To configure your account for remote log collection, you must have the following AMP permissions added to your account:
...
You can use this document to collect and send AWS VPC Flow Logs to Armor's Security Information & Event Management (SIEM).
| Note |
|---|
For details about support for AWS Enriched VPC Flow Logs, contact Armor Support |
...
| Note |
|---|
To learn more about permissions in AMP, see Roles and Permissions. |
Flow Source
A flow source is required in order to ingest flow data in the Armor SIEM. The flow source will be dedicated to your flow data. You will not be charged until data begins to flow into the Armor SIEM.
Complete the following steps here to enable flow collection for your account.
Webhook Tagging
To learn more about Webhook Tagging for Flow logs, see the article here.
AWS account permissions (policies)
Your AWS service account must have full access to AWS CloudWatch.
Your individual AWS user account must have full access to the following AWS features:
- AWS VPC
- AWS Lambda
- AWS CloudWatch
- AWS CloudFormation
AWS Components
The AWS components that will be used are:
- S3
- IAM
- Lambda
- VPC Flow Logs
| Warning |
|---|
Armor does not provide support for using AWS CloudFormation to set up AWS VPC Flow Log resources in AWS GovCloud (US). |
Configure the AWS VPC Flow Log CloudFormation Stack Template
...
Following successful deployment of the CloudFormation stack, the collected AWS VPC Flow Logs are visible from Log Search on average in 15 minutes and up to 30 minutes.
Verify Connection in AMP
...
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management, and then selectSearch.
- In theSourcecolumn, review the source name to locate the newly created AWS VPC Flow Log remote log source.
- In the search field, you can also enter the AWS acccount ID to locate AWS VPC Flow Log messages.
Edit a Stack
...
| Note |
|---|
This section only applies to single stacks, not stack sets. |
...