# NG SIEM - AWS Integration

#### <span style="color: rgb(53, 152, 219);">**Overview**</span>

  
<span style="color: rgb(0, 0, 0);">The AWS Integration enables the collection of logs and metrics from your Amazon Web Services (AWS) environment. This integration helps centralize security and operational data for monitoring, investigation, and reporting.</span>

#### <span style="color: rgb(53, 152, 219);">**Data Streams**</span>

  
<span style="color: rgb(0, 0, 0);">The AWS integration collects two main types of data:</span>

1. <span style="color: rgb(0, 0, 0);">**Logs** – Records of events that occur within your AWS account.</span>  
    <span style="color: rgb(0, 0, 0);">Examples:</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Every request received by CloudFront</span>
    - <span style="color: rgb(0, 0, 0);">Actions performed by AWS users or roles</span>
    - <span style="color: rgb(0, 0, 0);">API activity captured by CloudTrail</span>
2. <span style="color: rgb(0, 0, 0);">**Metrics** – Real-time insights into the performance and health of AWS services.</span>  
    <span style="color: rgb(0, 0, 0);">Examples:</span>
    
    
    - <span style="color: rgb(0, 0, 0);">CPU utilization of EC2 instances</span>
    - <span style="color: rgb(0, 0, 0);">S3 storage usage</span>
    - <span style="color: rgb(0, 0, 0);">RDS performance metrics</span>
    - <span style="color: rgb(0, 0, 0);">AWS cost and usage breakdowns</span>

#### <span style="color: rgb(53, 152, 219);">**Requirements**</span>

  
<span style="color: rgb(0, 0, 0);">Before configuring the AWS integration, ensure you have:</span>

1. <span style="color: rgb(0, 0, 0);">**AWS Credentials** – To connect to your AWS account.</span>
2. <span style="color: rgb(0, 0, 0);">**AWS Permissions** – To grant access to the necessary AWS services.</span>

##### <span style="color: rgb(53, 152, 219);">**Step 1: Create IAM User and Custom Policy**</span>

1. <span style="color: rgb(0, 0, 0);">**IAM User**</span>  
    <span style="color: rgb(0, 0, 0);">An identity you create in **AWS Identity and Access Management (IAM)** that represents a person or application that needs to interact with your AWS resources.</span>
2. <span style="color: rgb(0, 0, 0);">**User Policy and Permissions**</span>

<span style="color: rgb(0, 0, 0);">The IAM User must be granted the following permissions:</span>

```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ce:GetCostAndUsage",
				"cloudwatch:GetMetricData",
				"cloudwatch:ListMetrics",
				"ec2:DescribeInstances",
				"ec2:DescribeRegions",
				"iam:ListAccountAliases",
				"inspector2:ListFindings",
				"logs:DescribeLogGroups",
				"logs:FilterLogEvents",
				"organizations:ListAccounts",
				"rds:DescribeDBInstances",
				"rds:ListTagsForResource",
				"s3:GetBucketLocation",
				"s3:GetObject",
				"s3:ListBucket",
				"sns:ListTopics",
				"sqs:ChangeMessageVisibility",
				"sqs:DeleteMessage",
				"sqs:GetQueueAttributes",
				"sqs:ListQueues",
				"sqs:ReceiveMessage",
				"sts:AssumeRole",
				"sts:GetCallerIdentity",
				"tag:GetResources"
			],
			"Resource": "*"
		}
	]
}
```
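
The policy above allows every listed action on `Resource: "*"`. As an added example (not part of the original page and not CyTech's code), the Python below splits that policy so the S3, SQS message and `sts:AssumeRole` actions name specific ARNs, and lists what stays on the wildcard for review. It assumes the integration only needs one trail bucket, one queue and one role; the ARNs and the function names are constructed for illustration.

```python
# Actions copied from the policy on this page.
PAGE_ACTIONS = """ce:GetCostAndUsage cloudwatch:GetMetricData cloudwatch:ListMetrics
ec2:DescribeInstances ec2:DescribeRegions iam:ListAccountAliases inspector2:ListFindings
logs:DescribeLogGroups logs:FilterLogEvents organizations:ListAccounts rds:DescribeDBInstances
rds:ListTagsForResource s3:GetBucketLocation s3:GetObject s3:ListBucket sns:ListTopics
sqs:ChangeMessageVisibility sqs:DeleteMessage sqs:GetQueueAttributes sqs:ListQueues
sqs:ReceiveMessage sts:AssumeRole sts:GetCallerIdentity tag:GetResources""".split()
PAGE_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": PAGE_ACTIONS, "Resource": "*"}]}
# Constructed ARNs (hypothetical names); substitute the real trail bucket, queue and role.
EXAMPLE_ARNS = {"bucket": "arn:aws:s3:::example-trail-logs",
                "queue": "arn:aws:sqs:us-east-1:111122223333:example-trail-queue",
                "role": "arn:aws:iam::111122223333:role/example-siem-read"}

# Actions from that list that accept a resource ARN; all others are left on "*".
SCOPABLE = {
    "bucket": {"s3:GetBucketLocation", "s3:ListBucket"},
    "object": {"s3:GetObject"},
    "queue": {"sqs:ChangeMessageVisibility", "sqs:DeleteMessage",
              "sqs:GetQueueAttributes", "sqs:ReceiveMessage"},
    "role": {"sts:AssumeRole"},
}

def scope_policy(policy, arns):
    """Split Allow-on-"*" statements so scopable actions name a specific ARN."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            out.append(stmt)  # already scoped, or a Deny: pass through unchanged
            continue
        rest = {k: v for k, v in stmt.items() if k != "Sid"}  # Sids must stay unique
        remaining = set([stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"])
        for kind, names in SCOPABLE.items():
            hit = sorted(remaining & names)
            arn = arns.get("bucket" if kind == "object" else kind)
            if not hit or not arn:
                continue  # no ARN supplied: the action stays on "*"
            remaining -= names
            res = arn + "/*" if kind == "object" else arn  # objects live under the bucket
            out.append({**rest, "Action": hit, "Resource": res})
        if remaining:
            out.append({**rest, "Action": sorted(remaining), "Resource": "*"})
    return {"Version": policy["Version"], "Statement": out}

def wildcard_actions(policy):
    """Actions still allowed on Resource "*", listed for review."""
    return sorted(a for s in policy["Statement"]
                  if s.get("Effect") == "Allow" and s.get("Resource") == "*"
                  for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"]))
```

Calling `scope_policy(PAGE_POLICY, EXAMPLE_ARNS)` yields five statements; `wildcard_actions` on the result shows the actions that remain account-wide.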

##### <span style="color: rgb(53, 152, 219);">**Step 2: Create Access Key**</span>


<span style="color: rgb(0, 0, 0);">An access key is a long-term credential associated with an IAM user or the AWS root account. It has two parts:</span>

1. <span style="color: rgb(0, 0, 0);">**Access Key ID** – First part of the access key</span>
2. <span style="color: rgb(0, 0, 0);">**Secret Access Key** – Second part of the access key</span>

##### <span style="color: rgb(53, 152, 219);">**Step 3: Create a CloudTrail Trail and Send Logs to S3**</span>

<span style="color: rgb(0, 0, 0);">Set up an AWS CloudTrail trail to record account activity and deliver log files into an S3 bucket for secure storage, auditing, and compliance monitoring.</span>

1. <span style="color: rgb(0, 0, 0);">**Open CloudTrail** &gt; Create a **New Trail**</span>
2. <span style="color: rgb(0, 0, 0);">**Trail Settings**</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Trail name: Enter a unique name.</span>
    - <span style="color: rgb(0, 0, 0);">Apply trail to all accounts in my organization.</span>
3. <span style="color: rgb(0, 0, 0);">Choose an S3 Bucket</span>
    
    
    - <span style="color: rgb(0, 0, 0);">**Storage location** → Select **Create new S3 bucket** or **Use existing bucket**.</span>
    
    <span style="color: rgb(0, 0, 0);">If using a **new bucket**:</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Enter a bucket name.</span>
    - <span style="color: rgb(0, 0, 0);">CloudTrail will create the bucket and add the correct permissions.</span>
    
    <span style="color: rgb(0, 0, 0);">If using an **existing bucket**:</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Select your bucket from the dropdown.</span>
    - <span style="color: rgb(0, 0, 0);">CloudTrail will prompt you to allow access. Click **Yes** to let CloudTrail update the bucket policy.</span>
4. <span style="color: rgb(0, 0, 0);">Additional Settings</span>
    
    
    - <span style="color: rgb(0, 0, 0);">**Enable for all accounts in my organization**</span>
    - <span style="color: rgb(0, 0, 0);">**Log file SSE-KMS encryption:** Enable if you want encryption with a KMS key (optional).</span>
    - <span style="color: rgb(0, 0, 0);">**Log file validation:** Enable to verify log integrity.</span>
5. <span style="color: rgb(0, 0, 0);">Choose Log Events</span>
    1. <span style="color: rgb(0, 0, 0);">**Event Type**</span>
        - <span style="color: rgb(0, 0, 0);">**Management events** - Capture management operations performed on your AWS resources.</span>
        - <span style="color: rgb(0, 0, 0);">**Data events** - Log the resource operations performed on or within a resource.</span>
        - <span style="color: rgb(0, 0, 0);">**Insights events** - Identify unusual activity, errors, or user behavior in your account.</span>
        - <span style="color: rgb(0, 0, 0);">**Network activity events** - Provide information about resource operations performed on a resource within a virtual private cloud endpoint.</span>
    2. <span style="color: rgb(0, 0, 0);">**Management events:**</span>
        
        
        - <span style="color: rgb(0, 0, 0);">Check **Read** (default is usually All).</span>
6. <span style="color: rgb(0, 0, 0);">Review and Create</span>
    
    
    - <span style="color: rgb(0, 0, 0);">Review your configuration summary.</span>
    - <span style="color: rgb(0, 0, 0);">Click **Create trail**.</span>

<span style="color: rgb(0, 0, 0);">To configure the AWS Integration:</span>

<p class="callout danger">**Please provide the following information to CyTech Support:**</p>

<div class="ListContainerWrapper SCXW124724174 BCX0" id="bkmrk-project-id%C2%A0---the-pr">- <span style="color: rgb(0, 0, 0);">**Access key ID**</span>
- <span style="color: rgb(0, 0, 0);">**Secret Access Key**</span>
- <span style="color: rgb(0, 0, 0);">**Region**</span>
- <span style="color: rgb(0, 0, 0);">**Trail Log Collection &gt; S3 Bucket ARN**</span>

</div><span style="color: rgb(0, 0, 0);">*If you need further assistance, kindly contact <span style="color: rgb(53, 152, 219);">**[support@cytechint.com](mailto:info@cytechint.com)** </span>for prompt assistance and guidance.*</span>