuring the Blumira Cloud Connector

Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.

To configure the Blumira Cloud Connector:

1. In the Blumira app, navigate to Settings > Cloud Connectors.
2. Click + Add Cloud Connector.
3. In the Available Cloud Connectors window, click the connector that you want to add.
4. If you want to change the name of the connector, type the new name in the Cloud Connector Name box.
5. Enter the credentials that you collected in the previous steps.
6. Click Connect.
7. On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).

Important: If you previously deployed a sensor module for this integration, then you must remove it via the Sensors page (Settings > Sensors) to avoid log duplication.