AWS collector
Overview
Amazon Web Services (AWS) provides on-demand cloud computing platforms and APIs to individual companies. Each available AWS service generates information related to different aspects of its functionality. The available data types include service events, audit events, metrics, and logs.
You can use the AWS collector to retrieve data from the AWS APIs and send it to your Devo domain. Once the gathered information arrives at Devo, it will be processed and included in different tables in the associated Devo domain so users can analyze it.
To run this collector, there are some configurations detailed below that you need to consider:
Configuration | Details |
---|---|
Credentials | There are several available options to define credentials. |
Service events | All the service events that are generated on AWS are managed by Cloudwatch. However, Devo’s AWS collector offers two different services that collect Cloudwatch events:
|
Audit events | For the S3+SQS approach (setting types as audits_s3) some previous configuration is required. |
Logs | Logs can be collected from different services. Depending on the type, some previous setups must be applied on AWS. |
More information
Refer to the Vendor setup section to know more about these configurations.
If you need to pull global service events created by CloudFront, IAM and AWS STS, US regions will need to be enabled within the collector. For more information, see Viewing CloudTrail events with the AWS CLI and Using update-trail.
Devo collector features
Feature | Details |
---|---|
Allow parallel downloading ( |
|
Running environments |
|
Populated Devo events |
|
Flattening preprocessing |
|
Data sources
Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
---|---|---|---|---|---|
Service events | The different available services in AWS usually generate some information related to their internal behaviors, such as "a virtual machine has been started", "a new file has been created in an S3 bucket" or "an AWS lambda function has been invoked" and this kind of event can be triggered by no human interaction. The service events are managed by the The findings detected by |
| Generic events:
Security Hub events:
| Generic events:
Security Hub events:
|
|
Audit events | This kind of event is more specific because they are triggered by a human interaction no matter the different ways used: API, web interaction, or even the CLI console. The audit events are managed by the There are two ways to read Audit events:
| Via API:
Via S3+SQS:
|
|
|
|
Metrics | According to the standard definition, this kind of information is usually generated at the same moment is requested because it is usually a query about the status of a service (all things inside AWS are considered services). AWS makes something slightly different because what is doing is to generate metrics information every N time slots, such as 1 min, 5 min, 30 min, 1h, etc., even if no one makes a request (also is possible to have information every X seconds but this would require extra costs). The metrics are managed by the |
ListMetrics - Amazon CloudWatch After listing the metrics, GetMetricData - Amazon CloudWatch GetMetricStatistics - Amazon CloudWatch
|
|
|
|
Logs | Logs could be defined as information with a non-fixed structure that is sent to one of the available “logging” services, these services are There are some very customizable services, such as There are also some other services that can generate logs with a fixed structure, such as |
| Logs can be:
|
|
|
AWS GuardDuty | AWS GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. Data Sources: GuardDuty ingests and processes data from AWS CloudTrail logs, VPC Flow Logs, and DNS logs Findings: When a potential threat is detected, GuardDuty generates a finding. These findings provide details about the activity, including the affected resources, type of threat, and suggested remediation actions. We are using API to get findings of GuardDuty service. |
|
|
| |
Cisco Umbrella [Non-AWS service] | Cisco Umbrella is a cloud-driven Secure Internet Gateway (SIG) that leverages insights gained through the analysis of various logs, including DNS logs, IP logs, and Proxy logs, to provide a first line of defense. DNS logs record all DNS queries that are made through the Cisco Umbrella DNS resolvers. These logs contain data about the DNS queries originating from your network, requested domain names and the IP address of the requester. IP logs capture all IP-based communications that occur through the network. These logs store details such as the source and destination IP addresses, ports and protocols used. Proxy logs are generated when users access web resources through the Cisco Umbrella intelligent proxy. They contain detailed information on the web traffic including the URL accessed, the method of access (GET, POST, etc.), the response status, etc | Via S3+SQS:
|
|
|
|
Vendor setup
There are some minimal requirements to set up this collector:
AWS console access: Credentials are required to access the AWS console.
Owner or Administrator permissions within the AWS console, or the fill access to configure AWS services.
Some manual actions are necessary in order to get all the required information or services and allow Devo to gather information from AWS. The following sections describe how to get the required AWS credentials and how to proceed with the different required setups depending on the gathered information type.
Credentials
It’s recommended to have available or create the following IAM policies before the creation of the IAM user that will be used for the AWS collector.
Service Events
Cloudwatch manages all the service events that have been generated on AWS. However, Devo’s AWS Collector offers two different services that collect Cloudwatch Events:
sqs-cloudwatch-consumer
: This service is used to collect Security Hub events.service-events-all
: This service is used to collect events from the rest of the services on AWS
If you want to create them manually, click on each one to follow the steps.
