
CloudTrail/CloudWatch Logs

AWS CloudFormation allows you to configure AWS resources from script/code. This makes deployment easy and consistent, and greatly decreases the possibility of errors or misconfigurations.

For supported AWS integrations, deploying with CloudFormation is always recommended if the script is available.

Fluency offers several CloudFormation scripts to facilitate integration. While these scripts are free to use, keep in mind that AWS CloudFormation is a paid service, and you will incur a charge from AWS for using it.

AWS CloudFormation

As outlined in the respective sections (Legacy), the process to configure CloudTrail and CloudWatch Logs can be complicated. Fluency provides a single CloudFormation script to complete all the steps to collect CloudTrail data. This script also gives the IAM user permissions to read all CloudWatch data.

Link to the CloudFormation file on S3: https://fluency-cloudformation.s3.us-east-2.amazonaws.com/Fluency_AWS_Import_CloudTrail_CloudWatch.yaml

Link to the CloudFormation file on S3 (for AWS GovCloud users): https://fluency-cloudformation.s3.us-east-2.amazonaws.com/FluencyGovCloudTrail.yaml

Deploying a CloudFormation template

Navigate to the CloudFormation section of the AWS Management Console.

Under the "Stacks" section, choose "Create stack" (with new resources, standard).

On the following page, specify a template, and choose the desired template (using Amazon S3 URL) from above:

Click "Next" to continue.

Give this deployment a name, and specify some parameters of the queue. You can choose your own name, or keep the default values provided by Fluency.

NOTE: You must change the default value of the S3Bucket parameter; otherwise the CloudFormation deployment will always fail and be rolled back.

AWS S3 bucket names must be globally unique; the default S3 bucket name already exists elsewhere in AWS.

Ensure that the AWS S3 Bucket name chosen follows the AWS Bucket naming rules.

Click "Next" to continue.

Configure additional items (optional).

Click "Next" to continue.

Review the deployment. When complete, choose "Create stack" to deploy.

The deployment in progress:

Once the deployment is complete, navigate to the "Outputs" tab.

Copy the details (Key/Values) shown. You will be asked for these items on the Fluency interface.
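The console steps above can also be run from the AWS CLI. The following is an added example, not Fluency's own script: it checks the S3Bucket value against a subset of the S3 general purpose bucket naming rules before creating the stack, then prints the stack Outputs. The function names, stack name, and bucket name are hypothetical, and the CAPABILITY_NAMED_IAM acknowledgement is an assumption.

```shell
#!/bin/sh
# Added example: validate the S3Bucket parameter, then deploy with the AWS CLI.
LC_ALL=C; export LC_ALL   # make a-z in patterns mean ASCII lowercase only

TEMPLATE_URL="https://fluency-cloudformation.s3.us-east-2.amazonaws.com/Fluency_AWS_Import_CloudTrail_CloudWatch.yaml"

# Return 0 if NAME passes the bucket naming rules checked here (a subset).
valid_bucket_name() {
    name=$1
    len=${#name}
    { [ "$len" -ge 3 ] && [ "$len" -le 63 ]; } || return 1   # 3 to 63 characters
    case $name in
        *[!a-z0-9.-]*) return 1 ;;                  # lowercase letters, digits, dots, hyphens only
        [!a-z0-9]*|*[!a-z0-9]) return 1 ;;          # must start and end with a letter or digit
        *..*) return 1 ;;                           # no two adjacent dots
        xn--*|sthree-*|amzn-s3-demo-*) return 1 ;;  # reserved prefixes
        *-s3alias|*--ol-s3|*.mrap|*--x-s3) return 1 ;;  # reserved suffixes
    esac
    # Must not be formatted like an IPv4 address (for example 192.168.5.4).
    if printf '%s\n' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        return 1
    fi
    return 0
}

# Create the stack, wait for completion, then print the Outputs tab contents.
# Needs AWS credentials; returns 2 without calling AWS if the name is invalid.
deploy_stack() {
    stack=$1
    bucket=$2
    if ! valid_bucket_name "$bucket"; then
        echo "invalid S3 bucket name: $bucket" >&2
        return 2
    fi
    # CAPABILITY_NAMED_IAM is an assumption: the page says the script grants IAM user permissions.
    aws cloudformation create-stack \
        --stack-name "$stack" \
        --template-url "$TEMPLATE_URL" \
        --parameters "ParameterKey=S3Bucket,ParameterValue=$bucket" \
        --capabilities CAPABILITY_NAMED_IAM || return 1
    aws cloudformation wait stack-create-complete --stack-name "$stack" || return 1
    # The page later refers to IAM credentials from this step, so treat the output as secret.
    aws cloudformation describe-stacks --stack-name "$stack" \
        --query 'Stacks[0].Outputs' --output table
}

# Usage (names are constructed examples):
#   deploy_stack fluency-cloudtrail acme-fluency-cloudtrail-logs
```

The local check cannot tell whether a well-formed name is already taken; a name in use elsewhere in AWS still causes the stack to fail and roll back.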

Fluency Web Interface

AWS CloudTrail/AWS CloudWatch Logs

Log in to the Fluency Cloud portal: https://(companyname).cloud.fluencysecurity.com.

Open the main dropdown menu and choose the Integrations option under the Platform section.

...TO BE CONTINUED...

In the pop-up window, give the integration a short name (or choose the default), and choose the "Save" button to add the integration endpoint. The value will be used within the Fluency interface only to distinguish the different integrations. It is suggested to avoid using spaces in this field.

Select the AWS integration endpoint from the list on the right side of the page, in the same Cloud Infrastructure as a Service section. Choose the pencil icon to edit/configure the connector.

On the plugin configuration page, select the "+ New User" button in the upper left.

Using the IAM credentials from the previous step, fill out the required information. Click "Save" to add the IAM User.

AWS CloudTrail

Select the "+ New CloudTrails" button, under the Users section.

Fill out the required information, using the information from the previous steps. Provide the Queue URL and select the IAM User created above.

Use the "Test Connection" button to test the IAM configuration prior to saving.

If an error is encountered, like the one shown below, please verify the IAM user has the proper Access policy.

A successful test will return the following message:

Click “Save” to add the CloudTrail.

This completes the procedures to export AWS CloudTrail logs to Fluency. Your data will be available in Fluency's Events Search shortly.

AWS CloudWatch

Select the "+ New CloudWatch" button.

Fill out the required information, using the information from the previous steps.

Provide a Name for this integration. Choose the AWS region for this CloudWatch, and select the IAM User (with CloudWatch Read permissions) created above.

Once these fields are populated, the Log Groups field should become a dropdown populated with your available CloudWatch log groups. Select the group(s) you would like to ingest data from.

Make use of the "Test Connection" button to test the configurations prior to saving. If successful, click “Save” to add the CloudWatch.

Page last updated: 2023 Aug 07 11:49:33 EDT