This document explains how to ingest AWS VPC Transit Gateway flow logs to Google Security Operations using CloudWatch Logs and Kinesis Data Firehose. Transit Gateway flow logs capture detailed network traffic metadata across your Transit Gateway attachments. This integration streams these logs into Google SecOps for monitoring and security analytics.
Ingestion labels: the label applied to the events from this feed.
Click Next > Submit.
In the feed Details, click Generate Secret Key and copy the Secret Key.
Copy the Feed HTTPS endpoint URL from Endpoint Information.
In Google Cloud console > APIs & Services > Credentials > Create credentials > API key, create an API key and restrict it to Chronicle API. Copy the API key.
Configure Amazon Kinesis Data Firehose (Direct to Google SecOps)
In the AWS Console, go to Kinesis > Data Firehose > Create delivery stream.
Provide the following configuration details:
Source: Select Direct PUT or other sources.
Destination: Choose HTTP endpoint.
HTTP endpoint URL: Enter ENDPOINT_URL?key=API_KEY (use the Feed HTTPS endpoint URL and the API key from the previous step).
HTTP method: Select POST.
Access key: Paste the Secret Key generated in the feed.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-07 UTC."],[],[],null,["Collect AWS VPC Transit Gateway flow logs \nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest AWS VPC Transit Gateway flow logs to Google Security Operations using CloudWatch Logs and Kinesis Data Firehose. Transit Gateway flow logs capture detailed network traffic metadata across your Transit Gateway attachments. This integration streams these logs into Google SecOps for monitoring and security analytics.\n\nBefore you begin\n\nMake sure you have the following prerequisites:\n\n- Google SecOps instance\n- Privileged access to AWS\n\nEnable Transit Gateway flow logs (to CloudWatch logs)\n\n1. Sign in to the **AWS Console**\n2. Go to **VPC \\\u003e Transit gateways** (or **Transit gateway attachments**).\n3. Select the target resource(s).\n4. Click **Actions \\\u003e Create flow log**.\n5. Provide the following configuration details:\n - **Destination** : Select **Send to CloudWatch Logs**.\n - **Log group** : Choose or create a log group (for example, `/aws/tgw/flowlogs`).\n - **IAM role**: Select a role that can write to CloudWatch Logs.\n - **Maximum aggregation interval** : Choose **1 minute** (recommended) or **10 minutes**.\n - **Log record format** : Select **Default** (or **Custom** if you need additional fields).\n6. Click **Create flow log**.\n\nConfigure a Feed in Google SecOps to Ingest Transit Gateway Flow Logs\n\n1. Go to **SIEM Settings \\\u003e Feeds**.\n2. Click **+ Add New Feed**.\n3. In the **Feed name** field, enter `AWS Transit Gateway Flow Logs --- CloudWatch via Firehose`.\n4. Select **Amazon Data Firehose** as the **Source type**.\n5. Select **Amazon VPC Transit Gateway Flow Logs** as the **Log type**.\n6. Click **Next**.\n7. Specify values for the following input parameters:\n - **Split delimiter** : Optional `n`.\n - **Asset namespace** : the [asset namespace](/chronicle/docs/investigation/asset-namespaces).\n - **Ingestion labels**: the label applied to the events from this feed.\n8. Click **Next \\\u003e Submit**.\n9. In the feed **Details** , click **Generate Secret Key** and copy the **Secret Key**.\n10. Copy the **Feed HTTPS endpoint URL** from **Endpoint Information**.\n11. In **Google Cloud console \\\u003e APIs \\& Services \\\u003e Credentials \\\u003e Create credentials \\\u003e API key** , create an **API key** and **restrict it to Chronicle API** . Copy the **API key**.\n\nConfigure Amazon Kinesis Data Firehose (Direct to Google SecOps)\n\n1. In the **AWS Console** , go to **Kinesis \\\u003e Data Firehose \\\u003e Create delivery stream**.\n2. Provide the following configuration details:\n - **Source** : Select **Direct PUT or other sources**.\n - **Destination** : Choose **HTTP endpoint**.\n - **HTTP endpoint URL** : Enter `ENDPOINT_URL?key=API_KEY` (use the Feed HTTPS endpoint URL and the API key from the previous step).\n - **HTTP method** : Select **POST**.\n - **Access key**: Paste the Secret Key generated in the feed.\n - **Buffering hints** : Set **Buffer size** = **1 MiB** , **Buffer interval** = **60 seconds**.\n - **Compression** : Select **Disabled**.\n - **S3 backup** : Select **Disabled**.\n - Leave **retry** and **logging** settings as default.\n3. Click **Create delivery stream** . (Example name: `cwlogs-to-secops`)\n\nConfigure IAM Permissions and Subscribe the Log Group\n\n1. In the **AWS console** , go to **IAM \\\u003e Policies \\\u003e Create policy \\\u003e JSON tab**.\n2. Enter the following policy:\n\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"firehose:PutRecord\",\n \"firehose:PutRecordBatch\"\n ],\n \"Resource\": \"arn:aws:firehose:\u003cregion\u003e:\u003caccount-id\u003e:deliverystream/cwlogs-to-secops\"\n }\n ]\n }\n\n - Replace `\u003cregion\u003e` and `\u003caccount-id\u003e` with your AWS Region and account ID.\n3. Name the policy `CWLtoFirehoseWrite` and click **Create policy**.\n\n4. Go to **IAM \\\u003e Roles**.\n\n5. Click **Create role**.\n\n6. Select **Custom trust policy** and enter the following:\n\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"logs.\u003cyour-region\u003e.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n }\n\n7. Attach the policy `CWLtoFirehoseWrite` to the role.\n\n8. Name the role `CWLtoFirehoseRole` and click **Create role**.\n\n9. Go to **CloudWatch \\\u003e Logs \\\u003e Log groups**.\n\n10. Select the Transit Gateway **log group** you enabled earlier.\n\n11. Open the **Subscription filters** tab and click **Create**.\n\n12. Choose **Create Amazon Kinesis Data Firehose subscription filter**.\n\n13. Configure the following:\n\n - **Destination** : Delivery stream `cwlogs-to-secops`.\n - **Grant permission** : Role `CWLtoFirehoseRole`.\n - **Filter name** : Enter `all-events`.\n - **Filter pattern**: Leave empty to send all events.\n14. Click **Start streaming**.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
