To configure your account for remote log collection, you must have the following AMP permissions added to your account:
- Delete Log Management
- Read Log Endpoints
- Write Log Endpoints
You can use this document to collect and send AWS VPC Flow Logs to Armor's Security Information & Event Management (SIEM).

Note: For details about support for AWS Enriched VPC Flow Logs, contact Armor Support.
Pre-Deployment Considerations
Before you begin, review the following requirements.

Prerequisites

AMP Permissions
Your Armor Management Portal (AMP) account must have the following permissions:
- Delete Log Management
- Read Log Endpoints
- Write Log Endpoints
Flow Source
A flow source is required in order to ingest flow data into the Armor SIEM. The flow source will be dedicated to your flow data. You will not be charged until data begins to flow into the Armor SIEM. Complete the steps here to enable flow collection for your account.
Webhook Tagging
To learn more about Webhook Tagging for Flow logs, see the article here.

AWS account permissions (policies)
Your AWS service account must have full access to AWS CloudWatch. Your individual AWS user account must have full access to the following AWS features:
- AWS VPC
- AWS Lambda
- AWS CloudWatch
- AWS CloudFormation

AWS Components
The AWS components that will be used are:
- S3
- IAM
- Lambda
- VPC Flow Logs
Warning: Armor does not provide support for using AWS CloudFormation to set up AWS VPC Flow Log resources in AWS GovCloud (US).
You can use these instructions to collect and send logs from a single VPC Flow Log.
- Log in to the AWS console.
- Go to the CloudFormation service.
- Click Create stack.

Info: The CloudFormation template used to implement the integration deploys a Lambda function outside of a VPC. If the template is modified to deploy the armor-vpc-flow-lambda-... Lambda function in a VPC, the https://1d.log.armor.com:5443 endpoint will need to be made accessible from that VPC.
- In the AWS console, in the top menu, on the right side, select the desired region for log collection.
- In Specify an Amazon S3 template URL, input the following link: https://s3-us-west-2.amazonaws.com/logs.armor.com/log-relay-aws-vpc-flows/log-relay-aws-vpc-flows.yaml
- Click Next.
- In Stackname, enter a descriptive name.
  - This name must begin with a letter, and can only contain letters, numbers, and hyphens.
- (Optional) In KmsKeyStack, enter the customer KMS key stack (if applicable).
  - By default, the logs will be stored in S3 with AES256 encryption.
- In RetentionInDays, enter the number of days to retain the log files in the S3 bucket.
  - By default, Armor has configured 3 days; set to 0 to keep logs until manually removed.
- In TenantId, enter your Armor account number.
  - This can be found in the Account Overview section of your AMP account.
- In TrafficType, select the type of traffic to log:
  - ALL - Capture all traffic (default; recommended)
  - Accept - Capture the VPC accepted traffic
  - Reject - Capture the VPC rejected traffic
- In VpcId, select the ID of the VPC for which the flow log will be relayed.
  - Select all VPC IDs for this account (within the account's region) that you would like to ingest.
- Click Next.
- Click Next.
- At the bottom of the screen, mark the box to accept the terms, and then click Create.
- (Optional) Click the Refresh button to see the status of the stack creation.
- You can verify that the stack was created successfully on the Resources
After the CloudFormation stack deploys successfully, the collected AWS VPC Flow Logs become visible in Log Search within about 15 minutes on average, and up to 30 minutes.
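As an added example (not Armor's documentation or tooling), the same deployment expressed as an AWS CLI create-stack command, built by a small shell script that checks each parameter against the rules given in the steps above before emitting the command. It assumes the template's parameter names match the console labels (KmsKeyStack, RetentionInDays, TenantId, TrafficType, VpcId), that TrafficType takes the values ALL, Accept and Reject as shown, and that CAPABILITY_IAM is the capability behind the "accept the terms" checkbox.

```shell
#!/bin/sh
# Added example, not Armor's own tooling: build the AWS CLI equivalent of the
# console "Create stack" steps above, validating each parameter first.
# Assumed: template parameter names match the console labels, TrafficType
# accepts the labels shown in the console, and CAPABILITY_IAM covers the
# IAM resources the template creates (the console's "accept the terms" box).

TEMPLATE_URL="https://s3-us-west-2.amazonaws.com/logs.armor.com/log-relay-aws-vpc-flows/log-relay-aws-vpc-flows.yaml"

# Stack name: starts with a letter; letters, digits and hyphens only.
# CloudFormation also caps stack names at 128 characters.
valid_stack_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{0,127}$'
}

# RetentionInDays: non-negative integer; 0 keeps logs until manually removed.
valid_retention() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

valid_traffic_type() {
  case "$1" in ALL|Accept|Reject) return 0 ;; *) return 1 ;; esac
}

# VPC IDs are "vpc-" followed by 8 or 17 lowercase hex characters.
valid_vpc_id() {
  printf '%s' "$1" | grep -Eq '^vpc-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Usage: build_create_stack_cmd NAME TENANT_ID RETENTION TRAFFIC VPC_ID [KMS_KEY_STACK]
# Prints the create-stack command on success; on a bad field it reports the
# field on stderr and returns 1. Nothing is executed against AWS here.
build_create_stack_cmd() {
  name=$1 tenant=$2 retention=$3 traffic=$4 vpc=$5 kms=${6:-}
  valid_stack_name "$name"      || { echo "invalid StackName: $name" >&2; return 1; }
  [ -n "$tenant" ]              || { echo "TenantId is required" >&2; return 1; }
  valid_retention "$retention"  || { echo "invalid RetentionInDays: $retention" >&2; return 1; }
  valid_traffic_type "$traffic" || { echo "invalid TrafficType: $traffic" >&2; return 1; }
  valid_vpc_id "$vpc"           || { echo "invalid VpcId: $vpc" >&2; return 1; }
  params="ParameterKey=TenantId,ParameterValue=$tenant"
  params="$params ParameterKey=RetentionInDays,ParameterValue=$retention"
  params="$params ParameterKey=TrafficType,ParameterValue=$traffic"
  params="$params ParameterKey=VpcId,ParameterValue=$vpc"
  # KmsKeyStack is optional; without it the template stores logs with AES256.
  [ -n "$kms" ] && params="$params ParameterKey=KmsKeyStack,ParameterValue=$kms"
  printf 'aws cloudformation create-stack --stack-name %s --template-url %s --capabilities CAPABILITY_IAM --parameters %s\n' \
    "$name" "$TEMPLATE_URL" "$params"
}
```

Run the printed command with a profile that has the CloudFormation, Lambda, VPC and CloudWatch access listed under the prerequisites; the region comes from the CLI profile rather than the console menu.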
Verify Connection in AMP
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management, and then select Search.
- In the Source column, review the source name to locate the newly created AWS VPC Flow Log remote log source.
- In the search field, you can also enter the AWS account ID to locate AWS VPC Flow Log messages.
Edit a Stack

Note: This section only applies to single stacks, not stack sets.

Currently, Armor's AWS CloudFormation template does not support updates. If you want to update your stack, you must delete the remote log source and then create a new one with your desired updates.
Migrate from Log Relay
The Armor Log Relay is no longer required to collect and monitor AWS VPC Flow Logs. Deploying a stack using the most recent CloudFormation template provisions a new integration that sends logs directly to Armor.