AWS VPC via S3 Setup (CloudFormation method)

This document provides instructions for configuring the collection of AWS VPC Flow Logs into an S3 bucket and configuring log notifications with SNS and SQS using AWS CloudFormation.

🚧

It is recommended that the S3 bucket is in the same region as the VPC. If you point multiple flow logs at the same bucket, they will need to be differentiated by the folder prefix.

AWS CloudFormation Steps

  1. Set up the supporting configuration with the CloudFormation template
  2. Create VPC Flow Logs that publish to S3

Set up the CloudFormation template

Set up the supporting configuration with the CloudFormation template

  1. In the AWS Console, select Services and type cloudformation into the search bar
  2. Click Create stack, then With new resources (standard)
  3. You will see the import overview; click Next
  4. Make sure Amazon S3 URL is selected, enter the following URL, then click Next: https://neto-downloads.s3.amazonaws.com/aws/vpc-flow-logs/Netography-AWS-Cloud-Formation.v2.(s3).json
  5. Choose a stack name and a unique S3 bucket name
  6. TrafficType is ALL by default
  7. Add tags for the stack (optional) and click Next
  8. Review and check "I acknowledge that AWS CloudFormation might create IAM resources with custom names."
  9. Now click Create stack
  10. Take note of the information on the Outputs tab

Create VPC Flow Logs

Create VPC Flow Logs that publish to S3

  1. In the AWS Console, select Services and type vpc into the search bar

  2. Click VPC, then select your VPC and click the Flow Logs tab

  3. Click Create flow log and use the following settings:

    Filter: All
    Maximum aggregation interval: 1 minute
    Destination: Send to S3 bucket
    S3 bucket ARN: Enter your S3 bucket ARN (from the stack's Outputs tab in CloudFormation)
    Access tier: Select the IAM role
    Format: Custom format
    Log format: ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${tcp-flags} ${type} ${pkt-dstaddr} ${pkt-srcaddr} ${instance-id} ${vpc-id} ${az-id} ${sublocation-id} ${sublocation-type} ${subnet-id}

  4. Click Create

Netography Portal Steps

Navigate to Flow Sources, click "Add Flow Source", then select AWS S3.

Configuration

The path inside the S3 bucket is constructed from the Account ID and Region fields, along with the current date, using the following structure: AWSLogs/{Account ID}/vpcflowlogs/{Region}/YYYY/MM/DD/

Example: AWSLogs/123456789012/vpcflowlogs/us-east-1/2023/06/28/

The Prefix field can be used if the flow logs are organized in folders. For example, setting the Prefix to folder_name would change the path above to folder_name/AWSLogs/123456789012/vpcflowlogs/us-east-1/2023/06/28/
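As an added example (not part of the original page or Netography's own tooling), the following Python builds the bucket path described above from the Account ID, Region, date and optional Prefix, and maps a flow log record onto the custom log format chosen in the "Create flow log" step; the sample record is constructed here for illustration and the column-count check is what catches a format string that does not match the records in the bucket.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# The custom log format from the "Create flow log" step (24 space-separated fields).
LOG_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} "
    "${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} "
    "${log-status} ${tcp-flags} ${type} ${pkt-dstaddr} ${pkt-srcaddr} ${instance-id} "
    "${vpc-id} ${az-id} ${sublocation-id} ${sublocation-type} ${subnet-id}"
)

# Constructed sample record (not real traffic), laid out in the LOG_FORMAT order.
SAMPLE_RECORD = (
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 10.0.2.9 49152 443 6 12 3480 "
    "1687910400 1687910460 ACCEPT OK 19 IPv4 10.0.2.9 10.0.1.5 i-0123456789abcdef0 "
    "vpc-0abc123def4567890 use1-az1 - - subnet-0a1b2c3d4e5f67890"
)

FIELD_RE = re.compile(r"\$\{([a-z-]+)\}")


def log_format_fields(fmt: str) -> List[str]:
    """Return the field names of a flow log format string, in order."""
    return FIELD_RE.findall(fmt)


def parse_record(line: str, fmt: str = LOG_FORMAT) -> Dict[str, str]:
    """Map one space-separated flow log record onto the field names of fmt.

    Raises ValueError when the column count differs, which is what a mismatch
    between the configured format and the records in the bucket looks like."""
    fields = log_format_fields(fmt)
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
    return dict(zip(fields, values))


def s3_key_prefix(account_id: str, region: str, day: str, prefix: Optional[str] = None) -> str:
    """Build AWSLogs/{Account ID}/vpcflowlogs/{Region}/YYYY/MM/DD/ for an ISO date string.

    Dashes are stripped from the account ID: AWS writes the 12 digits without them."""
    acct = account_id.replace("-", "")
    if not (acct.isdigit() and len(acct) == 12):
        raise ValueError("account ID must be 12 digits")
    key = f"AWSLogs/{acct}/vpcflowlogs/{region}/{date.fromisoformat(day):%Y/%m/%d}/"
    return f"{prefix.strip('/')}/{key}" if prefix else key
```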

The following fields are specific to the AWS S3 configuration.

Field         | Required | Description                                        | Examples
--------------|----------|----------------------------------------------------|---------------
Account ID    | yes      | Account ID of the flow source                      | 1234-5678-9012
Region        | yes      | Location of the flow source                        | us-east-1
Bucket        | yes      | The S3 bucket name                                 | bucket_name
Bucket Region | yes      | The region of the S3 bucket                        | us-east-1
Remove Log    |          | Remove the log from the S3 bucket after processing |
Prefix        |          | Folder prefix                                      | folder_name

Authentication

Netography Fusion can access your AWS account using one of two different methods:

  1. An IAM user via an Access Key ID and Secret Access Key
  2. An IAM role using a custom trust policy created by Netography

AWS Access Key

To configure access via an access key and secret, select the "Key/Secret" Authentication Type. The values for the Access Key ID and Secret Access Key are available in the AWS IAM console.

AWS IAM Roles

You can use an IAM role in Netography Fusion to access your cloud flow logs for flow ingest, or your account data for the AWS Context Integration. To enable this, go to the portal and retrieve the AWS Account ID and External ID from your Account Settings: click the gear button in the top right to open Account Settings and view the Overview tab, as shown below:

In AWS, you will configure permissions using the Account ID retrieved above to create the IAM role. When configured, AWS creates the Amazon Resource Name (ARN) for the role. For more information on configuring the permissions for the Account ID, refer to the external ID guide.

🚧

The newly created ARN is required in order to configure IAM role access in the Netography Fusion portal.

Once the ARN has been created, the remaining steps are to toggle the Authentication Type to Role in your AWS S3 configuration settings, input the AWS Account ID retrieved earlier from your Netography account settings, and supply the ARN configured in AWS, as shown below: