To learn more about Out-of-the-box Integrations and their benefits, please refer to
this article.
In this article, you will find out how to configure Amazon Web Services (AWS) to pull and collect data from your network in the form of logs, and have it sent to Lumu to be analyzed to improve the monitoring & response capabilities of your organization.
Requirements
-
AWS valid license with CloudWatch configured and Route53
-
An active Lumu Defender/Lumu Insights subscription
This integration will rely on pulling log data from Amazon CloudWatch. To do this, you will need to implement a new flow log from the desired Virtual Private Cloud (VPC). In this section, you will find how to complete this procedure.
IAM Role User to Publish Logs
CloudWatch Log Group Creation
To send logs from your VPCs, you will need at least one CloudWatch log group. If you haven’t created one yet, just refer to the
following article about working with log groups
. Once created, it should be visible on your CloudWatch log groups section.
Route 53 Query Logging Setup
Another requirement for this integration to function properly is
to set up a query logger in your Route 53 options
. Please remember to choose the CloudWatch Logs log group as Query log destination and to add the VPCs that you wish to monitor while completing this procedure.
Once done, you should see something similar to the image below:
You should see new logs in your log group at CloudWatch
Create an IAM Role User to Retrieve Logs
The following step is creating an IAM role user with read-only access to the specified log group in CloudWatch Logs. First, we need to
create the new role.
In this step, we highly recommend that you create a policy limiting the log stream groups that should be monitored by Lumu to read-only. This is an example of the JSON for this sort of policy:
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FetchLogGroup",
"Effect": "Allow",
"Action": [
"logs:FilterLogEvents"
],
"Resource": [
"arn:aws:logs:::log-group::log-stream:*",
"arn:aws:logs:::log-group:"
],
"Condition": {
"StringEquals": {
"aws:username": ""
}
}
}
]
}
Once the role has been created, you must assign the newly created IAM role to a user, you can assign it to an already existing user or create a new user specifically for it; however, this user should have only the privileges required to pull CloudWatch logs. Now, we need to
retrieve the AWS user credentials. Once obtained, save these credentials and keep them in a secure location, you will need them to set up the integration on the Lumu Portal later.
Optional Step: IAM Role User Credentials Testing Script
You may use the following python script to test whether the IAM role user has enough permissions to retrieve data from CloudWatch after finishing the setup:
-
LOG_GROUP, orderBy="LastEventTime", descending=True, limit=10
from datetime import datetime, timezone, timedelta
import boto3
def to_milliseconds(date):
return int(date.timestamp() * 1000)
ACCESS_KEY = '---'
SECRET_KEY = '---'
REGION_NAME = '---'
LOG_GROUP = '---'
client = boto3.client('logs', region_name=REGION_NAME,
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY)
paginator = client.get_paginator('filter_log_events')
now = datetime.now(timezone.utc)
ago = now - timedelta(minutes=5)
all = paginator.paginate(logGroupName=LOG_GROUP, startTime=to_milliseconds(ago),
endTime=to_milliseconds(now),
PaginationConfig={'PageSize': 10})
first = next(all.__iter__())
print(first['events'])
print(first['nextToken'])
After the script runs flawlessly, the events in the result should look as follows:
-
{
"logStreamName":"vpc-id",
"timestamp":1688652549000,
"message":"{\"version\":\"1.100000\",\"account_id\":\"account\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-id\",\"query_timestamp\":\"2023-07-06T14:09:09Z\",\"query_name\":\"activity.lumu.io.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"172.67.70.87\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"source_ip\",\"srcport\":\"source_port\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"instance_id\"}}",
"ingestionTime":1688652561985,
"eventId":"event_id"
}
Add Integration
To start collecting data from Amazon Web Services, it is necessary to configure the Lumu integration using the values obtained in the first section of this article. Here, you will find instructions on how to configure each of these parameters.
1. Log in to your Lumu account through the
Lumu Portal and navigate to the integrations screen.
2. Locate the Amazon Web Services Data Collection integration in the available apps area and click to add it. Then click to view details.
3. You may want to familiarize yourself with the integration details available in the app description. Now, click the button below to add the integration.
4. Assign an identifiable name to the integration. By default, this integration will be tagged as unlabeled activity; however, you can select a label of your preference for additional visibility.
It is always recommended to assign a label to organize and categorize the traffic of your organization. To learn more, refer to
our article about Labels.
5. Add the AWS client credentials: ID and Secret, the region of your VPC, and the CloudWatch log group name. These parameters were obtained in the steps of the Configure AWS section. Now select “
Activate
”.
6. The integration is now created and active. You can find the integration and some additional details by going to the Configured Apps section and looking for the available apps.