AWS S3

Chronicle has the ability to pull logs from AWS S3.

Creating an AWS S3 Bucket

  1. AWS has great information online about how to create new S3 Buckets. Feel free to follow this AWS Guide.

Access Configuration

When creating access for CYDERES you can choose between two different options. CYDERES recommends that you create an IAM role, as it is the more secure of the two.

IAM Role

  1. In the console navigate to IAM
  2. Click on "Roles"
  3. Click on "Create Role"
  4. In the page that opens up select "Another AWS Account" in the top bar.
  5. For the "Account ID" fill in 237482752974
  6. Click the optional "Require external ID" and fill in the box with a value of your choosing. CYDERES will need this value to connect to your account, so keep it saved.
  7. Click Next
  8. Click on "Create Policy" to create a new policy to attach to this role.
  9. In the new window that opens up change the editor to JSON.
  10. In the JSON editor window copy and paste in these values.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "S3BucketAcccessCYDERES",
          "Effect": "Allow",
          "Action": [
              "s3:GetObject",
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::BUCKETNAME",
              "arn:aws:s3:::BUCKETNAME/*"
          ]
        },
        {
          "Sid": "S3ListAccessCYDERES",
          "Effect": "Allow",
          "Action": [
              "s3:ListAllMyBuckets",
              "s3:HeadBucket"
          ],
          "Resource": "*"
        },
        {
          "Sid": "KMSAcccessCYDERES",
          "Effect": "Allow",
          "Action": "kms:Decrypt",
          "Resource": [
              "arn:aws:kms:*:*:key/*"
          ]
        }
      ]
    }
    
  11. Edit the JSON IAM policy, making sure to replace BUCKETNAME with the name of the S3 bucket that CYDERES will be accessing.
  12. The KMSAcccessCYDERES statement is only needed if the bucket objects are encrypted with a KMS key.
  13. Name the policy however you wish and click save.
  14. After creating the policy return to the create role window. Refresh the policies. Find and select your newly created policy then click "Next".
  15. Fill out any tags you want on your role and then click "Next".
  16. Fill in your AWS IAM role name and then click on "Create Role".
  17. Once the role is created click into it and find the role ARN.
  18. Send the following to CYDERES when completed

    • IAM Role ARN
    • IAM ExternalID
    • S3 Bucket Name
    • S3 Bucket File Path
    • Log Types
  19. CYDERES recommends sending object-creation events to an SQS queue, which helps with high-volume log sources. CYDERES has to set up the SQS queue before the S3 bucket can be configured to use it. Once CYDERES has set up the queue, follow the directions under SQS Queue Configuration below.
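As an added example (not CYDERES' or AWS' code), the Python below renders the permissions policy above for your bucket, renders the trust policy that steps 4 to 6 produce in the console, and audits both for the two omissions that matter most: a trust statement without the external ID condition and object reads granted on every bucket. The bucket name and external ID used in the test are placeholders; only the CYDERES account ID comes from this page.

```python
import copy

CYDERES_ACCOUNT_ID = "237482752974"  # CYDERES account ID quoted on this page

PERMISSIONS_TEMPLATE = {  # the page's policy; BUCKETNAME is the substitution token
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3BucketAcccessCYDERES", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"]},
        {"Sid": "S3ListAccessCYDERES", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:HeadBucket"], "Resource": "*"},
        {"Sid": "KMSAcccessCYDERES", "Effect": "Allow",
         "Action": "kms:Decrypt", "Resource": ["arn:aws:kms:*:*:key/*"]},
    ],
}


def render_permissions_policy(bucket: str, kms_encrypted: bool) -> dict:
    """Fill in the bucket name; drop the KMS statement when objects are not KMS-encrypted."""
    policy = copy.deepcopy(PERMISSIONS_TEMPLATE)
    for stmt in policy["Statement"]:
        if isinstance(stmt["Resource"], list):
            stmt["Resource"] = [r.replace("BUCKETNAME", bucket) for r in stmt["Resource"]]
    if not kms_encrypted:
        policy["Statement"] = [s for s in policy["Statement"] if s["Sid"] != "KMSAcccessCYDERES"]
    return policy


def render_trust_policy(external_id: str) -> dict:
    """Trust policy the console writes for 'Another AWS Account' with 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{CYDERES_ACCOUNT_ID}:root"},
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit(trust: dict, perms: dict) -> list:
    """Flag AssumeRole without an external ID (confused deputy) and GetObject on every bucket."""
    findings = []
    for s in trust["Statement"]:
        cond = s.get("Condition", {}).get("StringEquals", {})
        if "sts:AssumeRole" in s["Action"] and "sts:ExternalId" not in cond:
            findings.append("trust: sts:AssumeRole without sts:ExternalId condition")
    for s in perms["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if "s3:GetObject" in actions and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"{s.get('Sid', '?')}: s3:GetObject granted on all buckets")
    return findings
```

Run `audit(render_trust_policy(ext_id), render_permissions_policy(bucket, kms))` before sending the role ARN to CYDERES; an empty list means both policies match what this page prescribes.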

IAM User

  1. Create the IAM user that CYDERES will use to access the S3 bucket. Feel free to follow this AWS Guide on creating IAM Users.
  2. When creating the user, the access type needed is Programmatic Access.
  3. When setting permissions, create a new policy, either with the policy generator to grant this user access to the S3 bucket, or by using the following JSON policy as an example. Note that the example is written in bucket-policy (resource-based) form, which is why each statement names a Principal; if you attach it to the user as an identity policy instead, remove the Principal elements and replace Account-ID with your AWS account ID where it remains.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "S3BucketAcccessCYDERES",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::Account-ID:user/CYDERES"
          },
          "Action": [
            "s3:ListBucket",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::BUCKETNAME",
            "arn:aws:s3:::BUCKETNAME/*"
          ]
        },
        {
          "Sid": "S3ListAccessCYDERES",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::Account-ID:user/CYDERES"
          },
          "Action": [
              "s3:ListAllMyBuckets",
              "s3:HeadBucket"
          ],
          "Resource": "*"
        },
        {
          "Sid": "KMSAcccessCYDERES",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::Account-ID:user/CYDERES"
          },
          "Action": "kms:Decrypt",
          "Resource": [
              "arn:aws:kms:*:*:key/*"
          ]
        }
      ]
    }
    
  4. Send the following to CYDERES when completed

    • Access key ID
    • Secret access key
    • S3 Bucket Name
    • S3 Bucket File Path
    • Log Types
  5. CYDERES recommends sending object-creation events to an SQS queue, which helps with high-volume log sources. CYDERES has to set up the SQS queue before the S3 bucket can be configured to use it. Once CYDERES has set up the queue, follow the directions under SQS Queue Configuration below.

KMS Keys

If a KMS key is used to encrypt objects written into the S3 bucket, and that KMS key lives in a different account from the S3 bucket, there is an extra configuration step. Feel free to reference this AWS Documentation.

On the KMS key, add the following policy statements, replacing the AWS account IDs with the ID of the account where the S3 bucket lives. This allows the account that owns the S3 bucket to use the KMS key so that the objects can be downloaded. Without this policy in place, CYDERES will not be able to read those encrypted S3 objects.

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::(awsAccountID):root"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::(awsAccountID):root"
        ]
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}

SQS Queue Configuration

  1. Navigate to the S3 bucket that is going to be configured
  2. Click on "Properties" in the top bar
  3. Under Advanced settings, find "Events" and click on the box.
  4. Click "Add Notification"
  5. Set the name however you wish.
  6. Check the "All object create events" under "Events"
  7. In "Send To" select "SQS Queue"
  8. In the "SQS" drop-down box select "Add SQS Queue ARN"
  9. Fill in this box with the ARN that CYDERES provides.
  10. Click "Save"