Configure an AWS S3 bucket for Arctic Wolf monitoring

You can configure an Amazon Web Services (AWS)® account to send logs from a Simple Storage Service (S3) bucket to Arctic Wolf®.

Note: These steps are only required when Arctic Wolf needs to collect logs from AWS Web Application Firewall (WAF)® and Cisco Secure Email® (CSE).
Optional: Complete additional AWS configurations. For more information, see Configure AWS for Arctic Wolf monitoring.

Create the base stack

Note: If the CloudTrail stack exists on this account already, you do not need to create the base stack.
  1. Sign in to the AWS Management Console as a user, or as an IAM role that has AdministratorAccess or an equivalent IAM policy.
  2. Complete Configure CloudTrail monitoring with no existing trails.
  3. When the stack has a status of CREATE_COMPLETE, navigate to CloudTrail.
  4. Select the newly created trail and delete it.
    The trail was required for CloudTrail monitoring configurations, and it is no longer needed.

Launch the S3 CloudFormation stack

  1. On the CloudFormation Service page, click Create stack > With new resources.
  2. Configure these settings:
    • Prepare template — Select Choose an existing template.
    • Template source — Select Amazon S3 URL.
  3. In a new browser tab, go to the Arctic Wolf Unified Portal, copy the Simple Storage Service (S3) logs link, and then paste it into the Amazon S3 URL field.
  4. Click Next.

Create the CloudFormation stacks

  1. In the Specify stack details section, in the Stack name field, enter a name for the S3 log forwarding stack. For example, ArcticWolf-S3LogForward.
    Note: This name helps you identify resources that are created to collect and forward security events to Arctic Wolf. Make sure it is unique.
  2. In the Parameters section, in the bucketName field, enter the name of the S3 bucket used to save logs.
  3. If the bucket is used for:
    • Storing security logs only — Keep the prefixPath field empty.
    • Multiple purposes — In the prefixPath field, enter a prefix to monitor for new objects. For example, myservice/logs.

      To lower AWS costs, only applicable data is forwarded to Arctic Wolf.

      Note: When entering the prefixPath value, do not include a trailing slash, /.
  4. If the logs use encryption that is different from the AWNKMSKey, enter the ARN of the KMS key in the kmsKey field.
    Note: If the KMS key is located in a different account from the account you are deploying the CloudFormation stack in, contact your Concierge Security® Team (CST) for configuration guidance.
  5. Click Next.

    You are redirected to the Configure stack options page. Do not make changes on this page.

  6. Click Next.
  7. On the Review page, read the Capabilities section.
  8. Select all checkboxes.
    Note: You must select all checkboxes to create the stack correctly.
  9. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5-10 minutes to complete.

  10. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE before proceeding to the next step, to make sure that the CloudFormation stacks were successfully created.
  11. Contact your CST® to verify that Arctic Wolf is processing logs from your S3 bucket.
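
A pre-flight check for the bucketName, prefixPath and kmsKey values entered in steps 2 through 4, given here as an added example that is not part of the Arctic Wolf template or documentation. The function name, the bucket-name and ARN patterns, and the sample values are assumptions, as is the expectation that kmsKey takes a key ARN of the form arn:aws:kms:<region>:<account>:key/<id>.

```python
import re

# S3 general purpose bucket names: 3-63 chars of lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# arn:<partition>:kms:<region>:<12-digit account id>:key/<key id>
KMS_KEY_ARN_RE = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:(\d{12}):key/[A-Za-z0-9-]+$"
)


def check_stack_parameters(bucket_name, prefix_path="", kms_key="", deploy_account=""):
    """Return a list of problems with the stack parameters; empty means OK."""
    problems = []
    if not BUCKET_RE.match(bucket_name) or ".." in bucket_name:
        problems.append("bucketName: not a valid S3 bucket name")
    # prefixPath stays empty for a logs-only bucket; otherwise no trailing slash.
    if prefix_path.endswith("/"):
        problems.append("prefixPath: remove the trailing slash")
    if kms_key:  # only set when the logs use a key other than AWNKMSKey
        match = KMS_KEY_ARN_RE.match(kms_key)
        if match is None:
            problems.append("kmsKey: not a KMS key ARN")
        elif deploy_account and match.group(1) != deploy_account:
            # Cross-account keys need guidance from the CST before deployment.
            problems.append(
                "kmsKey: key account %s differs from stack account %s; contact your CST"
                % (match.group(1), deploy_account)
            )
    return problems


if __name__ == "__main__":
    # Constructed sample values; the account IDs and key ID are placeholders.
    key = "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    for params in (
        dict(bucket_name="example-security-logs", prefix_path="myservice/logs"),
        dict(bucket_name="example-security-logs", prefix_path="myservice/logs/"),
        dict(bucket_name="example-security-logs", kms_key=key, deploy_account="111122223333"),
    ):
        print(params, "->", check_stack_parameters(**params) or "OK")
```

The deploy_account value is the 12-digit ID of the account where the stack is created, supplied by the caller.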