Accenture MDR Quick Start Guide for Amazon Web Services (AWS) VPC Flow
This quick start guide will help Accenture MDR customers configure Amazon Web Services (AWS) VPC Flow to allow log collection from the Log Collection Platform (LCP).
The document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
---|---|---|---|
LCP | SQS or CloudWatch | 443 (TCP) | Default port |
Configuring AWS VPC Flow
MxDR supports log collection using CloudWatch and S3 via SQS.
Prerequisites:
If you are using the S3 via SQS log collection method, an S3 bucket must be created first. Refer to the following page to create an S3 bucket: https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html
If you are using the CloudWatch log collection method, a CloudWatch log group must be created first. Refer to the following page to create a CloudWatch log group: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html
Device Configuration Steps:
Configure flow logs to Amazon S3 if you are forwarding logs to S3
After you have created and configured your Amazon S3 bucket, you can create flow logs for your network interfaces, subnets, and VPCs.
Step I: To create a flow log for a network interface:
Open the Amazon EC2 console.
In the navigation pane, choose Network Interfaces.
Select the checkboxes for one or more network interfaces.
Choose Actions, Create flow log.
Configure the flow log settings [Step IV].
Step II: To create a flow log for a subnet:
Open the Amazon VPC console.
In the navigation pane, choose Subnets.
Select the checkboxes for one or more subnets.
Choose Actions, Create flow log.
Configure the flow log settings [Step IV].
Step III: To create a flow log for a VPC:
Open the Amazon VPC console.
In the navigation pane, choose Your VPCs.
Select the checkboxes for one or more VPCs.
Choose Actions, Create flow log.
Configure the flow log settings [Step IV].
Step IV: To configure flow log settings:
For Filter, specify the type of IP traffic to log. All traffic types are supported:
Accepted – Log only accepted traffic.
Rejected – Log only rejected traffic.
All – Log accepted and rejected traffic.
For Maximum aggregation interval, choose 1 minute to take advantage of MSS's true IP functionality.
For Destination, choose Send to an S3 bucket.
For S3 bucket ARN, specify the ARN of the Amazon S3 bucket [covered in prerequisites].
For Log record format, specify the format for the flow log record:
To use the default flow log record format, choose AWS default format.
To create a custom format, choose Custom format. For Log format, choose the fields to include in the flow log record.
NOTE: Configure the VPC flow log with the Custom AWS log format to take advantage of MSS true IP functionality. Log format shows the full list of attributes in a drop-down; select all the attributes in the order shown in the image below. The sequence must be exactly as shown. The custom format can then be reviewed under Format Preview.
Important Note: Field customization must follow the sequential order shown above.
For Log file format, choose the default format for the log file: Text.
For Hive-compatible S3 prefixes [optional config], leave it unchecked.
To partition your flow logs per hour, choose Every 1 hour (60 mins).
To add a tag to the flow log [optional config], choose Add new tag and specify the tag key and value.
Choose Create flow log.
For more details, refer to: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html
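The record format chosen above is what ends up in the delivered log files. As an added example that is not part of the Accenture guide or of AWS documentation, the Python script below parses a text-format flow log file by reading its header line, so the field order configured above is taken from the file rather than hard-coded; it treats "-" columns and NODATA/SKIPDATA rows as unpopulated and then summarises rejected traffic per source address, a first triage step an analyst would run on the records the LCP collects. The sample log lines, account ID, ENI ID and addresses are constructed placeholders laid out in the AWS default field order, and the `scan_candidates` threshold is an assumed tunable, not a value from the guide.

```python
"""Parse text-format VPC Flow Log records and summarise rejected traffic.

Added example for the Accenture MDR guide; not Accenture's or AWS's code.
"""
from collections import Counter, defaultdict
from typing import Any, Dict, List

# Flow log fields that carry integers; a "-" means the field was not populated.
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample in the AWS default field order. Account ID, ENI and
# addresses are placeholders (RFC 5737 / RFC 1918 ranges), not real data.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 54321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 54322 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 54323 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 10.0.2.30 44512 443 6 20 4920 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text: str) -> List[Dict[str, Any]]:
    """Parse one text-format flow log file into a list of records.

    The first non-empty line is the header naming the fields in the order the
    flow log was configured with; each later line is one record with the same
    number of space-separated columns. Field names come from the file, so a
    custom field order is handled without hard-coding it here.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    fields = lines[0].split()
    records: List[Dict[str, Any]] = []
    for lineno, line in enumerate(lines[1:], start=2):
        cols = line.split()
        if len(cols) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(cols)}")
        rec: Dict[str, Any] = {}
        for name, value in zip(fields, cols):
            if value == "-":
                rec[name] = None            # not populated, e.g. NODATA / SKIPDATA rows
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def rejected_by_source(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count REJECT records per source address, ignoring rows without flow data."""
    counts: Counter = Counter()
    for rec in records:
        if rec.get("log-status") == "OK" and rec.get("action") == "REJECT":
            counts[rec["srcaddr"]] += 1
    return dict(counts)


def scan_candidates(records: List[Dict[str, Any]], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose rejected flows touched at least `min_ports` distinct destination ports.

    A simple port-sweep indicator; the threshold is an assumed, tunable value.
    """
    ports: Dict[str, set] = defaultdict(set)
    for rec in records:
        if rec.get("log-status") == "OK" and rec.get("action") == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} records, rejects by source: {rejected_by_source(recs)}")
    print("port-sweep candidates:", scan_candidates(recs))
```

Because the parser keys every record by the header names, the same code works for the AWS default format and for the custom format the guide requires; only the set of available keys changes. Rows with log-status NODATA or SKIPDATA are kept in the parsed output (they tell you the interface had no traffic or that records were dropped) but excluded from the traffic summaries.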
Configure flow logs to Amazon CloudWatch if you are forwarding logs to CloudWatch
You can create flow logs for your VPCs, subnets, or network interfaces.
Repeat Step I to Step III above to create the flow log from VPCs, subnets or network interfaces.
To configure flow log settings:
For Filter, specify the type of traffic to log. All filter types are supported.
For Maximum aggregation interval, choose 1 minute to take advantage of MSS's true IP functionality.
For Destination, choose Send to CloudWatch Logs.
For Destination log group, choose the name of the destination log group that you created [covered in prerequisites].
For IAM role, specify the name of the role that has permissions to publish logs to CloudWatch Logs. The role's permissions policy must allow the following actions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}
```
For Log record format, select Custom format for the flow log record. The available fields and their order are given in the S3 scenario above.
To add a tag to the flow log [optional config], choose Add new tag and specify the tag key and value.
Choose Create flow log.
For more details, refer to:
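As an added example (not Accenture's or AWS's code), the Python check below lints a permissions policy for the delivery role against the five actions listed above, and reports any write action (CreateLogGroup, CreateLogStream, PutLogEvents) that is granted on Resource "*", since least privilege suggests scoping those to the flow-log group's ARN. It also checks that the role's trust policy lets the VPC Flow Logs service principal (vpc-flow-logs.amazonaws.com, as documented by AWS) assume the role. GUIDE_POLICY reproduces the policy shown above; the scoped policy's log-group name, account ID and region are constructed placeholders.

```python
"""Lint an IAM permissions policy for the VPC Flow Logs delivery role.

Added example for the Accenture MDR guide; not Accenture's or AWS's code.
"""
import json
from typing import Any, Dict, List

# The five actions the guide's sample policy grants.
REQUIRED_ACTIONS = {
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
}
# Actions that write to CloudWatch Logs; worth scoping to the flow-log group.
WRITE_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

# The policy as printed in the guide (Resource "*").
GUIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}],
})

# Constructed least-privilege variant: write actions scoped to a placeholder
# log-group ARN (region, account ID and group name are not real values).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(WRITE_ACTIONS),
         "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:vpc-flow-logs-example:*"},
        {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS - WRITE_ACTIONS), "Resource": "*"},
    ],
})

# Constructed broken variant: PutLogEvents left out, so delivery would fail.
INCOMPLETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": sorted(REQUIRED_ACTIONS - {"logs:PutLogEvents"}),
                   "Resource": "*"}],
})

# Trust policy the delivery role needs so the flow logs service can assume it.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
})


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/Service; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _expand(pattern: str, universe: set) -> set:
    """Expand an action pattern with a trailing '*' (e.g. 'logs:*') against a known set."""
    if pattern.endswith("*"):
        return {a for a in universe if a.startswith(pattern[:-1])}
    return {pattern}


def check_flow_log_policy(policy_json: str) -> Dict[str, Any]:
    """Report missing required actions and write actions granted on Resource '*'."""
    policy = json.loads(policy_json)
    granted: set = set()
    unscoped_writes: set = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions: set = set()
        for pattern in _as_list(stmt.get("Action")):
            actions |= _expand(pattern, REQUIRED_ACTIONS)
        granted |= actions
        if "*" in _as_list(stmt.get("Resource")):
            unscoped_writes |= actions & WRITE_ACTIONS
    missing = sorted(REQUIRED_ACTIONS - granted)
    return {"missing_actions": missing,
            "unscoped_write_actions": sorted(unscoped_writes),
            "ok": not missing}


def check_trust_policy(trust_json: str) -> bool:
    """True if an Allow statement lets vpc-flow-logs.amazonaws.com call sts:AssumeRole."""
    trust = json.loads(trust_json)
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "vpc-flow-logs.amazonaws.com" in services and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            return True
    return False


if __name__ == "__main__":
    for name, doc in [("guide", GUIDE_POLICY), ("scoped", SCOPED_POLICY), ("incomplete", INCOMPLETE_POLICY)]:
        print(name, check_flow_log_policy(doc))
    print("trust policy ok:", check_trust_policy(TRUST_POLICY))
```

The check deliberately only flags the write actions when they sit on Resource "*"; the Describe actions are left alone so a policy that scopes writes to the log group but keeps the read-only actions broad is reported as clean. Run it against the role's permissions and trust policy before creating the flow log: a missing action shows up as a delivery failure rather than an error in the console.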
Configuring Amazon S3 to send the event notifications to SQS
https://mdrkb.atlassian.net/wiki/x/AQCeEQ
Note: Refer to the page below for the required IAM user policies.
https://mdrkb.atlassian.net/wiki/x/hoCdEQ
Note: Below are the URLs that must be allowed for connectivity (identify the exact URLs from the AWS documentation for your services and regions):
IAM: For any logging source, the IAM URL should be allowed.
S3: For the S3 or SQS logging source, the S3 URL should be allowed.
SQS: For the SQS logging source, the SQS URL should be allowed.
CloudWatch: For the CloudWatch logging source, the CloudWatch URL should be allowed.
LCP Configuration Parameters
MxDR supports log collection using role-based access control (RBAC) or the access key ID and secret method.
To create an access key ID and secret, please refer
To support log collection using RBAC, please refer
Table 1-2: The AWS VPC Flow event collector (API - 3898) properties to be configured by MDR.
Property | Access Key and Secret | RBAC |
---|---|---|
Region | Enter region (e.g. us-west-2) | Enter region (e.g. us-west-2) |
AWS Access Key ID or Role ARN | Enter access key | Provide role ARN |
AWS Secret Access Key or External ID | Enter secret | Enter external ID |
Logging Source | CloudWatch or SQS | CloudWatch or SQS |
S3 Bucket/Log Group(s)/SQS Queue URL | Provide CloudWatch log group or SQS URL | Provide CloudWatch log group or SQS URL |
Bucket Prefix Path(s) | Leave empty | Leave empty |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.