You can use this document to collect and send AWS VPC Flow Logs to Armor's Security Information & Event Management (SIEM).
Armor does not support AWS Enriched VPC Flow Logs.
Pre-Deployment Considerations
Before you begin, review the following requirements.
Prerequisites
Armor Account ID
To learn how to obtain your Account ID, see Get Accounts API.
- Ubuntu shell for build and deployment
AMP Permissions
Your Armor Management Portal (AMP) account must have the following permissions:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
- Delete Log Relays
To learn more about permissions in AMP, see Roles and Permissions.
Log Relay
For remote log collection, you must have Log Relay added to your account.
- To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection.
Flow Source
A flow source is required in order to ingest flow data in the Armor SIEM. The flow source will be dedicated to your flow data. You will not be charged until data begins to flow into the Armor SIEM.
Complete the following steps to create a flow source:
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click External Sources.
- Click the plus ( + ) sign.
- If you do not have any log sources already created, then click Add a New Log Source.
- In Endpoint, select the available Armor Endpoint.
- In Log Source Type, select Amazon AWS VPC Flow Logs.
In the pop-up window, click Yes, Create Flow Source.
- A message will display at the bottom of the screen, indicating that the flow source has been created.
AWS account permissions (policies)
Your AWS service account must have full access to AWS CloudWatch.
Your individual AWS user account must have full access to the following AWS features:
- AWS VPC
- AWS Lambda
- AWS CloudWatch
- AWS CloudFormation
AWS Components
The AWS components that will be used are:
- S3
- IAM
- Lambda
- VPC Flow Logs
Armor does not provide support for using AWS CloudFormation to set up AWS VPC Flow Log resources in AWS GovCloud (US).
Step 1: Configure the AWS VPC Flow Log CloudFormation Stack Template
You can use these instructions to collect and send logs from a single VPC Flow Log.
- Login into the AWS console.
- Go to the CloudFormation service.
- Click Create stack.
Step 2: Verify Connection in AMP
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management, and then select Search.
- In the Source column, review the source name to locate the newly created AWS VPC Flow Log remote log source.
- In the search field, you can also enter the AWS acccount ID to locate AWS VPC Flow Log messages.
Edit a Stack
This section only applies to single stacks, not stack sets.
Currently, Armor's AWS CloudFormation template does not support updates. If you want to update your stack, then you must delete the remote log source, and then create a new one with your desired updates.