[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eThis guide outlines how to ingest AWS Key Management Service (KMS) logs into Google Security Operations for monitoring and auditing encryption key usage.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves configuring an Amazon S3 bucket and IAM user in AWS, creating a CloudTrail trail for AWS KMS, and setting up a feed in Google SecOps to pull the AWS logs from the S3 bucket.\u003c/p\u003e\n"],["\u003cp\u003eTo set up a feed in Google SecOps, you will need the S3 bucket details (region and URI), along with the access key ID and secret access key of the AWS IAM user with S3 permissions.\u003c/p\u003e\n"],["\u003cp\u003eThe data from the AWS KMS logs are mapped to UDM fields, such as principal location, security result details, product event type, resource identifiers, and user information, among others.\u003c/p\u003e\n"],["\u003cp\u003eThis feature is covered by the Pre-GA Offerings Terms of Google Security Operations Service Specific Terms and may have limited support.\u003c/p\u003e\n"]]],[],null,["# Collect AWS Key Management Service logs\n=======================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest AWS Key Management Service (KMS) logs to Google Security Operations. AWS KMS is a fully managed service that lets you to create and control encryption keys used to encrypt your data. This integration helps in monitoring and auditing the usage of encryption keys.\n\nBefore you begin\n----------------\n\nEnsure you have the following prerequisites:\n\n- Google SecOps instance\n- Privileged access to AWS\n\nConfigure Amazon S3 and IAM\n---------------------------\n\n1. Create an **Amazon S3 bucket** following this user guide: [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html)\n2. Save the bucket **Name** and **Region** for later use.\n3. Create a user following this user guide: [Creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).\n4. Select the created **User**.\n5. Select the **Security credentials** tab.\n6. Click **Create Access Key** in the **Access Keys** section.\n7. Select **Third-party service** as the **Use case**.\n8. Click **Next**.\n9. Optional: add a description tag.\n10. Click **Create access key**.\n11. Click **Download CSV file** to save the **Access Key** and **Secret Access Key** for later use.\n12. Click **Done**.\n13. Select the **Permissions** tab.\n14. Click **Add permissions** in the **Permissions policies** section.\n15. Select **Add permissions**.\n16. Select **Attach policies directly**.\n17. Search for and select the **AmazonS3FullAccess** policy.\n18. Click **Next**.\n19. Click **Add permissions**.\n\nHow to configure CloudTrail for AWS KMS\n---------------------------------------\n\n1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/).\n2. In the search bar, type and select **CloudTrail** from the services list.\n3. Click **Create trail**.\n4. Provide a **Trail name** (for example, **KMS-Activity-Trail**).\n5. Select the **Enable for all accounts in my organization** checkbox.\n6. Type the S3 bucket URI created earlier (the format should be: `s3://your-log-bucket-name/`), or create a new S3 bucket.\n7. If SSE-KMS enabled, provide a name for **AWS KMS alias** , or choose an **existing AWS KMS Key**.\n8. You can leave the other settings as default.\n9. Click **Next**.\n10. Select **Management events** and **Data events** under **Event Types**.\n11. Click **Next**.\n12. Review the settings in **Review and create**.\n13. Click **Create trail**.\n14. Optional: if you created a new bucket, continue with the following process:\n 1. Go to **S3**.\n 2. Identify and select the newly created log bucket.\n 3. Select the folder **AWSLogs**.\n 4. Click **Copy S3 URI** and save it.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the AWS Key Management Service feed\n-------------------------------------------------\n\n1. Click the **Amazon Cloud Platform** pack.\n2. Locate the **AWS Key Management Service** log type.\n3. Specify the values in the following fields.\n\n - **Source Type**: Amazon SQS V2\n - **Queue Name**: The SQS queue name to read from\n - **S3 URI** : The bucket URI.\n - `s3://your-log-bucket-name/`\n - Replace `your-log-bucket-name` with the actual name of your S3 bucket.\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.\n\n - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.\n\n - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace**: Namespace associated with the feed.\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
