How to connect Amazon Web Services log data to ContraForce

Security events from Amazon Web Services (AWS) can be sent to ContraForce to provide valuable security insights. This article will cover the requirements to send AWS data to ContraForce.

ContraForce is able to ingest logs from AWS GuardDuty, AWS VPC Flow Logs, CloudWatch, and AWS CloudTrail. There are a few requirements to facilitate the data transfer, and this article will cover the steps. To simplify the setup process, a script can be used to reduce the manual work needed to establish the connection. This article will cover the resources used, their function, and how to create them.

AWS Connector Overview

ContraForce will provide you with a script that creates the AWS resources required for the connection to ContraForce. The script will create the following resources:

  • If not pre-existing, creates an S3 storage bucket and SQS queue.
    • If connecting AWS GuardDuty, AWS VPC Flow Logs, CloudWatch, and AWS CloudTrail, an SQS queue will be created for each type. A single S3 bucket can be used for multiple log types.
  • Enables the specified AWS services to send logs to the S3 bucket, and notification messages to the respective SQS queue.
  • Creates an IAM role in AWS, to be assumed by ContraForce, with the minimum permissions needed to allow ContraForce access to the AWS logs.
  • Configures any required IAM permissions policies and applies them to the newly created IAM role.

To run the script in AWS, you will need PowerShell and the AWS CLI. If you do not already have these installed, instructions on how to install them can be found below:

How to run the AWS configuration script

  1. Ensure that you have the AWS S3 setup script. ContraForce will provide you with this. Additionally, it can be downloaded here. The download will be a zip file. 
  2. In PowerShell, run aws configure. Enter your AWS credentials as prompted. You will be asked for the information below. Additionally, more information about configuring the AWS CLI can be found here.
  3. Run the configuration script using the ./ConfigAwsConnector.ps1 command.
    1. The script can take up to 30 minutes to complete. 
  4. The script will ask which AWS log to configure. Specify Guard Duty, VPC Flow, or Cloud Trail. Additionally, the script will ask for the Workspace ID to be used. This will be provided to you by ContraForce. 
  5. After the script has completed, copy the Role ARN and SQS URL from the output. Send this information to ContraForce. Be sure to specify which data type the Role ARN and SQS URL correspond to. 

Note that if you want to connect multiple AWS log types, the script will need to be run multiple times, once for each type.
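
Before sending the Role ARN to ContraForce, you can review what the role actually grants. The following check is an added example, not part of ContraForce's script: it audits a role's trust policy and permissions policy (JSON as returned by aws iam get-role and aws iam get-role-policy) for wildcard principals, wildcard actions, and resources outside the connector's bucket and queue. The account IDs, ARNs, Workspace ID and both policy documents are constructed placeholders, and it is an assumption that the trust policy pins the Workspace ID as sts:ExternalId.

```python
import json

# Constructed sample data: account IDs, names and the Workspace ID are placeholders.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
BUCKET_ARN = "arn:aws:s3:::example-log-bucket"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-guardduty-queue"
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "00000000-0000-0000-0000-000000000000"}}}]}""")
# The second statement is deliberately too broad so the audit has something to report.
PERMISSIONS = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-log-bucket/*"},
  {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}""")

def _as_list(value):
    """IAM allows Statement/Action/Resource/Principal to be one item or a list."""
    return value if isinstance(value, list) else [value]

def audit_trust(doc, external_id):
    """Flag Allow statements that trust any principal or lack the expected ExternalId."""
    findings = []
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("trust: any AWS principal can assume the role")
        pinned = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if pinned != external_id:  # assumption: Workspace ID is used as the ExternalId
            findings.append("trust: sts:ExternalId is missing or is not the Workspace ID")
    return findings

def audit_permissions(doc, allowed_arns):
    """Flag wildcard actions and resources other than the expected bucket and queue."""
    findings = []
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append("permissions: NotAction/NotResource grants everything except a list")
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                findings.append(f"permissions: wildcard action {action}")
        for res in _as_list(st.get("Resource", [])):
            if not any(res == arn or res.startswith(arn + "/") for arn in allowed_arns):
                findings.append(f"permissions: resource outside the connector's scope: {res}")
    return findings

if __name__ == "__main__":
    print(audit_trust(TRUST, WORKSPACE_ID) + audit_permissions(PERMISSIONS, [BUCKET_ARN, QUEUE_ARN]))
```

An empty result means the role trusts only the named principal with the expected ExternalId and grants no wildcard actions or out-of-scope resources.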