Amazon Web Services (AWS) Integration

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/wazuh/wazuh-dashboard-plugins/llms.txt

Use this file to discover all available pages before exploring further.

​

Overview

​

Supported AWS Services

• CloudTrail - API activity and governance logs
• S3 - Storage bucket access and operations
• VPC Flow Logs - Network traffic monitoring
• GuardDuty - Threat detection service events
• CloudWatch - Monitoring and logging events
• IAM - Identity and access management activities
• EC2 - Compute instance events
• Config - Resource configuration tracking
• WAF - Web Application Firewall logs
• Inspector - Security assessment findings
• Macie - Data security and privacy events

​

Key Features

• Real-time security event collection via AWS API
• Multi-account monitoring support
• Multi-region event aggregation
• S3 bucket-based log ingestion
• Automatic event parsing and enrichment
• Pre-built dashboards and visualizations

​

Data Source Configuration

const AWS_GROUP_KEY = 'wazuh.integration.name';
const AWS_GROUP_VALUE = 'aws';

​

Event Fields

• data.aws.source - AWS service source (CloudTrail, S3, etc.)
• data.aws.accountId - AWS account identifier
• data.aws.region - AWS region where event occurred
• data.aws.log_info.s3bucket - S3 bucket containing logs

​

Setup and Configuration

​

Prerequisites

• AWS account with appropriate permissions
• Wazuh manager with AWS module enabled
• API credentials (Access Key ID and Secret Access Key)
• S3 buckets configured for log storage (optional)

​

Configuration Steps

1. Create IAM User
   • Create a dedicated IAM user for Wazuh integration
   • Attach appropriate policies for log access
   • Generate access keys
2. Configure Required Permissions
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "s3:GetObject",
           "cloudtrail:LookupEvents",
           "cloudtrail:GetTrailStatus",
           "guardduty:ListDetectors",
           "guardduty:GetFindings",
           "guardduty:ListFindings"
         ],
         "Resource": "*"
       }
     ]
   }
   
3. Configure Wazuh Manager
   • Edit /var/ossec/etc/ossec.conf
   • Add AWS module configuration
   • Specify credentials and services to monitor
4. Enable AWS Integration
   <wodle name="aws-s3">
     <disabled>no</disabled>
     <interval>10m</interval>
     <run_on_start>yes</run_on_start>
     <skip_on_error>yes</skip_on_error>
     <bucket type="cloudtrail">
       <name>your-cloudtrail-bucket</name>
       <access_key>YOUR_ACCESS_KEY</access_key>
       <secret_key>YOUR_SECRET_KEY</secret_key>
     </bucket>
   </wodle>
   
5. Verify Configuration
   • Restart Wazuh manager
   • Check logs for successful connection
   • Verify events appear in dashboard

​

Dashboard Visualizations

​

Overview Dashboard

• Sources - Pie chart showing top AWS services generating events
• Accounts - Distribution of events across AWS accounts
• Buckets - Top S3 buckets by event volume
• Regions - Geographic distribution of AWS events
• Events Over Time - Timeline of AWS security events

• plugins/main/public/components/overview/amazon-web-services/dashboards/dashboard_panels.ts:8
• plugins/main/public/components/overview/amazon-web-services/dashboards/dashboard_panels.ts:69
• plugins/main/public/components/overview/amazon-web-services/dashboards/dashboard_panels.ts:132

​

Filtering Events

wazuh.integration.name: "aws"

• By service: data.aws.source: "cloudtrail"
• By account: data.aws.accountId: "123456789012"
• By region: data.aws.region: "us-east-1"
• By S3 bucket: data.aws.log_info.s3bucket: "my-logs-bucket"

​

Use Cases

​

Security Monitoring

• Track unauthorized API calls
• Monitor privilege escalation attempts
• Detect suspicious IAM activities
• Identify unusual data access patterns

​

Compliance Auditing

• PCI DSS compliance monitoring
• HIPAA audit trail verification
• GDPR data access logging
• SOC 2 access control validation

​

Threat Detection

• GuardDuty findings analysis
• Anomalous network traffic detection
• Malicious IP address identification
• Cryptocurrency mining detection

​

Operational Monitoring

• Resource provisioning tracking
• Configuration change detection
• Service availability monitoring
• Cost optimization insights

​

Troubleshooting

​

No Events Appearing

• Verify AWS credentials are correct
• Check IAM permissions are sufficient
• Ensure AWS module is enabled in Wazuh
• Verify S3 bucket names and paths
• Check network connectivity to AWS API

​

Missing Events from Specific Services

• Confirm service logging is enabled in AWS
• Verify logs are being written to S3
• Check CloudTrail configuration
• Ensure service is supported by integration

​

Performance Issues

• Adjust polling intervals
• Configure specific services instead of all services
• Use S3-based log collection for high volume
• Implement log filtering at source

​

Security Best Practices

1. Use Least Privilege - Grant only necessary permissions
2. Rotate Credentials - Regularly rotate access keys
3. Enable MFA - Require multi-factor authentication
4. Monitor the Monitor - Track integration access patterns
5. Encrypt Credentials - Store credentials securely
6. Use IAM Roles - Prefer roles over static credentials when possible

​

Related Resources

• Cloud Integrations Overview
• Google Cloud Integration
• Threat Hunting
• Compliance Modules