Configuring AWS to Send Log Data to TOS

Overview

SecureTrack provides visibility into inbound and outbound traffic through Last Hit information for AWS Security Group rules. To retrieve this data, SecureTrack must access AWS VPC Flow Logs from either CloudWatch logs, or local or centralized S3 buckets.

The process to configure AWS to send log data to TOS includes:

  • Setting up IAM permissions for CloudWatch or S3 in AWS accounts

  • Configuring flow logs for AWS EC2 instances

  • Configuring device settings in SecureTrack

IAM Policy and Permissions in AWS EC2

Create or update SecureTrack IAM roles with the required permissions for CloudWatch and S3.

CloudWatch Permissions

Grant read-only access to CloudWatch logs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

S3 Bucket Permissions

Allow read-only access to single or multiple S3 buckets.

Replace your-log-bucket-name with the name of the actual bucket to which the user needs access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-log-bucket-name",
        "arn:aws:s3:::your-log-bucket-name/*"
      ]
    }
  ]
}
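The two policies above are the least-privilege baseline for the SecureTrack role; a role that carries broader S3 or CloudWatch grants still works, but it silently gives the log collector more access than it needs. The following checker is an added example (not Tufin's or AWS's code) that loads a policy document and reports any Allow statement that exceeds the templates: it flags actions outside the listed read-only set (including s3:* or *), S3 access not scoped to the named log bucket, and a missing bucket-level or object-level ARN. The bucket name example-flow-logs and the sample policies are constructed for the demo.

```python
import json

# Actions the SecureTrack role needs, per the CloudWatch and S3 policies above.
READ_ONLY_LOGS = {"logs:DescribeLogGroups", "logs:DescribeLogStreams",
                  "logs:GetLogEvents", "logs:FilterLogEvents"}
READ_ONLY_S3 = {"s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def check_securetrack_policy(policy_json, log_bucket):
    """Return findings where an Allow statement exceeds the read-only templates.
    An empty list means only template actions are granted and every S3 grant is
    scoped to log_bucket (bucket ARN for ListBucket, object ARN for GetObject)."""
    bucket_arn = f"arn:aws:s3:::{log_bucket}"
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"stmt {i}: NotAction/NotResource grants more than listed")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        extra = actions - READ_ONLY_LOGS - READ_ONLY_S3  # catches "*", s3:*, s3:PutObject
        if extra:
            findings.append(f"stmt {i}: actions beyond read-only template: {sorted(extra)}")
        if any(a == "*" or a.startswith("s3:") for a in actions):
            off_target = resources - {bucket_arn, bucket_arn + "/*"}
            if off_target:
                findings.append(f"stmt {i}: S3 access not scoped to {log_bucket}: {sorted(off_target)}")
            if "s3:ListBucket" in actions and bucket_arn not in resources:
                findings.append(f"stmt {i}: s3:ListBucket needs the bucket ARN itself")
            if "s3:GetObject" in actions and bucket_arn + "/*" not in resources:
                findings.append(f"stmt {i}: s3:GetObject needs the object ARN {bucket_arn}/*")
    return findings


# Constructed sample: the S3 policy above with the bucket placeholder filled in.
GOOD_S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-flow-logs", "arn:aws:s3:::example-flow-logs/*"]}]})

# Constructed sample of a common over-grant: full S3 access to every bucket.
WIDE_S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("template", GOOD_S3_POLICY), ("over-broad", WIDE_S3_POLICY)):
        print(name, check_securetrack_policy(doc, "example-flow-logs") or "OK")
```

The CloudWatch template passes unchanged because its "Resource": "*" applies only to logs actions; the scoping checks run only when a statement grants S3 (or wildcard) actions.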

Prerequisites for AWS in SecureTrack

AWS accounts in SecureTrack

  • Import the relevant VPC(s) into TOS for usage analysis.

  • Ensure the correct AWS account is monitored in SecureTrack.

See Monitoring Amazon AWS Cloud Platform.

Cross-account logging for S3 buckets

If the S3 bucket is not in the same AWS account as the VPC/ENIs, ensure the correct cross-account permissions are granted:

  • The SecureTrack IAM role must have permission to read from it.

  • The flow log service must have permission to write to the S3 bucket.

Configure Flow Log Collection for AWS EC2

Follow the steps below to enable SecureTrack to retrieve usage data from the AWS devices it monitors.

Step 1: AWS - Identify ENIs Associated with EC2 instance

Identify the Elastic Network Interfaces (ENIs) associated with the monitored EC2 instances.

  1. Log in to AWS and open the EC2 console.

  2. From the left navigation pane, select Instances.

  3. Select the required instance from the list.

  4. In the Networking tab, expand Network Interfaces to view the ENIs.

  5. Select the Interface ID.

Step 2: AWS - Create Flow log and Define Settings

Create a flow log and define its settings, including the destination as either CloudWatch or S3. Only those settings relevant to SecureTrack are specified here.

  1. In the Networking tab, scroll down to Flow logs.

  2. Select Create flow log.

  3. Define the flow log settings:

    1. Name: Descriptive name for the flow log.

    2. Filter: SecureTrack monitors only accepted traffic.

    3. Destination:

      • For CloudWatch, select Send to CloudWatch logs.

      • For S3, select Send to S3 bucket.

    4. One of the following:

      • For CloudWatch, select a valid Destination log group.

      • For S3, select a valid S3 bucket.

Step 3: Configure Flow Log Collection in SecureTrack

Set up AWS EC2 devices in SecureTrack to retrieve usage data from CloudWatch or S3 flow logs. SecureTrack processes only valid .gz log files, and skips empty or malformed files.

If S3 is not explicitly configured for the device, SecureTrack defaults to CloudWatch logs.

  1. Verify that all the Prerequisites for AWS in SecureTrack are completed.

  2. Select SecureTrack > Monitoring > Manage Devices.

  3. In Usage Analysis, select Collect traffic logs for rule usage analysis.

  4. Optional. For S3 flow logs only:

    1. Below Proxy, select Enable S3 flow logs.

    2. To enable cross-account S3 access, select S3 Centralized Account.