Ingesting Cloud Custodian Logs into Sumo Logic (Part 1)

A setup for Cloud Custodian to deliver its logs into Sumo Logic

In this story we cover every component needed to ship the logs from the S3 bucket into Sumo Logic. Cloud Custodian has no GUI or front end, and this is one way to send its output to the SIEM of your choice, parse the logs, and write whatever queries you need. With this approach we identify every non-compliant resource, compare against historical data to show improvement over time, tally all filtered items, check the health of the policies themselves, export the findings for each policy to hand to the development team for remediation, and build dashboards for encryption, tagging, or anything else. The point is that it gives you the insight to tell the story to your management and cloud governance committee.

[1] Create the S3 bucket: Let’s say you have 50+ AWS accounts. Consider creating one centralized bucket within the management plane (say, the Security account) and have Custodian send the output for all accounts to this S3 bucket. Enable default encryption and MFA delete on the bucket. Under Permissions, turn on Block Public Access. Create a bucket policy that allows the 50 accounts to Get and Put objects within this bucket. The bucket policy below is only for illustration purposes.

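As an added example (not the article's own policy), the following Python builds a bucket policy of the kind step [1] describes for a list of member account IDs and checks it for Allow statements that would undermine Block Public Access; the bucket name, the sample account IDs and the DenyInsecureTransport statement are assumptions.

```python
# Added example (not the article's policy): build and sanity-check the bucket
# policy for a centralized Cloud Custodian output bucket. Bucket name, account
# IDs and the DenyInsecureTransport statement are assumptions.
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_policy(bucket: str, account_ids: list[str]) -> dict:
    """Bucket policy letting each listed account Get and Put objects; principals
    are account roots, so each member account's IAM policies pick the role."""
    bad = [a for a in account_ids if not ACCOUNT_ID_RE.match(a)]
    if bad:
        raise ValueError(f"malformed AWS account ids: {bad}")
    principals = [f"arn:aws:iam::{a}:root" for a in sorted(set(account_ids))]
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the 50+ member accounts write and read Custodian output
                "Sid": "CustodianGetPutObjects",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": objects,
            },
            {   # assumption: refuse plaintext HTTP; the bucket holds findings
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def policy_findings(policy: dict) -> list[str]:
    """Flag Allow statements that would contradict 'block public access'."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"{st.get('Sid', '?')}: Allow to anonymous principal")
        actions = st.get("Action", [])
        if any(a in ("s3:*", "*") for a in ([actions] if isinstance(actions, str) else actions)):
            findings.append(f"{st.get('Sid', '?')}: Allow grants every S3 action")
    return findings
```

Apply the result with `aws s3api put-bucket-policy` after enabling default encryption, MFA delete and Block Public Access as the step describes.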

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.