Before you begin
Before configuring AWS CloudWatch, we recommend reviewing Getting started with AWS security monitoring.
CloudWatch Configuration
To create an Amazon EventBridge rule that sends all GuardDuty events to your Kinesis data stream:
- In the AWS console, navigate to CloudWatch > Events > Rules.
- In the Amazon EventBridge Rules window, click Create rule.
- In the Name box under Rule detail, type a rule name that will help you identify the GuardDuty rule. Example: “Blumira_GuardDuty_Rule”.
- Click Next.
- In the Event Source section, select AWS events or EventBridge partner events.
- Skip the “Sample event - optional” section.
- Under Creation Method, select Use pattern form.
- Under Event pattern > AWS Service, select GuardDuty as the event source.
- In the Event Type menu that appears, select All Events then click Next.
- In the Select target(s) window, under Target types, select AWS service.
- Select Kinesis stream, then select the stream you previously created. Under Execution role, leave Create a new role for this specific resource selected unless you already have a role that grants EventBridge kinesis:PutRecord on that stream.
- Click Next.
- (Optional) In the Configure tags window, type an optional tag.
- Click Next, then click Create Rule.
- The Amazon EventBridge Rules page loads automatically and displays the newly created rule.
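The same rule built from the AWS CLI or CloudShell instead of the console, as an added example that is not Blumira's or AWS's own code. The region (us-west-2), account ID (123456789012), stream name (blumira-stream) and role name (BlumiraEventBridgeToKinesisRole) are placeholder assumptions; replace them with your own. The event pattern is what the console generates for "AWS service: GuardDuty, Event type: All Events". Unlike the console, the CLI does not create the execution role for you, so the script creates one scoped to PutRecord on the one stream. Nothing is sent to AWS unless you run it with APPLY=1.

```shell
#!/bin/sh
# Added example: GuardDuty -> Kinesis EventBridge rule via the AWS CLI.
# All values below are placeholders (assumed, not from the page); override via env.
set -eu

BL_REGION="${BL_REGION:-us-west-2}"
BL_ACCOUNT_ID="${BL_ACCOUNT_ID:-123456789012}"
BL_STREAM_NAME="${BL_STREAM_NAME:-blumira-stream}"
BL_RULE_NAME="${BL_RULE_NAME:-Blumira_GuardDuty_Rule}"
BL_ROLE_NAME="${BL_ROLE_NAME:-BlumiraEventBridgeToKinesisRole}"

# Event pattern equivalent to the console's "GuardDuty / All Events":
# every event whose source is aws.guardduty, regardless of detail-type.
guardduty_event_pattern() {
  printf '{"source":["aws.guardduty"]}'
}

# Trust policy so the EventBridge service can assume the target role.
eventbridge_trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"events.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Least privilege: EventBridge only needs to put records on this one stream.
kinesis_put_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["kinesis:PutRecord","kinesis:PutRecords"],"Resource":"arn:aws:kinesis:%s:%s:stream/%s"}]}' \
    "$BL_REGION" "$BL_ACCOUNT_ID" "$BL_STREAM_NAME"
}

# Target list for put-targets: the stream ARN plus the role EventBridge assumes.
eventbridge_targets() {
  printf '[{"Id":"blumira-kinesis","Arn":"arn:aws:kinesis:%s:%s:stream/%s","RoleArn":"arn:aws:iam::%s:role/%s"}]' \
    "$BL_REGION" "$BL_ACCOUNT_ID" "$BL_STREAM_NAME" "$BL_ACCOUNT_ID" "$BL_ROLE_NAME"
}

apply() {
  aws iam create-role --role-name "$BL_ROLE_NAME" \
    --assume-role-policy-document "$(eventbridge_trust_policy)"
  aws iam put-role-policy --role-name "$BL_ROLE_NAME" \
    --policy-name PutToBlumiraStream --policy-document "$(kinesis_put_policy)"
  aws events put-rule --name "$BL_RULE_NAME" --region "$BL_REGION" \
    --event-pattern "$(guardduty_event_pattern)" --state ENABLED
  aws events put-targets --rule "$BL_RULE_NAME" --region "$BL_REGION" \
    --targets "$(eventbridge_targets)"
  # Check: the rule should list exactly one target, pointing at the stream.
  aws events list-targets-by-rule --rule "$BL_RULE_NAME" --region "$BL_REGION"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply
else
  echo "Event pattern: $(guardduty_event_pattern)"
  echo "Targets:       $(eventbridge_targets)"
fi
```

Without APPLY=1 the script only prints the pattern and target document it would submit, which is a convenient way to review them before they touch the account.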
To configure a log group for VPC flow logs:
- Navigate to CloudWatch Logs > Log Groups.
- Select Create log group.
- Set the Retention setting to 1 day. The log events are forwarded on to the Kinesis data stream, so a longer retention in CloudWatch Logs only adds storage cost.
- Click Create.
- Create an IAM role that allows the CloudWatch Logs service to put log events into the Kinesis data stream, using the AWS CLI or CloudShell.
- Using your favorite editor, create a file named “TrustPolicyForCWLToKinesis.json” with the following contents, changing the region in the service principal to your region before saving it.
{"Version": "2012-10-17", "Statement": {"Effect": "Allow","Principal": {"Service": "logs.us-west-2.amazonaws.com"},"Action": "sts:AssumeRole"}}
- Create the IAM role by entering the following command into the AWS CLI or from CloudShell:
aws iam create-role --role-name BlumiraCWLtoKinesisDataStreamRole --assume-role-policy-document file://TrustPolicyForCWLToKinesis.json
- In the same way as the trust policy, create the IAM permission policy document PermissionPolicyForCWLToDataStream.json, and ensure that you replace the account number "123455312345" in the code block below with your own AWS account number. Note that "kinesis:*" on "*" is broader than the subscription filter needs; the CloudWatch Logs service only has to call kinesis:PutRecord on the one destination stream, so you can restrict Action and Resource accordingly.
{"Statement":[{"Effect":"Allow","Action":["kinesis:*"],"Resource":["*"]},{"Effect":"Allow","Action":["iam:PassRole"],"Resource":["arn:aws:iam::123455312345:role/BlumiraCWLtoKinesisDataStreamRole"]}]}
- Attach the IAM policy to the newly created role by entering the following command in the AWS CLI or CloudShell:
aws iam put-role-policy \
--role-name BlumiraCWLtoKinesisDataStreamRole \
--policy-name PermissionPolicyForCWLToDataStream \
--policy-document file://PermissionPolicyForCWLToDataStream.json
- Create a Kinesis subscription filter to send VPC flow log data from the log group to the Kinesis data stream: select the VPC flow log group, then choose Create Kinesis subscription filter from the Actions > Subscription filters menu.
- Select Current account and, as the destination, the Kinesis data stream you created earlier.
- Under Grant permission, select the role created above (BlumiraCWLtoKinesisDataStreamRole). Under Configure log format and filters, set Log format to Amazon VPC Flow Logs, enter a subscription filter name that identifies its purpose, and click Start streaming.
- Next, select the log group used for CloudTrail, edit its Retention setting, and set it to expire after 1 day.
- With the CloudTrail log group selected, choose Create Kinesis subscription filter from the Actions > Subscription filters menu.
- Select Current account and, as the destination, the same Kinesis data stream.
- Select the role you created to allow CloudWatch Logs to put log events into the data stream. Choose AWS CloudTrail for the log format, enter a subscription filter name descriptive enough to identify the purpose of the filter, and click Start streaming.
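The whole CloudWatch Logs to Kinesis procedure above (log group retention, the IAM role and its two policies, and the subscription filters for the VPC flow log and CloudTrail groups) done end to end from the AWS CLI, as an added example that is not Blumira's or AWS's own code. The region, account ID, stream name and the two log group names are placeholder assumptions. Two things differ deliberately from the console steps: the trust policy adds an aws:SourceArn condition so that only CloudWatch Logs acting for this account and region can assume the role (confused-deputy protection), and the permission policy is scoped to PutRecord on the one stream rather than "kinesis:*" on "*". The console's Log format choice is only an aid for writing a filter pattern and is not an API parameter, so the script passes an empty pattern, which forwards every event. Nothing is sent to AWS unless you run it with APPLY=1.

```shell
#!/bin/sh
# Added example: CloudWatch Logs -> Kinesis subscription filters via the AWS CLI.
# All values below are placeholders (assumed, not from the page); override via env.
set -eu

BL_REGION="${BL_REGION:-us-west-2}"
BL_ACCOUNT_ID="${BL_ACCOUNT_ID:-123456789012}"
BL_STREAM_NAME="${BL_STREAM_NAME:-blumira-stream}"
BL_ROLE_NAME="${BL_ROLE_NAME:-BlumiraCWLtoKinesisDataStreamRole}"
BL_VPC_LOG_GROUP="${BL_VPC_LOG_GROUP:-/blumira/vpc-flow-logs}"
BL_CLOUDTRAIL_LOG_GROUP="${BL_CLOUDTRAIL_LOG_GROUP:-/blumira/cloudtrail}"

stream_arn() { printf 'arn:aws:kinesis:%s:%s:stream/%s' "$BL_REGION" "$BL_ACCOUNT_ID" "$BL_STREAM_NAME"; }
role_arn()   { printf 'arn:aws:iam::%s:role/%s' "$BL_ACCOUNT_ID" "$BL_ROLE_NAME"; }

# Trust policy: the page's regional CloudWatch Logs principal, plus an
# aws:SourceArn condition limiting who can assume the role to log groups in
# this account and region (the page's version has no condition).
cwl_trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"logs.%s.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringLike":{"aws:SourceArn":"arn:aws:logs:%s:%s:*"}}}]}' \
    "$BL_REGION" "$BL_REGION" "$BL_ACCOUNT_ID"
}

# Permission policy scoped to the single destination stream.
cwl_permission_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["kinesis:PutRecord","kinesis:PutRecords"],"Resource":"%s"}]}' \
    "$(stream_arn)"
}

# For one log group: create it if missing, cap retention at 1 day (the data
# lives on in Kinesis, so CloudWatch retention is only cost), attach the filter.
# An empty --filter-pattern forwards every event in the group.
subscribe_log_group() {
  group="$1"; filter_name="$2"
  aws logs create-log-group --log-group-name "$group" --region "$BL_REGION" 2>/dev/null || true
  aws logs put-retention-policy --log-group-name "$group" --retention-in-days 1 --region "$BL_REGION"
  aws logs put-subscription-filter --log-group-name "$group" --filter-name "$filter_name" \
    --filter-pattern "" --destination-arn "$(stream_arn)" --role-arn "$(role_arn)" \
    --region "$BL_REGION"
}

apply() {
  aws iam create-role --role-name "$BL_ROLE_NAME" \
    --assume-role-policy-document "$(cwl_trust_policy)"
  aws iam put-role-policy --role-name "$BL_ROLE_NAME" \
    --policy-name PermissionPolicyForCWLToDataStream --policy-document "$(cwl_permission_policy)"
  # IAM is eventually consistent; a filter created immediately may be rejected.
  sleep 15
  subscribe_log_group "$BL_VPC_LOG_GROUP" "Blumira-VPCFlowLogs-to-Kinesis"
  subscribe_log_group "$BL_CLOUDTRAIL_LOG_GROUP" "Blumira-CloudTrail-to-Kinesis"
  # Check: each group should now show one filter whose destinationArn is the stream.
  aws logs describe-subscription-filters --log-group-name "$BL_VPC_LOG_GROUP" --region "$BL_REGION"
  aws logs describe-subscription-filters --log-group-name "$BL_CLOUDTRAIL_LOG_GROUP" --region "$BL_REGION"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply
else
  echo "Trust policy:      $(cwl_trust_policy)"
  echo "Permission policy: $(cwl_permission_policy)"
fi
```

Run it once without APPLY to review the two policy documents, then with APPLY=1. If put-subscription-filter still fails right after role creation, rerun the script; the IAM role and policies are idempotent to re-apply apart from create-role, which you can skip by deleting that line once the role exists.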
Now that you have configured AWS CloudWatch for Blumira, continue to the next step in configuring AWS for Blumira – configuring AWS VPC Flow Logs.