Supported Versions: all
NetWitness Platform Versions: NetWitness Platform 11.3 and later
Event Source Class.Subclass
To configure AWS CloudTrail, you must complete these tasks:
- Configure the AWS CloudTrail event source
- Configure the Log Collector for CloudTrail Collection
Configure the AWS CloudTrail Event Source
AWS CloudTrail is a web service that records AWS API calls. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. RSA NetWitness Platform can collect all of this information.
Perform the following tasks:
- Set Up CloudTrail in AWS
- Provide Read Permissions to an IAM user for an S3 Bucket
Set Up CloudTrail in AWS
You need to work with three AWS services:
- IAM: this is where you create your user or users.
- S3: this is where you create a bucket that holds the logs.
- CloudTrail: you need to enable this service.
To set up CloudTrail in AWS:
1. Create an Amazon AWS account at https://aws.amazon.com.
2. Create a user for the IAM (Identity and Access Management) service. Your user is given an access key and a secret access key. Make sure to record the secret access key, as you cannot view it again after it is created.
3. In the S3 service, create a bucket. You need to remember the values you enter here, as you need them later when you configure the event source in RSA NetWitness Platform.
   - Enter a name.
   - Select a region.
   - Optional. Enter a prefix.
4. Enable the CloudTrail service.
5. Attach a policy that allows users access to the bucket that you created in step 3.
Provide Read Permissions to an IAM user for an S3 Bucket
In the IAM service area, you can either create a new user, or edit an existing IAM user. General documentation for managing IAM users can be found here: https://aws.amazon.com/iam/details/manage-users/.
You need to give this user read permissions for the S3 bucket used in your CloudTrail configuration, and also give read access to the subfolders that CloudTrail uses for logging.
AWS provides a policy generator here: https://awspolicygen.s3.amazonaws.com/policygen.html.
To see examples, visit https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html.
A policy for a given bucket called poc.logcollector.rsa.emc.com might look like this:
Bucket names are restricted as follows:
- Bucket names can only contain lowercase letters, numbers, and hyphens.
- Bucket names should be between 3 and 63 characters long.
- Bucket names should not end with a hyphen.
Set Up the CloudTrail Event Source in NetWitness Platform
In RSA NetWitness Platform, perform the following tasks:
- Deploy the CEF parser and AWS CloudTrail transform file from Live.
- Configure the event source.
Other information provided:
- Descriptions of AWS CloudTrail parameters
- Troubleshooting information
Deploy the AWS Files from Live
AWS CloudTrail uses the cef parser.
To deploy the cef parser and the awscloudtrail transform file from Live:
1. In the RSA NetWitness Platform menu, select Live.
2. Browse Live for the cef parser, using RSA Log Device as the Resource Type. The two items you deploy are:
   - The cef parser, using RSA Log Device as the Resource Type.
   - The awscloudtrail transform file, using RSA Log Collector as the Resource Type.
3. Select the cef parser.
4. Click Deploy to deploy the cef parser to the appropriate Log Decoders, using the Deployment Wizard.
5. Repeat steps 2–4 for the awscloudtrail transform file, using RSA Log Collector as the Resource Type.
Configure the AWS CloudTrail Event Source
To configure the AWS CloudTrail Event Source:
1. In the RSA NetWitness Platform menu, select Administration > Services.
2. In the Services grid, select a Log Collector service, and from the Actions menu, choose View > Config.
3. In the Event Sources tab, select Plugins/Config from the drop-down menu. The Event Categories panel displays the File event sources that are configured, if any.
4. In the Event Categories panel toolbar, click +. The Available Event Source Types dialog is displayed.
5. Select cloudtrail from the list, and click OK. The newly added event source type is displayed in the Event Categories panel.
6. Select the new type in the Event Categories panel and click + in the Sources panel toolbar. The Add Source dialog is displayed.
7. Define parameter values, as described below in CloudTrail Parameters.
8. Click Test Connection. The result of the test is displayed in the dialog box. If the test is unsuccessful, edit the device or service information and retry.
9. If the test is successful, click OK. The new event source is displayed in the Sources panel.
The following table describes the parameters that you need to enter when you configure the CloudTrail event source. Items marked with an asterisk (*) are required; all other parameters are optional.
| Parameter | Description |
|---|---|
| Name * | Name of the event source. |
| Enabled | Select the check box to enable the event source configuration to start collection. The check box is selected by default. |
| Account ID * | Account identification code of the S3 bucket. |
| S3 Bucket Name * | Name of the AWS (CloudTrail) S3 bucket. Amazon S3 bucket names are globally unique, regardless of the AWS (CloudTrail) region in which you create the bucket. You specify the name at the time you create the bucket. Bucket names should comply with DNS naming conventions; the bucket name rules are listed earlier in this document. |
| Access Key * | Key used to access the S3 bucket. Access keys are used to make secure REST or Query protocol requests to any AWS service API. Refer to Manage User Credentials on the Amazon Web Services support site for more information on access keys. |
| Secret Key * | Secret key used to access the S3 bucket. |
| Region * | Region of the S3 bucket. us-east-1 is the default value. |
| Region Endpoint * | Specifies the AWS CloudTrail hostname. For example, for the AWS public cloud in the us-east region, the Region Endpoint is s3.amazonaws.com. More information can be found at http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region. This parameter is required: it is needed to collect CloudTrail logs from AWS Government or private clouds. |
| Start Date * | Starts AWS (CloudTrail) collection from the specified number of days in the past, measured from the current timestamp. The default value is 0, which starts from today. The range is 0–89 days. |
| Log File Prefix | Prefix of the files to be processed. |
| Source Address to Use | Arbitrary IP address to be sent to the cloudtrail plugin instance. This IP is used only to label all the logs collected via this instance, using the device.ip meta. |
| Debug | Enables/disables debug logging for the event source. This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact. If you change this value, the change takes effect immediately (no restart required). |
| Organization ID | Input the Organization ID if it is available. If the accounts of multiple organizations are collecting logs into the same CloudTrail bucket, this value is required. |
| Command Args | Arguments added to the script. |
| Polling Interval | Interval (amount of time in seconds) between each poll. The default value is 60. For example, if you specify 60, the collector schedules a polling of the event source every 60 seconds. If the previous polling cycle is still underway, it waits for that cycle to finish. If you have a large number of event sources that you are polling, it may take longer than 60 seconds for the polling to start because the threads are busy. |
| SSL Enable | Select the check box to communicate using SSL. The security of data transmission is managed by encrypting information and providing authentication with SSL certificates. The check box is selected by default. |
| Test Connection | Validates that the configuration parameters specified in this dialog are correct. |
Troubleshooting the AWS CloudTrail Event Source
You may already have various AWS policies configured for your organization. This can lead to permission problems arising from a policy document that does not provide the proper permissions to the S3 bucket and the corresponding subfolders.
A symptom of this problem is that users receive "403 authentication failed" or similar errors while attempting to connect to CloudTrail. In this case, users should first make sure that their credentials are correct. If that does not fix the problem, check the policies for both the IAM user involved and for the S3 bucket, since you can also give permissions to a user or group from the S3 bucket policy document.
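When the credentials are confirmed correct, the next thing to inspect is whether the effective policy really grants read access to the bucket and to the CloudTrail subfolders. The following added example (not NetWitness code) is a small offline checker: it takes an IAM policy document and reports which of the S3 permissions the collector needs are not granted for the bucket and for a representative object key under the CloudTrail log folder. The bucket name, prefix, sample object key and both policy documents are constructed samples; the evaluation is a simplified model of IAM (explicit Deny wins over Allow, and action and resource strings support the * and ? wildcards) that ignores conditions, principals, NotAction and NotResource, so use it to spot an obvious gap rather than as an authoritative policy simulation.

```python
"""Added example (not NetWitness code): find the S3 permissions a CloudTrail
collector needs that an IAM policy document does not grant. A missing object
read on the CloudTrail subfolder is a common cause of the 403 symptom.

Assumptions (labelled): constructed bucket name, prefix, object key and policy
documents; simplified IAM evaluation (no conditions, principals, NotAction or
NotResource).
"""
import fnmatch


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style wildcard match (* and ?). Actions are case-insensitive,
    S3 object keys in resource ARNs are case-sensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation for one (action, resource) pair:
    an explicit Deny wins, otherwise at least one Allow must match."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def required_permissions(bucket: str, prefix: str = ""):
    """(action, resource) pairs the collector needs: bucket-level listing and
    location lookup, plus object reads under the CloudTrail log folder."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    log_path = "/".join(p for p in (prefix.strip("/"), "AWSLogs") if p)
    # Representative object key following CloudTrail's
    # AWSLogs/<account-id>/CloudTrail/<region>/... layout (constructed key).
    sample_key = f"{log_path}/123456789012/CloudTrail/us-east-1/2024/01/01/sample.json.gz"
    return [
        ("s3:GetBucketLocation", bucket_arn),
        ("s3:ListBucket", bucket_arn),
        ("s3:GetObject", f"{bucket_arn}/{sample_key}"),
    ]


def missing_permissions(policy: dict, bucket: str, prefix: str = ""):
    """Return the required (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in required_permissions(bucket, prefix) if not is_allowed(policy, a, r)]


# Constructed sample: an existing policy that lists the bucket but only grants
# object reads under a different prefix, which produces the 403 symptom.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::example-cloudtrail-logs"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/reports/*"},
    ],
}

# Constructed sample: the same policy with object reads on the CloudTrail folder.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::example-cloudtrail-logs"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-logs/netwitness/AWSLogs/*"},
    ],
}

if __name__ == "__main__":
    for label, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        gaps = missing_permissions(pol, "example-cloudtrail-logs", prefix="netwitness")
        print(label, "->", gaps or "all required permissions granted")
```

Remember that the effective permissions are the union of the user's identity-based policies and the S3 bucket policy; run the check against each document you find attached to the user, its groups, and the bucket, and keep in mind that an explicit Deny in any one of them overrides an Allow elsewhere.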