Connect to AWS for log ingestion

The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM) capabilities for Amazon Web Services (AWS) require the ingestion of AWS logs using the Security Operations console ingestion pipeline. The AWS log types required for ingestion differ based on what you are configuring:

  • CIEM requires data from the AWS CloudTrail log type.
  • Curated detections require data from multiple AWS log types.

To learn more about the different AWS log types, see Supported devices and log types.

Curated detections

For curated detections, each AWS rule set requires certain data to function as designed, including one or more of the following:

  • AWS CloudTrail logs
  • AWS GuardDuty
  • AWS context data about hosts, services, VPC, and users

To use these curated detections, you must ingest AWS data to Google Security Operations, and then enable the curated detection rules. For information about how to configure the ingestion of the AWS data, see Ingest AWS logs into Google Security Operations in the Google SecOps documentation. For information about how to enable curated detection rules, see Use curated detections to identify threats in the Google SecOps documentation.

Configure AWS log ingestion for CIEM

To generate findings for your AWS environment, the Cloud Infrastructure Entitlement Management (CIEM) capabilities require data from AWS CloudTrail logs.

To use CIEM, do the following when configuring AWS log ingestion.

  1. When setting up your AWS CloudTrail, complete the following configuration steps:

    1. Create an organization level trail that pulls log data from across all the AWS accounts in your environment.
    2. Set the S3 bucket you choose for CIEM to log data events and management events from all regions. In addition, select all the applicable services you want to ingest data events from. Without this event data CIEM can't generate accurate findings for AWS.
  2. When setting up a feed to ingest AWS logs in the Security Operations console, complete the following configuration steps:

    1. Create a feed that ingests all account logs from the S3 bucket for all regions.
    2. Set the feed Ingestion label key-value pair to CIEM and TRUE.

If you don't configure log ingestion correctly, the CIEM detection service might display incorrect findings. In addition, if there are issues with your CloudTrail configuration, Security Command Center displays the CIEM AWS CloudTrail configuration error.

To configure log ingestion, see Ingest AWS logs into Google Security Operations in the Google SecOps documentation.

For full instructions on enabling CIEM, see Enable the CIEM detection service for AWS. For more information about CIEM features, see Overview of Cloud Infrastructure Entitlement Management.