AWS S3 Bucket Monitoring
Updated Sep 19, 2023
Configure AWS S3 bucket log monitoring
This document describes how to configure an Amazon Web Services® (AWS) account to send logs from a Simple Storage Service (S3) bucket to Arctic Wolf. For example, you may have security-related products or services that write or forward logs to S3 bucket storage. After you perform these steps, Arctic Wolf can receive these logs to further improve your security posture.
Before you begin
Complete the following for each account that contains an S3 bucket you wish to forward logs from:
- Configure logs to send from your AWS account to Arctic Wolf, as described in Configure AWS CloudTrail Event Monitoring.
  Note: If you use AWS Organizations or AWS Control Tower, logs forwarded to Arctic Wolf must use an S3 bucket within your logging account.
- If the S3 log bucket account is not the same account used to configure CloudTrail logging:
  - Follow the steps in Configure AWS CloudTrail Event Monitoring to create a new trail with the same account that contains the S3 bucket.
  - Once the base and all nested stacks have the status CREATE_COMPLETE, delete the newly created trail to avoid receiving repeated events.
- Enable GuardDuty and forward findings to an S3 bucket, as described in Configure Amazon GuardDuty Monitoring.
Sign in and select a region
- Sign in to the AWS console as an AWS user or IAM role that has AdministratorAccess or an equivalent IAM policy.
- Select the region where your S3 bucket was created.
  Arctic Wolf recommends using US West (Oregon) or US East (N. Virginia), known as us-west-2 and us-east-1 respectively, to ensure that all recommended AWS services are available. See Supported AWS regions for a complete list of supported regions.
- Proceed to Launch the CloudFormation stack.
Launch the CloudFormation stack
- Navigate to the CloudFormation Service page.
- Click Create stack > With new resources.
- Select these options:
  - Prepare template — Template is ready
  - Template Source — Amazon S3 URL
- In a new tab, go to the Arctic Wolf® Unified Portal to retrieve the AWS stack link.
- Copy and paste the Simple Storage Service (S3) Logs stack link from the Arctic Wolf Portal into the Amazon S3 URL text box, and then click Next.
- Proceed to Create the CloudFormation stacks.
Create the CloudFormation stacks
- Under Specify stack details, enter a name in the Stack name field for the S3 log forwarding stack, such as ArcticWolf-S3LogForward.
  Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf, so make sure that it is unique.
- Under Parameters, in the bucketName field, enter the name of the S3 bucket that will be used to store logs.
- If the bucket is used for:
  - Storing security logs only — Leave the prefixPath field empty.
  - Multiple purposes — In the prefixPath field, enter a prefix to monitor for new objects, such as <myservice>/logs. This ensures that only relevant data is forwarded to Arctic Wolf, controlling your AWS costs.
    Note: When entering the prefixPath value, do not include a trailing slash (/).
- If the logs sent to the bucket:
  - Use standard SSE-S3 encryption — Leave the kmsKey field empty.
  - Have SSE-KMS encryption that encrypts them with a KMS key — Enter the ARN of the KMS key in the kmsKey field.
    For more information about the KMS key ARN, see Configure GuardDuty to Export Logs in the Amazon GuardDuty Monitoring configuration guide.
- Click Next to proceed to the Configure stack options page. Do not make any changes on this page.
- Click Next to proceed to the Review page.
- On the Review page, read the Capabilities section and select all checkboxes to proceed.
  Note: The stack does not create properly if you do not select all checkboxes.
- Click Submit to create the stacks. CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process generally takes 5 to 10 minutes to complete.
- Verify that the base stack and all nested stacks have the status CREATE_COMPLETE to confirm that the CloudFormation stacks were successfully created.
- Contact your CST to confirm that Arctic Wolf is processing logs from your S3 bucket.
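The status check in the verification step can also be scripted. The following is an added example, not Arctic Wolf tooling: it reads the JSON printed by `aws cloudformation describe-stacks` and reports the base stack or any nested stack that is not CREATE_COMPLETE. The sample data, account ID and nested stack names are constructed, and the file name `check_stacks.py` is an assumption.

```python
import json
import sys

DONE = "CREATE_COMPLETE"


def stack_family(stacks, base_name):
    """Return the base stack plus every stack whose RootId points at it."""
    base = next((s for s in stacks if s["StackName"] == base_name), None)
    if base is None:
        raise LookupError(f"base stack {base_name!r} not found")
    # RootId is set on nested stacks at any depth and names the top-level stack.
    return [base] + [s for s in stacks if s.get("RootId") == base["StackId"]]


def not_complete(stacks, base_name):
    """Map stack name -> status for each family member not CREATE_COMPLETE."""
    return {s["StackName"]: s["StackStatus"]
            for s in stack_family(stacks, base_name)
            if s["StackStatus"] != DONE}


def _arn(name, uid):
    # Constructed ARN: the account ID and trailing ID are placeholders.
    return f"arn:aws:cloudformation:us-west-2:111111111111:stack/{name}/{uid}"


BASE = "ArcticWolf-S3LogForward"  # stack name suggested on this page
# Constructed sample in the shape of the "Stacks" list from describe-stacks.
# The nested stack names are hypothetical.
SAMPLE = [
    {"StackName": BASE, "StackId": _arn(BASE, "0001"), "StackStatus": DONE},
    {"StackName": BASE + "-NestedA", "StackId": _arn(BASE + "-NestedA", "0002"),
     "RootId": _arn(BASE, "0001"), "StackStatus": DONE},
    {"StackName": BASE + "-NestedB", "StackId": _arn(BASE + "-NestedB", "0003"),
     "RootId": _arn(BASE, "0001"), "StackStatus": "ROLLBACK_COMPLETE"},
    {"StackName": "unrelated", "StackId": _arn("unrelated", "0009"),
     "StackStatus": "UPDATE_IN_PROGRESS"},
]

if __name__ == "__main__":
    # Usage: aws cloudformation describe-stacks > stacks.json
    #        python check_stacks.py stacks.json ArcticWolf-S3LogForward
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            stacks, name = json.load(fh)["Stacks"], sys.argv[2]
    else:
        stacks, name = SAMPLE, BASE
    pending = not_complete(stacks, name)
    for stack, status in pending.items():
        print(f"{stack}: {status}")
    sys.exit(1 if pending else 0)
```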
Next steps
See Configure AWS Account Monitoring for other optional AWS configurations.