
AWS Logs

In this guide, we'll learn how to stream all your AWS logs - CloudTrail, VPC Flow, ALB, S3 Access, WAF - to Dassana.

Prerequisite

Your AWS logs must be published to an S3 Bucket.

Deploy Serverless App

Dassana has built a Lambda function that streams logs from your S3 bucket to the security data lake. You must deploy this serverless app once for each log type (e.g. CloudTrail, VPC Flow Logs).

  1. Enter a stack name and fill out the following parameters:
  • Dassana Source ID: Paste the appropriate Source ID (see the Source IDs table below)
  • Dassana Endpoint: https://ingestion.dassana.cloud/events
  • Dassana Token: Paste your Dassana Token
  • ExistingSNSTopic (Optional): If you already have an SNS topic receiving notifications from your S3 bucket, paste its ARN here. Otherwise, leave it blank and we'll create one.
  • LogSourceBucket: Paste the ARN of the S3 bucket containing your logs
  2. Click the checkboxes to acknowledge custom IAM role creation and click Create Stack
  3. Once the stack is created, navigate to the Resources tab and click on the Physical ID of AWSApp. This opens your newly created Lambda function.

Add S3 Event Notification

If you did not have an existing SNS topic, follow these steps to finish setting up your Dassana source.

  1. Navigate to your S3 bucket in the console and select properties
  2. Scroll down to Event notifications and click create event notifications
  3. Fill out an event name
  4. Select 'All object create events'
  5. Scroll down and select SNS topic as a destination
  6. Select the newly created SNS topic (ends in "-DassanaLogTopic") and Save changes

What if I have an existing S3 Event Notification?

AWS only allows one event notification per event type per bucket. If your existing S3 Event Notification's destination is SNS, Dassana will hook into your existing notification (assuming you provided the SNS ARN when deploying our CFT). However, if your existing event notification's destination is a Lambda function, we recommend moving to a fan-out model: remove your existing event notification and follow the steps above to add Dassana's SNS topic as the destination. Then, optionally, create a new SQS queue subscribed to Dassana's SNS topic to serve as your Lambda's trigger.
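The decision above (reuse an existing SNS destination, or fan out when the existing destination is a Lambda) and the fan-out wiring can be checked before touching the bucket. The following is an added example, not Dassana's own code: it works on plain dicts shaped like the S3 GetBucketNotificationConfiguration / PutBucketNotificationConfiguration payloads, so it runs offline without boto3. It extends the page's advice slightly by treating an existing SQS destination the same way as a Lambda one (an SQS queue can subscribe to the SNS topic just as well). All ARNs, names and the `Id` values are constructed placeholders; the SNS topic policy and SQS queue policy are the standard least-privilege shapes, pinned to the source bucket and topic with `aws:SourceArn`, and are assumptions about what you would apply, not something the page specifies.

```python
"""Plan the S3 -> SNS wiring for Dassana and build the fan-out configuration.

Added example (not Dassana's code). Inputs/outputs mirror the S3 notification
configuration API shapes; no AWS calls are made.
"""
from __future__ import annotations

import json

OBJECT_CREATED_PREFIX = "s3:ObjectCreated:"


def _is_object_created(cfg: dict) -> bool:
    """True if this notification config covers any ObjectCreated event."""
    return any(e.startswith(OBJECT_CREATED_PREFIX) for e in cfg.get("Events", []))


def plan_notification(existing: dict) -> dict:
    """Decide how to attach Dassana to a bucket, given its current notification config.

    S3 permits one notification per event type per bucket, so:
      - existing ObjectCreated notification -> SNS: reuse it (pass TopicArn as ExistingSNSTopic)
      - existing ObjectCreated notification -> Lambda/SQS: move to the fan-out model
      - nothing for ObjectCreated: create the notification pointing at Dassana's topic
    """
    topics = [c for c in existing.get("TopicConfigurations", []) if _is_object_created(c)]
    lambdas = [c for c in existing.get("LambdaFunctionConfigurations", []) if _is_object_created(c)]
    queues = [c for c in existing.get("QueueConfigurations", []) if _is_object_created(c)]

    if topics:
        return {"action": "reuse_sns", "topic_arn": topics[0]["TopicArn"]}
    if lambdas or queues:
        return {
            "action": "fan_out",
            "existing_lambda_arns": [c["LambdaFunctionArn"] for c in lambdas],
            "existing_queue_arns": [c["QueueArn"] for c in queues],
        }
    return {"action": "create_sns"}


def build_fan_out(bucket_name: str, dassana_topic_arn: str, downstream_queue_arn: str) -> dict:
    """Return the three documents needed for S3 -> SNS -> {Dassana Lambda, your SQS queue}.

    The policies are pinned with aws:SourceArn so only this bucket can publish to the
    topic and only this topic can enqueue to your queue (assumed shapes, not from the page).
    """
    notification = {
        "TopicConfigurations": [
            {
                "Id": "dassana-object-created",  # placeholder id
                "TopicArn": dassana_topic_arn,
                "Events": ["s3:ObjectCreated:*"],  # matches 'All object create events'
            }
        ]
    }
    topic_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "SNS:Publish",
                "Resource": dassana_topic_arn,
                "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket_name}"}},
            }
        ],
    }
    queue_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": downstream_queue_arn,
                "Condition": {"ArnEquals": {"aws:SourceArn": dassana_topic_arn}},
            }
        ],
    }
    return {"notification": notification, "topic_policy": topic_policy, "queue_policy": queue_policy}


if __name__ == "__main__":
    # Constructed sample: the bucket currently triggers a Lambda on object creation.
    current = {
        "LambdaFunctionConfigurations": [
            {"LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:my-ingest",
             "Events": ["s3:ObjectCreated:Put"]}
        ]
    }
    print(plan_notification(current))
    docs = build_fan_out(
        "my-log-bucket",
        "arn:aws:sns:us-east-1:111122223333:my-stack-DassanaLogTopic",
        "arn:aws:sqs:us-east-1:111122223333:my-ingest-queue",
    )
    print(json.dumps(docs, indent=2))
```

Run `plan_notification` on the output of `get-bucket-notification-configuration` first; only when it returns `fan_out` do you need the queue policy and subscription, and the existing Lambda notification must be removed before the SNS one is added, since both target the ObjectCreated event type.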

Need help with this?

We'd love to help you over at our Slack.

Conclusion

Congrats! You've successfully deployed the Dassana AWS app. Now, your AWS logs will be streamed to the Dassana security data lake and become instantly queryable. View the log references on the sidebar for sample queries to get you started.

Handling Failures

The Dassana AWS source includes automatic retries at the execution and invocation levels. However, sometimes retries aren't enough. A common example is when your Dassana token was rotated in the console but not updated in your Lambda configuration. Logs that fail to be delivered after exhausting your configured retry capacity will be sent to an SQS dead-letter queue (named YourStackName-DeadLetterQueue). You can send these logs back to Dassana by clicking 'Start DLQ redrive' in the SQS console.
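To make the retry-then-dead-letter path concrete, here is an added simulation that is not the Dassana AWS app's code. The ingestion endpoint is replaced by an in-memory fake so it runs offline; the attempt limit, the set of status codes treated as retryable, the early stop on a 401 (a rotated token cannot be fixed by retrying, so the record goes straight to the DLQ) and the DLQ message shape are all constructed assumptions. `redrive` plays the role of the 'Start DLQ redrive' button once the token has been corrected.

```python
"""Simulate delivery retries, dead-lettering and DLQ redrive for a log-forwarding Lambda.

Added example (not Dassana's code). FakeIngestion stands in for the HTTPS endpoint.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Status codes worth retrying (assumed); anything else is treated as permanent.
RETRYABLE = {429, 500, 502, 503, 504}


@dataclass
class FakeIngestion:
    """Constructed stand-in for the ingestion endpoint."""
    valid_token: str
    flaky_failures: int = 0          # how many 503s to return before accepting
    accepted: list = field(default_factory=list)

    def post(self, token: str, record: str) -> int:
        if token != self.valid_token:
            return 401               # rotated / wrong token
        if self.flaky_failures > 0:
            self.flaky_failures -= 1
            return 503               # transient outage
        self.accepted.append(record)
        return 200


def deliver(client: FakeIngestion, token: str, record: str, max_attempts: int = 3) -> tuple[bool, int, int]:
    """Try to send one record. Returns (delivered, attempts_used, last_status)."""
    status = 0
    attempt = 0
    for attempt in range(1, max_attempts + 1):
        status = client.post(token, record)
        if status == 200:
            return True, attempt, status
        if status not in RETRYABLE:
            break                    # e.g. 401: retrying cannot help, dead-letter now
    return False, attempt, status


def process_batch(client: FakeIngestion, token: str, records: list[str], dlq: list, max_attempts: int = 3) -> int:
    """Forward records; those that exhaust retries (or fail permanently) land in the DLQ."""
    delivered = 0
    for rec in records:
        ok, attempts, status = deliver(client, token, rec, max_attempts)
        if ok:
            delivered += 1
        else:
            dlq.append({"record": rec, "attempts": attempts, "last_status": status})
    return delivered


def redrive(client: FakeIngestion, token: str, dlq: list, max_attempts: int = 3) -> int:
    """Replay DLQ messages after the cause is fixed (e.g. token updated). Returns count redelivered."""
    remaining, redelivered = [], 0
    for msg in dlq:
        ok, attempts, status = deliver(client, token, msg["record"], max_attempts)
        if ok:
            redelivered += 1
        else:
            remaining.append({**msg, "attempts": msg["attempts"] + attempts, "last_status": status})
    dlq[:] = remaining               # messages still failing stay in the queue
    return redelivered


if __name__ == "__main__":
    # Constructed scenario: token rotated to "new", Lambda still configured with "old".
    endpoint = FakeIngestion(valid_token="new")
    dlq: list = []
    sent = process_batch(endpoint, "old", ["cloudtrail-1.json.gz", "cloudtrail-2.json.gz"], dlq)
    print(f"delivered={sent} dead_lettered={len(dlq)} -> {dlq}")
    # Operator updates the Lambda's token, then redrives the DLQ.
    print("redriven:", redrive(endpoint, "new", dlq), "remaining:", dlq)
```

The distinction the fake makes between a 503 and a 401 is the practical point: transient failures are absorbed by retries, while an authentication failure from a rotated token will fail every attempt, so the DLQ depth is the signal to watch after any token rotation.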

Source IDs

Log Type            Source ID
CloudTrail          aws_cloudtrail
VPC Flow            aws_vpc_flow
ALB Access          aws_alb
S3 Access           aws_waf
WAF                 aws_s3_access
Route53 Resolver    aws_route53_resolver
Network Firewall    aws_network_firewall