Collect AWS Control Tower logs

Supported in:

This document explains how to ingest AWS Control Tower logs to Google Security Operations. AWS Control Tower enables governance, compliance, and security monitoring across multiple AWS accounts. This integration let you to analyze logs from AWS Control Tower for better visibility and security posture.

Before You Begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to AWS.

Configure Amazon S3 bucket

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket
  2. Save the bucket Name and Region for later use.
  3. Create a user following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for and select AmazonS3FullAccess and CloudWatchLogsFullAccess policies.
  18. Click Next.
  19. Click Add permissions.

Configure CloudTrail in AWS Control Tower

  1. Sign in to the AWS Management Console.
  2. Go to AWS Control Tower.
  3. In the search bar, type CloudTrail and select it from the services list.

  4. Click Create Trail to create a new trail.

  5. Specify Trail Settings:

    • Trail name: provide a meaningful name for the trail (for example, ControlTowerTrail).
    • Apply trail to all regions: ensure that you select Yes for Apply trail to all regions.
    • Management events: Ensure that Read/Write events are set to All..
    • Optional: Data events: enable S3 data events and Lambda data events to capture detailed data activity.
    • Optional: Log file validation: enable this to ensure that log files are not tampered with once they're stored.

  6. In the Event selector, choose to log Management events and Data events.

Configure CloudTrail to Send Logs to an S3 Bucket

  1. Go to the AWS IAM Console.
  2. Click Roles.
  3. Search for the role that CloudTrail uses AWSServiceRoleForCloudTrail (the role is automatically created when you set up CloudTrail).
  4. In the Permissions tab for the role, click Attach policies.
  5. Search for CloudTrailS3DeliveryPolicy.
  6. Select the checkbox next to the CloudTrailS3DeliveryPolicy policy.
  7. Click Attach policy.
  8. Go to the AWS CloudTrail Console.
  9. In the Storage location section, select S3 as the destination for log files.
  10. Select the S3 bucket you created earlier.
  11. Click Allow when prompted to grant CloudTrail permission to write logs to your chosen bucket.
  12. Review your settings and click Create (or Save changes if you're editing an existing trail).

Configure a feed in Google SecOps to ingest AWS Control Tower logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, AWS Control Tower Logs).
  4. Select Amazon S3 as the Source type.
  5. Select AWS Control Tower as the Log type.
  6. Click Next.

  7. Specify values for the following input parameters:

    • Region: the region where the Amazon S3 bucket is located.
    • S3 URI: the bucket URI.
      • s3://your-log-bucket-name/
        • Replace your-log-bucket-name with the actual name of the bucket.
    • URI is a: select Directory or Directory which includes subdirectories.

    • Source deletion options: select the deletion option according to your preference.

    • Access Key ID: the User access key with access to the S3 bucket.

    • Secret Access Key: the User secret key with access to the S3 bucket.

    • Asset namespace: the asset namespace.

    • Ingestion labels: the label to be applied to the events from this feed.

