AWS EC2 CloudWatch API
FortiSIEM Support Added: 4.7.2
FortiSIEM Last Modification: 6.3.1
Vendor Version Tested: Not Provided
Vendor: Amazon
Product Information: https://aws.amazon.com/cloudwatch/
- What is Discovered and Monitored
- Event Types
- Configuration
- Settings for Access Credentials
- Sample Events
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
---|---|---|---|
CloudWatch API |
|
|
Performance Monitoring CloudWatch Events Monitoring |
Event Types
- PH_DEV_MON_EBS_METRIC captures EBS metrics
To search for these event types, from ANALYTICS, click in the Edit Filters and Time Range... field, and take the following steps:
-
In Filter, select the Event Attribute radio button.
-
In the Attribute field, enter "Event Type".
-
In the Operator field, select "CONTAIN".
-
In the Value field, enter "AWS_VPC_FLOW".
-
Under Row, click + to add another row.
-
In the new row, in the Attribute field, enter "Raw Event Log".
-
In the new row, in the Operator field, select "CONTAIN".
-
In the new row, in the Value field, enter "AWS_CLOUDWATCH_EVENT_DATA".
-
Configure your Time Range and click Apply & Run.
Configuration
If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. You should also be sure to read the topic "Discovering Amazon Web Services (AWS) Infrastructure".
VPC Flow logs are supported. For more information, see HOW TO - Integrate Amazon VPC Flows.
The purpose of this discovery is to poll a list of EC2 instances in a given region so FortiSIEM knows that they are part of your AWS infrastructure. No logs are collected, but a CMDB entry for each EC2 instance is categorized under the “AWS” group in CMDB. This is important for certain reports that only look at AWS resources. It is still required to configure individual VMs with appropriate logging configurations, such as installable Agents (Linux, Windows) or Agentless (Syslog or WMI). Follow the instructions for the type of guest VM in this guide.
If you only want CloudWatch integration, you can create your AWS user and configure that user's policy by taking these steps.
Note: For the latest AWS documentation, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
-
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
-
In the navigation pane, choose Users and then choose Add user.
-
Type the user name for the new user. This is the sign-in name for AWS.
-
Select Programmatic access for the type of access this user will have.
-
Choose Next: Permissions.
-
Select Attach existing policies directly.
-
Select the policy CloudwatchReadOnlyAccess.
-
Choose Next: Tags.
-
Choose Next: Review.
-
Choose Create user.
-
Choose Show and record the Access key ID.
Note: To save the access keys, choose Download .csv and then save the file to a safe location.
This is your only opportunity to view or download the secret access keys. You will not have access to the secret keys again after this step.
-
Choose Show and record the secret key.
Note: To save the access keys, choose Download .csv and then save the file to a safe location.
This is your only opportunity to view or download the secret access keys. You will not have access to the secret keys again after this step.
-
Click Close.
Settings for Access Credentials
FortiSIEM Configuration Setup
Complete these steps in the FortiSIEM UI:
-
Navigate to ADMIN > Setup and click the Credentials tab.
-
In Step 1: Enter Credentials:
-
Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
-
Enter these settings in the Access Method Definition dialog box and click Save:
Setting Value Name ec2 Device Type Amazon AWS CloudWatch Access Protocol AWS CloudWatch Region The region in which your AWS instance is located AWS Account The name of your AWS account. Log Group Name Name of the log group. Log Stream Name Name of the log stream. Password Config See Password Configuration. Access Key ID The access key for your EC2 instance Secret Key The secret key for your EC2 instance
-
-
In Step 2: Enter IP Range to Credential Associations, click New.
-
Select the ec2 credential you created earlier from the Credentials drop-down list. It should autofill IP/Host Name as destination "amazon.com".
-
Click Save.
-
-
Select the new mapping and click the Test drop-down list and select Test Connectivity without Ping to start pulling.
Sample Events
[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com,[hostIpAddr]=192.0.2.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0.000000,[diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[diskWriteReqPerSec]=0.000000,[sentBytes]=131,[recvBytes]=165,[sentBitsPerSec]=17.493333,[recvBitsPerSec]=22.026667,[phLogDetail]=
[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cpp,
[lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.amazonaws.com,[hostIpAddr]=198.51.100.50,[diskName]=/dev/sda1,[volumeId]=vol-63287d9f,[diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395556,[ioReadsPerSec]=0.000000,[ioWritesPerSec]=0.010000,[diskQLen]=0,[phLogDetail]=