Similarly, the Microsoft Sentinel workspace ID is embedded in the AWS configuration, so there is in effect two-way authentication. The AWS credentials are configured with a role and a permissions policy giving them access to those resources. To connect to the SQS queue and the S3 bucket, Microsoft Sentinel uses AWS credentials and connection information embedded in the AWS S3 connector's configuration. The connector reads the message with the path, then fetches the files from the S3 bucket. If there is a message in the queue, it will contain the path to the log files. The Microsoft Sentinel AWS S3 connector polls the SQS queue at regular, frequent intervals. The S3 bucket sends notification messages to the SQS (Simple Queue Service) message queue whenever it receives new logs. This graphic and the following text shows how the parts of this connector solution interact.ĪWS services are configured to send their logs to S3 (Simple Storage Service) storage buckets. See the instructions for automatic setup later in this document. We have made available, in our GitHub repository, a script that automates the AWS side of this process. This sharing creates secure communication. See the instructions below.Įach side's process produces information used by the other side. Enable and configure the AWS S3 Connector in the Microsoft Sentinel portal.The process of setting it up has two parts: the AWS side and the Microsoft Sentinel side.Ĭonfigure your AWS service(s) to send logs to an S3 bucket.Ĭreate a Simple Queue Service (SQS) queue to provide notification.Ĭreate an assumed role to grant permissions to your Microsoft Sentinel account (external ID) to access your AWS resources.Īttach the appropriate IAM permissions policies to grant Microsoft Sentinel access to the appropriate resources (S3 bucket, SQS). #Sqlectron aws how to#This document explains how to configure the new AWS S3 connector.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |