Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 22 Next »

Purpose

To use Devo to secure your AWS data, you need to authorize Devo to receive the information.

After completing these steps, you will have an S3 Bucket, SQS, SQS Access Policy, IAM Policy, Role, and Trust Policy in your AWS account.

Note that data will be available to Devo and your policies will follow AWS recommended best practices.

Permissions

These AWS account permissions are required.

  • s3:CreateBucket

  • s3:PutObject

  • s3:PutBucketNotification

  • sqs:CreateQueue

  • sqs:AddPermission

  • sqs:GetQueueUrl

  • sqs:SetQueueAttributes

  • iam:CreatePolicy

  • iam:CreateRole

  • iam:AttachRolePolicy

  • iam:UpdateAssumeRolePolicy

  • logs:CreateLogDelivery

  • logs:DeleteLogDelivery

Please visit the vendor documentation for more needed details.

Authorize it

Create an Information List

  1. Create a list of this information.

    1. AWS Partition. For example, aws.

    2. AWS Region. For example, us-east-1.

    3. Your AWS Account. For example, 012345678901.

    4. S3 Principal Service endpoint. This is almost always s3.amazonaws.com but GovCloud FIPS is a known exception.

    5. S3 bucket name. You can make one up, such as BucketCloudTrailDevo if you are authorizing access to CloudTrail data.

    6. SQS name. You can make one up, such as SQSCloudTrailDevo.

    7. IAM policy name. Make this the same as the SQS name.

    8. Role name. Make this the same as the SQS name.

    9. External ID. Get the External ID from the Cloud Collector App. Select Keychains.

      image-20250112-235706.png

      The external ID is your Devo domain name and default sender’s syslog event load balancer, separated by a .. For example, if your Devo domain name is child@parent and you use the us.elb.relay.logtrust.net event load balancer, then your external ID is child@parent.us.elb.relay.logtrust.net.

    10. Collector name. You can make one up. If your Devo domain is child@parent, the collector name could be child-parent-sqs-CloudTrailDevo.

Create S3 Bucket

  1. Create an S3 bucket using the default settings. Use a separate bucket for each log format, if possible.

image-20250111-030448.png

Create SQS

  1. Create a standard SQS queue named devo_deadletter_queue. Use the default settings.

Screenshot 2025-01-10 at 22.09.41.png

  1. Create a second standard SQS queue using your queue name. This will be the queue used to send data to Devo.

  2. Select the maximum retention period.

    image-20250111-031206.png

Set SQS Access Policy

  1. Set the following SQS access policy, replacing the values enclosed in < >.

image-20250115-163822.png
{
  "Version": "2012-10-17",
  "Id": "<ENSURE_THE_ID_IS_UNIQUE>",
  "Statement": [
    {
      "Sid": "AllowS3toSendMessages",
      "Effect": "Allow",
      "Principal": {
        "Service": "<S3_PRINCIPAL_SERVICE_ENDPOINT>"
      },
      "Action": [
        "SQS:SendMessage"
      ],
      "Resource": "arn:<PARTITION>:sqs:<REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:<QUEUE_NAME>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:<PARTITION>:s3:*:*:<BUCKET_NAME>"
        },
        "StringEquals": {
          "aws:SourceAccount": "<YOUR_AWS_ACCOUNT_NUMBER>"
        }
      }
    }
  ]
}

  1. An example resource is arn:aws:sqs:us-east-1:0123456789:devologs.

  2. Enable the dead-letter queue named devo_deadletter_queue.

    image-20250111-032213.png

  3. Keep the defaults for the other SQS settings.

  4. Return to the S3 Bucket Properties.

    image-20250111-033044.png

  5. Select “Create event notification.”

    image-20250111-033211.png

  6. Enable “All object create events.“

    image-20250111-033834.png

  7. Select the SQS queue.

    image-20250111-034207.png

IAM Policy

  1. Create an IAM Policy.

image-20250111-034338.png

  1. Add this JSON Policy.

image-20250111-034507.png

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes",
        "sqs:ChangeMessageVisibility",
        "sqs:ReceiveMessage"
      ],
      "Resource": [
        "arn:<PARTITION>:sqs:<REGION>:<YOUR_AWS_ACCOUNT_NUMBER>:<QUEUE_NAME>",
        "arn:<PARTITION>:s3:::<BUCKET_NAME>/*"
      ]
    }
  ]
}

  1. Click Next.

  2. Name the policy.

  3. Create the policy.

Role

  1. Create a role.

image-20250113-021110.png

Select Trust Policy

  1. Select Custom trust policy.

image-20250115-184652.png

  1. Set the trust policy.

    1. If your partition is aws:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::476382791543:role/devo-xaccount-cc"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL_ID>"
        }
      }
    }
  ]
}

b. If your partition is aws-us-gov:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-us-gov:iam::210253767148:role/devo-xaccount-cc"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL_ID>"
        }
      }
    }
  ]
}

  1. Add the permissions policy you already created to the role.

image-20250115-183347.png

  1. Name the role.

image-20250115-183841.png

Once the authorization process is complete, you can create a Devo collector and add data to the S3 Bucket.


Validate the Authorization

If there is no data being delivered to the S3 bucket yet and the collector is running, you may validate authorization by uploading an empty file to the bucket. In devo.collectors.out the collector will log

Number of messages in the queue: 0 and Number of messages in flight 1

followed by

the file size is 0 Bytes and has 1 to process

indicating correct authorization.

  • No labels