Has anyone here successfully ingested AWS CloudTrail user activity logs into Elastic using CloudTrail integration and pulled data from SQS (CloudTrail -> S3 -> SQS with SNS enabled)?
I am specifically wondering about the permissions I need for IAM, S3, and SQS to enable an unrestricted log flow to Elastic.
I do not use the integration, as I collect the CloudTrail logs in a different way, but the permissions needed are listed here, in this part of the documentation.
Thanks @leandrojmp
I believe the IAM permissions are configured correctly. However, I'm encountering an issue with creating an S3 event notification to SQS. The error message states: 'The user likely does not have the necessary permissions to configure notifications for this S3 bucket. While the bucket itself may allow listing and accessing objects, permission to modify bucket properties and notifications is controlled separately.'
It's unusual to encounter this error, especially considering that I am the admin with root access to the AWS console. I've double-checked the permissions, and I believe I've correctly granted the necessary permissions for S3 to interact with SQS, as documented below.
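For anyone comparing their own setup against this, the three policy documents involved in a CloudTrail -> S3 -> SQS -> Elastic Agent flow are sketched below, together with a small check for the most common cause of S3 refusing to configure a notification to a queue: the queue's own resource policy not allowing `s3.amazonaws.com` to `sqs:SendMessage` for that bucket. This is an added example, not code from the thread or from Elastic; the account ID, region, bucket and queue names are placeholders, and the IAM action list for the agent is the one Elastic documents for the aws-s3 input in SQS mode.

```python
"""Build and sanity-check AWS policies for CloudTrail -> S3 -> SQS -> Elastic Agent.

Added example (not from the forum thread or from Elastic). All identifiers are
constructed placeholders; substitute your own before use.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"            # placeholder
REGION = "us-east-1"                   # placeholder
BUCKET = "example-cloudtrail-logs"     # placeholder
QUEUE_NAME = "cloudtrail-notifications"  # placeholder
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:{QUEUE_NAME}"


def sqs_queue_policy(queue_arn: str, bucket_arn: str, account_id: str) -> dict:
    """Resource policy for the queue: S3 may SendMessage, but only on behalf of
    our bucket and our account. S3 validates this when the notification is
    created; the aws:SourceArn/aws:SourceAccount conditions stop a bucket in
    another account from publishing into the queue (confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3EventNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": bucket_arn},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def agent_iam_policy(queue_arn: str, bucket_arn: str) -> dict:
    """Least-privilege identity policy for the agent's IAM user or role:
    consume the queue, read the referenced objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                        "sqs:ChangeMessageVisibility"],
             "Resource": queue_arn},
            {"Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"{bucket_arn}/*"},
        ],
    }


def s3_notification_configuration(queue_arn: str) -> dict:
    """Body for `aws s3api put-bucket-notification-configuration
    --notification-configuration file://notification.json`.
    CloudTrail writes gzip JSON under AWSLogs/, so filter on that."""
    return {
        "QueueConfigurations": [{
            "Id": "cloudtrail-to-sqs",
            "QueueArn": queue_arn,
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {"Key": {"FilterRules": [
                {"Name": "prefix", "Value": "AWSLogs/"},
                {"Name": "suffix", "Value": ".json.gz"},
            ]}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def queue_policy_allows_s3(policy: dict, queue_arn: str, bucket_arn: str) -> bool:
    """Does this queue policy (e.g. the Policy attribute returned by
    `aws sqs get-queue-attributes`) let S3 deliver events for bucket_arn?
    A statement with no aws:SourceArn condition is treated as allowing any
    bucket, which is permissive but does let the notification be created."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal != "*" and "s3.amazonaws.com" not in services:
            continue
        if not any(a in ("sqs:SendMessage", "sqs:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        if queue_arn not in _as_list(stmt.get("Resource")) and "*" not in _as_list(stmt.get("Resource")):
            continue
        patterns = [p for op in stmt.get("Condition", {}).values()
                    for key, val in op.items() if key.lower() == "aws:sourcearn"
                    for p in _as_list(val)]
        if not patterns or any(fnmatch.fnmatchcase(bucket_arn, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    policy = sqs_queue_policy(QUEUE_ARN, BUCKET_ARN, ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("queue accepts events from bucket:",
          queue_policy_allows_s3(policy, QUEUE_ARN, BUCKET_ARN))
```

Note that the bucket notification and the queue policy are two separate pieces of configuration: the console's S3 event-notification form writes the former, but will still be rejected if the latter does not grant S3 access, regardless of how much the calling user is allowed to do on the bucket itself.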
The agent is now successfully receiving logs from SQS. However, the default integrated dashboard provided by Kibana is somewhat annoying and partially broken. I'm unable to modify it, but since the raw data is there, I can manage it differently.