CloudWatch Setup
If you haven't set up CloudWatch already, please refer to the AWS Documentation.
Role Setup
For us to collect your CloudWatch logs, you'll first need to create an IAM role in your AWS account with read-only access to CloudWatch Logs. We then use the AWS STS AssumeRole feature to obtain the necessary permissions.
Login to your AWS console and navigate to IAM (type “IAM” in the search bar at the top of the AWS console and select IAM from the search results).
In the IAM view, click on Roles in the left-hand menu.
Select Create role.
Select the trusted entity type AWS Account.
In the section marked An AWS account, select the Another AWS account option and enter the Account ID 653730588838. In the options below, select Require external ID, then enter a random string of letters and numbers in the External ID box.
Important: Do not include any special characters in the external ID. Make a note of the External ID, as you will need it later.
Click Next and you’ll be taken to the Add Permissions page. Search for and select the policy CloudWatchLogsReadOnlyAccess, then select Next.
Give the role a name (we recommend DefenseAssumedRole) then select Create role.
Once created, you'll be taken back to the Roles page. Find the new role in the list and click on it to access its settings.
Select Edit, change the value of Maximum session duration to 12 hours, and select Save changes.
On the same page, you'll see a summary box at the top. Make a note of the role ARN.
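The role configured above, as an added example that is not part of the original page or the vendor's tooling: a small Python helper that builds the trust policy with the sts:ExternalId condition (the guard against the confused-deputy problem that the external ID exists for), audits an existing trust policy for the two properties that matter (only the collector account as principal, external ID required), and emits the equivalent AWS CLI commands. The account ID, role name and managed policy are the ones named above; the external ID and any audited policy are constructed placeholders.

```python
import json
import re

# Values from the setup steps above; the external ID is supplied by the caller.
COLLECTOR_ACCOUNT_ID = "653730588838"
ROLE_NAME = "DefenseAssumedRole"
POLICY_ARN = "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"
MAX_SESSION_SECONDS = 12 * 60 * 60  # "Maximum session duration" of 12 hours

EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9]{2,}$")  # letters and digits only, as the page requires


def trust_policy(external_id: str, collector_account: str = COLLECTOR_ACCOUNT_ID) -> dict:
    """Trust policy: only the collector account may assume the role, and only with the agreed external ID."""
    if not EXTERNAL_ID_RE.match(external_id):
        raise ValueError("external ID must contain letters and digits only")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{collector_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, collector_account: str = COLLECTOR_ACCOUNT_ID) -> list:
    """Audit a role's trust policy (as returned by get-role); returns findings, empty when it is scoped correctly."""
    findings = []
    expected = f"arn:aws:iam::{collector_account}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in aws if isinstance(aws, list) else [aws]:
            if p == "*" or (p != expected and p != collector_account):
                findings.append(f"unexpected principal {p!r}")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition: any caller in the trusted account could assume the role")
    return findings


def cli_commands(external_id: str) -> list:
    """The console steps above as AWS CLI commands: create role, attach policy, set session duration."""
    doc = json.dumps(trust_policy(external_id), separators=(",", ":"))
    return [
        f"aws iam create-role --role-name {ROLE_NAME} --assume-role-policy-document '{doc}'",
        f"aws iam attach-role-policy --role-name {ROLE_NAME} --policy-arn {POLICY_ARN}",
        f"aws iam update-role --role-name {ROLE_NAME} --max-session-duration {MAX_SESSION_SECONDS}",
    ]
```

To audit a role you have already created, pass the output of `aws iam get-role --role-name DefenseAssumedRole --query Role.AssumeRolePolicyDocument` to check_trust_policy.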
What we need from you
The ARNs of the CloudWatch log groups you'd like us to ingest.
The ARN and External ID of the Role you just created.