Before you configure CloudTrail for Log Manager, you must create an Amazon Web Services Cloud Defender deployment and configure cross-account role access for the deployment. To create a Cloud Defender deployment, see Create a deployment. For information about cross-account role access, see Configure Alert Logic AWS Cross-account Role Access.
The SQS queue informs Alert Logic Log Manager of log messages to collect. Log Manager automatically queries this SQS queue and retrieves the CloudTrail log message from the queue. Alert Logic stores the CloudTrail log message in accordance with your log retention period, and you can query it from the Alert Logic console.
To create an SQS queue:
- In the AWS console, under Application Integration, click SQS.
- Click Create New Queue.
- In Queue Name, type a descriptive name, and then copy that name. You will need this information later to complete the CloudTrail configuration process.
- Keep the default configurations and click Create Queue.
- Select the check box next to the newly created queue, and then select Subscribe Queue to SNS Topic from the drop-down menu.
- In Choose a Topic, select the SNS topic used by your CloudTrail.
- Click Subscribe.
- To confirm successful configuration, click OK.
- Copy the Amazon Resource Name (ARN) for the queue. You will need this information later to complete the configuration process in the Alert Logic console.
To provide Alert Logic with cross-account access to your AWS account and the resources necessary to perform this configuration, you must create an IAM policy and role in the AWS console.
Download and open this policy document. Make the following changes to the policy document:
<ARN_FOR_SQS_QUEUE>with the ARN you copied earlier.
<CLOUDTRAIL_S3_BUCKET_NAME>with the S3 bucket name used by your CloudTrail.
Keep the policy document open so you can copy and paste the information during IAM role creation.
Do not use this policy document if you want to encrypt your CloudTrail logs with AWS Key Management Service (KMS).
To create a cross-account access role:
- In the AWS Console, click IAM, located under Security, Identity & Compliance.
- From the IAM Management Console, click Policies, and then click Create Policy.
- Click the JSON tab.
- Copy and paste the contents of your policy document into the JSON window.
- Click Review policy.
- On the Review Policy page, type a Policy Name and Description for the policy.
- Click Create policy.
- From the IAM Management Console, click Roles, and then click Create role.
- On the Create role page, click Another AWS account.
- Enter the following information for Alert Logic:
- Account ID—Type 239734009475
- Select Require external ID.
- External ID—Use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings () > Support Information.
- Require MFA—make sure the option is not selected.
- Click Next: Permissions.
- Select the policy you created above, and then click Next: Review.
- Type a Role Name and Role description, and then click Create Role.
- In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Alert Logic console.
You must create an AWS CloudTrail log source in the Alert Logic console to collect CloudTrail logs. To complete this action, you need the following AWS account information:
- SQS queue name
- IAM role credentials
To create an AWS CloudTrail collection source:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the deployment tile for which you want to create a CloudTrail collection source.
- In the left navigation area, click Log Sources.
- Click the Add icon ().
- From Source Log Type, select AWS CloudTrail.
- In Source Name, type a descriptive name.
- For the Enable Collection switch, keep the default Enabled selection (to the right).
- In Collection Alerts, click the field and select one or more alert options.
- In the SQS Queue Name field, type the name of the SQS queue you created in the previous steps.
- From AWS Region, specify the region in which you created the SQS queue in the previous steps.
- Select or create a new IAM Role.
- To use an existing IAM Role, select Use an existing IAM Role, and then select the IAM Role to use.
- To create a new IAM Role, select Create a new IAM Role, and then complete the following fields:
- In Credential Name, enter a descriptive name.
- In Role ID, enter the Role ARN you previously copied.
- In External ID, enter the external ID you previously used.