AWS CloudTrail user activity logs to Elastic Cloud

Has anyone here successfully ingested AWS CloudTrail user activity logs into Elastic using CloudTrail integration and pulled data from SQS (CloudTrail -> S3 -> SQS with SNS enabled)?

I am specifically wondering about the permissions I need for IAM, S3, and SQS to enable an unrestricted log flow to Elastic.

Thanks for any useful pointers.

I do not use the integration as I collect the CloudTrail logs in a different way, but the permissions needed are listed here, in this part of the documentation.

Thanks @leandrojmp
I believe the IAM permissions are configured correctly. However, I'm encountering an issue with creating an S3 event notification to SQS. The error message states: 'The user likely does not have the necessary permissions to configure notifications for this S3 bucket. While the bucket itself may allow listing and accessing objects, permission to modify bucket properties and notifications is controlled separately.'
It's unusual to encounter this error, especially considering that I am the admin with root access to the AWS console. I've double-checked the permissions, and I believe I've correctly granted the necessary permissions for S3 to interact with SQS, as documented below.

The error disappeared after providing the correct account ID for the permissions on SNS and SQS.

    "StringEquals": {
        "aws:SourceAccount": "bucket-owner-account-id"
    }

The agent is now successfully receiving logs for SQS. However, the default integrated dashboard provided by Kibana is somewhat annoying and partially broken. I'm unable to modify it, but since there's that raw data, I can manage it differently.

Thanks!
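As an added example (not from the thread, the poster, or the Elastic integration), a small offline check for the misconfiguration resolved above: it parses an SQS queue or SNS topic access policy and flags an aws:SourceAccount that is still a placeholder, does not match the bucket owner, or is missing, and a missing or wrong aws:SourceArn. The sample policy, account id, queue and bucket names are constructed.

```python
import json
import re

# Constructed sample (not from the thread): an SQS queue access policy of the
# kind an S3 event notification needs. Account id and names are placeholders.
SAMPLE_QUEUE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:111122223333:cloudtrail-queue",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "bucket-owner-account-id"},
            "ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:cloudtrail-logs-bucket"},
        },
    }],
})

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # real AWS account ids are 12 digits

def _s3_statements(policy):
    """Yield Allow statements whose principal is the S3 service."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        svc = svc if isinstance(svc, list) else [svc]
        if stmt.get("Effect") == "Allow" and "s3.amazonaws.com" in svc:
            yield stmt

def check_s3_notification_policy(policy_json, expected_account, bucket_name):
    """Return findings (empty list = ok) for an SQS queue or SNS topic policy."""
    findings = []
    statements = list(_s3_statements(json.loads(policy_json)))
    if not statements:
        return ["no Allow statement for s3.amazonaws.com: S3 cannot deliver"]
    for stmt in statements:
        cond = stmt.get("Condition", {})
        account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if account is None:
            findings.append("missing aws:SourceAccount: any account's bucket could send")
        elif not ACCOUNT_ID_RE.match(str(account)):
            findings.append(f"aws:SourceAccount is a placeholder, not a 12-digit id: {account!r}")
        elif account != expected_account:
            findings.append(f"aws:SourceAccount {account} != bucket owner {expected_account}")
        arn = cond.get("ArnLike", {}).get("aws:SourceArn") or cond.get("ArnEquals", {}).get("aws:SourceArn")
        if arn is None:
            findings.append("missing aws:SourceArn: any bucket in the account could send")
        elif not arn.endswith(":" + bucket_name):
            findings.append(f"aws:SourceArn {arn} is not bucket {bucket_name}")
    return findings
```

Run it against the queue policy (and the SNS topic policy, whose S3 statement has the same shape) before creating the bucket notification; an empty result means both conditions are present and point at the real account and bucket.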
