AWS VPC
Introduction
Amazon Virtual Private Cloud (Amazon VPC) lets you create a private network for your AWS resources with full control over IP address ranges, subnets, and network configurations.
Getting Started
Compatibility
vuSmartMaps supports the tracking and analysis of performance, health, and security of your Amazon Virtual Private Cloud (VPC) environment.
Data Collection Method
vuSmartMaps collects AWS VPC data using an internal data collector. This agent collects data based on the source configuration.
Prerequisites
Dependent Configuration
To configure this O11ySource, create a 'credential' of type 'aws' under the 'Definition' tab.
Inputs for Configuring Data Source
- AWS Account ID: A 12-digit number, such as 012345678901, that uniquely identifies an AWS account.
- Bucket ARN: ARN of the AWS S3 bucket that will be polled with the list operation.
- AWS Credential: The Access Key ID and Secret Access Key associated with this credential.
- Bucket List Interval (in seconds): Time interval for polling the listing of the S3 bucket; defaults to 180 seconds.
Firewall Requirement
To collect data from this O11ySource, ensure the following ports are opened:
Source IP | Destination IP | Destination Port | Protocol | Direction |
---|---|---|---|---|
IP address(es) of the vuSmartMaps Server | AWS CloudWatch Endpoint | 443 | TCP | Outbound |
*Before providing the firewall requirements, please update the port based on the customer environment.
Configuring the Target
The user must have the following AWS credentials:
- Access Key ID: The identifier of an AWS access key. It is sent with API requests so that AWS can identify which access key is being used to authenticate and authorize the call.
- Secret Key: The Secret Access Key is the confidential half of an access key pair associated with an IAM user or service account. Together with the Access Key ID it is used to sign and authorize programmatic requests to AWS services, and it must be kept private.
- Bucket ARN: An Amazon Resource Name (ARN) is the unique identifier assigned to an S3 bucket within AWS.
The following IAM permissions are required in order to pull objects from S3:
- s3:GetObject: To retrieve an object from an Amazon S3 bucket
- s3:ListBucket: To list the objects within an Amazon S3 bucket. It grants permission to view the list of objects contained within the specified bucket
- s3:GetBucketLocation: To retrieve the location (region) of an Amazon S3 bucket. It grants permission to determine the AWS region where the specified bucket is located.
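The three permissions above, assembled into a least-privilege IAM policy from the Bucket ARN, as an added example that is not vuSmartMaps' or AWS's own code. It shows the detail that most often breaks such a policy: s3:ListBucket and s3:GetBucketLocation must name the bucket ARN itself, while s3:GetObject must name the objects in it (bucket ARN plus "/*"). The code assumes the standard "aws" partition, and the bucket name used in the test is a constructed placeholder.

```python
import json

# Bucket-level actions are evaluated against the bucket ARN; object-level
# actions are evaluated against the object ARNs (bucket ARN + "/*").
REQUIRED_BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
REQUIRED_OBJECT_ACTIONS = ["s3:GetObject"]

BUCKET_ARN_PREFIX = "arn:aws:s3:::"  # assumption: standard "aws" partition only


def flow_log_reader_policy(bucket_arn):
    """Return a least-privilege IAM policy document (as a dict) that lets the
    collector list the given bucket and read its objects, and nothing else."""
    name = bucket_arn[len(BUCKET_ARN_PREFIX):]
    # Refuse wildcards and object paths: the input must be a plain bucket ARN,
    # otherwise the policy would silently grant more than intended.
    if not bucket_arn.startswith(BUCKET_ARN_PREFIX) or not name or "*" in name or "/" in name:
        raise ValueError("expected a plain S3 bucket ARN such as arn:aws:s3:::my-bucket")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": REQUIRED_BUCKET_ACTIONS, "Resource": bucket_arn},
            {"Effect": "Allow", "Action": REQUIRED_OBJECT_ACTIONS, "Resource": bucket_arn + "/*"},
        ],
    }


def policy_json(bucket_arn):
    """Serialise the policy for pasting into the IAM console or CLI."""
    return json.dumps(flow_log_reader_policy(bucket_arn), indent=2)
```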
Configure Flow Logs to Collect from Amazon VPC
Flow Logs is an AWS feature that captures information about the IP traffic going to and from the network interfaces in a VPC, a subnet, or a single network interface. Flow Logs give visibility into the network traffic within your AWS infrastructure, so you can monitor and troubleshoot connectivity issues, analyze traffic patterns, and detect unwanted traffic. The steps to configure flow logs are:
- Sign in to the AWS Management Console and open the Amazon VPC console.
- From the navigation panel, choose the VPC for which you want to configure flow logs.
- In the VPC dashboard, select the "Flow Logs" tab, and then click on the "Create Flow Log" button.
- Configure the flow logs and make sure the destination is an AWS S3 bucket, where the logs will be stored.
- In the log record format, click on custom log format and select the standard attributes from the drop-down.
- Review the configuration settings, and then click "Create Flow Log" to create the flow log.
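A parser for the custom-format flow log files this configuration writes to S3, followed by a summary of rejected inbound flows, as an added example that is not part of the vuSmartMaps documentation or product. The header line, field set and sample records are constructed; the output keys follow the field names in the Metrics Collected table (AWS's hyphenated header names are mapped to underscores, and "start"/"end" to start_time/end_time).

```python
from collections import Counter

# Constructed sample of a custom-format VPC flow log file as delivered to S3.
# The first line is the header AWS writes for custom formats; its names use
# hyphens, whereas the metrics table on this page uses underscores.
SAMPLE_FLOW_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status flow-direction vpc-id
5 012345678901 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51234 22 6 4 256 1700000000 1700000060 REJECT OK ingress vpc-0abc
5 012345678901 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51235 3389 6 3 180 1700000000 1700000060 REJECT OK ingress vpc-0abc
5 012345678901 eni-0a1b2c3d 10.0.1.20 10.0.2.30 40000 53 17 2 120 1700000000 1700000060 ACCEPT OK egress vpc-0abc
5 012345678901 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA - vpc-0abc
"""

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol number -> protocolName
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(text):
    """Parse one custom-format flow log file into dicts keyed by this page's
    field names (srcaddr, dstport, log_status, start_time, protocolName, ...)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [name.replace("-", "_") for name in lines[0].split()]
    records = []
    for line in lines[1:]:
        values = line.split()
        if len(values) != len(header):
            continue  # malformed record: skip it rather than misalign fields
        rec = {}
        for name, value in zip(header, values):
            if value == "-":  # AWS writes '-' for fields absent from NODATA/SKIPDATA records
                rec[name] = None
            else:
                rec[name] = int(value) if name in INT_FIELDS else value
        rec["start_time"] = rec.pop("start", None)
        rec["end_time"] = rec.pop("end", None)
        proto = rec.get("protocol")
        rec["protocolName"] = None if proto is None else PROTOCOL_NAMES.get(proto, str(proto))
        records.append(rec)
    return records


def rejected_ingress_by_source(records):
    """Count REJECT ingress flows per source address. Only log_status OK records
    are counted: NODATA/SKIPDATA records carry no addresses or action."""
    counts = Counter()
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "REJECT" and rec["flow_direction"] == "ingress":
            counts[rec["srcaddr"]] += 1
    return dict(counts)
```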
Configuration Steps
- Enable the AWS VPC O11ySource.
- Select the Sources tab and press the + button to add a new AWS VPC instance to be monitored.
- Provide the required configurations:
  - *AWS Account ID
  - *Bucket ARN
  - *Credential
  - *Bucket List Interval (in seconds)
- Click Save to close the data source window.
- The Amazon VPC O11ySource will start polling the metrics/logs.
Metrics Collected
Name | Description | Data Type |
---|---|---|
@timestamp | The timestamp when the event was recorded in string format. | String |
timestamp | The precise timestamp of the event, including milliseconds. | DateTime64 |
account_id | The unique identifier of the account associated with the event. | String |
action | The action performed, such as network traffic direction or resource interaction. | LowCardinality(String) |
az_id | The availability zone identifier where the event occurred. | String |
bytes | The number of bytes transmitted in the event. | Float64 |
dstaddr | The destination IP address for the traffic flow. | String |
dstport | The destination port for the traffic flow. | UInt16 |
end_time | The timestamp indicating when the event or flow ended. | DateTime64 |
flow_direction | The direction of the flow, e.g., inbound or outbound. | LowCardinality(String) |
instance_id | The unique identifier of the instance associated with the event. | String |
interface_id | The network interface identifier associated with the event. | String |
log_status | The status of the log entry (e.g., success, failure). | LowCardinality(String) |
packets | The number of packets transmitted during the event. | UInt64 |
pkt_dst_aws_service | The AWS service associated with the destination IP in the traffic flow. | String |
pkt_dstaddr | The packet-level destination IP address. | String |
pkt_src_aws_service | The AWS service associated with the source IP in the traffic flow. | String |
pkt_srcaddr | The packet-level source IP address. | String |
protocol | The protocol number used in the flow (e.g., 6 for TCP, 17 for UDP). | UInt16 |
region | The AWS region where the event occurred. | LowCardinality(String) |
srcaddr | The source IP address for the traffic flow. | String |
srcport | The source port for the traffic flow. | UInt16 |
start_time | The timestamp indicating when the event or flow started. | DateTime64 |
sublocation_id | The identifier for a specific sublocation of the event (if applicable). | String |
sublocation_type | The type of sublocation, such as data center or zone type. | String |
subnet_id | The identifier of the subnet involved in the event. | String |
vpc_id | The identifier of the VPC associated with the event. | String |
country_name | The country name associated with the IP address. | String |
timezone | The timezone of the geographical location for the IP address. | String |
longitude | The longitude of the geographical location for the IP address. | String |
latitude | The latitude of the geographical location for the IP address. | String |
bu_id | The business unit identifier associated with the event. | String |
tenant_id | The tenant identifier associated with the event. | String |
protocolName | The human-readable name of the protocol (e.g., TCP, UDP). | String |
srcPortName | The human-readable name of the source port (if mapped). | String |
dstPortName | The human-readable name of the destination port (if mapped). | String |