Collect AWS Macie logs

This document explains how to ingest AWS Macie logs to Google Security Operations. AWS Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data. This integration will allow you to send Macie logs to Google SecOps for enhanced analysis and monitoring.

Before You Begin

• Ensure that you have a Google SecOps instance.
• Ensure that you have privileged access to AWS.

Configure Amazon S3 and IAM

1. Create an Amazon S3 bucket following this user guide: Creating a bucket
2. Save the bucket Name and Region for later use.
3. Create a user following this user guide: Creating an IAM user.
4. Select the created User.
5. Select the Security credentials tab.
6. Click Create Access Key in the Access Keys section.
7. Select Third-party service as the Use case.
8. Click Next.
9. Optional: add a description tag.
10. Click Create access key.
11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
12. Click Done.
13. Select the Permissions tab.
14. Click Add permissions in the Permissions policies section.
15. Select Add permissions.
16. Select Attach policies directly.
17. Search for and select the AmazonS3FullAccess policy.
18. Click Next.
19. Click Add permissions.

Optional: Configuring AWS Macie

1. Sign in to the AWS Management Console.
2. In the search bar, type and select Macie from the services list.
3. Click Create job.
4. Create a new bucket or proceed with the existing one.
5. Add Schedule job.
6. Select all Managed Data Identifiers.
7. Skip Select Custom Data Identifiers and click Next.
8. Skip Select Allow list and click Next.
9. Provide a meaningful name and description.
10. Click Next.
11. Review and click Submit.

Configure CloudTrail for AWS Macie

1. Sign in to the AWS Management Console.

2. In the search bar, type and select CloudTrail from the services list.

3. If you want to proceed with a new trail, click Create trail.

4. Provide a Trail name (for example, Macie-Activity-Trail).

5. Select the Enable for all accounts in my organization checkbox.

6. Type the S3 bucket URI created earlier (the format should be: s3://your-log-bucket-name/), or create a new S3 bucket.

7. If SSE-KMS is enabled, provide a name for AWS KMS alias, or choose an existing AWS KMS Key.

8. You can leave the other settings as default.

9. Click Next.

10. Select Management events and Data events under Event Types.

11. Click Next.

12. Review the settings in Review and create.

13. Click Create trail.

14. Optional: if you created a new bucket, continue with the following process:

    1. Go to S3.
    2. Identify and select the newly created log bucket.
    3. Select the folder AWSLogs.
    4. Click Copy S3 URI and save it.

Configure a feed in Google SecOps to ingest AWS Macie logs

1. Go to SIEM Settings > Feeds.
2. Click Add new.
3. In the Feed name field, enter a name for the feed (for example, AWS Macie Logs).
4. Select Amazon S3 as the Source type.
5. Select AWS Macie as the Log type.
6. Click Next.

7. Specify values for the following input parameters:

   • Region: the region where the Amazon S3 bucket is located.
   • S3 URI: the bucket URI.
     • s3://your-log-bucket-name/
       • Replace your-log-bucket-name with the actual name of the bucket.
   • URI is a: select Directory or Directory which includes subdirectories.

   • Source deletion options: select the deletion option according to your preference.

   • Access Key ID: the User access key with access to the S3 bucket.

   • Secret Access Key: the User secret key with access to the S3 bucket.

   • Asset namespace: the asset namespace.

   • Ingestion labels: the label to be applied to the events from this feed.

8. Click Next.

9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Changes

2022-08-08

• Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.