CloudWatch Setup
If you haven't already configured CloudWatch on your AWS account, please refer to the AWS Documentation before you begin.
Creating a role
For us to collect your CloudWatch logs, you'll first need to create an Identity and Access Management (IAM) role in your AWS account with read-only access to CloudWatch Logs. We will then use the AWS STS AssumeRole feature to obtain the necessary permissions through that role.
Log in to your AWS console and navigate to IAM (type “IAM” in the search bar at the top of the AWS console and select IAM from the search results).
In the IAM view, click on Roles in the left-hand menu.
Select Create role.
Select the trusted entity type AWS account.
In the section marked An AWS account, select the Another AWS account option and enter the Account ID 653730588838. In the options below, select Require external ID, then enter a random string of letters and numbers in the External ID box. Important: do not include any special characters in the External ID. Make a note of the External ID, as it will be required later.
Click Next, and you'll be taken to the Add permissions page. Search for and select the policy CloudWatchLogsReadOnlyAccess, then select Next.
Give the role a name (we recommend DefenseAssumedRole), then select Create role.
Once created, you'll be taken back to the Roles page. Find the new role in the list and click on it to access its settings.
Select Edit, change the value of Maximum session duration to 12 hours and select Save changes.
On the same page, you'll see a summary box at the top. Make a note of the role ARN.
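The steps above produce three settings on the role: a trust policy that lets account 653730588838 call sts:AssumeRole only when it presents your External ID, the CloudWatchLogsReadOnlyAccess managed policy, and a 12-hour maximum session. The following Python is an added example written for this page, not Defense.com's or AWS's code. It builds the trust policy the console generates for "Another AWS account" with "Require external ID" selected, and checks an existing trust policy for the two things that matter most for a cross-account role: that only the expected account is trusted and that the sts:ExternalId condition (the confused-deputy guard) is present. The function names, and the minimum External ID length of 16 characters, are assumptions for illustration; the page only asks for letters and numbers.

```python
import json
import re

# Values taken from the setup steps on this page.
DEFENSE_ACCOUNT_ID = "653730588838"
ROLE_NAME = "DefenseAssumedRole"
# AWS managed policy selected on the Add permissions page.
READONLY_POLICY_ARN = "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"
MAX_SESSION_SECONDS = 12 * 60 * 60  # Maximum session duration of 12 hours


def validate_external_id(external_id: str) -> bool:
    """Letters and digits only, as the setup steps require.
    The 16-character minimum is an assumption for this example."""
    return re.fullmatch(r"[A-Za-z0-9]{16,}", external_id) is not None


def build_trust_policy(external_id: str) -> dict:
    """Trust policy matching the console's 'Another AWS account' +
    'Require external ID' options for the Defense.com account."""
    if not validate_external_id(external_id):
        raise ValueError("External ID must contain only letters and digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{DEFENSE_ACCOUNT_ID}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def create_role_request(external_id: str) -> dict:
    """Parameters equivalent to what the console steps set on the role,
    in the shape the IAM CreateRole API expects (the trust policy is a
    JSON string there). MaxSessionDuration is in seconds."""
    return {
        "RoleName": ROLE_NAME,
        "AssumeRolePolicyDocument": json.dumps(build_trust_policy(external_id)),
        "MaxSessionDuration": MAX_SESSION_SECONDS,
    }


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_account: str = DEFENSE_ACCOUNT_ID) -> list:
    """Review a role's trust policy (e.g. the JSON shown on the role's
    Trust relationships tab). Returns a list of problems; empty means OK."""
    problems = []
    expected_principal = f"arn:aws:iam::{expected_account}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals = ["*"]
        elif isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = []
        if "*" in principals:
            problems.append("trust policy allows any AWS principal to assume the role")
        unexpected = [p for p in principals if p != expected_principal and p != "*"]
        if unexpected:
            problems.append(f"unexpected principal(s): {unexpected}")
        external_id = (
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        )
        if not external_id:
            problems.append("sts:ExternalId condition missing (no confused-deputy protection)")
        elif not validate_external_id(external_id):
            problems.append("External ID contains characters outside letters and digits")
    return problems


if __name__ == "__main__":
    # Constructed sample External ID, letters and digits only.
    sample = build_trust_policy("k7QmZ2pL9xR4tV8w")
    print(json.dumps(sample, indent=2))
    print("problems:", check_trust_policy(sample))
```

Running the module prints the trust policy you should see on the role's Trust relationships tab after step 9; if check_trust_policy reports a problem (a wildcard principal, a different account, or no sts:ExternalId condition), the role was not created as described and should be corrected before you raise the support ticket.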
Completing the integration
Once the above steps are complete, please create a ticket with our Technical Support team and provide us with the following information.
The ARNs of the CloudWatch log groups you'd like us to ingest.
The ARN and External ID of the role you just created.
And that's it! You've integrated AWS CloudWatch with the Defense.com SIEM platform 🎉