Versions Compared

Version Old Version 19 New Version 20
Changes made by

Laszlo Frazer

Virginia Camuñas Núñez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel3
outlinefalse
typeflat
separatorbrackets
printabletrue

Purpose

To use Devo to secure your AWS data, you

...

need to authorize Devo to receive the information.

After completing these steps, you will have an S3 Bucket, SQS, SQS Access Policy, IAM Policy, Role, and Trust Policy in your AWS account.

...

Info

Note that data will be available to Devo and your policies will follow AWS recommended best practices.

Permissions

These AWS account permissions are required

...

.

  • s3:CreateBucket

  • s3:PutObject

  • s3:PutBucketNotification

  • sqs:CreateQueue

  • sqs:AddPermission

  • sqs:GetQueueUrl

  • sqs:SetQueueAttributes

  • iam:CreatePolicy

  • iam:CreateRole

  • iam:AttachRolePolicy

  • iam:UpdateAssumeRolePolicy

  • logs:CreateLogDelivery

  • logs:DeleteLogDelivery

Info

Please visit the vendor documentation for more needed details.

Authorize it

Create an Information List

Rw ui steps macro
Rw step

  1. Create a list of this information.

    1. AWS Partition. For example, aws.

    2. AWS Region. For example, us-east-1.

    3. Your AWS Account. For example, 012345678901.

    4. S3 Principal Service endpoint. This is almost always s3.amazonaws.com but GovCloud FIPS is a known exception.

    5. S3 bucket name. You can make one up, such as BucketCloudTrailDevo if you are authorizing access to CloudTrail data.

    6. SQS name. You can make one up, such as SQSCloudTrailDevo.

    7. IAM policy name. Make this the same as the SQS name.

    8. Role name. Make this the same as the SQS name.

    9. External ID. Get the External ID from the Cloud Collector App. Select Keychains.

      image-20250112-235706.pngImage Modified

      The external ID is your Devo domain name and default sender’s syslog event load balancer, separated by a .. For example, if your Devo domain name is child@parent and you use the us.elb.relay.logtrust.net event load balancer, then your external ID is child@parent.us.elb.relay.logtrust.net.

    10. Collector name. You can make one up. If your Devo domain is child@parent, the collector name could be child-parent-sqs-CloudTrailDevo.

Create S3 Bucket

Rw ui steps macro
Rw step

Create an S3 bucket using the default settings. Use a separate bucket for each log format, if possible.

image-20250111-030448.pngImage Modified

Create SQS

Rw ui expands macro
Rw step

  1. Create a standard SQS queue named devo_deadletter_queue. Use the default settings.

Screenshot 2025-01-10 at 22.09.41.pngImage Modified

  1. Create a second standard SQS queue using your queue name. This will be the queue used to send data to Devo.

  2. Select the maximum retention period.

    image-20250111-031206.pngImage Modified

Set SQS Access Policy

Rw ui steps macro
Rw step

  1. Set the following SQS access policy, replacing the values enclosed in < >.

image-20250115-163822.pngImage Modified
Code Block
{
  "Version": "2012-10-17",
  "Id": "<ENSURE_THE_ID_IS_UNIQUE>",
  "Statement": [
    {
      "Sid": "AllowS3toSendMessages",
      "Effect": "Allow",
      "Principal": {
        "Service": "<S3_PRINCIPAL_SERVICE_ENDPOINT>"
      },
      "Action": [
        "SQS:SendMessage"
      ],
      "Resource": "arn:<PARTITION>:sqs:<REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:<QUEUE_NAME>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:<PARTITION>:s3:*:*:<BUCKET_NAME>"
        },
        "StringEquals": {
          "aws:SourceAccount": "<YOUR_AWS_ACCOUNT_NUMBER>"
        }
      }
    }
  ]
}

  1. An example resource is arn:aws:sqs:us-east-1:0123456789:devologs.

  2. Enable the dead-letter queue named devo_deadletter_queue.

    image-20250111-032213.pngImage Modified

  3. Keep the defaults for the other SQS settings.

  4. Return to the S3 Bucket

...

  1. Properties.

    image-20250111-033044.pngImage Modified

  2. Select “Create event notification.”

    image-20250111-033211.pngImage Modified

  3. Enable “All object create events.“

    image-20250111-033834.pngImage Modified

  4. Select the SQS queue.

    image-20250111-034207.pngImage Modified

IAM Policy

Rw ui steps macro
Rw step

  1. Create an IAM Policy.

image-20250111-034338.pngImage Modified

  1. Add this JSON Policy.

image-20250111-034507.pngImage Modified

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes",
        "sqs:ChangeMessageVisibility",
        "sqs:ReceiveMessage"
      ],
      "Resource": [
        "arn:<PARTITION>:sqs:<REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:<QUEUE_NAME>",
        "arn:<PARTITION>:s3:::<BUCKET_NAME>/*"
      ]
    }
  ]
}

  1. Click Next.

  2. Name the policy.

  3. Create the policy.

Role

Rw ui steps macro
Rw step

Create a role.

image-20250113-021110.pngImage Modified

Select Trust Policy

Rw ui expands macro
Rw step

  1. Select Custom trust policy.

image-20250115-184652.pngImage Modified

  1. Set the trust policy.

    1. If your partition is aws:

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::476382791543:role/devo-xaccount-cc"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL_ID>"
        }
      }
    }
  ]
}

b. If your partition is aws-us-gov:

Code Block
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-us-gov:iam::210253767148:role/devo-xaccount-cc"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL_ID>"
        }
      }
    }
  ]
}

  1. Add the permissions policy you already created to the role.

image-20250115-183347.pngImage Modified

  1. Name the role.

image-20250115-183841.pngImage Modified

Once the authorization process is complete, you can create a Devo collector and add data to the S3 Bucket.


Validate the Authorization

If there is no data being delivered to the S3 bucket yet and the collector is running, you may validate authorization by uploading an empty file to the bucket. In devo.collectors.out the collector will log

Number of messages in the queue: 0 and Number of messages in flight 1

followed by

the file size is 0 Bytes and has 1 to process

indicating correct authorization.