
Overview

This topic only applies to Armor Anywhere users.

You can use this document to learn how to collect and view CloudTrail logs in the Armor Management Portal (AMP). 

At a high level, to collect CloudTrail logs, you must:

  • Order the Host Log Collector add-on product from the Log & Data Management screen in AMP
  • Add your AWS account in the Cloud Connections screen in AMP
  • Create an S3 bucket and policy in the AWS console
  • Set up CloudTrail in the AWS console

To complete this topic, you will need to access both AMP and the AWS console.



Step 1: Order Log Relay for host log collection

For additional information regarding Log Relay, including pricing information, see Collect host-based logs through Log Relay (Armor Anywhere).

To order Log Relay for host log collection, open a support ticket.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Support.
  2. Click Tickets + Notifications.
  3. Click the plus ( + ) icon.
    • If you do not see the plus ( + ) icon, then click Create a Ticket.
  4. In Subject, enter Order Host Log Collector (Log Relay).
  5. In Description, enter additional information to help Armor Support provision this product.
  6. Click Create Ticket.

You can also order host log collection via the Post Log Depot (Activate) API call.


Step 2: Add your AWS account

For additional information regarding the Cloud Connections screen, see Cloud Connections.

In this step, you will access both the Armor Management Portal (AMP) and the AWS console.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Account.
  2. Click Cloud Connections.
  3. On the right side, click the plus ( + ) icon. 
  4. In Account Name, enter a descriptive name. 
  5. In Description, enter a short description. 
  6. In Services, mark CloudTrail Log Ingestion.
  7. In IAM Role, copy the External ID. You will need this information at a later step. 
    • The External ID and Armor's AWS Account Number fields are pre-populated. 
    • Armor will generate an External ID for every new Cloud Connection. 
    • In a later step, you will locate the information to complete the AWS IAM Role.
  8. Access the AWS console. 
  9. Under Security, Identity & Compliance, click IAM
  10. In the left-side navigation, click Roles
  11. Click Create new role
  12. Under Select role type, mark Role for cross-account access
  13. Click Select for Provide access between your AWS account and a 3rd party AWS account.
  14. In Account ID, enter 679703615338
  15. In External ID, paste the External ID you copied earlier from the Armor Management Portal (AMP). 
  16. Make sure Require MFA is not marked. 
  17. Click Next Step
  18. Locate and mark the SecurityAudit policy. 
  19. Click Next Step
  20. In Role name, enter a descriptive name. 
  21. In Role description, enter a useful description. 
  22. Click Create role
  23. Click the newly created role. 
  24. Under Summary, copy the Role ARN information. 
  25. Return to the Cloud Connections screen in AMP. 
  26. Paste the Role ARN information into the IAM Role ARN field. 
  27. Click Save
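
The role created above trusts Armor's AWS account only when the caller presents the External ID from AMP, which is what keeps another party from using the same Role ARN. The following check is an added example, not Armor's code: it audits a trust policy document against steps 14 and 15, and the function names, the sample policy and the `EXAMPLE-EXTERNAL-ID` placeholder are assumptions made for illustration.

```python
ARMOR_ACCOUNT_ID = "679703615338"  # Account ID entered in step 14
EXPECTED_PRINCIPAL = f"arn:aws:iam::{ARMOR_ACCOUNT_ID}:root"

def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, external_id):
    """Return findings for a role trust policy; an empty list means it matches Step 2."""
    findings = []
    allows = [s for s in as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in as_list(v)]
        else:
            principals = [principal]  # e.g. the bare string "*"
        if principals != [EXPECTED_PRINCIPAL]:
            findings.append(f"unexpected principal(s): {principals}")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"unexpected action(s): {stmt.get('Action')}")
        external = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external is None:
            findings.append("missing sts:ExternalId condition")
        elif as_list(external) != [external_id]:
            findings.append("sts:ExternalId differs from the value shown in AMP")
    return findings

# Constructed sample: the trust policy shape assumed for the role from Step 2.
# "EXAMPLE-EXTERNAL-ID" is a placeholder, not a real Armor External ID.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST_POLICY, "EXAMPLE-EXTERNAL-ID"))
```

To audit the real role, pass in the JSON returned by `aws iam get-role --role-name <your-role> --query Role.AssumeRolePolicyDocument`.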


Step 3: Create an S3 bucket and policy

  1. Access the landing page for the AWS console. 
  2. Under Security, Identity & Compliance, select IAM
  3. In the left-side navigation, click Roles
  4. Click the role you created in Step 2: Add your AWS Account
  5. Click Attach Policy
  6. Locate and mark AmazonS3ReadOnlyAccess
  7. Click Attach Policy
  8. Return to the landing page for the AWS console. 
  9. Under Storage, click S3
  10. Click Create bucket.
  11. In Bucket name, enter a descriptive name. 
    • Copy this information. You will need the name of this bucket in a later step. 
  12. In Region, select US East (N. Virginia).
  13. Click Next
  14. Click Next again. 
  15. Click Next again. 
  16. Click Create bucket
  17. Click the newly created bucket. 
  18. Click the Properties tab. 
  19. Click Events
  20. Click Add Notification
  21. In Name, enter a descriptive name. 
    • Armor recommends that you enter ArmorLogDepotCloudTrail
  22. In Events, mark ObjectCreate (All).
  23. In Send To, select SNS Topic.
  24. In SNS, select Add SNS topic ARN
  25. In SNS topic ARN, enter: arn:aws:sns:us-east-1:679703615338:aa4-cloudtrail-ingest0
  26. Click Save
  27. Click the Permissions tab. 
  28. Click Bucket Policy
  29. Enter the policy below. 
    • For Resource, replace YOUR-S3-BUCKET-NAME-HERE with the name of your newly created S3 bucket. 
    • Based on your particular account, you may already see text populated in the field. Be sure to replace the appropriate lines with the policy below. 

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Stmt1484862598875",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::679703615338:root"
                  },
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::YOUR-S3-BUCKET-NAME-HERE/*"
              }
          ]
      }

  30. Click Save
    • If you do not receive an error message, then the policy was correctly saved. 
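
The console accepts the bucket policy even when the placeholder bucket name is left in or when other statements in the field are wider than intended, so a clean save does not confirm the grant. The following check is an added example, not Armor's code: it audits a bucket policy against step 29 while leaving statements for other principals alone, and the function names and the `example-cloudtrail-logs` bucket name are assumptions made for illustration.

```python
ARMOR_PRINCIPAL = "arn:aws:iam::679703615338:root"  # Principal in the step 29 policy

def as_list(value):
    """Normalise a string-or-list policy field to a list."""
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy, bucket):
    """Return findings for a bucket policy; an empty list means it matches step 29."""
    findings = []
    armor_grants = 0
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in as_list(v)]
        else:
            principals = [principal]
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal")
        if ARMOR_PRINCIPAL not in principals:
            continue  # statement for another principal; not audited here
        armor_grants += 1
        if as_list(stmt.get("Action", [])) != ["s3:GetObject"]:
            findings.append(f"{sid}: Armor grant is not exactly s3:GetObject")
        if as_list(stmt.get("Resource", [])) != [f"arn:aws:s3:::{bucket}/*"]:
            findings.append(f"{sid}: Resource is not arn:aws:s3:::{bucket}/*")
    if armor_grants == 0:
        findings.append("no statement grants the Armor account access")
    return findings

def page_policy(bucket):
    """The policy from step 29 with the given bucket name substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Stmt1484862598875",
            "Effect": "Allow",
            "Principal": {"AWS": ARMOR_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }

if __name__ == "__main__":
    # Constructed bucket name; the placeholder left in place is reported.
    print(audit_bucket_policy(page_policy("YOUR-S3-BUCKET-NAME-HERE"), "example-cloudtrail-logs"))
```

To audit the live bucket, parse the JSON string returned by `aws s3api get-bucket-policy --bucket <your-bucket> --query Policy --output text` and pass it in.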

Step 4: Set up CloudTrail

  1. Access the landing page for the AWS console.  
  2. Under Management Tools, click CloudTrail
  3. In the left-side navigation, click Trails
  4. Click Add new trail
  5. In Trail name, enter a descriptive name. 
  6. For Apply trail to all regions, mark Yes
  7. Under Storage location, for Create a new S3 bucket, mark No
  8. Next to S3 bucket, select the S3 bucket you created in Step 3: Create an S3 bucket and policy.
  9. Click Create

(Optional) Step 5: View CloudTrail logs

For additional information regarding the Log Management screen, see Log Management.

You can use the Log & Data Management screen in the Armor Management Portal (AMP) to view your CloudTrail logs. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click Search
  4. Next to Filter by, select AWS CloudTrails


