
AWS GuardDuty API collector

Deprecated collector

The AWS GuardDuty API collector is deprecated and has been included in the Amazon Web Services (AWS) collector. Please follow this documentation if you need to ingest GuardDuty logs.

Overview

AWS GuardDuty logs can be ingested directly via the API, or by sending the events to an S3 bucket and setting up an SQS queue for the S3+SQS Collector. The advantage of ingesting them directly through the API is that it is cheaper and simpler, because no S3 bucket or SQS queue is needed.

Enabling GuardDuty access using a cross-account IAM role

To allow the Devo collector to pull in data from your AWS environment, we will need an IAM cross-account role in your account. You will have to provide this role’s ARN to Devo.

Create an IAM policy

This IAM policy will:

  • Allow the collector to retrieve the GuardDuty events

  • Provide limited access only to specified resources (minimal permissions)

Follow the next steps to create the IAM policy:

Create a cross-account role

Cross-account roles let roles/users from other AWS accounts (in this case, the Devo collector server AWS account) assume a role in your account. This sidesteps the need to exchange permanent credentials: each account keeps its own credentials, and AWS itself authenticates the identities. For more information, check this document.

Follow these steps to create the cross-account role:
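The two IAM documents the steps above produce, the identity policy for the role and the role's trust policy, can be generated and reviewed for least privilege before they are pasted into the console. The block below is an added example and is not Devo's code: the GuardDuty action list, the account ids, region, role name and ExternalId value are placeholders chosen for illustration, not values taken from this page. The review function flags the two mistakes most often made here: wildcard or non-read-only actions in the policy, and a trust policy that omits the ExternalId condition or trusts any principal.

```python
"""Build and review the two IAM documents the collector setup above needs.

Added example, not Devo's code. The GuardDuty action list, the region and
account ids, the role name and the ExternalId are assumptions (placeholders)
and are not taken from the page.
"""
import json

# Assumed minimal read-only set for polling findings through the GuardDuty API.
GUARDDUTY_READ_ACTIONS = ("guardduty:GetDetector",
                          "guardduty:ListFindings",
                          "guardduty:GetFindings")


def build_collector_policy(region, account_id):
    """Identity policy for the role: read findings from detectors in one
    region of one account. ListDetectors takes no resource type, so it gets
    its own statement on "*"; everything else is scoped to the detector ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DiscoverDetectors", "Effect": "Allow",
             "Action": ["guardduty:ListDetectors"], "Resource": "*"},
            {"Sid": "ReadFindings", "Effect": "Allow",
             "Action": list(GUARDDUTY_READ_ACTIONS),
             "Resource": f"arn:aws:guardduty:{region}:{account_id}:detector/*"},
        ],
    }


def build_trust_policy(collector_account_id, external_id=None):
    """Trust policy: only the collector's AWS account may assume the role,
    and only when it presents the agreed ExternalId (if one is configured)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{collector_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def role_arn(account_id, role_name):
    """ARN in the form the collector setup asks for."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def review_role(policy, trust):
    """Least-privilege review; returns a list of problems (empty = looks fine)."""
    issues = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for action in actions:
            service, _, name = action.partition(":")
            if "*" in action or service != "guardduty":
                issues.append(f"action too broad or outside GuardDuty: {action}")
            elif not name.startswith(("Get", "List")):
                issues.append(f"not a read-only action: {action}")
    for st in trust["Statement"]:
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            issues.append("trust policy lets any AWS principal assume the role")
        condition = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            issues.append("no sts:ExternalId condition: role is open to the confused-deputy problem")
    return issues


if __name__ == "__main__":
    # Placeholder ids: 111111111111 is your account, 222222222222 the collector account.
    policy = build_collector_policy("us-east-1", "111111111111")
    trust = build_trust_policy("222222222222", external_id="devo-shared-secret-placeholder")
    print(json.dumps(policy, indent=2))
    print(json.dumps(trust, indent=2))
    print("Role ARN to hand over:", role_arn("111111111111", "devo-xs-collector-role"))
    print("Review:", review_role(policy, trust) or "no issues")
```

Run it with your own account id and region, then paste the two printed documents into the IAM policy and role trust-relationship editors; the printed ARN is the value to hand to Devo, together with the ExternalId if you set one.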

Information to be provided to Devo

At the end of this configuration process, the following information will have to be provided to Devo for the collector setup in order to complete the integration:

  • Cross-account role ARN (for example: arn:aws:iam::<YOUR-ACCOUNT-ID>:role/devo-xs-collector-role) and, optionally, the ExternalID (if one is used in the cross-account role's trust policy)

Once this information is provided and Devo confirms that a parser for your technology logs is already available (or finishes creating it), a new Devo collector will be deployed to Devo's collector server cluster and will start consuming data directly from GuardDuty via the API.