Steps to enable Audit Events
No actions are required in Cloudtrail Service for retrieving this kind of information when the API approach is used (setting types as audit_apis).
For the S3+SQS approach (setting types as audits_s3) some previous configuration is required. Find a complete description of how to create an S2 +SQS pipeline here.
Steps to enable Metrics
No actions are required in CloudWatch Metrics service for retrieving this kind of information.
Steps to enable Logs
Logs can be collected from different services. Depending on the type, some previous setups must be applied on AWS:
Steps to enable Cisco Umbrella logs
Action | Steps |
---|---|
|
|
|
|
Enable |
|
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Setting | Details |
---|---|
| This is the account identifier for AWS. More info can be found in the section Using a user account and local policies. |
| This is the secret (kind of a password) for AWS. More info can be found in the section Using a user account and local policies. |
| This allows assuming a role with limited privileges to access AWS services. More info can be found in the sections Assuming a role (self-account) and/or Assuming a role (cross-account). |
| This allows assuming a role on another AWS account with limited privileges to access AWS services. More info can be found in the section Assuming a role (cross-account). |
| This is an optional field that provides additional security to the assuming role operation on cross-accounts. More info can be found in the section Assuming a role (cross-account). |
Accepted authentication methods
Depending on how did you obtain your credentials, you will have to either fill in or delete the following properties on the JSON credentials
configuration block.
Authentication method | access_key | access_secret | base_assume_role | target_assume_role | assume_role_external_id |
---|---|---|---|---|---|
Access Key / Access Secret | REQUIRED | REQUIRED |
|
|
|
Assume role (self-account) | REQUIRED | REQUIRED | REQUIRED |
|
|
Assume role (cross-account) |
|
| REQUIRED | REQUIRED | OPTIONAL |
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Service events (all services)
This service could be considered a general AWS event puller. It reads events from all the AWS services, which are managed by CloudWatch.
Service events (Security Hub)
This service is used to read specifically Security Hub events, which need to be processed in a different way.
Audit events (via API)
This service reads Cloudtrail audit events via API.
There are two ways to read Cloudtrail events: via API or via S3+SQS.
API: It is slower, but can read past events.
S3+SQS: It is much faster, but can only read events since the creation of the queue.
This service makes use of the AWS API to get the data.
Audit events (via S3 + SQS)
This service reads Cloudtrail audit events via the S3+SQS pipeline.
There are two ways to read Cloudtrail events: via API or via S3+SQS.
API: It is slower, but can read past events.
S3+SQS: It is much faster, but can only read events since the creation of the queue.
Metrics (All metrics)
This service could be considered a general AWS metric puller. It reads metrics from all the AWS services that generate them. Those metrics are also managed by Cloudwatch.
This service makes use of the AWS API to get the data.
AWS-GuardDuty (Via API)
This service reads GuardDuty events via API. This service is not scalable because of it use of GuardDuty APIs. We use this service for “low” data due to the API limitation, otherwise we should use AWS_SQS_IF
This service makes use of the AWS API to get the data only if data is low
The events are going to be ingested into the table cloud.aws.guardduty.findings
Non Cloudwatch Logs
This service reads logs from some AWS services, but those logs are not managed by Cloudwatch. These logs are stored in an S3 bucket and read through an SQS queue, so it is using an S3+SQS pipeline.
The implemented services currently are:
VPC Flow Logs
Cloudfront Logs
Custom Logs
This service reads logs from some AWS services and these logs are managed by Cloudwatch. Cloudwatch creates log groups to store the different log sources, so it is required to use a custom puller in order to read from different log groups at the same time. This service makes use of the AWS API to get the data.
Cisco Umbrella (via S3+SQS)
This service reads logs from a Cisco Umbrella managed bucket via the S3+SQS pipeline. Cisco provides a way to deposit logging data into a S3 bucket.
Collector operations
This section is intended to explain how to proceed with the specific operations of this collector.
Change log
Release | Released on | Release type | Details | Recommendations |
---|---|---|---|---|
| May 31, 2024 | NEW FEATURE | Improvements:
|
|
| Mar 1, 2024 | IMPROVEMENT | Improvements:
|
|
| Feb 28, 2024 | BUG FIX | Bug Fixes:
|
|
| Dec 7, 2023 | IMPROVEMENT | New Feature
Improvements
|
|
| Oct 25, 2023 | bug fixes |
|
|
| Sep 20, 2023 | NEW FEATURE | New features:
|
|
| Aug 11, 2023 | IMPROVEMENT | Improvements
|
|
| Aug 11, 2022 | BUG FIX | Bug Fixes:
|
|
| Jan 22, 2022 | NEW FEATURE | New features:
Improvements:
Bug Fixes:
|
|