Skip to main content
Solved

AWS Context EC2 / IAM Logs SECOPS

  • December 22, 2025
  • 3 replies
  • 92 views
Uppin
Forum|alt.badge.img+1

We are facing the issue where we are not able to ingest the AWS EC2 , ECS , IAM and VPC, We are using these logs types as AWS context data to enrich the Guarduty and Cloudtrail logs. 

We are using the thirdparty api to ingest the logs and providing the access and secret key to fetech the data and relevant permission are already in place.

Does anybody faced the same issue?

Best answer by bweidel

Hi ​@Uppin, Google Support is really good at helping with keys and troubleshooting keys, if you need assistance there. 

I have also seen cases where cloud providers might not allow their data to be exported, if classified as compliance data such as FedRAMP for example, they may not allow any external export of that data.  You might want to verify you can manually pull anything from that cloud service?  Just trying to see if it’s a sending issue or a receiving issue.

I do still lean toward you probably will need to dump the AWS data to a bucket before accessing, which is the most common way we typically see ingestion of this type of data. Our documentation for setting up ingestion of AWS Guard-Duty & AWS Cloudtrail both have steps where we pull from the S3 Bucket. I don’t think AWS allows direct 3P API to pull from their cloud directly and export to external SIEM. 
https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/guard-duty
https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/aws-cloudtrail

If you do a Google Search: “Can you ingest AWS EC2 metadata via an API from AWS EC2 to external SIEM?” It says:  “Yes, you can ingest AWS EC2 metadata into an external SIEM, but not by a direct API pull from the EC2 instance itself to an external destination. Instead, you need to use a multi-step process involving AWS services and a data forwarding mechanism. The Instance Metadata Service (IMDS) is only accessible from within the instance.“  Of course you should reach out to AWS to verify.

    3 replies

    bweidel
    Staff
    Forum|alt.badge.img+1
    • bweidel
    • Staff
    • December 23, 2025

    To ingest AWS services into Google SecOps, you generally do not connect directly to the service (e.g., there is no direct "Connect to EC2" button). Instead, you configure AWS to dump logs into an S3 Bucket, and then configure Google SecOps to read from that bucket.

    Here is the breakdown of how to ingest each specific service you requested.

    1. AWS IAM & EC2/ECS (Management Events)

    Ingestion Method: AWS CloudTrail

    To monitor IAM (user activity, role changes) and the "Management" side of EC2/ECS (instances starting, containers deploying), you use CloudTrail.

    • AWS Side:

      1. Enable CloudTrail.

      2. Configure it to export logs to an S3 Bucket.

      3. (Optional but recommended) Configure an SQS queue to receive notifications when new logs arrive in the bucket (this makes ingestion faster/near real-time).

    • Google SecOps Side:

      1. Go to Settings > Feeds.

      2. Source Type: Amazon S3 (or Amazon SQS if you set up the queue).

      3. Log Type: AWS_CLOUDTRAIL.

    2. AWS VPC (Network Traffic)

    Ingestion Method: VPC Flow Logs

    To see network traffic (accept/reject traffic between IPs/Interfaces), you use Flow Logs.

    • AWS Side:

      1. Go to your VPC dashboard.

      2. Select your VPCs and create a Flow Log.

      3. Destination: Send to an S3 Bucket.

      4. Format: Use the default AWS format or compatible JSON/CSV.

    • Google SecOps Side:

      1. Go to Settings > Feeds.

      2. Source Type: Amazon S3.

      3. Log Type: AWS_VPC_FLOW.

    3. AWS EC2 (Instance/OS Logs)

    Ingestion Method: Agent or Forwarder

    "EC2 ingestion" is ambiguous. If you want to see who created the VM, use CloudTrail (Step 1). If you want to see the Linux/Windows logs inside the VM (SSH logins, sudo commands, PowerShell):

    • Method A (Agent - Preferred): Install the Google BindPlane agent or the legacy Chronicle Forwarder on the EC2 instances. Configure them to send Syslog/Windows Event Logs directly to your SecOps forwarder endpoint.

      • Log Type: NIX_SYSTEM, WINEVTLOG, etc.

    • Method B (Agentless - S3): Install the CloudWatch agent on instances -> send logs to CloudWatch -> Export CloudWatch to S3 -> Ingest S3 into SecOps.

      • Log Type: Depends on the OS (e.g., LINUX_SYSLOG).

    4. AWS ECS (Container Logs)

    Ingestion Method: FireLens or CloudWatch export

    • Management: To see task definitions being updated or services scaling, use CloudTrail (Step 1).

    • Application Logs: To see the stdout/stderr from the containers themselves:

      • AWS Side: Configure your ECS Task Definition to use the awslogs driver (sending logs to CloudWatch) or firelens (custom routing).

      • Pipeline: CloudWatch Logs -> Kinesis Firehose -> S3 Bucket.

      • Google SecOps Side: Create a feed for that S3 bucket.

      • Log Type: This is custom. If your apps output JSON, use a generic JSON parser or build a custom parser. If they are standard web servers (Nginx/Apache), use NGINX_ACCESS or APACHE_ACCESS.

    Critical Step: Authentication

    For Google SecOps to access your S3 buckets, you must create an IAM User (or Role) in AWS with s3:GetObject and s3:ListBucket permissions for those specific buckets. You will need to copy the Access Key ID and Secret Access Key into the Feed configuration in Google SecOps.

    Uppin
    Forum|alt.badge.img+1
    • Uppin
    • Author
    • New Member
    • December 28, 2025

    @bweidel Thanks for sharing the detailed integration steps.

    In my case i’m referring to AWS Context data which pulls the metadata of ec2 , ecs, vpc & IAM as this can be integrated via the API integration as per the google docs. 

    If you go to the feeds and select api integration will see aws ec2 and so on feeds where we need to provide the access and secret key.

    bweidel
    Staff
    Forum|alt.badge.img+1
    • bweidel
    • Staff
    • Answer
    • December 30, 2025

    Hi ​@Uppin, Google Support is really good at helping with keys and troubleshooting keys, if you need assistance there. 

    I have also seen cases where cloud providers might not allow their data to be exported, if classified as compliance data such as FedRAMP for example, they may not allow any external export of that data.  You might want to verify you can manually pull anything from that cloud service?  Just trying to see if it’s a sending issue or a receiving issue.

    I do still lean toward you probably will need to dump the AWS data to a bucket before accessing, which is the most common way we typically see ingestion of this type of data. Our documentation for setting up ingestion of AWS Guard-Duty & AWS Cloudtrail both have steps where we pull from the S3 Bucket. I don’t think AWS allows direct 3P API to pull from their cloud directly and export to external SIEM. 
    https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/guard-duty
    https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/aws-cloudtrail

    If you do a Google Search: “Can you ingest AWS EC2 metadata via an API from AWS EC2 to external SIEM?” It says:  “Yes, you can ingest AWS EC2 metadata into an external SIEM, but not by a direct API pull from the EC2 instance itself to an external destination. Instead, you need to use a multi-step process involving AWS services and a data forwarding mechanism. The Instance Metadata Service (IMDS) is only accessible from within the instance.“  Of course you should reach out to AWS to verify.

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.