Collect AWS VPC Transit Gateway flow logs

This document explains how to ingest AWS VPC Transit Gateway flow logs to Google Security Operations using CloudWatch Logs and Kinesis Data Firehose. Transit Gateway flow logs capture detailed network traffic metadata across your Transit Gateway attachments. This integration streams these logs into Google SecOps for monitoring and security analytics.

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance
  • Privileged access to AWS

Enable Transit Gateway flow logs (to CloudWatch logs)

  1. Sign in to the AWS Console.
  2. Go to VPC > Transit gateways (or Transit gateway attachments).
  3. Select the target resource(s).
  4. Click Actions > Create flow log.
  5. Provide the following configuration details:
    • Destination: Select Send to CloudWatch Logs.
    • Log group: Choose or create a log group (for example, /aws/tgw/flowlogs).
    • IAM role: Select a role that can write to CloudWatch Logs.
    • Maximum aggregation interval: Choose 1 minute (recommended) or 10 minutes.
    • Log record format: Select Default (or Custom if you need additional fields).
  6. Click Create flow log.

Configure a Feed in Google SecOps to Ingest Transit Gateway Flow Logs

  1. Go to SIEM Settings > Feeds.
  2. Click + Add New Feed.
  3. In the Feed name field, enter AWS Transit Gateway Flow Logs — CloudWatch via Firehose.
  4. Select Amazon Data Firehose as the Source type.
  5. Select Amazon VPC Transit Gateway Flow Logs as the Log type.
  6. Click Next.
  7. Specify values for the following input parameters:
    • Split delimiter: Optional; \n (newline).
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next > Submit.
  9. In the feed details, click Generate Secret Key and copy the Secret Key.
  10. Copy the Feed HTTPS endpoint URL from Endpoint Information.
  11. In Google Cloud console > APIs & Services > Credentials > Create credentials > API key, create an API key and restrict it to Chronicle API. Copy the API key.

Configure Amazon Kinesis Data Firehose (Direct to Google SecOps)

  1. In the AWS Console, go to Kinesis > Data Firehose > Create delivery stream.
  2. Provide the following configuration details:
    • Source: Select Direct PUT or other sources.
    • Destination: Choose HTTP endpoint.
    • HTTP endpoint URL: Enter ENDPOINT_URL?key=API_KEY (use the Feed HTTPS endpoint URL and the API key from the previous step).
    • HTTP method: Select POST.
    • Access key: Paste the Secret Key generated in the feed.
    • Buffering hints: Set Buffer size = 1 MiB, Buffer interval = 60 seconds.
    • Compression: Select Disabled.
    • S3 backup: Select Disabled.
    • Leave retry and logging settings as default.
  3. Click Create delivery stream. (Example name: cwlogs-to-secops)

Configure IAM Permissions and Subscribe the Log Group

  1. In the AWS console, go to IAM > Policies > Create policy > JSON tab.
  2. Enter the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "firehose:PutRecord",
            "firehose:PutRecordBatch"
          ],
          "Resource": "arn:aws:firehose:<region>:<account-id>:deliverystream/cwlogs-to-secops"
        }
      ]
    }
    
    • Replace <region> and <account-id> with your AWS Region and account ID.
  3. Name the policy CWLtoFirehoseWrite and click Create policy.
  4. Go to IAM > Roles.
  5. Click Create role.
  6. Select Custom trust policy and enter the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "logs.<your-region>.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  7. Attach the policy CWLtoFirehoseWrite to the role.
  8. Name the role CWLtoFirehoseRole and click Create role.
  9. Go to CloudWatch > Logs > Log groups.
  10. Select the Transit Gateway log group you enabled earlier.
  11. Open the Subscription filters tab and click Create.
  12. Choose Create Amazon Kinesis Data Firehose subscription filter.
  13. Configure the following:
    • Destination: Delivery stream cwlogs-to-secops.
    • Grant permission: Role CWLtoFirehoseRole.
    • Filter name: Enter all-events.
    • Filter pattern: Leave empty to send all events.
  14. Click Start streaming.
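As an added example (not Google or AWS code), the following Python check reviews the two IAM documents from the steps above before they are saved: it assumes the Firehose write policy and the role trust policy are pasted in as JSON strings, and it flags unreplaced <region>/<account-id> placeholders, wildcard or wrong-stream resources, actions beyond the two PutRecord calls the subscription filter needs, and a trust policy that lets anything other than the regional CloudWatch Logs service assume CWLtoFirehoseRole. The function names and checks are this example's own assumptions.

```python
import json
import re

PLACEHOLDER = re.compile(r"<[^>]+>")          # e.g. <region>, <account-id>
NEEDED_ACTIONS = {"firehose:PutRecord", "firehose:PutRecordBatch"}
STREAM_ARN = re.compile(r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/[\w.-]+$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Service; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def check_firehose_policy(policy_text: str, stream_name: str) -> list[str]:
    """Findings for the CloudWatch-Logs-to-Firehose policy: the only actions the
    subscription filter needs are the two PutRecord* calls, and the Resource must
    be the one delivery stream, with <region>/<account-id> filled in."""
    findings = []
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action"))) - NEEDED_ACTIONS
        if extra:
            findings.append(f"actions beyond PutRecord/PutRecordBatch: {sorted(extra)}")
        for res in _as_list(stmt.get("Resource")):
            if PLACEHOLDER.search(res):
                findings.append(f"placeholder not replaced: {res}")
            elif "*" in res:
                findings.append(f"wildcard resource covers more than one stream: {res}")
            elif not STREAM_ARN.match(res) or not res.endswith("/" + stream_name):
                findings.append(f"resource is not delivery stream {stream_name}: {res}")
    return findings


def check_trust_policy(trust_text: str, region: str) -> list[str]:
    """Findings for the role trust policy: only the regional CloudWatch Logs
    service principal (logs.<region>.amazonaws.com) should assume the role."""
    findings = []
    expected = f"logs.{region}.amazonaws.com"
    for stmt in json.loads(trust_text).get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy lets any AWS principal assume the role")
            continue
        for svc in _as_list(principal.get("Service") if isinstance(principal, dict) else None):
            if PLACEHOLDER.search(svc):
                findings.append(f"placeholder not replaced: {svc}")
            elif svc != expected:
                findings.append(f"unexpected service principal: {svc}")
    return findings
```

Run both checks against the documents as pasted; an empty list means the policy is scoped to the single cwlogs-to-secops stream and the role can only be assumed by CloudWatch Logs in your Region.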
