LogRhythm Setup with AWS
Architecture:
Procedure:
Step 1:
Create S3 bucket in Security-IRM.
Set the following bucket policy to allow CloudTrail to check the bucket ACL and put objects only under specific S3 paths:
Create a lifecycle configuration rule with a 1-day retention.
Step 2:
Create an SNS topic in the Master account.
Append the following access policy to allow CloudTrail to publish to the SNS topic and to allow Security-IRM to subscribe to it:
Step 3:
Create an SQS queue in Security-IRM and subscribe it to the SNS topic ARN from Step 2.
Step 4:
Create a KMS key in the Master account.
Append the following key policy statements to allow CloudTrail to generate KMS data keys for encrypting the logs placed in the S3 bucket, and to allow Security-IRM users to decrypt with the KMS key:
Step 5:
Create an organization trail in the Master account using the Security-IRM S3 bucket, the KMS key ARN and the SNS topic ARN from the steps above.
Step 6:
Create an IAM user in Security-IRM with S3 and SQS read-only permissions, and note down the access key ID and secret access key.
Step 7:
Update LogRhythm with the following details:
- IAM user access key ID
- IAM user secret access key
- S3 bucket logs path
- SQS queue ARN
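The Step 1 bucket policy is where a loose grant hurts most, since the bucket holds the whole organization's trail. The following is an added example, not part of the original page: it builds the CloudTrail bucket policy in the shape AWS documents (an `s3:GetBucketAcl` grant plus an `s3:PutObject` grant scoped to the `AWSLogs/` prefixes with the `bucket-owner-full-control` condition) and checks an existing policy for the common loosenings. The bucket name, account ID and organization ID are constructed placeholders.

```python
"""Step 1 bucket policy: a generator for the CloudTrail org-trail policy and a checker
that flags loosened variants. Added example; bucket, account and org IDs are placeholders."""
CLOUDTRAIL = "cloudtrail.amazonaws.com"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def cloudtrail_bucket_policy(bucket, account_id, org_id):
    """Least-privilege policy: CloudTrail may read the bucket ACL and write only under
    AWSLogs/<management-account>/ and AWSLogs/<org-id>/ with bucket-owner-full-control."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AclCheck", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:GetBucketAcl", "Resource": arn},
        {"Sid": "Write", "Effect": "Allow", "Principal": {"Service": CLOUDTRAIL},
         "Action": "s3:PutObject",
         "Resource": [f"{arn}/AWSLogs/{account_id}/*", f"{arn}/AWSLogs/{org_id}/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}


def check_bucket_policy(policy, bucket, account_id, org_id):
    """Return a list of findings; an empty list means the policy matches the Step 1 intent."""
    findings, acl_ok, put_ok = [], False, False
    prefixes = tuple(f"arn:aws:s3:::{bucket}/AWSLogs/{i}/" for i in (account_id, org_id))
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue  # Deny statements only tighten the policy
        principal = s.get("Principal")
        actions, resources = _as_list(s.get("Action", [])), _as_list(s.get("Resource", []))
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{s.get('Sid')}: Principal '*' lets any identity use {actions}")
            continue
        if not isinstance(principal, dict) or CLOUDTRAIL not in _as_list(principal.get("Service", [])):
            continue  # grants to principals other than CloudTrail are out of scope here
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            acl_ok = True
        if "s3:PutObject" in actions:
            acl = s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{s.get('Sid')}: PutObject lacks the bucket-owner-full-control condition")
            stray = [r for r in resources if not r.startswith(prefixes)]
            if stray:
                findings.append(f"{s.get('Sid')}: PutObject allowed outside the AWSLogs prefixes: {stray}")
            elif acl == "bucket-owner-full-control":
                put_ok = True
    if not acl_ok:
        findings.append("no s3:GetBucketAcl grant for CloudTrail")
    if not put_ok:
        findings.append("no correctly scoped s3:PutObject grant for CloudTrail")
    return findings
```

For a production trail, also add the `aws:SourceArn` condition naming the trail to both statements so that only this organization trail can use the grants.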