# Collect AWS S3 server access logs
=================================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

Last updated: 2025-09-04 (UTC)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to collect AWS S3 server access logs by setting up a Google Security Operations feed. The parser extracts fields using grok patterns, handles potential JSON input, and maps the extracted fields to the UDM. It performs data transformations, type conversions, and conditional logic based on the presence and values of specific fields to ensure an accurate UDM representation.

Before you begin
----------------

Ensure you have the following prerequisites:

- Google SecOps instance
- Privileged access to AWS

How to configure AWS S3 server access logging
---------------------------------------------

Google SecOps supports log collection using Amazon S3 through Amazon SQS.

1. Sign in to the **AWS Management** console.
2. Access the Amazon S3 console.
3. Go to **Amazon S3 > Buckets**.
4. Select an existing bucket or create a new one.
5. Click **Properties**.
6. In the **Server access logging** section, click **Edit**.
7. Select **Enable**.
8. In the **Target bucket** field, enter a name for the new bucket to send the log record objects to, or select an existing bucket as the target.

| **Note:** Your target bucket cannot have server access logging enabled. You can deliver logs to any bucket you own in the same region as the source bucket. However, it is not recommended to use the original source bucket.

9. Click **Save changes**.
10. To create the SQS queue for the S3 bucket, configure an Amazon SQS instance with the S3 storage. For more information, see [Configuring a bucket for notifications (SNS topic or SQS queue)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html).

| **Note:** IAM user and KMS key policies are required for Amazon S3, AWS KMS, and Amazon SQS.
| **Note:** For more information, see [Using IAM policies with AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html).

Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:

- For information about any logging source, see [AWS Identity and Access Management endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/iam-service.html).
- For information about S3 logging sources, see [Amazon Simple Storage Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/s3.html).
- For information about SQS logging sources, see [Amazon Simple Queue Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/sqs-service.html).

Set up feeds
------------

There are two different entry points to set up feeds in the Google SecOps platform:

- **SIEM Settings > Feeds > Add New**
- **Content Hub > Content Packs > Get Started**

How to set up the AWS S3 Service Access feed
--------------------------------------------

1. Click the **Amazon Cloud Platform** pack.
2. Locate the **AWS S3 Service Access** log type.
3. Google SecOps supports log collection using an access key ID and secret method. To create the access key ID and secret, see [Configure tool authentication with AWS](https://docs.aws.amazon.com/powershell/latest/userguide/creds-idc.html).
4. Specify the values in the following fields.

   - **Source Type**: Amazon SQS V2
   - **Queue Name**: The SQS queue name to read from
   - **S3 URI**: The bucket URI.
     - `s3://your-log-bucket-name/`
     - Replace `your-log-bucket-name` with the actual name of your S3 bucket.
   - **Source deletion options**: Select the deletion option according to your ingestion preferences.

     | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.

   - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.
   - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.
   - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.

   **Advanced options**

   - **Feed Name**: A prepopulated value that identifies the feed.
   - **Asset Namespace**: Namespace associated with the feed.
   - **Ingestion Labels**: Labels applied to all events from this feed.

5. Click **Create feed**.

| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.

For more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).

UDM Mapping Table
-----------------
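The parser described at the top of this page extracts fields from each record with grok patterns, converts types, and maps the result to UDM with conditional logic on the presence and values of specific fields. The following Python is an added example, not the Google SecOps parser or its mapping table: it tokenises Amazon S3 server access log records in their documented field order (a bracketed time; quoted request URI, referer and user agent; `-` for an absent value), turns the counters into integers and the time into a datetime, and places the results under UDM-style paths. The UDM field names, the event-type choice per operation verb and the `security_result` entries are assumptions made for illustration, and the two records are constructed samples using documentation-reserved addresses and the AWS example account ID.

```python
"""Parse Amazon S3 server access log records and map them to UDM-style fields.

Added example for this page; not the Google SecOps parser. The UDM-style
field names below are assumptions for illustration, not the product's mapping.
"""
from __future__ import annotations

import json
import re
from datetime import datetime
from typing import Any

# Documented field order of an S3 server access log record. Fields added to the
# format over time sit at the end, so an older record may simply stop early.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time_ms", "turnaround_time_ms",
    "referer", "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
    "access_point_arn", "acl_required",
]
INT_FIELDS = {"http_status", "bytes_sent", "object_size",
              "total_time_ms", "turnaround_time_ms"}

# One token is a [bracketed] time, a "quoted" string, or a bare word.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Event type chosen from the verb inside the operation field
# (REST.GET.OBJECT -> GET). Assumed mapping for this example.
VERB_EVENT_TYPES = {
    "GET": "USER_RESOURCE_ACCESS", "HEAD": "USER_RESOURCE_ACCESS",
    "PUT": "USER_RESOURCE_UPDATE_CONTENT", "POST": "USER_RESOURCE_UPDATE_CONTENT",
    "DELETE": "USER_RESOURCE_DELETION",
}

# Constructed sample records (documentation-reserved IPs, AWS example account).
SAMPLE_LINES = [
    # Anonymous GET that was served: the object was readable without credentials.
    '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef examplebucket '
    '[04/Sep/2025:10:15:42 +0000] 192.0.2.3 - 3E57427F3EXAMPLE REST.GET.OBJECT '
    'reports/q3.csv "GET /examplebucket/reports/q3.csv HTTP/1.1" 200 - 1024 1024 '
    '12 9 "-" "curl/8.4.0" - ExampleHostId0123456789/abcdefghijklmnop= - '
    'ECDHE-RSA-AES128-GCM-SHA256 - examplebucket.s3.us-east-1.amazonaws.com '
    'TLSV1.2 - Yes',
    # Authenticated PUT denied by policy.
    '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef examplebucket '
    '[04/Sep/2025:10:16:05 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/ci-deploy '
    '7D3A9F1EXAMPLE REST.PUT.OBJECT build/app.tar.gz '
    '"PUT /examplebucket/build/app.tar.gz HTTP/1.1" 403 AccessDenied - - 3 - "-" '
    '"aws-cli/2.15.0" - ExampleHostId0123456789/abcdefghijklmnop= SigV4 '
    'ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.us-east-1.amazonaws.com '
    'TLSV1.2 - -',
]


def parse_s3_access_log_line(line: str) -> dict[str, Any]:
    """Split one record into typed fields: '-' becomes None, counters become int,
    the time becomes an aware datetime; trailing fields a record lacks are absent."""
    record: dict[str, Any] = {}
    for name, tok in zip(FIELDS, TOKEN_RE.findall(line.strip())):
        if len(tok) >= 2 and (tok[0], tok[-1]) in (('"', '"'), ("[", "]")):
            tok = tok[1:-1]
        if tok == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(tok)
        elif name == "time":
            record[name] = datetime.strptime(tok, "%d/%b/%Y:%H:%M:%S %z")
        else:
            record[name] = tok
    return record


def is_anonymous_success(record: dict[str, Any]) -> bool:
    """True when a request with no requester was served with 2xx: the object was
    reachable without credentials, the signal to review ACLs and public-access settings."""
    status = record.get("http_status") or 0
    return record.get("requester") is None and 200 <= status < 300


def to_udm_like(record: dict[str, Any]) -> dict[str, Any]:
    """Place parsed fields under UDM-style paths (assumed names for the example)."""
    op_parts = (record.get("operation") or "").split(".")
    verb = op_parts[1] if len(op_parts) > 1 else ""
    method = ((record.get("request_uri") or "").split(" ", 2) + [""])[0]
    status = record.get("http_status") or 0
    event: dict[str, Any] = {
        "metadata": {
            "event_timestamp": record["time"].isoformat() if record.get("time") else None,
            "event_type": VERB_EVENT_TYPES.get(verb, "GENERIC_EVENT"),
            "product_event_type": record.get("operation"),
            "product_log_id": record.get("request_id"),
        },
        "principal": {
            "ip": [record["remote_ip"]] if record.get("remote_ip") else [],
            "user": {"userid": record.get("requester") or "anonymous"},
        },
        "target": {
            "hostname": record.get("host_header"),
            "resource": {"name": record.get("bucket")},
            "file": {"full_path": record.get("key")},
        },
        "network": {
            "http": {"method": method or None, "response_code": status or None,
                     "user_agent": record.get("user_agent")},
            "sent_bytes": record.get("bytes_sent"),
        },
        "security_result": [],
    }
    # Conditional logic on the status and error fields; these rules are the example's own.
    if status in (401, 403):
        event["security_result"].append(
            {"action": "BLOCK", "summary": record.get("error_code") or f"HTTP {status}"})
    elif record.get("error_code"):
        event["security_result"].append({"summary": record["error_code"]})
    if is_anonymous_success(record):
        event["security_result"].append(
            {"severity": "MEDIUM", "summary": "request served without authentication"})
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(json.dumps(to_udm_like(parse_s3_access_log_line(sample)), indent=2))
```

Running the module prints the two mapped events. Two points carry over to any parser for this format: the time, request URI, referer and user agent contain spaces and must be tokenised as bracketed or quoted units rather than split on whitespace, and records written before a field was added to the format end early, which the `zip` over `FIELDS` tolerates instead of failing. The `is_anonymous_success` check is the kind of condition worth alerting on from these logs, because a served request whose requester field is empty means the object was readable without any credentials.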