Topics Discussed

To configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Delete Log Management 
  • Read Log Endpoints 
  • Write Log Endpoints 

You can use this document to collect and send AWS VPC Flow Logs to Armor's Security Information & Event Management (SIEM). 

For details about support for AWS Enriched VPC Flow Logs, contact Armor Support


Pre-Deployment Considerations


Before you begin, review the following requirements. 

Prerequisites

  • Armor Account ID


AMP Permissions

Your Armor Management Portal (AMP) account must have the following permissions: 

  • Delete Log Management 
  • Read Log Endpoints 
  • Write Log Endpoints

To learn more about permissions in AMP, see Roles and Permissions


Flow Source

A flow source is required in order to ingest flow data in the Armor SIEM. The flow source will be dedicated to your flow data. You will not be charged until data begins to flow into the Armor SIEM.

Complete the following steps here to enable flow collection for your account. 

Webhook Tagging

To learn more about Webhook Tagging for Flow logs, see the article here.

AWS account permissions (policies)

Your AWS service account must have full access to AWS CloudWatch.

Your individual AWS user account must have full access to the following AWS features: 

  • AWS VPC
  • AWS Lambda
  • AWS CloudWatch
  • AWS CloudFormation


AWS Components

The AWS components that will be used are: 

  •  S3 
  • IAM
  • Lambda
  • VPC Flow Logs 

Armor does not provide support for using AWS CloudFormation to set up AWS VPC Flow Log resources in AWS GovCloud (US).


Configure the AWS VPC Flow Log CloudFormation Stack Template


You can use these instructions to collect and send logs from a single VPC Flow Log.

  1. Login into the AWS console.
  2. Go to the CloudFormation service.
  3. Click Create stack

    The CloudFormation template used to implement the integration deploys a lambda function outside of a VPC. If the template is modified to deploy the armor-vpc-flow-lambda-... lambda function in a VPC, the https://1d.log.armor.com:5443 endpoint will need to be made accessible.

  4. In the AWS console, in the top menu, on the right side, select the desired region for log collection. 
  5. In Specify an Amazon S3 template URL, input the following link: https://s3-us-west-2.amazonaws.com/logs.armor.com/log-relay-aws-vpc-flows/log-relay-aws-vpc-flows.yaml
  6. Click Next
  7. In Stackname, enter a descriptive name. 
    1. This name must begin with a letter, and can only contain letters, numbers, and hyphens.
  8. (Optional) In KmsKeyStack, enter the customer KMS key stack (if applicable).
    1. By default, the logs will be stored in s3 with AES256 encryption.
  9. In RetentionInDays, enter the number of days to retain the log files in the S3 bucket.
    1. By default, Armor has configured 3 days; set to 0 to keep logs until manually removed.
  10. In TenantId, enter your Armor account number.
    1. This can be found in the AccountOverview section of your AMP account.
  11. In TrafficType, select the type of traffic to log:
    1. ALL - Capture all traffic (default); recommended
    2. Accept - Capture the VPC accepted traffic
    3. Reject - Capture the VPC rejected traffic  
  12. In VpcId, select the ID of the VPC for which the flow log will be relayed. 
    1. Select all VPC IDs for this account (within the account's region) that you would like to ingest.
       

  13. Click Next
  14. Click Next
  15. At the bottom of the screen, mark the box to accept the terms, and then click Create.
  16. (Optional) Click the Refresh button to see the status of the stack creation.
  17. You can verify that the stack was created successfully on the Resources

Following successful deployment of the CloudFormation stack, the collected AWS VPC Flow Logs are visible from Log Search on average in 15 minutes and up to 30 minutes.

Verify Connection in AMP


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management, and then select Search.
  3. In the Source column, review the source name to locate the newly created AWS VPC Flow Log remote log source.
    1. In the search field, you can also enter the AWS acccount ID to locate AWS VPC Flow Log messages.


Edit a Stack 


This section only applies to single stacks, not stack sets. 

Currently, Armor's AWS CloudFormation template does not support updates. If you want to update your stack, then you must delete the remote log source, and then create a new one with your desired updates.? 



Migrate from Log Relay 

The Armor Log Relay is no longer required to collect and monitor AWS VPC Flow Logs. Deploying a stack using the most recent CloudFormation template will provision a new integration that sends logs directly to Armor. 





Was this helpful?
Your Rating: Results: 1 Star2 Star3 Star4 Star5 Star 17 rates