Collect AWS S3 server access logs
This document explains how to collect AWS S3 server access logs by setting up a Google Security Operations feed. The parser extracts fields using grok patterns, handles potential JSON input, and maps the extracted fields to the UDM. It performs data transformations, type conversions, and conditional logic based on the presence and values of specific fields to ensure accurate UDM representation.
Before you begin
Ensure you have the following prerequisites:
- Google SecOps instance
- Privileged access to AWS
How to configure AWS S3 server access logging
Google SecOps supports log collection using Amazon S3 through Amazon SQS.
- Sign in to the AWS Management console.
- Access the Amazon S3 console.
- Go to Amazon S3 > Buckets.
- Select an existing bucket or create a new one.
- Click Properties.
- In the Server access logging section, click Edit.
- Select Enable.
- In the Target bucket field, enter a name for the new bucket to send the log record objects to or select an existing bucket as the target.
- Click Save changes.
- To create the SQS queue for the S3 bucket, configure an Amazon SQS instance with the S3 storage. For more information, see Configuring a bucket for notifications (SNS topic or SQS queue).
Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:
- For information about any logging source, see AWS Identity and Access Management endpoints and quotas.
- For information about S3 logging sources, see Amazon Simple Storage Service endpoints and quotas.
- For information about SQS logging sources, see Amazon Simple Queue Service endpoints and quotas.
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds > Add New Feed
- Content Hub > Content Packs > Get Started
How to set up the AWS S3 Service Access feed
- Click the Amazon Cloud Platform pack.
- Locate the AWS S3 Service Access log type.
- Google SecOps supports log collection using an access key ID and secret method. To create the access key ID and secret, see Configure tool authentication with AWS.
- Specify the values in the following fields:
  - Source Type: Amazon SQS V2
  - Queue Name: The SQS queue name to read from.
  - S3 URI: The bucket URI.
    - s3://your-log-bucket-name/
      - Replace your-log-bucket-name with the actual name of your S3 bucket.
  - Source deletion options: Select the deletion option according to your ingestion preferences.
  - Maximum File Age: Include files modified in the last number of days. Default is 180 days.
  - SQS Queue Access Key ID: An account access key that is a 20-character alphanumeric string.
  - SQS Queue Secret Access Key: An account access key that is a 40-character alphanumeric string.
  - Advanced options
    - Feed Name: A prepopulated value that identifies the feed.
    - Asset Namespace: Namespace associated with the feed.
    - Ingestion Labels: Labels applied to all events from this feed.
- Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
UDM Mapping Table
| Log Field | UDM Mapping | Logic | 
|---|---|---|
| aclRequired | target.resource.attribute.labels.key: "aclRequired"; target.resource.attribute.labels.value: value of aclRequired | Directly mapped from the raw log field aclRequired. |
| authenticationtype | extensions.auth.auth_details | Directly mapped from the raw log field authenticationtype. |
| bucket | target.resource.name | Directly mapped from the raw log field bucket. |
| bucket | target.resource.resource_type: "STORAGE_BUCKET" | The parser sets the resource_type to "STORAGE_BUCKET" if the bucket field is present. |
| bucketowner | target.resource.product_object_id | Directly mapped from the raw log field bucketowner. |
| bytes_sent | network.sent_bytes | Directly mapped from the raw log field bytes_sent after converting it to an unsigned integer and replacing "-" with "0". |
| ciphersuite | network.application_protocol: "HTTPS" | The parser sets the application_protocol to "HTTPS" if the ciphersuite field is present. |
| ciphersuite | network.tls.cipher | Directly mapped from the raw log field ciphersuite. |
| errorcode | security_result.action_details | Directly mapped from the raw log field errorcode. |
| errorcode | security_result.action: "BLOCK" | The parser sets the action to "BLOCK" if the errorcode field contains "AccessDenied" (case-insensitive). |
| hostheader | target.hostname | Extracted from the raw log field hostheader, with the port number removed if one is present. |
| hostheader | target.port | Extracted from the raw log field hostheader if a port number is present. |
| hostid | target.resource.attribute.labels.key: "S3 Extended Request ID"; target.resource.attribute.labels.value: value of hostid | Directly mapped from the raw log field hostid. |
| http_capture | network.http.method | The HTTP method is extracted from the http_capture field. |
| http_capture | network.http.version | The HTTP version is extracted from the http_capture field. |
| http_capture | target.url | The target URL is constructed from hostheader and http_request_uri (extracted from http_capture), prefixed with "http://" or "https://" depending on the presence of ciphersuite. |
| httpstatus | network.http.response_code | Directly mapped from the raw log field httpstatus after converting it to an integer. |
| object_version_id | target.resource.product_object_id | Directly mapped from the raw log field object_version_id. |
| objectsize | target.file.size | Directly mapped from the raw log field objectsize after converting it to an unsigned integer and replacing "-" with "0". |
| operation | metadata.product_event_type | Directly mapped from the raw log field operation. |
| referrer | network.http.referral_url | Directly mapped from the raw log field referrer after removing quotes. |
| remoteip | metadata.event_type: "USER_RESOURCE_ACCESS" | The parser sets the event_type to "USER_RESOURCE_ACCESS" if the remoteip field is empty. |
| remoteip | principal.ip | Directly mapped from the raw log field remoteip. |
| requester | target.resource.attribute.labels.key: "Access Point ARN"; target.resource.attribute.labels.value: value of requester | Directly mapped from the raw log field requester. |
| requester_user | principal.user.userid | Directly mapped from the raw log field requester_user. |
| requestid | network.session_id | Directly mapped from the raw log field requestid. |
| request_time_ms | network.session_duration.nanos | Directly mapped from the raw log field request_time_ms after converting it to an integer, replacing "-" with "0", and padding with zeros to represent nanoseconds. |
| signatureversion | target.resource.attribute.labels.key: "Signature Version"; target.resource.attribute.labels.value: value of signatureversion | Directly mapped from the raw log field signatureversion. |
| time | metadata.event_timestamp | Parsed from the raw log field time and converted to a timestamp. |
| tlsVersion | network.tls.version | Directly mapped from the raw log field tlsVersion. |
| useragent | network.http.user_agent | Directly mapped from the raw log field useragent after removing quotes. |
| (Parser Logic) | metadata.event_type: "NETWORK_HTTP" | The parser sets the default event_type to "NETWORK_HTTP". |
| (Parser Logic) | metadata.log_type: "AWS_S3_SERVER_ACCESS" | The parser sets the log_type to "AWS_S3_SERVER_ACCESS". |
| (Parser Logic) | metadata.product_name: "AWS S3 Server Access" | The parser sets the product_name to "AWS S3 Server Access". |
| (Parser Logic) | metadata.product_version: "HTTP/http_version" | The parser sets the product_version using the extracted http_version. |
| (Parser Logic) | metadata.vendor_name: "AMAZON" | The parser sets the vendor_name to "AMAZON". |
| (Parser Logic) | network.application_protocol: "HTTP" | The parser sets the application_protocol to "HTTP" if the ciphersuite field is not present. |
| (Parser Logic) | timestamp | The parser sets the event timestamp to the current time when the event is processed. |
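As an added illustration (not the Google SecOps parser itself), the following Python reproduces the mapping logic in the table above for one constructed S3 server access record: the "-" to 0 conversions, the hostheader port split, the ciphersuite-driven HTTP/HTTPS choice and URL prefix, the AccessDenied to BLOCK rule, and the millisecond to nanosecond padding. The column order follows the S3 server access log format; treating a "-" remoteip as the "empty" value the table refers to is an assumption.

```python
import re
from datetime import datetime, timezone

# Column order of an S3 server access log record; "-" marks an absent value.
FIELDS = ("bucketowner bucket time remoteip requester requestid operation key "
          "http_capture httpstatus errorcode bytes_sent objectsize request_time_ms "
          "turnaroundtime referrer useragent object_version_id hostid signatureversion "
          "ciphersuite authenticationtype hostheader tlsVersion").split()
# One token per column: a [bracketed] time, a "quoted" string, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# Constructed sample record (placeholder IDs, documentation IP); not a real log line.
SAMPLE = ('OWNERIDEXAMPLE example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 '
          'REQUESTERIDEXAMPLE REQUESTIDEXAMPLE REST.GET.OBJECT reports/q1.csv '
          '"GET /reports/q1.csv HTTP/1.1" 403 AccessDenied - 2048 12 - "-" "aws-cli/2.0" '
          '- HOSTIDEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
          'example-bucket.s3.us-west-1.amazonaws.com:443 TLSv1.2 - -')

def parse_line(line):
    """Split one record into named raw fields; trailing extra columns are ignored."""
    return dict(zip(FIELDS, TOKEN.findall(line)))

def dash_to_int(value):
    """Numeric columns use "-" for none; the table maps that to 0."""
    return 0 if value == "-" else int(value)

def to_udm(raw):
    """Apply the mapping rules from the table above; keys are dotted UDM paths."""
    udm = {"metadata.log_type": "AWS_S3_SERVER_ACCESS", "metadata.vendor_name": "AMAZON",
           "metadata.product_name": "AWS S3 Server Access", "metadata.event_type": "NETWORK_HTTP"}
    udm["metadata.event_timestamp"] = datetime.strptime(
        raw["time"].strip("[]"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    method, uri, proto = raw["http_capture"].strip('"').split(" ", 2)
    udm["network.http.method"], udm["network.http.version"] = method, proto.split("/")[1]
    udm["metadata.product_version"] = "HTTP/" + udm["network.http.version"]
    udm["network.http.response_code"] = int(raw["httpstatus"])
    udm["network.sent_bytes"] = dash_to_int(raw["bytes_sent"])
    udm["target.file.size"] = dash_to_int(raw["objectsize"])
    udm["network.session_duration.nanos"] = dash_to_int(raw["request_time_ms"]) * 1_000_000
    host, _, port = raw["hostheader"].partition(":")  # hostheader may carry a port
    udm["target.hostname"] = host
    if port:
        udm["target.port"] = int(port)
    secure = raw["ciphersuite"] != "-"  # a TLS cipher in the record means HTTPS
    udm["network.application_protocol"] = "HTTPS" if secure else "HTTP"
    udm["target.url"] = ("https://" if secure else "http://") + raw["hostheader"] + uri
    if raw["remoteip"] == "-":  # assumption: "-" is the "empty" remoteip of the table
        udm["metadata.event_type"] = "USER_RESOURCE_ACCESS"
    else:
        udm["principal.ip"] = raw["remoteip"]
    if "accessdenied" in raw["errorcode"].lower():
        udm["security_result.action"] = "BLOCK"
    return udm
```

Running `to_udm(parse_line(SAMPLE))` on the constructed record yields a BLOCK action with an HTTPS URL and a 443 target port, which is the shape to expect from a denied request over TLS.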