Before you begin
Before configuring AWS CloudWatch, we recommend reviewing Getting started with AWS security monitoring.
CloudWatch Configuration
To create a new Amazon EventBridge rule with the GuardDuty service as a source for all events, do the following:
- In the AWS console, navigate to CloudWatch > Events > Rules.
- In the Amazon EventBridge Rules window, click Create rule.
- In the Name box under Rule detail, type a rule name that will help you identify the GuardDuty rule. Example: “Blumira_GuardDuty_Rule”.
- Click Next.
- In the Event Source section, select AWS events or EventBridge partner events.
- Skip the “Sample event - optional” section.
- Under Creation Method, select Use pattern form.
- Under Event pattern > AWS Service, select GuardDuty as the event source.
- In the Event Type menu that appears, select All Events, then click Next.
- In the Select target(s) window, under Target types, select AWS service.
- Select Kinesis Stream, then select the stream you previously created.
- Click Next.
- (Optional) In the Configure tags window, type an optional tag.
- Click Next, then click Create Rule.
- The Amazon EventBridge Rules page loads automatically and displays the newly created rule.
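To make concrete what the rule created above forwards, here is an added example (not part of the Blumira documentation or of any AWS SDK): a small model of EventBridge pattern matching run over constructed sample events. It assumes that the console's pattern form for "AWS Service: GuardDuty, Event Type: All Events" is equivalent to the JSON pattern `{"source": ["aws.guardduty"]}`; the sample events carry placeholder ids and account numbers and are not captured findings. A narrower prefix-filtered pattern is included only for contrast with "All Events".

```python
"""Added example, not part of the Blumira documentation: a small model of
EventBridge pattern matching, used to show which events the GuardDuty
"All Events" rule created above forwards to the Kinesis stream, and how
a narrower pattern would differ.

Assumptions: the console's pattern form for "AWS Service: GuardDuty,
Event Type: All Events" is equivalent to {"source": ["aws.guardduty"]};
the events below are constructed samples with placeholder ids and
account numbers, not captured findings.
"""

# Pattern equivalent to the rule built above: any event from GuardDuty.
GUARDDUTY_ALL_EVENTS = {"source": ["aws.guardduty"]}

# Contrast only (not what the page configures): findings of one family,
# selected with EventBridge's "prefix" content filter.
UNAUTHORIZED_ACCESS_ONLY = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "UnauthorizedAccess:"}]},
}

# Constructed sample events in the EventBridge envelope shape.
GUARDDUTY_FINDING = {
    "id": "gd-1",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "123456789012",
    "region": "us-west-2",
    "detail": {"type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B", "severity": 5},
}
RECON_FINDING = {
    "id": "gd-2",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "123456789012",
    "region": "us-west-2",
    "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2},
}
EC2_STATE_CHANGE = {
    "id": "ec2-1",
    "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "account": "123456789012",
    "region": "us-west-2",
    "detail": {"state": "running"},
}


def _leaf_matches(allowed, value):
    """A pattern leaf is a list of alternatives (OR): literal values, or
    {"prefix": "..."} content filters for string fields."""
    for candidate in allowed:
        if isinstance(candidate, dict) and "prefix" in candidate:
            if isinstance(value, str) and value.startswith(candidate["prefix"]):
                return True
        elif candidate == value:
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must exist in the event and match; keys the
    pattern does not mention are unconstrained. Nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not _leaf_matches(expected, actual):
            return False
    return True


def forwarded_ids(events, pattern):
    """Ids of the events the rule would hand to its target."""
    return [e["id"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    sample = [GUARDDUTY_FINDING, RECON_FINDING, EC2_STATE_CHANGE]
    print("All Events rule forwards:", forwarded_ids(sample, GUARDDUTY_ALL_EVENTS))
    print("Prefix-filtered rule forwards:", forwarded_ids(sample, UNAUTHORIZED_ACCESS_ONLY))
```

Running the script shows that the "All Events" rule passes every GuardDuty event regardless of finding type or severity, and drops the EC2 event because its `source` is not in the pattern's list; the contrast pattern keeps only the UnauthorizedAccess finding.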
To configure a log group for VPC Flow logs:
- Navigate to CloudWatch Logs > Log Groups.
- Select Create log group.
- Set the Retention setting to a 1-day period.
- Click Create.
- Create an IAM role that allows the CloudWatch Logs service to put logs into the AWS Kinesis data stream, using the AWS CLI or CloudShell.
- Using your favorite editor, create a “TrustPolicyForCWLToKinesis.json” file with the following contents, changing the region to your appropriate region before saving it.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "logs.us-west-2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}
- Create the IAM role by entering the following command into the AWS CLI or from CloudShell:
aws iam create-role --role-name BlumiraCWLtoKinesisDataStreamRole --assume-role-policy-document file://TrustPolicyForCWLToKinesis.json
- As with the trust policy file above, create a file named PermissionPolicyForCWLToDataStream.json with the following contents, replacing the account number "123455312345" with the account number of your AWS account.
{
  "Statement": [
    {"Effect": "Allow", "Action": ["kinesis:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": ["arn:aws:iam::123455312345:role/BlumiraCWLtoKinesisDataStreamRole"]}
  ]
}
- Attach the IAM policy to the newly created role by entering the following command into the AWS CLI or CloudShell:
aws iam put-role-policy \
--role-name BlumiraCWLtoKinesisDataStreamRole \
--policy-name PermissionPolicyForCWLToDataStream \
--policy-document file://PermissionPolicyForCWLToDataStream.json
- Create a Kinesis subscription filter to send VPC flow log data from the "VPC-FLOW" log group to the Kinesis data stream by doing the following:
- In the Log Groups table, check the box next to the log group you created for VPC Flow Logs above.
- Above the table, click Actions, then Subscription filters, then Create Kinesis subscription filter.
- Select Current account and, as the destination, the Kinesis data stream you created earlier.
- Select the permission role you created, with distribution by log stream.
- Under Configure log format and filters, set log format to Amazon VPC Flow Logs and click Start streaming.
- In the Log Groups table, click the check box next to the log group created for CloudTrail.
- Set the Retention setting to expire events after 1 day, then click Save.
- With the CloudTrail log group selected, click Actions above the table.
- Click Subscription filters and then click Create Kinesis subscription filter.
- Select Current account and, as the destination, the Kinesis data stream you created earlier.
- Select the role you created to allow CloudWatch Logs to put logs into your data stream.
- In the Log format field, select AWS CloudTrail.
- In the Subscription filter name field, type a descriptive name to identify the purpose of the subscription filter.
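The IAM role and policy steps above are easy to get subtly wrong: the trust policy must name the CloudWatch Logs service principal for the region the log groups live in, and the permission policy as written grants every Kinesis action on every stream. The following is an added example (not part of the Blumira documentation or of any AWS SDK) that generates both documents from a region, account id and role name, and runs those two checks before you call `aws iam create-role` and `aws iam put-role-policy`. The optional stream-ARN scoping with the single `kinesis:PutRecord` action is this example's tightening of the page's `kinesis:*` on `"*"` statement, not something the page prescribes; the stream name and account values are placeholders.

```python
"""Added example, not part of the Blumira documentation or of any AWS SDK:
builds TrustPolicyForCWLToKinesis.json and
PermissionPolicyForCWLToDataStream.json from parameters and checks them
before they are handed to the AWS CLI.

Assumptions: the CloudWatch Logs service principal is
logs.<region>.amazonaws.com (as in the page's file); kinesis:PutRecord on
the destination stream is a sufficient, narrower replacement for
kinesis:* on "*". Account ids and stream names below are placeholders.
"""
import json
from typing import List, Optional

PAGE_ROLE_NAME = "BlumiraCWLtoKinesisDataStreamRole"        # from the page
PAGE_POLICY_NAME = "PermissionPolicyForCWLToDataStream"     # from the page


def trust_policy(region: str) -> dict:
    """TrustPolicyForCWLToKinesis.json with the region substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": {"Service": "logs.%s.amazonaws.com" % region},
            "Action": "sts:AssumeRole",
        },
    }


def permission_policy(account_id: str, role_name: str,
                      stream_arn: Optional[str] = None) -> dict:
    """PermissionPolicyForCWLToDataStream.json. Without stream_arn this is
    the page's document (kinesis:* on *); with it, the Kinesis statement is
    scoped to one stream and the single action a subscription filter needs
    (assumption: kinesis:PutRecord)."""
    if stream_arn is None:
        kinesis_stmt = {"Effect": "Allow", "Action": ["kinesis:*"], "Resource": ["*"]}
    else:
        kinesis_stmt = {"Effect": "Allow", "Action": ["kinesis:PutRecord"],
                        "Resource": [stream_arn]}
    return {
        "Statement": [
            kinesis_stmt,
            {
                "Effect": "Allow",
                "Action": ["iam:PassRole"],
                "Resource": ["arn:aws:iam::%s:role/%s" % (account_id, role_name)],
            },
        ]
    }


def _as_list(value):
    # IAM allows a single string/object or a list in most positions.
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> List[str]:
    """One message per Allow statement that grants a wildcard action
    (e.g. kinesis:*) on the wildcard resource "*"."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a.endswith("*") for a in actions) and "*" in resources:
            findings.append("statement %d: %s allowed on all resources" % (i, actions))
    return findings


def trust_policy_region(policy: dict) -> str:
    """Region named in the logs.<region>.amazonaws.com principal, so it can
    be compared with the region the log groups were created in."""
    service = _as_list(policy["Statement"])[0]["Principal"]["Service"]
    return service.split(".")[1]


if __name__ == "__main__":
    region, account = "us-west-2", "123455312345"   # page's placeholder values
    stream = "arn:aws:kinesis:%s:%s:stream/blumira-stream" % (region, account)  # constructed
    with open("TrustPolicyForCWLToKinesis.json", "w") as fh:
        json.dump(trust_policy(region), fh, indent=2)
    with open(PAGE_POLICY_NAME + ".json", "w") as fh:
        json.dump(permission_policy(account, PAGE_ROLE_NAME, stream), fh, indent=2)
    print("trust policy region:", trust_policy_region(trust_policy(region)))
    print("broad statements, page policy:", audit_policy(permission_policy(account, PAGE_ROLE_NAME)))
    print("broad statements, scoped policy:", audit_policy(permission_policy(account, PAGE_ROLE_NAME, stream)))
```

Run it once per region you onboard and diff the generated files against what you are about to upload; a trust policy whose region differs from the log group's region is the usual cause of a subscription filter that creates successfully but never delivers records.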
Now that you have configured AWS CloudWatch for Blumira, continue to the next step in configuring AWS for Blumira – configuring AWS VPC Flow Logs.