– To integrate CloudWatch with Precinct, we need to create Access Keys (see: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html)
– The Access Keys need the following permissions:
  o CloudTrailAgentServerPolicy
  o CloudWatchAgentServerPolicy
– Enter the Access Key ID and Secret Access Key into the WitFoo Precinct UI at Admin -> SOAR -> Amazon Web Services Cloudwatch -> Config, click Enable, then click the Save icon.
As a quick overview, logging follows this workflow:
– The AWS network logs its communications to CloudWatch in CloudTrail format; this is enabled by default.
– CloudWatch agents installed on servers send their logs to CloudWatch (see: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-commandline-fleet.html)
  o Note that if you enable new services (Apache, mail, etc.) on a server, the CloudWatch agent configuration must also be updated to collect the logs for those services.
– Precinct then makes API calls to CloudWatch, using the integration above, to ingest and analyze all of those records.
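The sub-bullet about newly enabled services is the part of this workflow that silently breaks: a service turned on after the agent was configured ships nothing, and Precinct has no way to notice. The following is an added example, not WitFoo's or AWS's code. It builds the `logs` section of a CloudWatch agent config (the standard `logs.logs_collected.files.collect_list` schema) from a list of enabled services and then reports which enabled services have log files the config does not collect. The service-to-log-file mapping and the `precinct/<service>` log group naming are constructed assumptions for illustration.

```python
"""Generate the CloudWatch agent 'logs' section for the services on a host and
detect services whose logs are not being collected. Added example; the
service -> log file mapping below is constructed, not taken from any product."""
import json

# Constructed sample mapping: service name -> log files the agent should ship.
# Real paths vary by distribution; treat these as placeholders.
SERVICE_LOG_FILES = {
    "apache": ["/var/log/httpd/access_log", "/var/log/httpd/error_log"],
    "mail":   ["/var/log/maillog"],
    "sshd":   ["/var/log/secure"],
}


def build_agent_logs_config(enabled_services, log_group_prefix="precinct"):
    """Return a CloudWatch agent config dict with one collect_list entry per
    log file of every enabled service. Unknown services raise, so a typo in a
    service name does not silently leave its logs uncollected."""
    collect_list = []
    for svc in enabled_services:
        if svc not in SERVICE_LOG_FILES:
            raise ValueError(f"no log-file mapping for service {svc!r}")
        for path in SERVICE_LOG_FILES[svc]:
            collect_list.append({
                "file_path": path,
                # Assumed naming scheme; any log group name works.
                "log_group_name": f"{log_group_prefix}/{svc}",
                "log_stream_name": "{instance_id}",  # placeholder the agent expands
                "timezone": "UTC",
            })
    return {"logs": {"logs_collected": {"files": {"collect_list": collect_list}}}}


def uncollected_services(agent_config, enabled_services):
    """Return the enabled services that have at least one log file missing
    from the agent config. This is the check behind the caveat above: a
    service enabled after the agent was configured ships nothing."""
    collected = {
        entry["file_path"]
        for entry in agent_config.get("logs", {})
                                 .get("logs_collected", {})
                                 .get("files", {})
                                 .get("collect_list", [])
    }
    missing = []
    for svc in enabled_services:
        paths = SERVICE_LOG_FILES.get(svc, [])
        if not paths or any(p not in collected for p in paths):
            missing.append(svc)
    return missing


if __name__ == "__main__":
    # Agent was configured when only Apache was running...
    cfg = build_agent_logs_config(["apache"])
    print(json.dumps(cfg, indent=2))
    # ...then mail was enabled without touching the agent config.
    print("not collected:", uncollected_services(cfg, ["apache", "mail"]))
```

Run it on a host by replacing the constructed mapping with the services actually running there; a non-empty result from `uncollected_services` means the agent config needs to be regenerated and reloaded before those logs will reach CloudWatch and Precinct.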