Collect AWS IAM logs

This document explains how to ingest AWS Identity and Access Management (IAM) configuration data to Google Security Operations using the Third Party API feed.

The AWS IAM parser transforms the IAM entity data (users, groups, roles, and policies) into the structured Unified Data Model (UDM), extracting fields like user details, role information, permissions, and timestamps for consistent security analysis.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to AWS Console
  • Permissions to create IAM users and policies

Get Google SecOps IP ranges

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Make a note of the IP ranges displayed at the top of the page. These are the addresses Google SecOps connects from when it polls the AWS API; if you want to limit the feed user's access key to those addresses, add an aws:SourceIp condition to the policy you attach in the next section.

Create an IAM user with required permissions

To allow Google SecOps to retrieve AWS IAM data through the API, create an IAM user whose only permissions are read access to IAM. Grant that access either with the AWS managed policy IAMReadOnlyAccess (Option A) or with a custom least-privilege policy (Option B). The user exists only for the feed, so give it no console password and no other policies.

Option A: Attach the IAMReadOnlyAccess managed policy

  1. Create a User following the instructions in this guide: Creating an IAM user.
  2. Select the created User.
  3. Select the Security credentials tab.
  4. Click Create Access Key in the Access Keys section.
  5. Select Third-party service as Use case.
  6. Click Next.
    • Optional: Add a description tag.
  7. Click Create access key.
  8. Click Download .csv file to save the Access Key ID and Secret Access Key. The secret is displayed only once, so store the file in a controlled location; both values are needed when you configure the feed.
  9. Click Done.
  10. Select the Permissions tab.
  11. Click Add permissions in the Permissions policies section.
  12. Select Add permissions.
  13. Select Attach policies directly.
  14. Search for IAMReadOnlyAccess (AWS managed policy).
  15. Select the policy.
  16. Click Next.
  17. Click Add permissions.

Important: The IAMReadOnlyAccess policy includes all required permissions, listed below. It also grants read actions the feed does not use (all iam:Get* and iam:List* actions, plus credential-report generation and policy simulation); if that is wider than your standards allow, use Option B.

  • iam:GetUser
  • iam:ListUsers
  • iam:GetGroup
  • iam:ListGroups
  • iam:GetPolicy
  • iam:ListPolicies
  • iam:GetRole
  • iam:ListRoles
  • iam:ListAttachedUserPolicies
  • iam:ListAttachedGroupPolicies
  • iam:ListAttachedRolePolicies
  • iam:GetAccountSummary

Option B: Create a custom policy (least privilege)

If your security policy requires minimal permissions instead of the managed policy:

  1. In the AWS console, go to IAM > Policies > Create policy > JSON tab.
  2. Paste the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetUser",
            "iam:ListUsers",
            "iam:GetGroup",
            "iam:ListGroups",
            "iam:GetPolicy",
            "iam:ListPolicies",
            "iam:GetRole",
            "iam:ListRoles",
            "iam:ListAttachedUserPolicies",
            "iam:ListAttachedGroupPolicies",
            "iam:ListAttachedRolePolicies",
            "iam:GetAccountSummary"
          ],
          "Resource": "*"
        }
      ]
    }
    
  3. Click Next.
  4. Name the policy chronicle-iam-api-read-policy.
  5. Click Create policy.
  6. Create a User following the instructions in this guide: Creating an IAM user.
  7. Select the created User.
  8. Select the Security credentials tab.
  9. Click Create Access Key in the Access Keys section.
  10. Select Third-party service as Use case.
  11. Click Next.
    • Optional: Add a description tag.
  12. Click Create access key.
  13. Click Download .csv file to save the Access Key ID and Secret Access Key. The secret is shown only once; store the file in a controlled location, because both values are needed when you configure the feed.
  14. Click Done.
  15. Select the Permissions tab.
  16. Click Add permissions in the Permissions policies section.
  17. Select Add permissions.
  18. Select Attach policies directly.
  19. Search for and select chronicle-iam-api-read-policy.
  20. Click Next.
  21. Click Add permissions.
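
Before attaching either policy, it is worth confirming that what you pasted grants exactly the twelve read-only actions above and nothing wider. The following Python script is an added example (not Google SecOps or AWS tooling): `lint_feed_policy` is a hypothetical helper, `LEAST_PRIVILEGE_POLICY` is the Option B document above, and `OVERBROAD_POLICY` is a constructed bad paste that adds a wildcard and a write action.

```python
"""Lint a candidate IAM policy for the Google SecOps AWS IAM feed user.

Added example, not Google SecOps or AWS tooling. It checks that a policy
document grants exactly the twelve read-only actions listed on this page
and nothing wider, so an over-broad paste is caught before the policy is
attached to the feed user.
"""
import json
from typing import List

# The actions listed on this page for the feed user.
REQUIRED_ACTIONS = frozenset({
    "iam:GetUser", "iam:ListUsers",
    "iam:GetGroup", "iam:ListGroups",
    "iam:GetPolicy", "iam:ListPolicies",
    "iam:GetRole", "iam:ListRoles",
    "iam:ListAttachedUserPolicies",
    "iam:ListAttachedGroupPolicies",
    "iam:ListAttachedRolePolicies",
    "iam:GetAccountSummary",
})
# IAM matches action names case-insensitively, so compare lowercased.
_REQUIRED_LOWER = {a.lower(): a for a in REQUIRED_ACTIONS}

# The custom policy from Option B on this page.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": sorted(REQUIRED_ACTIONS),
                   "Resource": "*"}],
})

# Constructed sample of a bad paste: the feed statement plus a second
# statement carrying a wildcard and a write action.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:CreateAccessKey"],
         "Resource": "*"},
    ],
})


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_feed_policy(policy_json: str) -> List[str]:
    """Return human-readable findings; an empty list means the policy grants
    exactly the feed's required actions and nothing else.

    Resource is not checked: the List* actions the feed needs are not
    resource-scoped in IAM, so "*" is the expected value there.
    """
    findings: List[str] = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    granted = set()
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction allows everything not listed")
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not action.lower().startswith("iam:"):
                findings.append(f"statement {i}: non-IAM action {action!r}")
            elif action.lower() not in _REQUIRED_LOWER:
                findings.append(f"statement {i}: {action!r} is not needed by the feed")
            else:
                granted.add(_REQUIRED_LOWER[action.lower()])
    for missing in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing required action {missing!r}")
    return findings


if __name__ == "__main__":
    for name, doc in (("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("over-broad", OVERBROAD_POLICY)):
        print(name, lint_feed_policy(doc) or "OK")
```

Run it against the JSON you are about to paste; the Option B document produces no findings, while the constructed over-broad sample reports the wildcard and the unneeded iam:CreateAccessKey. Resource is deliberately left at "*" because the List* calls the feed makes are not resource-scoped.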

Configure a feed in Google SecOps to ingest IAM configuration data

The AWS IAM feed collects one IAM entity list per feed, selected by the API type field (Users, Roles, or Groups). To collect all IAM entities, create one feed for each API type, all using the AWS IAM log type.

  1. Go to Content Hub > Content Packs > Get Started.
  2. Click the Amazon Cloud Platform pack.
  3. Find the AWS IAM log type in the list.
  4. Select Third party API from the Source Type drop-down.
  5. Provide the following configuration details:
    • Username: The Access Key ID from the IAM user created earlier.
    • Secret: The Secret Access Key from the IAM user created earlier.
    • API type: Select the IAM entity list to collect: Users, Roles, or Groups.
    • Feed Name: A prepopulated value that identifies the feed (for example, AWS IAM Users).
    • Asset Namespace: Namespace associated with the feed.
    • Ingestion Labels: Labels applied to all events from this feed.
  6. Click Create feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

Using SIEM settings

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, AWS IAM API Configuration).
  5. Select Third party API as the Source type.
  6. Select AWS IAM as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:
    • Username: The Access Key ID from the IAM user created earlier.
    • Secret: The Secret Access Key from the IAM user created earlier.
    • API type: Select the IAM entity list to collect: Users, Roles, or Groups.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label to be applied to the events from this feed.
  9. Click Next.
  10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM mapping table

| Log Field | UDM Mapping | Logic |
|---|---|---|
| Group.CreateDate | entity.group.attribute.creation_time | Parsed as ISO8601 |
| Group.Path | entity.group.attribute.labels.value | Directly mapped |
| IsTruncated | entity.group.attribute.labels.value | Directly mapped |
| Marker | entity.group.attribute.labels.value | Directly mapped |
| Group.GroupName | entity.group.email_addresses | Merged |
| Group.GroupName | entity.group.group_display_name | Directly mapped |
| Group.GroupID | entity.group.product_object_id | Directly mapped |
| RoleLastUsed.Region | entity.location.name | Directly mapped |
| CreateDate | entity.resource.attribute.creation_time | Parsed as ISO8601 |
| MaxSessionDuration | entity.resource.attribute.labels.value | Directly mapped |
| Path | entity.resource.attribute.labels.value | Directly mapped |
| RoleLastUsed.LastUsedDate | entity.resource.attribute.labels.value | Directly mapped |
| AssumeRolePolicyDocument | entity.resource.attribute.permissions.name | Directly mapped |
| Description | entity.resource.attribute.roles.description | Directly mapped |
| RoleName | entity.resource.attribute.roles.name | Directly mapped |
| Arn | entity.resource.name | Directly mapped |
| Group.Arn | entity.resource.name | Directly mapped |
| RoleID | entity.resource.product_object_id | Directly mapped |
| CreateDate | entity.user.attribute.creation_time | Parsed as ISO8601 |
| PasswordLastUsed | entity.user.last_login_time | Parsed as ISO8601 |
| UserID | entity.user.product_object_id | Directly mapped |
| UserName | entity.user.userid | Directly mapped |
| PermissionsBoundary.PermissionsBoundaryArn | relations.entity.resource.attribute.labels.value | Directly mapped |
| PermissionsBoundary.PermissionsBoundaryType | relations.entity.resource.attribute.labels.value | Directly mapped |
| user.PermissionsBoundary.PermissionsBoundaryArn | relations.entity.resource.attribute.labels.value | Directly mapped |
| user.PermissionsBoundary.PermissionsBoundaryType | relations.entity.resource.attribute.labels.value | Directly mapped |
| user.Arn | relations.entity.resource.name | Directly mapped |
| user.CreateDate | relations.entity.user.attribute.creation_time | Parsed as ISO8601 |
| tag.Key | relations.entity.user.attribute.labels.key | Directly mapped |
| Path | relations.entity.user.attribute.labels.value | Directly mapped |
| tag.Value | relations.entity.user.attribute.labels.value | Directly mapped |
| user.Path | relations.entity.user.attribute.labels.value | Directly mapped |
| user.PasswordLastUsed | relations.entity.user.last_login_time | Parsed as ISO8601 |
| user.UserID | relations.entity.user.product_object_id | Directly mapped |
| user.UserName | relations.entity.user.userid | Directly mapped |
| N/A | entity.group.attribute.labels.key | Constant: is_truncated |
| N/A | entity.resource.attribute.cloud.environment | Constant: AMAZON_WEB_SERVICES |
| N/A | entity.resource.attribute.labels.key | Constant: max_session_duration |
| N/A | entity.resource.resource_subtype | Constant: User |
| N/A | entity.resource.resource_type | Constant: ACCESS_POLICY |
| N/A | metadata.entity_type | Constant: USER |
| N/A | metadata.product_name | Constant: AWS IAM |
| N/A | metadata.vendor_name | Constant: AWS |
| N/A | relations.direction | Constant: UNIDIRECTIONAL |
| N/A | relations.entity.resource.attribute.labels.key | Constant: permissions_boundary_arn |
| N/A | relations.entity.resource.resource_subtype | Constant: User |
| N/A | relations.entity.user.attribute.labels.key | Constant: path |
| N/A | relations.entity_type | Constant: USER |
| N/A | relations.relationship | Constant: MEMBER |
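
To make the table concrete, the Python below applies the user and role rows to two constructed records shaped like `aws iam get-user` and `aws iam get-role` output. It is an added illustration, not the Google SecOps parser: UDM field paths follow the table, while the AWS-side keys use the casing the IAM API actually returns (UserId, RoleId), which the table writes as UserID and RoleID. The sample ARNs, names and timestamps are invented. It also shows the one edge case worth knowing when you search these fields: a user that never had a console password has no PasswordLastUsed at all, so entity.user.last_login_time is simply absent rather than zero.

```python
"""Illustrate the UDM mapping table above for an IAM user and an IAM role.

Added example, not the Google SecOps parser. UDM field paths follow the
table; AWS-side key names follow the IAM API (UserId, RoleId), which the
table writes as UserID and RoleID.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records, shaped like `aws iam get-user` / `get-role` JSON.
SAMPLE_USER = {
    "Path": "/",
    "UserName": "secops-feed",
    "UserId": "AIDAEXAMPLEUSER0000001",
    "Arn": "arn:aws:iam::123456789012:user/secops-feed",
    "CreateDate": "2024-03-01T09:15:00Z",
    "PasswordLastUsed": "2024-05-20T14:02:11+00:00",
}
# Users that never had a console password carry no PasswordLastUsed key.
SAMPLE_API_ONLY_USER = {k: v for k, v in SAMPLE_USER.items() if k != "PasswordLastUsed"}

SAMPLE_ROLE = {
    "Path": "/service-role/",
    "RoleName": "app-deploy",
    "RoleId": "AROAEXAMPLEROLE0000001",
    "Arn": "arn:aws:iam::123456789012:role/service-role/app-deploy",
    "CreateDate": "2023-11-10T08:00:00Z",
    "Description": "Deploys the app from CI",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "codebuild.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    "RoleLastUsed": {"LastUsedDate": "2024-05-19T22:40:00Z", "Region": "us-east-1"},
}


def parse_iso8601(value: Optional[str]) -> Optional[int]:
    """'Parsed as ISO8601' in the table: return epoch seconds in UTC.

    AWS often renders timestamps with a trailing Z, which
    datetime.fromisoformat rejects before Python 3.11, so normalise it.
    """
    if not value:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def user_to_udm(user: dict) -> dict:
    """Rows of the table whose UDM path starts with entity.user or metadata."""
    return {
        "metadata": {"entity_type": "USER", "vendor_name": "AWS",
                     "product_name": "AWS IAM"},
        "entity": {"user": {
            "userid": user["UserName"],
            "product_object_id": user["UserId"],
            "attribute": {"creation_time": parse_iso8601(user.get("CreateDate"))},
            # Missing key -> None, so API-only users get no bogus login time.
            "last_login_time": parse_iso8601(user.get("PasswordLastUsed")),
        }},
    }


def role_to_udm(role: dict) -> dict:
    """Rows of the table whose UDM path starts with entity.resource or entity.location."""
    last_used = role.get("RoleLastUsed", {})
    return {
        "metadata": {"vendor_name": "AWS", "product_name": "AWS IAM"},
        "entity": {
            "location": {"name": last_used.get("Region")},
            "resource": {
                "name": role["Arn"],
                "product_object_id": role["RoleId"],
                "attribute": {
                    "cloud": {"environment": "AMAZON_WEB_SERVICES"},
                    "creation_time": parse_iso8601(role.get("CreateDate")),
                    "labels": [{"key": "max_session_duration",
                                "value": str(role["MaxSessionDuration"])}],
                    "roles": [{"name": role["RoleName"],
                               "description": role.get("Description")}],
                    # The trust policy lands in permissions.name as a string.
                    "permissions": [{"name": json.dumps(role["AssumeRolePolicyDocument"])}],
                },
            },
        },
    }


if __name__ == "__main__":
    print(json.dumps(user_to_udm(SAMPLE_USER), indent=2))
    print(json.dumps(role_to_udm(SAMPLE_ROLE), indent=2))
```

When writing searches or rules over this data, key on entity.user.userid (the IAM user name) and entity.resource.name (the role ARN) rather than on labels, since the table only fixes label keys for a few fields (max_session_duration, path, permissions_boundary_arn).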

Change Log

View the Change Log for this parser