How to Send AWS CloudWatch Logs to UC Berkeley Security

A knowledge base article about How to Send AWS CloudWatch Logs to UC Berkeley Security provided by the UC Berkeley IT Service Hub - Knowledge Portal

Sending AWS Logs to Security from a bCloud-managed AWS Account

AWS CloudWatch logs can be sent to Security’s CloudWatch log destinations using CloudWatch subscription filters. A CloudWatch Subscription Filter needs to be created for each CloudWatch LogGroup that will be sent to a Security CloudWatch log destination. Each CloudWatch LogGroup can have up to 2 CloudWatch Subscription Filters, and there is no additional cost for the filter.

The CloudWatch Subscription Filters must assume an IAM Role with permission to send logs to Security’s CloudWatch log destinations. An IAM Role named allow-send-cloudwatch-to-security has already been created in all bCloud-managed AWS Accounts.

It is not currently possible to assign an IAM Role to a CloudWatch Subscription Filter using the AWS Console. Instead, the AWS CLI, CloudFormation, Terraform, or another tool leveraging the AWS API must be used.

There are a few AWS services that do not currently support logging to a CloudWatch LogGroup, such as Application Load Balancers. Security is developing a process to accept these logs in the future.

What Logs should NOT be sent to Security

Security’s CloudWatch Logs Destinations

CloudWatch Subscription Filters can only send logs to a CloudWatch Logs destination in the same region. Security has created a CloudWatch log destination in all regions enabled in the bCloud AWS Organization. Their ARNs are available to campus bCloud users by emailing security-logs@berkeley.edu.

IAM Role assumed by CloudWatch to send logs to a Security CloudWatch log destination

A role has been created in all bCloud-managed AWS Accounts with the required permissions to send CloudWatch logs to a Security CloudWatch log destination. The ARN of this role is:

arn:aws:iam::<AWS Account ID>:role/allow-send-cloudwatch-to-security

<AWS Account ID> must be replaced with your AWS Account ID when you configure the subscription filter to send logs to Security.

How to Configure a CloudWatch Subscription Filter for Security’s Log Correlation Program

The following examples all use these parameters:

Parameter        Value                          Notes
LogGroup         /aws/lambda/my-lambda          Change to the name of the sending CloudWatch LogGroup
Filter Name      security-cloudwatch-logging    Subscription Filter name; do not change
Filter Pattern   ""                             CloudWatch Subscription Filters support Filter Patterns to limit which logs get sent. Unless requested by Security, set this to "" to send all logs.
AWS Region       us-west-2                      Change to the region of the sending CloudWatch LogGroup
AWS Account ID   111111111111                   Change to your AWS account ID

How to Configure a CloudWatch Subscription Filter using the AWS CLI

This command will create a CloudWatch Subscription Filter to send logs to Security. Parameters in angle brackets like <xxx> should be replaced with values matching your infrastructure. Run it with the CLI configured for the same region as the LogGroup (or pass --region <AWS Region>), because the destination must be in that region.

aws logs put-subscription-filter \
    --log-group-name "<LogGroup>" \
    --filter-name "<Filter Name>" \
    --filter-pattern "<Filter Pattern>" \
    --destination-arn "arn:aws:logs:<AWS Region>:<ISO log account number>:destination:security-cloudwatch-destination" \
    --role-arn "arn:aws:iam::<AWS Account ID>:role/allow-send-cloudwatch-to-security"

With example values:

aws logs put-subscription-filter \
    --log-group-name "/aws/lambda/my-lambda" \
    --filter-name "security-cloudwatch-logging" \
    --filter-pattern "" \
    --destination-arn "arn:aws:logs:us-west-2:<ISO log account number>:destination:security-cloudwatch-destination" \
    --role-arn "arn:aws:iam::111111111111:role/allow-send-cloudwatch-to-security"
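As an added example that is not part of this article or of bCloud's own tooling, the following Python (boto3) script generalizes the single put-subscription-filter call above to every LogGroup in a region: it builds the destination and role ARNs from the parameters, skips groups that already forward to Security or already hold the two-filter maximum, and defaults to a dry run. That boto3 is installed, that credentials for the bCloud-managed account are configured, and the ISO log account number itself are assumptions.

```python
# Added example (not from the article): plan and apply the Security subscription
# filter for every log group in one region. Assumes boto3 is installed and
# credentials for the bCloud-managed account are configured; iso_log_account is
# the value obtained from security-logs@berkeley.edu.
FILTER_NAME = "security-cloudwatch-logging"       # fixed name from the article
ROLE_NAME = "allow-send-cloudwatch-to-security"   # pre-created in bCloud accounts
DESTINATION_NAME = "security-cloudwatch-destination"
MAX_FILTERS_PER_GROUP = 2                         # CloudWatch limit per log group

def destination_arn(region, iso_log_account):
    return f"arn:aws:logs:{region}:{iso_log_account}:destination:{DESTINATION_NAME}"

def role_arn(account_id):
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"

def plan(groups, region, account_id, iso_log_account):
    # groups: log group name -> its existing filters (describe_subscription_filters
    # output). Returns put_subscription_filter kwargs to apply, plus skip reasons.
    wanted = destination_arn(region, iso_log_account)
    to_create, skipped = [], []
    for name, filters in groups.items():
        ours = [f for f in filters if f["filterName"] == FILTER_NAME]
        if ours and ours[0].get("destinationArn") == wanted:
            skipped.append(f"{name}: already forwarding to Security")
        elif ours:
            skipped.append(f"{name}: filter name used for another destination, review")
        elif len(filters) >= MAX_FILTERS_PER_GROUP:
            skipped.append(f"{name}: already has {MAX_FILTERS_PER_GROUP} filters, free one")
        else:
            to_create.append({"logGroupName": name, "filterName": FILTER_NAME,
                              "filterPattern": "",  # "" forwards every event
                              "destinationArn": wanted, "roleArn": role_arn(account_id)})
    return to_create, skipped

def apply(region, account_id, iso_log_account, dry_run=True):
    import boto3  # imported here so plan() stays usable without boto3
    logs = boto3.client("logs", region_name=region)
    groups = {}
    for page in logs.get_paginator("describe_log_groups").paginate():
        for g in page["logGroups"]:
            groups[g["logGroupName"]] = logs.describe_subscription_filters(
                logGroupName=g["logGroupName"])["subscriptionFilters"]
    to_create, skipped = plan(groups, region, account_id, iso_log_account)
    for params in to_create:
        print("would create" if dry_run else "creating", params["logGroupName"])
        if not dry_run:
            logs.put_subscription_filter(**params)
    return to_create, skipped
```

Run apply(...) first with dry_run=True to review the plan, then with dry_run=False to create the filters; groups reported as "review" already use the reserved filter name for some other destination and need a manual look.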

How to Configure a CloudWatch Subscription Filter using Terraform

The aws_cloudwatch_log_subscription_filter resource can be used to create a CloudWatch Subscription Filter for a CloudWatch LogGroup.

resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-to-security" {
  log_group_name  = "<LogGroup>"
  name            = "<Filter Name>"
  filter_pattern  = "<Filter Pattern>"
  destination_arn = "arn:aws:logs:<AWS Region>:<ISO log account number>:destination:security-cloudwatch-destination"
  role_arn        = "arn:aws:iam::<AWS Account ID>:role/allow-send-cloudwatch-to-security"
}

With example values:

resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-to-security" {
  log_group_name  = "/aws/lambda/my-lambda"
  name            = "security-cloudwatch-logging"
  filter_pattern  = ""
  destination_arn = "arn:aws:logs:us-west-2:<ISO log account number>:destination:security-cloudwatch-destination"
  role_arn        = "arn:aws:iam::111111111111:role/allow-send-cloudwatch-to-security"
}

How to Configure a CloudWatch Subscription Filter using CloudFormation

The AWS::Logs::SubscriptionFilter Type can be used in CloudFormation templates to create a CloudWatch Subscription Filter for a CloudWatch LogGroup.

Type: AWS::Logs::SubscriptionFilter
Properties:
  LogGroupName: <LogGroup>
  FilterName: <Filter Name>
  FilterPattern: <Filter Pattern>
  DestinationArn: arn:aws:logs:<AWS Region>:<ISO log account number>:destination:security-cloudwatch-destination
  RoleArn: arn:aws:iam::<AWS Account ID>:role/allow-send-cloudwatch-to-security

With example values:

Type: AWS::Logs::SubscriptionFilter
Properties:
  LogGroupName: /aws/lambda/my-lambda
  FilterName: security-cloudwatch-logging
  FilterPattern: ""
  DestinationArn: arn:aws:logs:us-west-2:<ISO log account number>:destination:security-cloudwatch-destination
  RoleArn: arn:aws:iam::111111111111:role/allow-send-cloudwatch-to-security