Integrate Amazon Web Services (AWS) EventTracker Publication Date: June 9, 2017


EventTracker: Integrate AWS

Abstract

This guide provides instructions to configure Amazon Web Services (AWS) to send events to EventTracker Enterprise.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.x and later, and with the following Amazon Web Services:

• EC2 API Version 2014-06-15 and later.

• Amazon CloudWatch API Version 2010-08-01 and later.

Audience

Amazon Web Services (AWS) users who wish to forward messages to the EventTracker manager.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Abstract ..... 1
Scope ..... 1
Audience ..... 1
Introduction to AWS ..... 3
Prerequisites ..... 3
Configuration ..... 4
    Turning on CloudTrail for the First Time ..... 4
    Logging Amazon EC2 API Calls Using AWS CloudTrail ..... 5
        Amazon EC2 Information in CloudTrail ..... 5
    Logging Amazon CloudWatch API Calls in AWS CloudTrail ..... 6
        CloudWatch Information in CloudTrail ..... 6
Collect Amazon Web Services logs into EventTracker ..... 7
    Fetch AWS security credentials ..... 7
    Configure AWS Integrator for EventTracker ..... 8
    Verify AWS Integrator Configuration ..... 10
EventTracker Knowledge Pack (KP) ..... 11
    Categories ..... 11
    Reports ..... 18
    Knowledge Object ..... 25
Import AWS knowledge pack into EventTracker ..... 25
    Categories ..... 26
    Parsing Rules ..... 27
    Flex Reports ..... 29
    Knowledge Objects ..... 30
Verify AWS knowledge pack in EventTracker ..... 33
    Categories ..... 33
    Parsing Rules ..... 33
    Flex Reports ..... 34
    Knowledge Objects ..... 35
Create Flex Dashboards in EventTracker ..... 37
    Schedule Reports ..... 37
    Create Dashlets ..... 39
    Sample Flex Dashboards ..... 43


Introduction to AWS

• Amazon Web Services (AWS) is a collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the Internet by Amazon.com. The most central and well-known of these services are Amazon EC2 and Amazon S3.

• Amazon Elastic Compute Cloud (EC2): Amazon Elastic Compute Cloud (EC2) is a central part of Amazon's cloud computing platform and Amazon Web Services (AWS). EC2 allows users to rent virtual computers to run their own computer applications. EC2 allows scalable deployment of applications by providing a Web service through which a user can boot an Amazon Machine Image to create a virtual machine, which Amazon calls an instance, containing any desired software.

• Amazon Virtual Private Cloud (VPC): Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you have defined. This virtual network closely resembles a traditional network that you can operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

• Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms.

EventTracker provides category reports for effective monitoring and auditing of the Amazon web services and CloudWatch logs.

Prerequisites

Prior to configuring Amazon Elastic Compute Cloud (EC2), Amazon CloudWatch and EventTracker, ensure that you meet the following prerequisites:

• Amazon CloudTrail should be turned on.

• Amazon CloudTrail should be supported on the Amazon Elastic Compute Cloud (EC2) and Amazon CloudWatch services.

• You should have sufficient access permissions to make configuration changes.

• EventTracker v7.0 or later should be installed.

• Administrative access on EventTracker.


Configuration

You must enable and configure logging on Amazon CloudTrail for Amazon Web Services EC2 and CloudWatch prior to configuring EventTracker.

Turning on CloudTrail for the First Time

Use the CloudTrail console to turn on the service for the first time.

To turn on CloudTrail

1. Sign in to the AWS Management Console and open the AWS CloudTrail console at https://console.aws.amazon.com/cloudtrail/. In the navigation bar, select the region where you want to turn on CloudTrail.

2. Click Get Started.

3. On the Turn On CloudTrail page, select Yes to have a new Amazon S3 bucket created in your current account. Select No to display more options so that you can select an existing Amazon S3 bucket in your current account, or search for and select an existing bucket that is not in your account. If you select No, remember that you must manually edit the bucket policy to grant CloudTrail permission to write to it.

For S3 bucket name, accept the suggested default or enter a name for the bucket for your log files.

4. If you need to enter a prefix for the bucket, subscribe to global services such as IAM or AWS STS, or create an Amazon SNS topic, click Advanced.

5. If required, for Log file prefix, accept the suggested default or enter a prefix for your Amazon S3 bucket. The prefix is an addition to the URL for an Amazon S3 object that helps to create a folder-like organization in your bucket.

NOTE: Hover your cursor over View log file location to see where your log files will be stored.

6. If required, select Yes to include global services, and to record API calls from global services such as IAM or AWS STS.

7. If required, select Yes or No for SNS notification for every log file delivery. If you select Yes, enter a name for your Amazon SNS topic in the SNS topic (new) field.

NOTE: If you create a topic, you must subscribe to it in order to be notified of log file delivery. Because notifications are frequent, you might want to configure the subscription to use an Amazon SQS queue to handle notifications programmatically.

8. Click Subscribe.

In about 15 minutes, CloudTrail starts publishing log files that show the AWS API calls made in your accounts since you completed the preceding steps.
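Step 3 above warns that when you reuse an existing bucket you must edit its policy yourself so that CloudTrail can write to it. The following check is an added example, not part of this guide or of the EventTracker integrator: it reads a bucket policy document and confirms the two grants CloudTrail needs (s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account-id>/ with the bucket-owner-full-control ACL condition), also honouring a log file prefix from step 5. The bucket name, account id and prefix are constructed sample values.

```python
"""Check that an S3 bucket policy lets CloudTrail deliver log files to it.

CloudTrail needs two Allow statements for the service principal
cloudtrail.amazonaws.com on the bucket it writes to:
  - s3:GetBucketAcl on the bucket itself, and
  - s3:PutObject on <bucket>/<optional log file prefix>/AWSLogs/<account-id>/*,
    with the recommended condition s3:x-amz-acl == bucket-owner-full-control.
The bucket name, account id and prefix used below are constructed sample values.
"""
import json

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"


def _as_list(value):
    """Policy JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_cloudtrail(statement):
    """True when the statement is an Allow for the CloudTrail service principal."""
    principal = statement.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return statement.get("Effect") == "Allow" and CLOUDTRAIL_PRINCIPAL in services


def check_cloudtrail_bucket_policy(policy_json, bucket, account_id, prefix=""):
    """Return the list of problems found; an empty list means the policy is sufficient."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    object_arn = f"{bucket_arn}/{key_prefix}AWSLogs/{account_id}/*"

    acl_ok = put_ok = put_without_condition = False
    for statement in policy.get("Statement", []):
        if not _allows_cloudtrail(statement):
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True
        if "s3:PutObject" in actions and object_arn in resources:
            acl_condition = statement.get("Condition", {}).get("StringEquals", {})
            if acl_condition.get("s3:x-amz-acl") == "bucket-owner-full-control":
                put_ok = True
            else:
                put_without_condition = True

    problems = []
    if not acl_ok:
        problems.append(f"no s3:GetBucketAcl grant for {CLOUDTRAIL_PRINCIPAL} on {bucket_arn}")
    if not put_ok:
        if put_without_condition:
            problems.append("s3:PutObject grant lacks the bucket-owner-full-control ACL condition")
        else:
            problems.append(f"no s3:PutObject grant for {CLOUDTRAIL_PRINCIPAL} on {object_arn}")
    return problems


# Constructed sample values (not from the guide).
SAMPLE_BUCKET = "example-cloudtrail-logs"
SAMPLE_ACCOUNT = "111111111111"

ACL_STATEMENT = {
    "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
    "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
    "Action": "s3:GetBucketAcl",
    "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}",
}
WRITE_STATEMENT = {
    "Sid": "AWSCloudTrailWrite", "Effect": "Allow",
    "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
    "Action": "s3:PutObject",
    "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/AWSLogs/{SAMPLE_ACCOUNT}/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
}


def _policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


GOOD_POLICY = _policy(ACL_STATEMENT, WRITE_STATEMENT)
# Missing the ACL check and written without the ACL condition: two findings.
INCOMPLETE_POLICY = _policy({k: v for k, v in WRITE_STATEMENT.items() if k != "Condition"})

if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("incomplete", INCOMPLETE_POLICY)):
        print(label, check_cloudtrail_bucket_policy(doc, SAMPLE_BUCKET, SAMPLE_ACCOUNT) or "OK")
```

Run it against the policy of the bucket you selected in step 3; a trail that uses a log file prefix must be checked with that prefix, because the object ARN CloudTrail writes to changes with it.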

Logging Amazon EC2 API Calls Using AWS CloudTrail

Amazon EC2 and Amazon VPC are integrated with CloudTrail, a service that captures API calls made on behalf of Amazon EC2 and Amazon VPC. It delivers the log files to an Amazon S3 bucket that you specify. The API calls can be made indirectly by using the Amazon EC2 or Amazon VPC console, or directly by using the Amazon EC2 API. Using the information collected by CloudTrail, you can determine the request type that was made, the source IP address from which the request was made, the person who made the request, the date/time on which the request was made, etc.

Amazon EC2 Information in CloudTrail

When CloudTrail logging is enabled, calls made to Amazon EC2 and Amazon VPC actions are tracked in log files, along with any other AWS service records. CloudTrail determines when to create and write to a new file based on a specified time period and file size.

All of the Amazon EC2 and Amazon VPC actions are logged; API actions generate entries in the CloudTrail log files.

Every log entry contains information about who generated the request. The user identity information in the log helps you determine whether the request was made with root or IAM user credentials, with temporary security credentials for a role or federated user, or by another AWS service.

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted using Amazon S3 server-side encryption (SSE).

You can choose to have CloudTrail publish Amazon SNS notifications when new log files are delivered, if you want to take quick action upon log file delivery.

You can also aggregate Amazon EC2 and Amazon VPC log files from multiple AWS regions and multiple AWS accounts into a single Amazon S3 bucket.


Logging Amazon CloudWatch API Calls in AWS CloudTrail

Amazon CloudWatch is integrated with AWS CloudTrail, a service that captures API calls made on behalf of your AWS account. This information is collected and written to log files that are stored in an Amazon S3 bucket that you specify. API calls are logged when you use the Amazon CloudWatch API, the Amazon CloudWatch console, a back-end console, or the AWS CLI. Using the information collected by CloudTrail, you can determine the type of request that was made to Amazon CloudWatch, the source IP address from which the request was made, the person who made the request, the time at which the request was made, etc.

CloudWatch Information in CloudTrail

If CloudTrail logging is turned on, calls made to all Amazon CloudWatch actions are captured in log files. For example, calls to the EnableAlarmActions, PutMetricAlarm, and DescribeAlarms actions generate entries in CloudTrail log files. The following CloudWatch actions are supported:

• PutMetricAlarm

• DescribeAlarms

• DescribeAlarmHistory

• DescribeAlarmsForMetric

• DisableAlarmActions

• EnableAlarmActions

• SetAlarmState

• DeleteAlarms

Every log entry contains information about the person who generated the request. For example, if a request is made to create or update an alarm (PutMetricAlarm), CloudTrail logs the user identity of the person or service that made the request. The user identity information helps you determine whether the request was made with root or IAM user credentials, with temporary security credentials for a role or federated user, or by another AWS service.

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted by using Amazon S3 server-side encryption (SSE).
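The user identity and action details described in this section and in "Amazon EC2 Information in CloudTrail" above can be read straight out of a delivered log file. The following script is an added example, not part of this guide or of the EventTracker Knowledge Pack: it parses the "Records" array of a CloudTrail log document, labels each caller by userIdentity.type (root, IAM user, assumed role, federated user or AWS service), counts calls per service, and surfaces root credential usage and the alarm-silencing CloudWatch actions from the supported list above. The log document is constructed sample data.

```python
"""Triage a delivered CloudTrail log file for actor, action and source details.

CloudTrail writes a JSON document whose top-level "Records" array holds one entry
per API call. For every record this example reports who made the call
(userIdentity.type distinguishes root, IAM user, assumed role, federated user
and AWS service), which EC2 or CloudWatch action it was, and the source IP, and
it surfaces two things a defender wants to see first: any call made with root
credentials, and the CloudWatch actions that can quieten or remove alarms.
The log document below is constructed sample data, not output from a real account.
"""
import json
from collections import Counter

# CloudWatch actions from the supported list above that can quieten or remove alarms.
ALARM_SILENCING_ACTIONS = {"DisableAlarmActions", "DeleteAlarms", "SetAlarmState"}
CLOUDWATCH_SOURCE = "monitoring.amazonaws.com"


def describe_actor(identity):
    """Turn a CloudTrail userIdentity block into a short human-readable label."""
    kind = identity.get("type")
    if kind == "Root":
        return "root credentials of account " + identity.get("accountId", "?")
    if kind == "IAMUser":
        return "IAM user " + identity.get("userName", "?")
    if kind in ("AssumedRole", "FederatedUser"):
        # arn:aws:sts::<account>:assumed-role/<role>/<session>
        # arn:aws:sts::<account>:federated-user/<name>
        parts = identity.get("arn", "").split(":")[-1].split("/")
        label = "assumed role" if kind == "AssumedRole" else "federated user"
        who = parts[1] if len(parts) > 1 else "?"
        session = f" (session {parts[2]})" if len(parts) > 2 else ""
        return f"{label} {who}{session}"
    if kind == "AWSService":
        return "AWS service " + identity.get("invokedBy", "?")
    return f"unrecognised identity type {kind!r}"


def triage(log_text):
    """Summarise a CloudTrail log document and list the records worth a closer look."""
    records = json.loads(log_text).get("Records", [])
    by_source = Counter()
    findings = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        source = rec.get("eventSource", "?")
        name = rec.get("eventName", "?")
        by_source[source] += 1
        detail = (f"{rec.get('eventTime', '?')} {name} by {describe_actor(identity)} "
                  f"from {rec.get('sourceIPAddress', '?')}")
        if identity.get("type") == "Root":
            findings.append("ROOT-USAGE " + detail)
        if source == CLOUDWATCH_SOURCE and name in ALARM_SILENCING_ACTIONS:
            findings.append("ALARM-SILENCED " + detail)
    return {"records": len(records), "by_source": dict(by_source), "findings": findings}


# Constructed sample log document in the delivered CloudTrail file layout.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-06-09T10:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops-user",
                      "accountId": "111111111111"}},
    {"eventTime": "2017-06-09T10:07:45Z", "eventSource": CLOUDWATCH_SOURCE,
     "eventName": "DisableAlarmActions", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventTime": "2017-06-09T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/MonitorRole/i-0abc12345"}},
    {"eventTime": "2017-06-09T10:12:30Z", "eventSource": CLOUDWATCH_SOURCE,
     "eventName": "PutMetricAlarm", "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}},
]})

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary["records"], "records:", summary["by_source"])
    for finding in summary["findings"]:
        print(finding)
```

Delivered files are gzip-compressed in the S3 bucket, so decompress before passing the text to triage(); a single record can produce more than one finding, as the root-initiated DisableAlarmActions call in the sample does.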


Collect Amazon Web Services logs into EventTracker

Fetch AWS security credentials

1. Login to the AWS Management Console with valid credentials.

2. Click on the User drop-down and select My Security Credentials.

Figure 1

3. Under Your Security Credentials, expand Access Keys and click Create New Access Key Button.

Figure 2

4. Click Show Access Key and note down Access Key ID and Secret Access Key. It can also be downloaded to a csv by clicking Download Key File.


Figure 3

Configure AWS Integrator for EventTracker

Note: EventTracker supports both S3 bucket logging and CloudTrail. Please request the appropriate integrator pack as per your requirement.

1. Install AWS Tools for Windows PowerShell from this location.

2. Retrieve the AWS Integrator pack for EventTracker from EventTracker Support.

3. Download and extract the provided file.

4. Open PowerShell as administrator and execute the script named AWS S3 Form.ps1.

5. Click OK on the AWS Tools installation check dialog box.

Figure 4

6. Fill in the requested details as suggested below:

o Access Key: AWS access key procured in the earlier step.

o Secret Key: AWS secret key procured in the earlier step.

o Region: AWS region code of the user (us-west-1 by default).

o Bucket: AWS buckets to be monitored.

7. Click OK.


Figure 5

8. In the next dialog box, select the appropriate script execution time. Daily is advised because of the high log volume.

9. Click OK.

Figure 6

10. Enter the admin credentials to be used for script execution by the Task Scheduler.

11. Click OK.

Figure 7


12. Click OK on configuration success dialog box.

Figure 8

Verify AWS Integrator Configuration

1. Login to EventTracker Enterprise.

2. Select Manager, from Admin drop-down and choose Direct Log Archiver /NetFlow Receiver tab.

3. A new configuration named AWSLogs is created here.

Figure 9


4. Open Task Scheduler.

5. A new task named AWS Logging is created here.

6. Change the task trigger schedule as needed.

Figure 10

EventTracker Knowledge Pack (KP)

Once logs are received into EventTracker, category reports can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker Enterprise to support Amazon Web Services EC2 and CloudWatch monitoring.

Categories

1. AWS EC2: Account attribute described - This category based report provides information related to account attribute described.

2. AWS EC2: Availability zone described - This category based report provides information related to availability zone described.

3. AWS EC2: Bundle task cancelled - This category based report provides information related to bundle task cancelled.

4. AWS EC2: Bundle task described - This category based report provides information related to bundle task described.


5. AWS EC2: Conversion task cancelled - This category based report provides information related to conversion task cancelled.

6. AWS EC2: Conversion task described - This category based report provides information related to conversion task described.

7. AWS EC2: Customer gateway created - This category based report provides information related to customer gateway created.

8. AWS EC2: Customer gateway deleted - This category based report provides information related to customer gateway deleted.

9. AWS EC2: Customer gateway described - This category based report provides information related to customer gateway described.

10. AWS EC2: DHCP option associated - This category based report provides information related to DHCP option associated.

11. AWS EC2: DHCP option created - This category based report provides information related to DHCP option created.

12. AWS EC2: DHCP option deleted - This category based report provides information related to DHCP option deleted.

13. AWS EC2: DHCP option described - This category based report provides information related to DHCP option described.

14. AWS EC2: Image attribute described - This category based report provides information related to image attribute described.

15. AWS EC2: Image attribute modified - This category based report provides information related to image attribute modified.

16. AWS EC2: Image attribute reset - This category based report provides information related to image attribute reset.

17. AWS EC2: Image copied - This category based report provides information related to image copied.

18. AWS EC2: Image created - This category based report provides information related to image created.

19. AWS EC2: Image deregistered - This category based report provides information related to image deregistered.

20. AWS EC2: Image described - This category based report provides information related to image described.

21. AWS EC2: Image registered - This category based report provides information related to image registered.

22. AWS EC2: Instance attribute described - This category based report provides information related to instance attribute described.

23. AWS EC2: Instance attribute modified - This category based report provides information related to instance attribute modified.

24. AWS EC2: Instance attribute reset - This category based report provides information related to instance attribute reset.


25. AWS EC2: Instance bundled - This category based report provides information related to instance bundled.

26. AWS EC2: Instance described - This category based report provides information related to instance described.

27. AWS EC2: Instance imported - This category based report provides information related to instance imported.

28. AWS EC2: Instance monitored - This category based report provides information related to instance monitored.

29. AWS EC2: Instance rebooted - This category based report provides information related to instance rebooted.

30. AWS EC2: Instance started - This category based report provides information related to instance started.

31. AWS EC2: Instance status - This category based report provides information related to instance status.

32. AWS EC2: Instance stopped - This category based report provides information related to instance stopped.

33. AWS EC2: Instance terminated - This category based report provides information related to instance terminated.

34. AWS EC2: Instance unmonitored - This category based report provides information related to instance unmonitored.

35. AWS EC2: Internet gateway attached - This category based report provides information related to internet gateway attached.

36. AWS EC2: Internet gateway created - This category based report provides information related to internet gateway created.

37. AWS EC2: Internet gateway deleted - This category based report provides information related to internet gateway deleted.

38. AWS EC2: Internet gateway described - This category based report provides information related to internet gateway described.

39. AWS EC2: Internet gateway detached - This category based report provides information related to internet gateway detached.

40. AWS EC2: IP address allocated - This category based report provides information related to IP address allocated.

41. AWS EC2: IP address associated - This category based report provides information related to IP address associated.

42. AWS EC2: IP address described - This category based report provides information related to IP address described.

43. AWS EC2: IP address disassociated - This category based report provides information related to IP address disassociated.


44. AWS EC2: IP address released - This category based report provides information related to IP address released.

45. AWS EC2: Key pair created - This category based report provides information related to key pair created.

46. AWS EC2: Key pair deleted - This category based report provides information related to key pair deleted.

47. AWS EC2: Key pair described - This category based report provides information related to key pair described.

48. AWS EC2: Key pair imported - This category based report provides information related to key pair imported.

49. AWS EC2: Network ACLs activity - This category based report provides information related to network ACLs activity.

50. AWS EC2: Network interface attached - This category based report provides information related to network interface attached.

51. AWS EC2: Network interface attribute described - This category based report provides information related to network interface attribute described.

52. AWS EC2: Network interface attribute modified - This category based report provides information related to network interface attribute modified.

53. AWS EC2: Network interface attribute reset - This category based report provides information related to network interface attribute reset.

54. AWS EC2: Network interface created - This category based report provides information related to network interface created.

55. AWS EC2: Network interface deleted - This category based report provides information related to network interface deleted.

56. AWS EC2: Network interface described - This category based report provides information related to network interface described.

57. AWS EC2: Network interface detached - This category based report provides information related to network interface detached.

58. AWS EC2: Placement group created - This category based report provides information related to placement group created.

59. AWS EC2: Placement group deleted - This category based report provides information related to placement group deleted.

60. AWS EC2: Placement group described - This category based report provides information related to placement group described.

61. AWS EC2: Private IP address assigned - This category based report provides information related to private IP address assigned.

62. AWS EC2: Private IP address unassigned - This category based report provides information related to private IP address unassigned.


63. AWS EC2: Product instance confirmed - This category based report provides information related to product instance confirmed.

64. AWS EC2: Reserved instance described - This category based report provides information related to reserved instance described.

65. AWS EC2: Reserved instances listing cancelled - This category based report provides information related to reserved instances listing cancelled.

66. AWS EC2: Reserved instances listing created - This category based report provides information related to reserved instances listing created.

67. AWS EC2: Reserved instances listing described - This category based report provides information related to reserved instances listing described.

68. AWS EC2: Reserved instances modified - This category based report provides information related to reserved instances modified.

69. AWS EC2: Reserved instances offering purchased - This category based report provides information related to reserved instances offering purchased.

70. AWS EC2: Route created - This category based report provides information related to route created.

71. AWS EC2: Route deleted - This category based report provides information related to route deleted.

72. AWS EC2: Route replaced - This category based report provides information related to route replaced.

73. AWS EC2: Route table associated - This category based report provides information related to route table associated.

74. AWS EC2: Route table association replaced - This category based report provides information related to route table association replaced.

75. AWS EC2: Route table created - This category based report provides information related to route table created.

76. AWS EC2: Route table deleted - This category based report provides information related to route table deleted.

77. AWS EC2: Route table described - This category based report provides information related to route table described.

78. AWS EC2: Route table disassociated - This category based report provides information related to route table disassociated.

79. AWS EC2: Security group activities - This category based report provides information related to security group activities.

80. AWS EC2: Security group created - This category based report provides information related to security group created.

81. AWS EC2: Security group deleted - This category based report provides information related to security group deleted.

82. AWS EC2: Security group described - This category based report provides information related to security group described.


83. AWS EC2: Snapshot attribute described - This category based report provides information related to snapshot attribute described.

84. AWS EC2: Snapshot attribute modified - This category based report provides information related to snapshot attribute modified.

85. AWS EC2: Snapshot attribute reset - This category based report provides information related to snapshot attribute reset.

86. AWS EC2: Snapshot copied - This category based report provides information related to snapshot copied.

87. AWS EC2: Snapshot created - This category based report provides information related to snapshot created.

88. AWS EC2: Snapshot deleted - This category based report provides information related to snapshot deleted.

89. AWS EC2: Snapshot described - This category based report provides information related to snapshot described.

90. AWS EC2: Spot datafeed subscription created - This category based report provides information related to spot datafeed subscription created.

91. AWS EC2: Spot datafeed subscription deleted - This category based report provides information related to spot datafeed subscription deleted.

92. AWS EC2: Spot datafeed subscription described - This category based report provides information related to spot datafeed subscription described.

93. AWS EC2: Spot instance request cancelled - This category based report provides information related to spot instance request cancelled.

94. AWS EC2: Spot instance request described - This category based report provides information related to spot instance request described.

95. AWS EC2: Spot instances requested - This category based report provides information related to spot instances requested.

96. AWS EC2: Spot price history described - This category based report provides information related to spot price history described.

97. AWS EC2: Subnet attribute modified - This category based report provides information related to subnet attribute modified.

98. AWS EC2: Subnet created - This category based report provides information related to subnet created.

99. AWS EC2: Subnet deleted - This category based report provides information related to subnet deleted.

100. AWS EC2: Subnet described - This category based report provides information related to subnet described.

101. AWS EC2: Tags created - This category based report provides information related to tags created.

102. AWS EC2: Tags deleted - This category based report provides information related to tags deleted.


103. AWS EC2: Tags described - This category based report provides information related to tags described.

104. AWS EC2: Virtual machine export instance created - This category based report provides information related to virtual machine export instance created.

105. AWS EC2: Virtual machine export task cancelled - This category based report provides information related to virtual machine export task cancelled.

106. AWS EC2: Virtual machine export task described - This category based report provides information related to virtual machine export task described.

107. AWS EC2: Virtual private cloud attribute described - This category based report provides information related to virtual private cloud attribute described.

108. AWS EC2: Virtual private cloud attribute modified - This category based report provides information related to virtual private cloud attribute modified.

109. AWS EC2: Virtual private cloud created - This category based report provides information related to virtual private cloud created.

110. AWS EC2: Virtual private cloud deleted - This category based report provides information related to virtual private cloud deleted.

111. AWS EC2: Virtual private cloud described - This category based report provides information related to virtual private cloud described.

112. AWS EC2: Virtual private cloud peer connection accepted - This category based report provides information related to virtual private cloud peer connection accepted.

113. AWS EC2: Virtual private cloud peer connection created - This category based report provides information related to virtual private cloud peer connection created.

114. AWS EC2: Virtual private cloud peer connection deleted - This category based report provides information related to virtual private cloud peer connection deleted.

115. AWS EC2: Virtual private cloud peer connection described - This category based report provides information related to virtual private cloud peer connection described.

116. AWS EC2: Virtual private cloud peer connection rejected - This category based report provides information related to virtual private cloud peer connection rejected.

117. AWS EC2: Virtual private gateway route propagation disabled - This category based report provides information related to virtual private gateway route propagation disabled.

118. AWS EC2: Virtual private gateway route propagation enabled - This category based report provides information related to virtual private gateway route propagation enabled.

119. AWS EC2: Volume attached - This category based report provides information related to volume attached.

120. AWS EC2: Volume attribute described - This category based report provides information related to volume attribute described.

121. AWS EC2: Volume attribute modified - This category based report provides information related to volume attribute modified.


122. AWS EC2: Volume created - This category based report provides information related to volume created.

123. AWS EC2: Volume deleted - This category based report provides information related to volume deleted.

124. AWS EC2: Volume described - This category based report provides information related to volume described.

125. AWS EC2: Volume detached - This category based report provides information related to volume detached.

126. AWS EC2: Volume imported - This category based report provides information related to volume imported.

127. AWS EC2: Volume status described - This category based report provides information related to volume status described.

128. AWS EC2: VPN connection created - This category based report provides information related to VPN connection created.

129. AWS EC2: VPN connection deleted - This category based report provides information related to VPN connection deleted.

130. AWS EC2: VPN connection described - This category based report provides information related to VPN connection described.

131. AWS EC2: VPN gateway attached - This category based report provides information related to VPN gateway attached.

132. AWS EC2: VPN gateway created - This category based report provides information related to VPN gateway created.

133. AWS EC2: VPN gateway deleted - This category based report provides information related to VPN gateway deleted.

134. AWS EC2: VPN gateway described - This category based report provides information related to VPN gateway described.

135. AWS EC2: VPN gateway detached - This category based report provides information related to VPN gateway detached.

136. AWS EC2: VPN route connection created - This category based report provides information related to VPN route connection created.

137. AWS EC2: VPN route connection deleted - This category based report provides information related to VPN route connection deleted.

Reports

The following reports are based on API requests sent by AWS accounts and users:


1. AWS VPC- Virtual Private Cloud – This report provides information about the creation, deletion and description of Amazon Virtual Private Cloud with Source details (Account, Access Key ID, User and source IP details).

2. AWS VPC- Subnet – This report provides information about the creation, deletion and description of subnet in Virtual private cloud with Source details (Account, Access Key ID, user and source IP details).

3. AWS VPC- DHCP Options – This report provides information about the creation, deletion and description of DHCP Option set for VPC with Source details (Account, Access Key ID, User and Source IP details).

4. AWS VPC- Security Groups – This report provides information about creation, deletion and description of Inbound and Outbound security group rules with source details (Account, Access Key ID, User and Source IP details).

5. AWS VPC- Network ACLs – This report provides information about creation, deletion and description of Network ACLs in VPC with Source details (Account, Access Key ID, User and Source IP details).

6. AWS VPC- Route Tables – This report provides information about creation, deletion and description of route tables in VPC with source details (Account, Access Key ID, User and Source IP details).

7. AWS VPC- Elastic IP Address – This report provides information about the renew, release and associate of Elastic IP for VPC with source details (Account, Access Key ID, User and Source IP details).

8. AWS VPC- Virtual Private Gateway – This report provides information about the Creation, deletion and description of Virtual Private Gateway with source details (Account, Access Key ID, User and source IP details).

9. AWS VPC: Customer Gateway – This report provides information about the creation, deletion and description of Customer Gateway in VPC with source details (Account, Access Key ID, User and Source IP details).

10. AWS VPC- Internet Gateway – This report provides information about the creation, deletion and Description of Internet Gateway with Source details (Account, Access Key ID, User and Source IP details).

11. AWS VPC- Flow – This report provides information about the Inbound and Outbound Traffic Flow from Instance and Network Interfaces with source and destination IP and ports information.

12. AWS- General Report – This report provides information about requests sent by users and the responses received, including errors, together with source details (Account, Access Key ID, User and Source IP details).

13. AWS CloudTrail- Error traffic details - This report provides information regarding CloudWatch client errors which includes authentication failures and configuration failures.

14. AWS CloudTrail- All traffic details - This report provides information regarding CloudWatch traffic details stored in the S3 bucket.
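Reports 1 to 14 above all draw on the same fields of a CloudTrail record: the caller's account, access key ID and user name, the source IP, the API name, and any error code the call returned. The following script is an added example, not code from the EventTracker guide or its knowledge pack; it shows where those "Source details" live in a CloudTrail record and groups EC2 API calls into the VPC report families the guide lists. The records are constructed, and the account ID and access key ID are AWS's documented placeholder values, not real credentials.

```python
"""Extract report fields from CloudTrail records and group them by VPC resource family.

Added example (not part of the EventTracker guide). Record layout follows the
CloudTrail JSON format: a top-level "Records" array whose entries carry
userIdentity, eventSource, eventName, sourceIPAddress and optional errorCode.
"""
import json
from collections import defaultdict
from typing import Dict, List

# eventName substring -> report family, following the guide's VPC reports 1-10.
# More specific substrings come first so e.g. "VpnGateway" is never matched as "Vpc".
FAMILIES = [
    ("DhcpOptions", "DHCP Options"),
    ("NetworkAcl", "Network ACLs"),
    ("SecurityGroup", "Security Groups"),
    ("RouteTable", "Route Tables"),
    ("Address", "Elastic IP Address"),      # AllocateAddress, AssociateAddress, ReleaseAddress
    ("VpnGateway", "Virtual Private Gateway"),
    ("CustomerGateway", "Customer Gateway"),
    ("InternetGateway", "Internet Gateway"),
    ("Subnet", "Subnet"),
    ("Vpc", "Virtual Private Cloud"),
]


def classify(event_name: str) -> str:
    """Report family for an EC2 API eventName; anything unmatched lands in General."""
    for needle, family in FAMILIES:
        if needle in event_name:
            return family
    return "General"


def source_details(record: dict) -> Dict[str, str]:
    """Account, Access Key ID, User and Source IP, as the guide's reports present them."""
    ident = record.get("userIdentity", {})
    return {
        "account": ident.get("accountId", "-"),
        "access_key_id": ident.get("accessKeyId", "-"),
        # Role sessions and root have no userName; fall back to the ARN.
        "user": ident.get("userName") or ident.get("arn", "-"),
        "source_ip": record.get("sourceIPAddress", "-"),
    }


def build_reports(cloudtrail_json: str) -> Dict[str, List[dict]]:
    """Group records into report families. A record carrying errorCode is also
    copied into 'Error traffic', mirroring the guide's error report."""
    reports: Dict[str, List[dict]] = defaultdict(list)
    for rec in json.loads(cloudtrail_json)["Records"]:
        row = {"time": rec["eventTime"], "event": rec["eventName"], **source_details(rec)}
        if rec.get("errorCode"):
            row["error"] = rec["errorCode"]
            reports["Error traffic"].append(row)
        if rec.get("eventSource") == "ec2.amazonaws.com":
            reports[classify(rec["eventName"])].append(row)
        else:
            reports["General"].append(row)
    return dict(reports)


# Constructed sample records (placeholder account and access key IDs).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "alice"},
     "requestParameters": {"cidrBlock": "10.0.0.0/16"}},
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:07:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSubnets",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "alice"}},
    {"eventVersion": "1.05", "eventTime": "2017-06-01T10:09:00Z",
     "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "bob"}},
]})

if __name__ == "__main__":
    for family, rows in build_reports(SAMPLE_CLOUDTRAIL).items():
        print(family)
        for row in rows:
            print("   ", row)
```

The same record can legitimately appear in two reports: a failed AuthorizeSecurityGroupIngress call belongs both to the Security Groups report and to the error report, which is why the error copy is made before the family lookup.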


Logs Considered:


15. AWS S3- HTTP status summary - This report provides information regarding summary of HTTP request to S3 bucket.


Logs Considered:

16. AWS S3-Remote IP summary - This report provides information regarding summary of remote IP address accessing the S3 bucket.

Logs Considered:

17. AWS S3- Operation type summary - This report provides information regarding event details of user activity.


Logs Considered:

18. AWS S3- User agent summary - This report provides information regarding user agent used to access S3 bucket.


Logs Considered:

19. AWS S3-All Traffic details - This report provides information regarding all traffic traversing S3 buckets.
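Reports 15 to 19 are roll-ups of the S3 server access log by HTTP status, remote IP, operation type and user agent, and the "AWS S3-HTTP traffic" sample dashboard later in this guide is the same data pivoted by remote IP against HTTP status. The script below is an added example, not code from the EventTracker guide or its knowledge pack: it parses lines in the S3 server access log format that AWS documents and produces those summaries. The log lines are constructed, with placeholder owner and requester IDs and RFC 5737 test addresses.

```python
"""Summaries over Amazon S3 server access log lines (added example, not the guide's code).

Field order follows the documented S3 server access log format: space-delimited,
with the timestamp in [brackets] and request URI, referrer and user agent in "quotes".
"""
from collections import Counter
from typing import Dict, List

# Leading fields of an S3 server access log line, in documented order.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referrer", "user_agent", "version_id",
]


def tokenize(line: str) -> List[str]:
    """Split on spaces while keeping [bracketed] and "quoted" fields whole."""
    tokens: List[str] = []
    i, n = 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] == "[":
            j = line.index("]", i)
            tokens.append(line[i + 1:j])
            i = j + 1
        elif line[i] == '"':
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_s3_access_log(line: str) -> Dict[str, str]:
    """Map one log line to named fields; a truncated line raises rather than mis-aligning."""
    tokens = tokenize(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    return dict(zip(FIELDS, tokens))


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """The four per-field summaries, the error breakdown, and the remote IP x status pivot."""
    recs = [parse_s3_access_log(ln) for ln in lines if ln.strip()]
    return {
        "http_status": Counter(r["http_status"] for r in recs),
        "remote_ip": Counter(r["remote_ip"] for r in recs),
        "operation": Counter(r["operation"] for r in recs),
        "user_agent": Counter(r["user_agent"] for r in recs),
        # S3 sets error_code only on failures; 4xx/5xx selects those rows.
        "errors": Counter(r["error_code"] for r in recs if r["http_status"][0] in "45"),
        "ip_by_status": Counter((r["remote_ip"], r["http_status"]) for r in recs),
    }


# Constructed sample lines: placeholder IDs, RFC 5737 addresses, no real bucket.
SAMPLE_LINES = [
    'OWNERIDPLACEHOLDER examplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 REQUESTERPLACEHOLDER '
    'REQID0001 REST.GET.OBJECT reports/q1.csv "GET /examplebucket/reports/q1.csv HTTP/1.1" '
    '200 - 4096 4096 12 9 "-" "aws-cli/1.16.0" -',
    'OWNERIDPLACEHOLDER examplebucket [06/Feb/2019:00:01:02 +0000] 192.0.2.3 REQUESTERPLACEHOLDER '
    'REQID0002 REST.PUT.OBJECT reports/q2.csv "PUT /examplebucket/reports/q2.csv HTTP/1.1" '
    '200 - - 8192 30 25 "-" "aws-cli/1.16.0" -',
    'OWNERIDPLACEHOLDER examplebucket [06/Feb/2019:00:02:15 +0000] 198.51.100.7 - '
    'REQID0003 REST.GET.OBJECT secret.txt "GET /examplebucket/secret.txt HTTP/1.1" '
    '403 AccessDenied 243 - 3 - "-" "Mozilla/5.0" -',
    'OWNERIDPLACEHOLDER examplebucket [06/Feb/2019:00:02:40 +0000] 198.51.100.7 - '
    'REQID0004 REST.GET.OBJECT missing.txt "GET /examplebucket/missing.txt HTTP/1.1" '
    '404 NoSuchKey 289 - 4 - "-" "Mozilla/5.0" -',
]

if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LINES).items():
        print(name, dict(counter))
```

A plain `str.split()` would break on the request URI and user agent, which contain spaces; the tokenizer is what keeps the field positions stable, and the length check turns a truncated line into an error instead of a silently shifted status column.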


Logs Considered:

Knowledge Object

1. AWS CloudTrail All Traffic - This KO helps in advanced analysis and reporting of CloudWatch traffic captured by CloudTrail.

2. AWS S3 All Traffic - This KO helps in advanced analysis and reporting of S3 bucket traffic flow.

Import AWS knowledge pack into EventTracker

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility.


Figure 11

3. Import knowledge pack items in the following sequence:

• Categories
• Parsing Rules
• Flex Reports
• Knowledge Objects

Categories

1. Click Category option, and then click the browse button.


Figure 12

2. Locate All AWS group of Categories.iscat file, and then click the Open button.

3. To import categories, click the Import button.

Figure 13

4. Click OK, and then click the Close button.

Parsing Rules

1. Select Import tab, choose Token value from Options dialog box.


2. Click the browse button in Location section.

Figure 14

3. Locate the AWS Parsing Rules.istoken file, and then click the Open button.

4. To import tokens, click the Import button.

Figure 15

5. Click OK, and then click the Close button.


Flex Reports

1. Select Import tab, choose Reports from Options dialog box.

Figure 16

2. Select Legacy (*.issch) from Location dialog box, click the ‘browse’ button.

3. Locate AWS Reports.issch file, and then click the Open button.


Figure 17

4. To import scheduled reports from selected file, click the Import button.

Figure 18

5. Click OK and Close.

Knowledge Objects

1. Logon to EventTracker Enterprise.

2. Click the Admin menu and then click the Knowledge Objects.


Figure 19

3. Click the Import button.

Figure 20

4. Click browse and locate the file named AWS Knowledge Objects.etko.


5. Click on UPLOAD button.

Figure 21

6. Select associated knowledge object and click on Overwrite button.

Figure 22

7. Click OK.


Verify AWS knowledge pack in EventTracker

Categories

1. Logon to EventTracker Enterprise.

2. Click Admin dropdown, and then click Categories.

3. In Category Tree, scroll down and expand the Amazon Web Services group folder to view the imported categories.

Figure 23

Parsing Rules

1. Logon to EventTracker Enterprise.

2. Click the Admin dropdown, and then click Parsing rule.

3. Scroll down and select Amazon Web Services from Groups. Imported Token-Values are shown in the right pane.


Figure 24

Flex Reports

1. Logon to EventTracker Enterprise.

Figure 25

2. Navigate to Reports->Configuration.

3. Select Defined in report type.

4. In Report Configuration page, select AWS from Report Groups.


Figure 26

5. AWS reports are shown in the right pane.

Knowledge Objects

1. Logon to EventTracker Enterprise.

2. Click the Admin menu and then click the Knowledge Objects.


Figure 27

3. Scroll down and select AWS from Groups section. Imported knowledge objects are shown in the right pane.

Figure 28


Create Flex Dashboards in EventTracker

NOTE: To configure the flex dashboards, schedule and generate the reports. Flex dashboard feature is available from EventTracker Enterprise v8.0.

Schedule Reports

1. Open EventTracker in browser and logon.

Figure 29

2. Navigate to Reports>Configuration.

3. Select AWS in report groups. Check the Defined option.

Figure 30


1. Click on ‘schedule’ to plan a report for later execution.

2. Click Next button to proceed.

3. In review page, check Persist data in EventVault Explorer option.

Figure 31

4. In next page, check column names to persist using PERSIST checkboxes beside them. Choose suitable Retention period.


Figure 32

5. Proceed to next step and click Schedule button.

6. Wait till the reports get generated.

Create Dashlets

1. Open EventTracker Enterprise in browser and logon.


Figure 33

2. Navigate to Dashboard>Flex. Flex Dashboard pane is shown.

Figure 34

3. Fill suitable title and description and click Save button.

4. Click to configure a new flex dashlet. Widget configuration pane is shown.


Figure 35

5. Locate earlier scheduled report in Data Source dropdown.

6. Select Chart Type from dropdown.

7. Select extent of data to be displayed in Duration dropdown.

8. Select computation type in Value Field Setting dropdown.

9. Select evaluation duration in As Of dropdown.

10. Select comparable values in X Axis with suitable label.

11. Select numeric values in Y Axis with suitable label.

12. Select comparable sequence in Legend.

13. Click Test button to evaluate. Evaluated chart is shown.


Figure 36

14. If satisfied, click Configure button.

Figure 37

15. Click ‘customize’ to locate and choose created dashlet.

16. Click to add dashlet to earlier created dashboard.


Sample Flex Dashboards

• WIDGET TITLE: AWS S3-HTTP traffic
  REPORT: AWS S3-All traffic
  CHART TYPE: Donut
  AXIS LABELS [X-AXIS]: Remote IP
  Legend [Series]: HTTP Status


• WIDGET TITLE: AWS S3-Operation details
  REPORT: AWS S3-All traffic
  CHART TYPE: Pie
  AXIS LABELS [X-AXIS]: Remote IP
  Legend [Series]: Operation Type


• WIDGET TITLE: AWS CloudTrail-User activity
  REPORT: AWS CloudTrail-All traffic
  CHART TYPE: Donut
  AXIS LABELS [X-AXIS]: Source IP
  Legend [Series]: User Name


• WIDGET TITLE: AWS CloudTrail-User agent activity
  REPORT: AWS CloudTrail-All traffic
  CHART TYPE: Pie
  AXIS LABELS [X-AXIS]: User Agent
  Legend [Series]: Event Name
