Amazon AWS infrastructure monitoring

This POC shows how the Wazuh module for AWS (aws-s3) enables log data gathering from different AWS sources.

To learn more about monitoring AWS resources, see the Using Wazuh to monitor AWS section of the documentation.

Configuration

Configure your environment as follows to test the POC.

  1. Enable aws-s3 wodle in the /var/ossec/etc/ossec.conf configuration file at the Wazuh manager.

    <wodle name="aws-s3">
  <disabled>no</disabled>
  <remove_from_bucket>no</remove_from_bucket>
  <interval>30m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>no</skip_on_error>
  <bucket type="cloudtrail">
      <name>wazuh-cloudtrail</name>
      <access_key>${replace_by_your_AwsAccessKey}</access_key>
      <secret_key>${replace_by_your_AwsSecretKey}</secret_key>
      <only_logs_after>2021-AUG-01</only_logs_after>
  </bucket>
  <bucket type="guardduty">
      <name>wazuh-aws-wodle</name>
      <path>guardduty</path>
      <access_key>${replace_by_your_AwsAccessKey}</access_key>
      <secret_key>${replace_by_your_AwsSecretKey}</secret_key>
      <only_logs_after>2021-AUG-01</only_logs_after>
  </bucket>
  <bucket type="custom">
      <name>wazuh-aws-wodle</name>
      <path>macie</path>
      <access_key>${replace_by_your_AwsAccessKey}</access_key>
      <secret_key>${replace_by_your_AwsSecretKey}</secret_key>
      <only_logs_after>2021-AUG-01</only_logs_after>
  </bucket>
  <bucket type="vpcflow">
      <name>wazuh-aws-wodle</name>
      <path>vpc</path>
      <access_key>${replace_by_your_AwsAccessKey}</access_key>
      <secret_key>${replace_by_your_AwsSecretKey}</secret_key>
      <only_logs_after>2021-AUG-01</only_logs_after>
  </bucket>
  <service type="inspector">
      <access_key>${replace_by_your_AwsAccessKey}</access_key>
      <secret_key>${replace_by_your_AwsSecretKey}</secret_key>
  </service>
</wodle>

  2. Restart Wazuh manager to apply changes.

    # systemctl restart wazuh-manager

Steps to generate the alerts

No action is required. Alerts are automatically generated from AWS logs when using out-of-the-box rules; they appear as soon as they are fetched from the AWS S3 bucket.

Query the alerts

You can visualize the alert data in the Wazuh Kibana plugin. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • rule.groups: "amazon"