Amazon Virtual Private Cloud (VPC)

Amazon Virtual Private Cloud (Amazon VPC) lets users provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Users have complete control over their virtual networking environment, including the selection of their IP address range, creation of subnets, and configuration of route tables and network gateways. Users can use both IPv4 and IPv6 in their VPC for secure and easy access to resources and applications.

Amazon configuration

The following sections cover how to configure the Amazon VPC service to integrate with Wazuh.

  1. Go to S3 buckets, select an existing S3 bucket or create a new one, then copy the Amazon Resource Name (ARN) of the S3 bucket.

  2. On your AWS console, go to Services > Compute > EC2.

  3. Go to Network & Security > Network Interfaces on the left menu. Select a network interface and select Create flow log on the Actions menu.

  4. Change all fields to look like the following screenshot and paste the Amazon Resource Name (ARN) of the previously created bucket.

Policy configuration

Follow the creating an AWS policy guide to create a policy using the Amazon Web Services console.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the AWS IAM user.

To allow an AWS user to use the Wazuh module for AWS with read-only permissions, it must have a policy like the following attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
            ]
        }
    ]
}

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>/*",
                 "arn:aws:s3:::<WAZUH_AWS_BUCKET>"
             ]
         }
     ]
 }

Note

<WAZUH_AWS_BUCKET> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

After creating a policy, you can attach it directly to a user or to a group to which the user belongs. In attaching a policy to an IAM user group, you see how to attach a policy to a group. More information on how to use other methods is available in the AWS documentation.

To allow an AWS user to execute the VPC integration, it must also have a policy like the following attached:

{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": "ec2:DescribeFlowLogs",
  "Resource": "*"
}

Configure Wazuh to process Amazon VPC logs

  1. Access the Wazuh configuration in Server management > Settings using the Wazuh dashboard or by manually editing the /var/ossec/etc/ossec.conf file in the Wazuh server or agent.

  2. Add the following Wazuh module for AWS configuration to the file, replacing <WAZUH_AWS_BUCKET> with the name of the S3 bucket:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
      <bucket type="vpcflow">
        <name><WAZUH_AWS_BUCKET></name>
        <aws_profile>default</aws_profile>
      </bucket>
    </wodle>
    

    Note

    In this example, the aws_profile authentication parameter was used. Check the credentials section to learn more about the different authentication options and how to use them.

  3. Save the changes and restart Wazuh to apply the changes. The service can be manually restarted using the following command outside the Wazuh dashboard:

    • Wazuh manager:

      # systemctl restart wazuh-manager
      
    • Wazuh agent:

      # systemctl restart wazuh-agent
      

Use cases

Using an Amazon VPC (Virtual Private Cloud), users can logically isolate some of their AWS assets from the rest of their cloud infrastructure. Users can set up their networks in the cloud. This is why it is usually important to monitor changes to their VPCs.

Create a VPC

If a VPC is created, the following alerts with rule ID 80202 will be shown on the Wazuh dashboard.

If a user without proper permissions attempts to create a VPC, the following alerts with rule ID 80203 will be shown on the Wazuh dashboard.

Working with VPC Data

A VPC alert contains data such as destination and source IP address, destination and source port, and how many bytes were sent.

These alerts can be easily analyzed by creating visualizations like the following one following the custom dashboard guide.

You can monitor your network with this visualization to identify peaks. Once a peak is identified, apply filters to view the alerts generated during that time and examine the communication between IP addresses. Since the IP address is a field in numerous AWS alerts, you may discover additional alerts and gain insights into the events that occurred.