Using AWS SQS v2 via Federated IDs to ingest logs to GSecOps
I have been trying to ingest AWS Cloudtrail logs into google secops using Federated IDs, I have gone through all the documentation of creating an IAM role, attaching policies as well as setting up Trust relationship for the same and SQS policy too but still I have not been able to have any success. Would really appreciate if I can get some eyes on this.
I have looked at similar conversations on the community and tweaked by implementation as per that but still havent had any luck
Adding my IAM Role details below and :
- IAM Trust Policy
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:sub": "SUBJECT_ID_FROM_STEP_1"
}
}
}
]
}
- IAM permissions with the policies attached:
- S3FullAccess
- SQSFullAccess
- Custom Policy for Google Secops cloudtrail role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject","s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::AWS_BUCKET_NAME/*",
"arn:aws:s3:::AWS_BUCKET_NAME"
]
},
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME"
}
]
}
SQS queue role below :
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_ID:role/ROLE_NAME"
},
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage"
],
"Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME"
}
- Also, I have already setup AWS Cloudtrail Feed with source type AMAZON_SQS_V2 and after setting this up is where I got my Subject ID from.
