Amazon S3 Server Access

Amazon S3 Server Access Logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

Amazon configuration

  1. Create a new S3 bucket to store the access logs in it. If you want to use an existing one, skip this step.

  2. Go to Services > Storage > S3:

  3. Look for the S3 bucket you want to monitor and click on its name:

  4. Go to the Properties tab, scroll down until you find the Server access logging, and click on the Edit button:

  5. Check the Enable option, and click on the Browse S3 button to look for the bucket in which you want S3 Server Access logs to be stored:

    Note

    It is possible to store the S3 Server Access logs in the same bucket to be monitored. It is also possible to specify a custom path inside the bucket to store the logs in it.

  6. Finally, click on the Save changes. S3 Server Access logs will start to be stored in the specified path.

Policy configuration

To create a policy using the Amazon Web Services console, follow the AWS documentation.

Take into account that the policies below follow the principle of least privilege to ensure that only the minimum permissions are provided to the ThreatLockDown user.

To allow an AWS user to use the module with read-only permissions, it must have a policy like the following attached:

 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket"
             ],
             "Resource": [
                 "arn:aws:s3:::<bucket-name>/*",
                 "arn:aws:s3:::<bucket-name>"
             ]
         }
     ]
 }

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<bucket-name>/*",
                 "arn:aws:s3:::<bucket-name>"
             ]
         }
     ]
 }

Note

<bucket-name> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Once a policy has been created, there are different methods available to attach it to a user, such as attaching it directly or to a group to which the user belongs. More information on how to perform those tasks on the AWS documentation.

ThreatLockDown configuration

  1. Open the ThreatLockDown configuration file (/var/ossec/etc/ossec.conf) and add the following block:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
      <bucket type="server_access">
        <name>wazuh-aws-wodle</name>       <!-- PUT HERE THE S3 BUCKET CHOSEN IN STEP 5 -->
        <path>waf</path>                   <!-- PUT HERE THE PATH TO THE LOGS CHOSEN IN STEP 5 IF THE LOGS ARE NOT STORED IN THE BUCKET'S ROOT PATH -->
        <aws_profile>default</aws_profile>
      </bucket>
    </wodle>
    

    Note

    Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart ThreatLockDown in order to apply the changes:

    • If you're configuring a ThreatLockDown manager:

      # systemctl restart wazuh-manager
      
    • If you're configuring a ThreatLockDown agent:

      # systemctl restart wazuh-agent