Defense.com

If you haven't already configured CloudWatch on your AWS account, please refer to the <a href="https://docs.aws.amazon.com/cloudwatch/" rel="nofollow noopener noreferrer" target="_blank">AWS Documentation</a> before you begin.

For us to collect your CloudWatch logs, you'll first need to create an Identity and Access Management (IAM) role with read-only access to CloudWatch in your AWS account. We will then use the AWS <a href="https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" rel="nofollow noopener noreferrer" target="_blank">STS Assume Role</a> feature to gain the necessary permissions.

Log in to your AWS console and navigate to IAM (type “IAM” in the search bar at the top of the AWS console and select IAM from the search results).

In the IAM view, click on Roles in the left-hand menu. ​

Select the trusted entity type AWS Account

In the section marked An AWS account, select the Another AWS account option and enter the Account ID 653730588838. In the options below, select Require external ID, then in the External ID box enter a random string of letters and numbers. Important: Please do not include any special characters in the external ID. Please make a note of the External ID, as this will be required later ​

Click Next, and you’ll be taken to the Add Permissions page. Search for and select the policy CloudWatchLogsReadOnlyAccess, then select Next ​

Give the role a name (we recommend DefenseAssumedRole), then select Create role

Once created, you'll be taken back to the Roles page. Find the new role in the list and click on it to access its settings

Select Edit, change the value of Maximum Session Duration to 12 hours and select Save Changes ​

On the same page, you'll see a summary box at the top. Make a note of the role ARN. ​

1. Log in to your AWS console and navigate to IAM (type “IAM” in the search bar at the top of the AWS console and select IAM from the search results).
2. In the IAM view, click on Roles in the left-hand menu. ​
 
 
3. Select Create role
4. Select the trusted entity type AWS Account
 
 
 
5. In the section marked An AWS account, select the Another AWS account option and enter the Account ID 653730588838. In the options below, select Require external ID, then in the External ID box enter a random string of letters and numbers. Important: Please do not include any special characters in the external ID. Please make a note of the External ID, as this will be required later ​
 
 
6. Click Next, and you’ll be taken to the Add Permissions page. Search for and select the policy CloudWatchLogsReadOnlyAccess, then select Next ​
 
 
7. Give the role a name (we recommend DefenseAssumedRole), then select Create role
8. Once created, you'll be taken back to the Roles page. Find the new role in the list and click on it to access its settings
9. Select Edit, change the value of Maximum Session Duration to 12 hours and select Save Changes ​
 
 
10. On the same page, you'll see a summary box at the top. Make a note of the role ARN. ​

Once the above steps are complete, please <a href="https://my.defense.com/support/tickets/new" rel="nofollow noopener noreferrer" target="_blank">create a ticket</a> with our Technical Support team and provide us with the following information.

The ARN of any CloudWatch log groups you'd like us to ingest.

The ARN and External ID of the Role you just created.

- The ARN of any CloudWatch log groups you'd like us to ingest.
- The ARN and External ID of the Role you just created.

And that's it! You've integrated AWS CloudWatch with the Defense.com SIEM platform 🎉

In this guide, we'll give you all the steps you need to integrate AWS CloudWatch with the Defense.com SIEM platform.

CloudWatch Setup

Creating a role

Completing the integration