Versions Compared

Version Old Version 13 New Version 14
Changes made by

Former user

Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

...

Amazon Web Services (AWS) provides on-demand cloud computing platforms and APIs to individuals and companies. Each available AWS service generates information related to different aspects of its functionality. The available data types include service events, audit events, metrics, and logs.

You can use the AWS collector to retrieve data from the AWS APIs and send it to your Devo domain. Once the gathered information arrives at Devo, it will be processed and included in different tables in the associated Devo domain so users can analyze it.

Data source description

From the monitoring point of view, AWS generates the following types of information:

...

Expand
titleUsing a user account and local policies

Depending on which source types are collected, one or more of the policies described above will be used.

Once the required policies are created, each one must be associated with an IAM user. To create it, visit the AWS Console and log in with a user account with enough permissions to create and access AWS structures:

  1. Go to IAM → Users.

  2. Click the Add users button.

  3. Enter the required value in the field User name.

  4. Enable the checkbox Access key - Programmatic access.

  5. Click the Next: Permissions button.

  6. Choose the box with the text Attach existing policies directly.

  7. Use the search box to locate all your required policies and check the boxes at the left of each policy name.

  8. Click Next: Tags. Optionally, add any desired tags to the new user.

  9. Click Next: Review.

  10. Click the Create user button.

  11. A new Access Key ID and Secret Access Key will be created. You can click the Download .csv button to download a copy to your local or you can copy the values shown on the screen. These will be used as the AWS collector credentials.

  12. Finally, click the Close button.

Expand
titleAssuming a role (self-account)

It is a best practice to assume roles that are granted just the required privileges to perform an action. If the customer does not want to use their own AWS user to perform these actions required by the collector (because it has far more privileges than required), they can use this option. Note that this option requires the use of AWS account credentials. To avoid sharing those credentials, check the Cross Account option below.

The customer must attach the required policies in AWS to the role that is going to be assumed. For more information about the AssumeRole feature, check the AWS documentation.

Regarding configuration, these are the fields required to use this way of authentication:

Code Block
...,
"credentials":{
  "access_key": "<CUSTOMER_AWS_ACCOUNT_ACCESS_KEY>",
  "access_secret": "<CUSTOMER_AWS_ACCOUNT_SECRET_ACCESS_KEY>",
  "base_assume_role": "arn:aws:iam::<CUSTOMER_AWS_ACCOUNT_ID>:role/<ROLE_TO_BE_ASSUMED>"
}
...,

  • access_key is the Access Key ID provided by AWS, during the user creation process, to those users that ask for programmatic access.

  • access_secret is the Secret Access Key provided by AWS, during the user creation process, to those users that ask for programmatic access. This value is shown once, so it must be saved upon creation.

  • base_assume_role is the ARN of the role that is going to be assumed by the user authenticated with the parameters above, access_key and access_secret. This role has to be properly granted to allow the actions the collector is going to perform.

Expand

If the customer does not want to share their credentials with Devo, there is another way to run the collector. It is called Cross Account and AssumeRole functionality should be used in this case and it is explained step by step in the next link: https://docs.devo.com/space/latest/94655615/AWS (S3%2BSQS) collector#Enabling-SQS-and-S3-access-using-a-cross-account-IAM-role

Besides, some parameters must be added to the configuration file (config.json or equivalent config.yaml for on-prem). In the credentials section, instead of sharing access_key and access_secret, these other parameters must be used:

Code Block
...,
"credentials":{
  "base_assume_role": "arn:aws:iam::<BASE_SYSTEM_AWS_ACCOUNT_ID>:role/<BASE_SYSTEM_ROLE>",
  "target_assume_role": "arn:aws:iam::<CUSTOMER_AWS_ACCOUNT_ID>:role/<CUSTOMER_ROLE_TO_BE_ASSUMED>",
  "assume_role_external_id": "<OPTIONAL__ANY_STRING_YOU_WANT>"
}
...,

  • base_assume_role is the ARN of the role that is going to be assumed by the profile bound to the machine/instance where the collector is running. As explained in the link above, this role is going to be trusted by the customer’s AWS account, so it can assume the role in the target account. That role assumed from the customer’s account will allow the collection of data without the need of sharing the credentials. This role already exists in Devo’s AWS account and to deploy the collector on Devo’s Collector Server its value must be arn:aws:iam::837131528613:role/devo-xaccount-cs-role.

  • target_assume_role is the ARN of the role in the customer’s AWS account. That role will allow the collector to have access to the resources specified in that role. To keep your data secure, please, use policies that grant just the necessary permissions.

  • assume_role_external_id is an (optional) parameter to add more security to this Cross Account operation. This value should be a string added in the request to assume the customer’s role.

Anchor
service-events
service-events
Service events

...

Devo collector service name

Complete service name

CloudWatch filter used

CloudTrail source filter used

Metrics namespace used

Description

Service events
(type: events)

Audit events
(type: audits)

Metrics
(type: metrics)

Logs
(type: logs)

service-events-all

All service events

{"account":["<account_id>"]}

N/A

N/A

This service will collect all service events information available in the CloudWatch service, no matter the source defined in the event.

X

X

X

audit-events-all

All audit events

N/A

all_sources

N/A

This service will collect all audit events information available in the CloudTrail service, no matter the source defined in the event.

X

X

X

metrics-all

All metrics

N/A

N/A

all_metrics_namespaces

This service will collect all metric information from CloudWatch service. Metrics from all the available metric namespaces will be retrieved.

X

X

X

<cwl_custom>

CloudWatch Logs

N/A

N/A

N/A

This service will collect the different “Log Streams” that are part of a “Log Group” from the CloudWatch Logs service. Since it is common to have more than one “Log Group” defined, this will require creating one <cwl_custom> entry per “Log Group”.

X

X

X

non-cloudwatch-logs

Non-CloudWatch Logs

N/A

N/A

N/A

This service will collect data from the following services VPC Flow Logs and CloudFront Logs.

X

X

X

sqs-cloudwatch-consumer

Service events generated by CloudWatch Events service

Check more info here.

N/A

N/A

This service will collect all Security Hub findings that have been sent to CloudWatch, no matter the source defined in the finding.

X

X

X

Info

In the service-events-all collector service, the <account_id> string is automatically replaced with the real value.

...