Skip to content

AWS Cloudtrail

If you already have your Cloud Trail configured, please skip to the “Creating a New SQS” section.

Creating a Cloud Trail configuration#

  1. Access your AWS Console and select the Cloud Trail service.

  2. Click Create trail

  3. Enter the name you want to provide for this trail in the Trail Name field.

  4. Select Enable for all accounts in my organization if you have multiple accounts.

  5. Select either Create a New Bucket or Use existing S3 bucket to store Cloud Trail logs.

  6. Copy and save the bucket name. You will need it for configuration.

  7. Provide KMS Key Alias details if encryption needs to be turned on, else uncheck the box.

  8. Accept all defaults and click Next.

  9. Select the following for log events: Management Events, Data Events

  10. Scroll Down and add Data event source for the following:

    • S3
    • Lambda
    • DynmoDB

  11. Click Next.

  12. Review the configurations and click Create Trail.

Creating a new SQS #

  1. Search for the SQS service and select Create Queue.

  2. Select the Standard queue.

  3. Enter a name for the SQS queue.

  4. Select Advanced from Access policy.

  5. Copy the following JSON code and paste it in Access Policy:

    s

    json
    {
    "Version": "2012-10-17",
    "Id": "arn:aws:sqs:<AWS Region>:<AWS Account Number>:<SQS Queue Name>",
    "Statement": [{
        "Sid": "Sid1591029198479",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "SQS:*",
        "Resource": "arn:aws:sqs:<AWS Region>:<AWS Account Number>:<SQS Queue Name>",
        "Condition": {
            "ArnLike": {
                "aws:SourceArn": "<S3 Bucket ARN>"
            }
        }
    }
    ]
}

  6. Replace the information in angle brackets with your AWS region, AWS account number, SQS queue name, and S3 bucket ARN.

  7. Click Create Queue.

You will need to provide the SQS URL and region to SolCyber.

Events notification on S3 bucket to SQS #

  1. Select the bucket where AWS Cloud Trail data is archived and click Properties.

  2. Copy and secure S3 Bucket Name and Region for the bucket.

  3. Scroll down to the B/Event Notifications/B widget.

  4. Click Create Events Notifications.

  5. Provide the name for the notification in the Event name field and select Put for Events.

  6. Select the destination as SQS queue and select the SQS queue created in the previous step.

  7. Click Save.

You will need to provide the S3 bucket name and region to SolCyber.

Authorizing the IAM user #

  1. Create an IAM service account to use for Securonix log ingestion. You may already have one if you have previously configured Guard Duty logs for Securonix.
  2. Select the user and attach the following AWS managed policies to the user:
    • AmazonSQSFullAccess
    • AmazonS3ReadOnlyAccess
  3. Copy and save the following information of the user:
    • Secret
    • Access Key ID

You will need to provide the IAM user access key ID and secret to SolCyber.