  8. Click Next.

  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log field UDM mapping Logic
awsAccountId target.user.group_identifiers The AWS account ID associated with the event.
digestPublicKeyFingerprint target.file.sha1 The fingerprint of the public key used to sign the digest.
digestPublicKeyFingerprint target.resource.attribute.labels.value The fingerprint of the public key used to sign the digest.
digestS3Bucket target.resource.name The name of the S3 bucket where the digest is stored.
digestS3Object target.file.full_path The path to the digest object in the S3 bucket.
digestSignatureAlgorithm network.tls.cipher The algorithm used to sign the digest.
digestSignatureAlgorithm target.resource.attribute.labels.value The algorithm used to sign the digest.
digestStartTime metadata.event_timestamp The start time of the digest period. Used as event time if eventTime is not available.
eventCategory security_result.category_details The category of the event.
eventID metadata.product_log_id The unique ID of the event.
eventName metadata.product_event_type The name of the event.
eventName security_result.summary The name of the event, used to generate the security result summary.
eventSource target.application The source of the event.
eventTime metadata.event_timestamp The time the event occurred.
eventType additional.fields.value.string_value The type of the event.
logFiles.hashValue about.file.sha256 The SHA-256 hash of the log file.
logFiles.s3Bucket about.resource.name The name of the S3 bucket where the log file is stored.
logFiles.s3Object about.file.full_path The path to the log file object in the S3 bucket.
previousDigestHashValue target.file.sha256 The SHA-256 hash of the previous digest.
recipientAccountId target.resource.attribute.labels.value The AWS account ID of the recipient of the event.
Records.awsRegion principal.location.name The AWS region where the event occurred.
Records.errorCode security_result.rule_id The error code, if any, associated with the request.
Records.errorMessage security_result.description The error message, if any, associated with the request.
Records.eventCategory security_result.category_details The category of the event.
Records.eventID metadata.product_log_id The unique ID of the event.
Records.eventName metadata.product_event_type The name of the event.
Records.eventName security_result.summary The name of the event, used to generate the security result summary.
Records.eventSource target.application The source of the event.
Records.eventTime metadata.event_timestamp The time the event occurred.
Records.eventType additional.fields.value.string_value The type of the event.
Records.requestID target.resource.attribute.labels.value The ID of the request.
Records.requestParameters.groupName target.group.group_display_name The name of the group, if any, associated with the request.
Records.requestParameters.userName src.user.userid The name of the user, if any, associated with the request.
Records.requestParameters.userName src.user.user_display_name The name of the user, if any, associated with the request.
Records.responseElements.ConsoleLogin security_action The result of the console login attempt.
Records.responseElements.ConsoleLogin security_result.summary The result of the console login attempt, used to generate the security result summary.
Records.sourceIPAddress principal.hostname The IP address of the principal. Used as hostname if not a valid IP.
Records.sourceIPAddress principal.ip The IP address of the principal.
Records.tlsDetails.cipherSuite network.tls.cipher The cipher suite used for the TLS connection.
Records.tlsDetails.tlsVersion network.tls.version The TLS version used for the connection.
Records.userAgent network.http.user_agent The user agent of the request.
Records.userIdentity.accessKeyId additional.fields.value.string_value The access key ID used for the request.
Records.userIdentity.accountId principal.user.group_identifiers The AWS account ID of the user.
Records.userIdentity.arn principal.user.attribute.labels.value The ARN of the user.
Records.userIdentity.arn target.user.userid The ARN of the user. Used as userid if userName is not available.
Records.userIdentity.principalId principal.user.product_object_id The principal ID of the user.
Records.userIdentity.sessionContext.attributes.mfaAuthenticated principal.user.attribute.labels.value Whether MFA was used for the request.
Records.userIdentity.sessionContext.sessionIssuer.userName principal.user.userid The username of the user who issued the session.
Records.userIdentity.type principal.resource.type The type of identity used for the request.
Records.userIdentity.userName target.user.userid The username of the user.
- extensions.auth.mechanism Set to "REMOTE".
- metadata.event_type Set to "STATUS_UPDATE", "USER_RESOURCE_ACCESS", "USER_LOGIN", or "GENERIC_EVENT" based on the eventName.
- metadata.log_type Set to "AWS_CONTROL_TOWER".
- metadata.product_name Set to "AWS Control Tower".
- metadata.vendor_name Set to "AWS".
- principal.asset.attribute.cloud.environment Set to "AMAZON_WEB_SERVICES".
- security_result.action Set to "ALLOW" or "BLOCK" based on the errorCode.
- security_result.severity Set to "INFORMATIONAL".

Changes

2024-03-17

  • Enhancement:
  • Mapped "req.userIdentity.arn" and "req.userIdentity.userName" to "target.user.userid".

2023-01-04

  • Enhancement:
  • Initialized variables to avoid replication of data in the For loop.

2022-12-15

  • Enhancement:
  • Mapped 'metadata.vendor_name' to 'AWS'.
  • Mapped 'metadata.product_name' to 'AWS Control Tower'.
  • Mapped 'metadata.event_type' to 'USER_LOGIN' when 'eventName' is 'ConsoleLogin'.
  • Mapped 'security_result.severity' to 'INFORMATIONAL' when 'eventName' is 'ConsoleLogin'.

2022-11-17

  • Enhancement:
  • Mapped 'req.userIdentity.userName' and 'req.userIdentity.sessionContext.sessionIssuer.userName' to 'target.user.id'.
  • Mapped 'ConsoleLogin:Success' to 'security_result.action'.
  • Mapped port information from 'sourceIPAddress' to 'principal.port'.

2022-10-31

  • Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.