AWS Out-of-the-Box Data Collection Integration

AWS Out-of-the-Box Data Collection Integration


To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.
In this article, you will find out how to configure Amazon Web Services (AWS) to pull and collect data from your network in the form of logs, and have it sent to Lumu to be analyzed to improve the monitoring & response capabilities of your organization.

Requirements

  1. AWS valid license with CloudWatch configured and Route53
  2. An active Lumu Defender/Lumu Insights subscription 

Configure AWS

This integration will rely on pulling log data from Amazon CloudWatch. To do this, you will need to implement a new flow log from the desired Virtual Private Cloud (VPC). In this section, you will find how to complete this procedure. 

IAM Role User to Publish Logs

The first step is creating an IAM role user with sufficient permissions to publish logs to the specified log group in CloudWatch Logs. To learn more about this procedure, refer to the official documentation article by Amazon Web Services provided here .

CloudWatch Log Group Creation

To send logs from your VPCs, you will need at least one CloudWatch log group. If you haven’t created one yet, just refer to the following article about working with log groups . Once created, it should be visible on your CloudWatch log groups section.



Route 53 Query Logging Setup

Another requirement for this integration to function properly is to set up a query logger in your Route 53 options . Please remember to choose the CloudWatch Logs log group as Query log destination and to add the VPCs that you wish to monitor while completing this procedure.
Once done, you should see something similar to the image below:

You should see new logs in your log group at CloudWatch

Create an IAM Role User to Retrieve Logs

The following step is creating an IAM role user with read-only access to the specified log group in CloudWatch Logs. First, we need to create the new role.
In this step, we highly recommend that you create a policy limiting the log stream groups that should be monitored by Lumu to read-only. This is an example of the JSON for this sort of policy:
  1. 
{
	"Version": "2012-10-17",
	"Statement": [
    	{
        	"Sid": "FetchLogGroup",
        	"Effect": "Allow",
        	"Action": [
            	"logs:FilterLogEvents"
        	],
        	"Resource": [
            	"arn:aws:logs:::log-group::log-stream:*",
            	"arn:aws:logs:::log-group:"
        	],
        	"Condition": {
            	"StringEquals": {
                	"aws:username": ""
            	}
        	}
    	}
	]
}
Once the role has been created, you must assign the newly created IAM role to a user, you can assign it to an already existing user or create a new user specifically for it; however, this user should have only the privileges required to pull CloudWatch logs. Now, we need to retrieve the AWS user credentials. Once obtained, save these credentials and keep them in a secure location, you will need them to set up the integration on the Lumu Portal later.

Optional Step: IAM Role User Credentials Testing Script

You may use the following python script to test whether the IAM role user has enough permissions to retrieve data from CloudWatch after finishing the setup:
It’s necessary to install the boto3 AWS SDK to use this script. 
  1. 
LOG_GROUP, orderBy="LastEventTime", descending=True, limit=10

from datetime import datetime, timezone, timedelta

import boto3

def to_milliseconds(date):
	return int(date.timestamp() * 1000)

ACCESS_KEY = '---'
SECRET_KEY = '---'
REGION_NAME = '---'
LOG_GROUP = '---'

client = boto3.client('logs', region_name=REGION_NAME,
                  	aws_access_key_id=ACCESS_KEY,
                  	aws_secret_access_key=SECRET_KEY)
paginator = client.get_paginator('filter_log_events')

now = datetime.now(timezone.utc)
ago = now - timedelta(minutes=5)

all = paginator.paginate(logGroupName=LOG_GROUP, startTime=to_milliseconds(ago),
                     	endTime=to_milliseconds(now),
                     	PaginationConfig={'PageSize': 10})

first = next(all.__iter__())
print(first['events'])
print(first['nextToken'])
After the script runs flawlessly, the events in the result should look as follows: 
  1. 
{
   "logStreamName":"vpc-id",
   "timestamp":1688652549000,
   "message":"{\"version\":\"1.100000\",\"account_id\":\"account\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-id\",\"query_timestamp\":\"2023-07-06T14:09:09Z\",\"query_name\":\"activity.lumu.io.\",\"query_type\":\"A\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"172.67.70.87\",\"Type\":\"A\",\"Class\":\"IN\"}],\"srcaddr\":\"source_ip\",\"srcport\":\"source_port\",\"transport\":\"UDP\",\"srcids\":{\"instance\":\"instance_id\"}}",
   "ingestionTime":1688652561985,
   "eventId":"event_id"
}

Add Integration

To start collecting data from Amazon Web Services, it is necessary to configure the Lumu integration using the values obtained in the first section of this article. Here, you will find instructions on how to configure each of these parameters.
1. Log in to your Lumu account through the Lumu Portal and navigate to the integrations screen.
2. Locate the Amazon Web Services Data Collection integration in the available apps area and click to add it. Then click to view details.
3. You may want to familiarize yourself with the integration details available in the app description. Now, click the button below to add the integration.
4. Assign an identifiable name to the integration. By default, this integration will be tagged as unlabeled activity; however, you can select a label of your preference for additional visibility. 
It is always recommended to assign a label to organize and categorize the traffic of your organization. To learn more, refer to our article about Labels.
5. Add the AWS client credentials: ID and Secret, the region of your VPC, and the CloudWatch log group name. These parameters were obtained in the steps of the Configure AWS section. Now select “ Activate ”. 
6. The integration is now created and active. You can find the integration and some additional details by going to the Configured Apps section and looking for the available apps.
    Still can’t find an answer?
    Send a message to our experts.
    Contact Us

        • Related Articles

        • Kubernetes (K8s) Out-of-the-box Data Collection Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. In this article, you will find out how to configure your Kubernetes cluster to record and collect DNS data from your cluster network and have it sent to ...

        • Cloudflare - S3 Compatible Storage Custom Data Collection Integration

          In this article, you will find out how to configure your Cloudflare Enterprise subscription and the Lumu Custom Data Collection integration to pull, transform, and inject the DNS Gateway logs recorded by Cloudflare into Lumu to enhance the detection ...

        • Netskope Out-of-the-Box Data Collection Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. Configure Netskope Next Gen Secure Web Gateway 1. Log in to your Netskope UI. 2. Navigate to Event Streaming . Following the next path Settings > Tools ...

        • Google Cloud Platform VPC Out-of-the-box Data Collection Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. In this article, you will find out how to configure Google Cloud Platform (GGP) VPC to pull and collect data from your network in the form of logs, and ...

        • Cato Networks Custom Data Collection Integration

          In this article, you will find out how to configure your Cato Networks subscription and its Lumu Custom Data Collection integration to pull, transform, and inject the FW logs recorded by Cato Networks into Lumu to enhance the detection & response ...