This guide will help you to configure your AWS environment to centralize log flows for continuous monitoring. This document assumes no previous log flow configurations have been made in your environment. If your environment has been configured for centralized monitoring, you can leverage this document as a reference and validation point for partial changes which may be required to ensure you have broad coverage.
For the purpose of monitoring AWS, Blumira’s AWS documentation is laid out to help you gather three primary sources of log information — CloudTrail, VPC Flow Logs, and GuardDuty. We have established this reference log pipeline so that you can easily expand monitoring and cover your other AWS services.
Recommended: For a faster and easier setup, use Blumira's AWShim script to automate the process of configuring your AWS integration. See Using AWShim for automated AWS logging configurations for instructions.
Alternatively, you can manually perform the configurations needed for your AWS integration with Blumira. The separate manual procedures are outlined and linked below.
Note: The time to complete the manual AWS integration without using AWShim is approximately 45 min – 1 hour.
To enable broad Blumira coverage for AWS, follow these configuration steps:
- Configure AWS Kinesis
- Configure AWS CloudTrail
- Configure AWS CloudWatch
- Configure AWS VPC Flow Logs
- Configure AWS GuardDuty
CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis. Blumira leverages CloudTrail to detect unusual activity in your AWS accounts at an API level. CloudTrail must be configured per AWS region.
Configuring AWS CloudTrail requires establishing an S3 bucket for temporary log storage, creating an Identity and Access Management (IAM) Role to allow CloudTrail to put logs into a CloudWatch log group, and configuring CloudWatch to both receive the logs and also filter, process, and put the logs into a Kinesis data stream.
VPC Flow Logs
VPC Flow Logs is an AWS feature that enables clients to capture information about the IP traffic going to and from network interfaces in an Amazon virtual private cloud (VPC). While the format of VPC flow logs is similar to that of a firewall logging flow log, data is collected outside of the path of your network traffic and therefore does not affect network throughput or latency for your production workloads. Flow logs can be enabled without any risk of impact on network performance.
By enabling VPC flow logging, we can detect many different security events, including identifying overly permissive security groups and rules; identifying if threat actors interact with VPC resources (such as EC2 hosts or database services); lateral movement across security boundaries, data exfiltration, and various types of denial of service attacks.
Configuring VPC Flow Logs requires creating an Identity and Access Management (IAM) role to allow the VPC service to put VPC Flow Logs into a CloudWatch log group, and configuring each VPC within an AWS region to generate and send flow logs to a CloudWatch group, CloudWatch must also be configured to create a log group which will receive, filter, and put the log flow information into a kinesis data stream.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.
By integrating Amazon GuardDuty with Blumira, GuardDuty alerts are actionable, and easy to aggregate across multiple accounts. GuardDuty must be configured per AWS region. A list of the types of findings GuardDuty can detect is available here.
Configuring AWS GuardDuty requires creating an Identity and Access Management (IAM) Role to allow GuardDuty to query various services including EC2, S3, VPC Flow, and Organizations, and the usage of CloudWatch to query the AWS event bus to read GuardDuty events and put those events into a kinesis data stream. You should follow security best practices as provided in the AWS Security Best Practices in IAM Guide.
Other Log Sources
AWS event filters offer an extensive monitoring capability of almost all other AWS services. For monitoring use cases outside of core AWS services (such as Lambda), event rules can be configured for these services.
Warning: The AWS root user account should NEVER be used for the deployment or the implementation operations of this solution.
Billable AWS services used by this integration
|Kinesis||True||Kinesis provides a scalable and durable real-time data streaming integration to ensure log data is always captured and retained by Blumira.|
|CloudWatch||True||CloudWatch provides a centralized event bus to route log and event data from your AWS services into the kinesis data stream.|
|S3||False||CloudTrail requires that an S3 bucket be established to stage log data.|
|CloudTrail||False||CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis.|
|GuardDuty||False||GuardDuty is an AWS threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3|
For additional guidance on estimating the cost of AWS services, please see https://calculator.aws/.