Collect AWS Control Tower logs
==============================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by the [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

Last updated: 2025-09-04 (UTC).

This document explains how to ingest AWS Control Tower logs into Google Security Operations. AWS Control Tower provides governance, compliance, and security monitoring across multiple AWS accounts. Its activity is recorded by AWS CloudTrail, so this integration collects a CloudTrail trail that covers Control Tower, delivered through an Amazon S3 bucket and an Amazon SQS queue. Ingesting these logs lets you analyze Control Tower activity in Google SecOps for better visibility and a stronger security posture.

Before you begin
----------------

Ensure you have the following prerequisites:

- Google SecOps instance
- Privileged access to AWS

Configure Amazon S3 bucket
--------------------------

1. Create an **Amazon S3 bucket** following this user guide: [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html).
2. Save the bucket **Name** and **Region** for later use.
3. Create a user following this user guide: [Creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).
4. Select the created **User**.
5. Select the **Security credentials** tab.
6. Click **Create Access Key** in the **Access Keys** section.
7. Select **Third-party service** as the **Use case**.
8. Click **Next**.
9. Optional: add a description tag.
10. Click **Create access key**.
11. Click **Download CSV file** to save the **Access Key** and **Secret Access Key** for later use. The secret is shown only once; store it as you would any long-lived credential, because anyone holding it can read everything this user can.
12. Click **Done**.
13. Select the **Permissions** tab.
14. Click **Add permissions** in the **Permissions policies** section.
15. Select **Add permissions**.
16. Select **Attach policies directly**.
17. Search for and select the **AmazonS3FullAccess** and **CloudWatchLogsFullAccess** policies.
18. Click **Next**.
19. Click **Add permissions**.

| **Note:** Both managed policies grant far more than the feed uses: **AmazonS3FullAccess** allows every S3 action on every bucket in the account, while the feed only needs to read (and, if you later choose a deletion option, delete) objects in this one bucket and to receive and delete messages on the SQS queue it polls. Once the integration works, consider replacing them with a customer managed policy scoped to that bucket and queue.

Configure CloudTrail in AWS Control Tower
-----------------------------------------
1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/).
2. Go to **AWS Control Tower**.
3. In the search bar, type **CloudTrail** and select it from the **services list**.
4. Click **Create Trail** to create a new trail.

   | **Note:** If you already have a trail, you can modify it to capture Control Tower activities instead of creating a new one.
5. Specify the trail settings:

   - **Trail name**: Provide a meaningful name for the trail (for example, **ControlTowerTrail**).
   - **Apply trail to all regions**: Select **Yes**. Control Tower acts across regions, and a single-region trail silently misses management events recorded elsewhere.
   - **Management events**: Ensure that **Read/Write** events are set to **All**.
   - Optional: **Data events**: Enable S3 data events and Lambda data events to capture detailed data activity. Data events can be high volume; scope them to the resources you need.
   - Optional: **Log file validation**: Enable this so that CloudTrail also delivers signed digest files, which let you detect log files that were modified or deleted after delivery.
6. In the **Event** selector, choose to log **Management events** and **Data events**.

How to configure CloudTrail
---------------------------

1. Go to the AWS IAM Console.
2. Click **Roles**.
3. Search for the role that **CloudTrail** uses, `AWSServiceRoleForCloudTrail` (the role is created automatically when you set up CloudTrail).
4. In the **Permissions** tab for the role, click **Attach policies**.
5. Search for `CloudTrailS3DeliveryPolicy`.
6. Select the checkbox next to the `CloudTrailS3DeliveryPolicy` policy.
7. Click **Attach policy**.
8. Go to the AWS **CloudTrail** Console.
9. In the **Storage location** section, select **S3** as the destination for log files.
10. Select the **S3 bucket** you created earlier.
11. Click **Allow** when prompted to grant CloudTrail permission to write logs to your chosen bucket. This adds a bucket policy that lets the `cloudtrail.amazonaws.com` service principal write objects to the bucket.
12. Review your settings and click **Create** (or **Save changes** if you're editing an existing trail).

Set up feeds
------------

There are two different entry points to set up feeds in the Google SecOps platform:

- **SIEM Settings > Feeds > Add New**
- **Content Hub > Content Packs > Get Started**

How to set up the AWS Control Tower feed
----------------------------------------

1. Click the **Amazon Cloud Platform** pack.
2. Locate the **AWS Control Tower** log type.
3. Specify the values in the following fields.

   - **Source Type**: Amazon SQS V2
   - **Queue Name**: The SQS queue name to read from.
   - **S3 URI**: The bucket URI.
     - `s3://your-log-bucket-name/`
     - Replace `your-log-bucket-name` with the actual name of your S3 bucket.
   - **Source deletion options**: Select the deletion option according to your ingestion preferences.

     | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted the appropriate permissions to the service account.
   - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.
   - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.
   - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.

   **Advanced options**

   - **Feed Name**: A prepopulated value that identifies the feed.
   - **Asset Namespace**: Namespace associated with the feed.
   - **Ingestion Labels**: Labels applied to all events from this feed.
4. Click **Create feed**.

| **Note:** The Amazon SQS V2 source type does not list the bucket. It reads S3 event notifications from the queue and fetches each object the notification names, so the bucket must publish object-created notifications to that queue, and the access key must be allowed to receive and delete messages on the queue in addition to reading the bucket.

| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.
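The following Python script is an added example; it is not part of the Google SecOps page and not Google or AWS tooling. It reproduces offline what the Amazon SQS V2 source type does with the pipeline configured above: CloudTrail writes gzipped `{"Records": [...]}` objects to the bucket, S3 publishes an event notification for each new object to the SQS queue, and the feed fetches the named object and unpacks its records. The bucket name, account ID, object keys, notification bodies and CloudTrail records are all constructed; `controltower.amazonaws.com` is the event source CloudTrail uses for Control Tower API calls. The example also handles three things a practitioner meets on this path: the `s3:TestEvent` message S3 sends when the notification is first configured, notifications for other buckets arriving on a shared queue, and digest objects, which carry hashes rather than events.

```python
"""Added example (not from the Google SecOps page): the path the Amazon SQS V2
source type consumes. CloudTrail writes gzipped {"Records": [...]} objects to
the S3 bucket, S3 publishes an event notification per object to the SQS queue,
and the feed fetches each named object. Reproduced offline on constructed data."""
import gzip
import json
import re
import urllib.parse

FEED_S3_URI = "s3://your-log-bucket-name/"  # assumed feed setting, placeholder name

# Key layout CloudTrail uses for log objects; organization trails insert an
# "o-xxxx/" prefix after "AWSLogs/". Digest objects (CloudTrail-Digest/) do not
# match and are skipped: they carry hashes of log files, not events.
CLOUDTRAIL_KEY = re.compile(
    r"^AWSLogs/(?:o-[a-z0-9]+/)?\d{12}/CloudTrail/[a-z0-9-]+/\d{4}/\d{2}/\d{2}/"
    r"\d{12}_CloudTrail_[a-z0-9-]+_\d{8}T\d{4}Z_[A-Za-z0-9]+\.json\.gz$")


def bucket_from_uri(uri):
    """'s3://bucket/prefix/' -> 'bucket'; rejects anything that is not an S3 URI."""
    parsed = urllib.parse.urlparse(uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an S3 URI: {uri}")
    return parsed.netloc


def log_keys_from_notification(body, expected_bucket):
    """CloudTrail log keys announced by one SQS message body.

    Skips the s3:TestEvent S3 publishes when the notification is first set up,
    non-create events, other buckets (a shared queue would otherwise be a
    cross-account ingestion path) and keys that are not CloudTrail log objects.
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return []
    keys = []
    for rec in msg.get("Records", []):
        if rec.get("eventSource") != "aws:s3" or not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        if rec["s3"]["bucket"]["name"] != expected_bucket:
            continue
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        if CLOUDTRAIL_KEY.match(key):
            keys.append(key)
    return keys


def records_from_object(blob):
    """Decompress one CloudTrail log object and return its event records."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))["Records"]


def control_tower_events(records):
    """Keep Control Tower API activity only (eventSource controltower.amazonaws.com)."""
    return [r for r in records if r.get("eventSource") == "controltower.amazonaws.com"]


# --- Constructed sample data (not captured from a real account) ---
ACCOUNT = "111111111111"
LOG_KEY = (f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2025/09/04/"
           f"{ACCOUNT}_CloudTrail_us-east-1_20250904T1015Z_AbCdEf0123456789.json.gz")
DIGEST_KEY = (f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2025/09/04/"
              f"{ACCOUNT}_CloudTrail-Digest_us-east-1_2025-09-04T10-15-00Z.json.gz")
S3_TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                            "Bucket": "your-log-bucket-name"})


def s3_notification(bucket, *keys):
    """An S3 event notification body as it arrives on the SQS queue."""
    return json.dumps({"Records": [
        {"eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": bucket},
                "object": {"key": urllib.parse.quote_plus(k, safe="/"), "size": 512}}}
        for k in keys]})


def sample_log_object():
    """Gzipped CloudTrail batch: one Control Tower event and one EC2 event."""
    identity = {"type": "AssumedRole", "accountId": ACCOUNT,
                "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Admin/alice"}
    base = {"eventVersion": "1.08", "awsRegion": "us-east-1", "recipientAccountId": ACCOUNT,
            "sourceIPAddress": "203.0.113.10", "userIdentity": identity}
    records = [dict(base, eventTime="2025-09-04T10:15:02Z", eventName="EnableControl",
                    eventSource="controltower.amazonaws.com"),
               dict(base, eventTime="2025-09-04T10:15:09Z", eventName="DescribeInstances",
                    eventSource="ec2.amazonaws.com")]
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


if __name__ == "__main__":
    bucket = bucket_from_uri(FEED_S3_URI)
    queue = [S3_TEST_EVENT,                                     # first poll after setup
             s3_notification("someone-elses-bucket", LOG_KEY),  # wrong bucket, dropped
             s3_notification(bucket, DIGEST_KEY, LOG_KEY)]      # digest skipped, log kept
    objects = {LOG_KEY: sample_log_object()}  # stands in for S3 GetObject
    for body in queue:
        for key in log_keys_from_notification(body, bucket):
            for ev in control_tower_events(records_from_object(objects[key])):
                print(ev["eventTime"], ev["eventName"], ev["userIdentity"]["arn"], ev["sourceIPAddress"])
```

Running the script prints only the `EnableControl` event: the test message and the foreign-bucket notification are dropped, the digest key is ignored, and the EC2 record is filtered out. The bucket check matters in practice because an SQS queue accepts notifications from any bucket whose policy targets it, so a feed that trusts the key alone can be fed objects from a bucket you do not control.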
For more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).

UDM Mapping Table
-----------------

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)