How to integrate AWS CloudWatch

In this guide, we'll give you all the steps you need to integrate AWS CloudWatch with the Defense.com SIEM platform.

Written by Daniel Sampson
Updated over 2 weeks ago

CloudWatch Setup

If you haven't already configured CloudWatch on your AWS account, please refer to the AWS Documentation before you begin.

Creating a role

For us to collect your CloudWatch logs, you'll first need to create an Identity and Access Management (IAM) role with read-only access to CloudWatch in your AWS account. We will then use the AWS STS Assume Role feature to gain the necessary permissions.

  1. Log in to your AWS console and navigate to IAM (type “IAM” in the search bar at the top of the AWS console and select IAM from the search results).

  2. In the IAM view, click on Roles in the left-hand menu.

  3. Select Create role.

  4. Select the trusted entity type AWS Account.

  5. In the section marked An AWS account, select the Another AWS account option and enter the Account ID 653730588838. In the options below, select Require external ID, then in the External ID box enter a random string of letters and numbers. Important: Please do not include any special characters in the external ID. Please make a note of the External ID, as this will be required later.

  6. Click Next, and you’ll be taken to the Add Permissions page. Search for and select the policy CloudWatchLogsReadOnlyAccess, then select Next.

  7. Give the role a name (we recommend DefenseAssumedRole), then select Create role.

  8. Once created, you'll be taken back to the Roles page. Find the new role in the list and click on it to access its settings.

  9. Select Edit, change the value of Maximum Session Duration to 12 hours and select Save Changes.

  10. On the same page, you'll see a summary box at the top. Make a note of the role ARN.
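To confirm the finished role matches the steps above before you send its ARN, the following added example (not Defense.com's own code) audits the `Role` object returned by `aws iam get-role` together with the policy names from `aws iam list-attached-role-policies`. The sample role, the customer account ID 111122223333 and the external ID are constructed placeholders, and the check assumes the condition is written as `StringEquals` on `sts:ExternalId`, as the console generates it.

```python
import re

DEFENSE_ACCOUNT_ID = "653730588838"               # trusted account from step 5
EXPECTED_POLICY = "CloudWatchLogsReadOnlyAccess"  # policy from step 6
EXPECTED_MAX_SESSION = 12 * 3600                  # step 9, in seconds as the IAM API reports it

# Constructed sample: 111122223333 and the external ID are placeholders.
SAMPLE_ROLE = {
    "Arn": "arn:aws:iam::111122223333:role/DefenseAssumedRole",
    "MaxSessionDuration": 43200,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::653730588838:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "a1b2c3d4e5f6"}},
        }],
    },
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_role(role, attached_policy_names):
    """Return a list of findings; an empty list means the role matches the guide."""
    findings = []
    allowed = {DEFENSE_ACCOUNT_ID, f"arn:aws:iam::{DEFENSE_ACCOUNT_ID}:root"}
    for stmt in as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if not set(as_list(aws)) <= allowed or not as_list(aws):
            findings.append(f"unexpected trusted principal: {principal}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition on the trust statement")
        elif not all(re.fullmatch(r"[A-Za-z0-9]+", e) for e in as_list(ext)):
            findings.append("external ID contains characters other than letters and digits")
    if role.get("MaxSessionDuration") != EXPECTED_MAX_SESSION:
        findings.append(f"MaxSessionDuration is {role.get('MaxSessionDuration')}, expected {EXPECTED_MAX_SESSION}")
    if EXPECTED_POLICY not in attached_policy_names:
        findings.append(f"{EXPECTED_POLICY} is not attached")
    extra = sorted(set(attached_policy_names) - {EXPECTED_POLICY})
    if extra:
        findings.append(f"policies beyond read-only CloudWatch Logs attached: {extra}")
    return findings
```

A trust statement without the external ID condition lets any principal in the trusted account assume the role, so treat that finding as the one to fix first.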

Completing the integration

Once the above steps are complete, please create a ticket with our Technical Support team and provide us with the following information.

  • The ARN of any CloudWatch log groups you'd like us to ingest.

  • The ARN and External ID of the Role you just created.

And that's it! You've integrated AWS CloudWatch with the Defense.com SIEM platform 🎉
