To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

You can use this document to collect and send AWS GuardDuty logs to Armor's Security Information & Event Management (SIEM).


Pre-Deployment Considerations


Before you begin, review the following requirements:

AWS Account Information

You must be able to retrieve or create the following information for your AWS service account:

  • AWS Account Number
  • AWS Access Key
  • AWS Secret Key

This action will be described in a later step. 


AWS Account Permissions (Policies)

Your AWS service account must have full access to AWS CloudWatch.

Your individual AWS user account must have full access to the following AWS features: 

  • AWS GuardDuty
  • AWS Lambda
  • AWS CloudWatch
  • AWS CloudFormation


AMP Permissions

Your Armor Management Portal (AMP) account must have the following permissions: 

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

To learn more about permissions in AMP, see Roles and Permissions.


Supported AWS GuardDuty Regions

Armor's SIEM supports the following AWS GuardDuty regions: 

  • Asia Pacific Northeast-1
  • Asia Pacific Northeast-2
  • Asia Pacific South-1
  • Asia Pacific Southeast-1
  • Asia Pacific Southeast-2
  • Canada Central-1
  • China North-1
  • Europe Central-1
  • Europe West-1
  • Europe West-2
  • South America East-1
  • US East-1
  • US East-2
  • US West-1
  • US West-2

Armor does not provide support for using AWS CloudFormation to set up AWS GuardDuty resources in AWS GovCloud (US).


Log Relay

For remote log collection, you must have Log Relay added to your account. To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection.


Update Your AWS Permissions


Based on the status of your AWS service account (existing or non-existing), review the appropriate option.  

According to AWS, "An IAM user is a resource in IAM that has associated credentials and permissions. An IAM user can represent a person or an application that uses its credentials to make AWS requests. This is typically referred to as a service account."


Option 1: For existing AWS service accounts

Your AWS service account must have full access to AWS CloudWatch.

Your individual AWS user account must have full access to the following AWS features: 

  • AWS GuardDuty
  • AWS Lambda
  • AWS CloudWatch
  • AWS CloudFormation

To update your AWS policies (permissions), attach the following JSON policy document to the service account. It grants only read-style CloudWatch Logs actions, and only on the Armor_GuardDuty_Log_Group log group and its streams:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group",
                "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group:*",
                "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group:*:*"
            ],
            "Effect": "Allow"
        }
    ]
}
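As an added check that is not part of Armor's documentation: the policy above embedded in a small Python matcher (a simplified model of IAM evaluation, not the real engine), used to confirm that the policy grants read actions on Armor_GuardDuty_Log_Group and nothing on other log groups or for write/delete actions. The account number and log-stream names are constructed placeholders.

```python
import fnmatch

# The policy from this page, as a Python dict so the check runs offline.
ARMOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:Describe*", "logs:Get*", "logs:List*", "logs:StartQuery",
                   "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents"],
        "Resource": ["arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group",
                     "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group:*",
                     "arn:aws:logs:*:*:log-group:Armor_GuardDuty_Log_Group:*:*"],
    }],
}

# Constructed sample ARNs; 123456789012 is a placeholder account, not a real one.
ARMOR_GROUP = "arn:aws:logs:us-east-1:123456789012:log-group:Armor_GuardDuty_Log_Group"
ARMOR_STREAM = ARMOR_GROUP + ":log-stream:2024/01/01/findings"
OTHER_GROUP = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/payments"


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive in IAM; resource ARNs are compared as-is."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified identity-policy decision: an explicit Deny wins, otherwise the
    request is allowed only if some Allow statement matches action AND resource.
    (NotAction, Condition, resource policies and SCPs are not modelled here.)"""
    allowed = False
    for stmt in policy["Statement"]:
        if (_matches(stmt.get("Action", []), action, True)
                and _matches(stmt.get("Resource", []), resource, False)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def least_privilege_report(policy):
    """(read actions granted on the Armor stream, write actions blocked on the group):
    the two properties to confirm before attaching this policy to the service account."""
    reads = ["logs:FilterLogEvents", "logs:GetLogEvents", "logs:DescribeLogStreams"]
    writes = ["logs:DeleteLogGroup", "logs:PutLogEvents", "logs:PutRetentionPolicy"]
    return ([a for a in reads if is_allowed(policy, a, ARMOR_STREAM)],
            [a for a in writes if not is_allowed(policy, a, ARMOR_GROUP)])
```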


Option 2: For non-existing AWS service accounts

If you do not have an AWS service account, then you can create one using an Armor-generated CloudFormation template, which already includes the necessary permissions (policies).

AWS is in the process of updating the screens in their AWS console. As a result, there are two versions of the AWS CloudFormation screen; however, this step is compatible with both views.

  1. Click the following link to create a service account in AWS:
  2. Click Next
  3. Click Next
  4. Click Next
  5. At the bottom of the screen, mark the box to accept the terms, and then click Create stack or Create.
    • The service account will take a few minutes to create; you may need to refresh the screen to see account updates. 
    • Note the name of the newly created service account. 


Retrieve Your AWS Credentials


Access your AWS console to gather the following information for your service account: 

  • AWS account number / account ID
  • AWS Access Key
  • AWS Secret Key

In a later step, you will add this information to your Armor Management Portal (AMP) account. 

  1. In your AWS console, access the IAM section. 
  2. In the left-side window, click Users


  3. Locate and select the service account. 
    • If you created a service account using Armor's template, then select the armor_service_account user name. 


  4. Click Security credentials
  5. Click Create access key.
  6. In the window that appears, copy your Access key ID and Secret access key. You will enter these keys in AMP in a later step. 

To learn more about your keys, especially how to create a key, please visit AWS's documentation site.


Create A Remote Log Source Type


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click External Sources
    • If this screen is blank, then click Let's Get Started
  4. Click the plus ( + ) icon. 
    • If you do not have any log sources already created, then click Add a New Log Source
  5. Complete the missing fields: 
    • In Endpoint, use the drop-down menu to select an already-configured endpoint.  
    • In Log Source Type, click Amazon GuardDuty
    • By default, Hostname will be populated; however, the Hostname will change after you enter your AWS credentials.
    • By default, Protocol will be populated. 
  6. Enter your AWS information.
    • In AWS Account Number, paste the AWS account number for your service account. You must remove any dashes or hyphens ( - ). 
    • In AWS Access Key and AWS Secret Key, enter the key information for your service account. 
  7. Under AWS Regions, click Select All Regions
    • For best practices, Armor and AWS recommend that you select every region. 
  8. Click Save Log Source



  9. In the window that appears, click the link to directly access your AWS account with Armor's CloudFormation stackset or stack template already imported. 


Configure the AWS GuardDuty CloudFormation StackSet Template for Multiple Regions


You can use these instructions to collect and send logs from multiple regions to AMP.

If you only want to send logs from one region, then see (Optional) Step 5: Configure the AWS GuardDuty CloudFormation Stack Template.

  1. In the AWS console, in Amazon S3 URL, verify that the displayed link is: https://s3-us-west-2.amazonaws.com/logs.armor.com/guard-duty-forwarding/setup-guard-duty-forwarding.yml
  2. Click Next
  3. (Optional) In StackSet name, enter a descriptive name for the StackSet. 
    • This name must begin with a letter, and can only contain letters, numbers, and hyphens.
  4. (Optional) In Log Retention In Days, specify the number of days to maintain logs.   
    • By default, Armor has configured 3 days. 
  5. Click Next
  6. In Deploy stacks in accounts, enter the AWS account number for the AWS service account.
    • This is the same AWS service account number that you previously entered in AMP.
    • You must remove any dashes or hyphens ( - ). 
  7. Under Specify regions, under Available regions, click Add all
  8. Click Next
  9. Click Next
  10. At the bottom of the screen, mark the box to accept the terms, and then click Create
  11. Skip Step 5, and proceed to Step 6


(Optional) Configure the AWS GuardDuty CloudFormation Stack Template for a Single Region


You can use these instructions to collect and send logs from a single region to AMP; however, Armor recommends that you configure your AWS account to send logs from multiple regions, as described in Step 4: Configure the AWS GuardDuty CloudFormation StackSet for Multiple Regions.  

AWS is in the process of updating the screens in their AWS console. As a result, there are two versions of the AWS CloudFormation screen.

Review the following table to understand your particular view, and then review the appropriate option. 

View        Sample Image
Old View    [screenshot of the old CloudFormation view; image not reproduced here]
New View    [screenshot of the new CloudFormation view; image not reproduced here]

Option 1: Old View

  1. In the AWS console, in the top menu, on the right side, select the desired region. 


  2. In Specify an Amazon S3 template URL, verify that the displayed link is: https://s3-us-west-2.amazonaws.com/logs.armor.com/guard-duty-forwarding/setup-guard-duty-forwarding.yml 


  3. Click Next
  4. (Optional) In Stack name, enter a descriptive name for the stack. 
    • This name must begin with a letter, and can only contain letters, numbers, and hyphens.
  5. (Optional) In Log Retention In Days, specify the number of days to maintain logs.   
    • By default, Armor has configured 3 days. 


  6. Click Next
  7. (Optional) If required by your organization, under Tags, add your organization's tags to the CloudFormation deployment.
  8. (Optional) If required by your organization, under Permissions, in the drop-down menu, select IAM role ARN, and then in the corresponding field, enter AWSCloudFormationStackSetExecutionRole


  9. Click Next
  10. At the bottom of the screen, mark the box to accept the terms, and then click Create.


Option 2: New View 

  1. In the AWS console, in the top menu, on the right side, select the desired region for log collection. 


  2. In Amazon S3 URL, verify that the displayed link is: https://s3-us-west-2.amazonaws.com/logs.armor.com/guard-duty-forwarding/setup-guard-duty-forwarding.yml 


  3. Click Next
  4. (Optional) In Stack name, enter a descriptive name. 
    • This name must begin with a letter, and can only contain letters, numbers, and hyphens.
  5. (Optional) In Number of days AWS GuardDuty Findings will be retained inside of AWS Log Group, specify the number of days to maintain logs. 
    • By default, Armor has configured 3 days. 
  6. Click Next
  7. Click Next
  8. At the bottom of the screen, mark the box to accept the terms, and then click Create stack


Verify Connection in AMP


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management, and then select External Sources.
  3. Locate the newly created remote log source. 
  4. Under Last Event, verify that a recent activity took place. 
    • This status will indicate that the configurations were successful. 
    • After you update your AWS account, it may take 30 minutes for AMP to display the updates.  

Additionally, you can view the actual logs to confirm that the configuration was successful. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management, and then select Search.
    • If Log & Data Management does not appear, then click Log Management, and then select Search
  3. In the search field, enter your AWS account number surrounded by asterisk ( * ) wildcards.
    • For example, you can enter *123456789123*
    • This action will display the collected AWS GuardDuty logs. 

Troubleshooting

If you are having issues adding a remote collector for an AWS GuardDuty remote device, consider the following possible causes: 

  • You do not have the proper permissions in AWS.
  • You entered the AWS account information for an incorrect AWS service account. 
    • If you have multiple AWS accounts, especially child or organization accounts, you must verify that you added the service account information for the correct service account.


Edit a Stack 


This section only applies to single stacks, not stack sets. 

Currently, in AMP, you cannot edit an existing stack. If you want to update your stack, then you must delete the remote log source, and then create a new one with your desired updates. 

