Collect AWS Session Manager logs

Supported in:

This document explains how to ingest AWS Session Manager logs to Google Security Operations. AWS Session Manager provides secure and auditable access to Amazon EC2 instances and on-premises servers. By integrating its logs into Google SecOps, you can enhance your security posture and track remote access events.

Before You Begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to AWS.

Configure AWS IAM and S3

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket
  2. Save the bucket Name and Region for later use.
  3. Create a user following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as the Use case.
  8. Click Next.
  9. Optional: add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for later use.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in the Permissions policies section.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for and select the AmazonS3FullAccess policy.
  18. Click Next.
  19. Click Add permissions.

Configure AWS Session Manager to Save Logs in S3

  1. Go to the AWS Systems Manager console.
  2. In the navigation pane, select Session Manager.
  3. Click the Preferences tab.
  4. Click Edit.
  5. Under S3 logging, select the Enable checkbox.
  6. Deselect the Allow only encrypted S3 buckets checkbox.
  7. Select an Amazon S3 bucket that has already been created in your account to store session log data.
  8. Enter the name of an Amazon S3 bucket that has already been created in your account to store session log data.
  9. Click Save.

Configure a feed in Google SecOps to ingest AWS Session Manager logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, AWS Session Manager Logs).
  4. Select Amazon S3 as the Source type.
  5. Select AWS Session Manager as the Log type.
  6. Click Next.

  7. Specify values for the following input parameters:

    • Region: the region where the Amazon S3 bucket is located.
    • S3 URI: the bucket URI.
      • s3://your-log-bucket-name/
        • Replace your-log-bucket-name with the actual name of the bucket.
    • URI is a: select Directory or Directory which includes subdirectories.

    • Source deletion options: select the deletion option according to your preference.

    • Access Key ID: the User access key with access to the S3 bucket.

    • Secret Access Key: the User secret key with access to the S3 bucket.

    • Asset namespace: the asset namespace.

    • Ingestion labels: the label to be applied to the events from this feed.

  8. Click Next.

  9. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field UDM Mapping Logic
--cid metadata.description Part of the description field when present in the log
--collector.filesystem.ignored-mount-points metadata.description Part of the description field when present in the log
--collector.vmstat.fields metadata.description Part of the description field when present in the log
--message-log metadata.description Part of the description field when present in the log
--name metadata.description Part of the description field when present in the log
--net metadata.description Part of the description field when present in the log
--path.procfs metadata.description Part of the description field when present in the log
--path.rootfs metadata.description Part of the description field when present in the log
--path.sysfs metadata.description Part of the description field when present in the log
-v /:/rootfs:ro metadata.description Part of the description field when present in the log
-v /proc:/host/proc metadata.description Part of the description field when present in the log
-v /sys:/host/sys metadata.description Part of the description field when present in the log
CID metadata.description Part of the description field when present in the log
ERROR security_result.severity Extracted from the log message using grok pattern matching.
falconctl metadata.description Part of the description field when present in the log
ip-1-2-4-2 principal.ip Extracted from the log message using grok pattern matching and converted to a standard IP address format.
ip-1-2-8-6 principal.ip Extracted from the log message using grok pattern matching and converted to a standard IP address format.
java target.process.command_line Extracted from the log message using grok pattern matching.
Jun13 metadata.event_timestamp.seconds Part of the timestamp field when present in the log, combined with month_date and time_stamp fields.
[kworker/u16:8-kverityd] target.process.command_line Extracted from the log message using grok pattern matching.
root principal.user.userid Extracted from the log message using grok pattern matching.
metadata.event_type Determined based on the presence and values of other fields:
- "STATUS_UPDATE" if src_ip is present.
- "NETWORK_CONNECTION" if both src_ip and dest_ip are present.
- "USER_UNCATEGORIZED" if user_id is present.
- "GENERIC_EVENT" otherwise.
metadata.log_type Set to "AWS_SESSION_MANAGER".
metadata.product_name Set to "AWS Session Manager".
metadata.vendor_name Set to "Amazon".
target.process.pid Extracted from the log message using grok pattern matching.

Changes

2023-06-14

  • Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.