This document describes the steps required to configure VPC Flow logs via CloudTrail on AWS cloud. We recommend that these steps are performed on a call with the guidance of ARIA Technical Support.
- CloudTrail Configuration:
- Login to your AWS Dashboard for your region.
- In the search bar, type ‘cloud trail’ and navigate to the service.
- You may use an existing trail or create a new one. In our case, we are going to create a new one with the ‘Create trail’ button.
- Trail Attributes:
- Trail Name: Choose a descriptive name
- Storage Location: Create a new s3 bucket or use an existing one.
- Trail log bucket and folder: Choose a descriptive name (e.g. aria-aws-cloudtrail-logs)
- Log file SSE-KMS encryption: disabled
- CloudWatch Logs: disabled
- Event type:
- management events
- API Activity: read + write
- Confirm your settings and then select ‘Create trail’
- Login to your AWS Dashboard for your region.
- IAM Role + Policy Configuration
- In the search bar, type ‘IAM’ and navigate to the service.
- In the navigation pane, select ‘Policies’
- Choose ‘Create Policy’
- On the ‘Create Policy’ page, do the following:
- Choose JSON
- Replace the contents of this window with the following permissions policy:
- Choose ‘Next’.
- Give the policy a descriptive name and an optional description and select create.
- In the navigation pane, choose ‘Roles’ and then ‘Create role’.
- Choose ‘Custom trust policy’ and replace “Principle”:{}, with the entry below and then choose ‘Next’.
- Search for the policy created earlier, mark the checkbox next to it and select ‘Next’.
- Enter a name and description for the role and then select ‘Create role’.
- In the search bar, type ‘IAM’ and navigate to the service.
- IAM Access Key Configuration
Note: Before you begin, create a new user and assign the policy if none exist with the IAM user set to 'AmazonS3ReadOnlyAccess'.- Sign into the AWS console as the IAM user to be used for VPC Flow log collection.
- Select the account drop-down in the top right, then choose ‘Security credentials’
- Scroll down to ‘Access Keys’.
- If you already have an access key, please note down the key id and the secret value for later. Otherwise, select ‘Create access key’.
- Select ‘Third-party service’ as a use case then confirm and select ‘Next’.
- Add a description tag and then create the access key. Be sure to store the key id and secret value in a safe place. We will need these later.
- AWS VPC Flow Log Configuration
- Use the top search bar to navigate to the ‘VPC’ service.
- In the navigation pane, select ‘Your VPCs’
- Right-click the desired VPC and select ‘Create flow log’.
- Flow log settings:
- Name: choose a descriptive name
- Filter: All
- Maximum aggregation interval: 10 minutes
- Destination: Send to CloudWatch Logs
- Destination log group: choose the CloudWatch log group created previously or an existing group. Please keep note of the log group for future configuration.
- IAM role: choose the role created previously.
- Log format: Custom (Select the ones below IN ORDER).
- Select ‘Create flow log’.
- ARIA ADR VPC Flow Log Ingestion Configuration
- Login to your Aria tenant with the credentials provided.
- In the navigation pane, choose ‘Settings > Provisioning > Cloud Devices > AWS Configuration’
- Choose ‘Configure Flow services’, then select ‘Add’.
- Fill in the following boxes with the information recorded from AWS. An example will look as follows.
- Review your setting and select ‘Save’.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article