Sumo Logic Security Integrations on the AWS Cloud

Quick Start Reference Deployment

November 2021
Arun Patyal and Himanshu Pal, Sumo Logic
Dilip Rajan and Vinay Maddi, AWS Data & Analytics Partner SA team
Shivansh Singh and Suresh Veeragoni, AWS Integration & Automation team

This Quick Start was created by Sumo Logic in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start automatically deploys Sumo Logic Security Integrations on the AWS Cloud. It’s for people who want to configure the Sumo Logic console for 12 AWS services that provide security analytics for a single AWS account. With the default settings, this Quick Start deploys CloudTrail and GuardDuty apps.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Sumo Logic Security Integrations on AWS

Sumo Logic is focused on continuous intelligence, a category of software that addresses data challenges presented by digital transformations, modern applications, and cloud computing. The Sumo Logic Continuous Intelligence Platform automates the collection, ingestion, and analysis of applications, infrastructure, security, and Internet of Things (IoT) data to derive actionable insights.

This Quick Start uses Sumo Logic Cloud SIEM (security information and incident management) powered by AWS. Sumo Logic Cloud SIEM uses apps to collect security events generated by AWS and other security services to provide an aggregate view of overall security and compliance posture.

Sumo Logic has apps for each AWS security service (for example, the Sumo Logic app for AWS CloudTrail) and apps that support multiple AWS services (for example, Threat Intel for AWS). Sumo Logic customers can track user activity, monitor threats, and understand how their security posture compares with global benchmarks. Sumo Logic also uses apps to audit and help maintain compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and Center for Internet Security (CIS).

The included template automatically creates resources that use various AWS services to collect logs, which are sent to your preregistered Sumo Logic account.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

Sumo Logic provides a free tier with unlimited queries and 30-day free trials for various licensing options. For details on pricing, visit the Sumo Logic website.

Architecture

Deploying this Quick Start with default parameters builds the following environment in a specific AWS account and Region in the AWS Cloud.

Figure 1. Quick Start architecture for Sumo Logic on AWS

As shown in Figure 1, the Quick Start sets up the following serverless architecture on AWS:

  • Amazon GuardDuty to detect malicious activity and behavior to protect AWS accounts and workloads.

  • Amazon VPC flow logs to capture information about IP traffic going to and from network interfaces in your VPC.

  • Amazon CloudWatch for relaying the Amazon VPC flow logs to the Lambda function.

  • AWS Security Hub to assess security alerts and security posture across AWS accounts. Security Hub relays security events to Amazon CloudWatch.

  • AWS WAF to protect your web applications from common web exploits.

  • AWS Config to record and evaluate configurations of your AWS resources.

  • AWS CloudTrail to track user activity and API (application programming interface) usage.

  • AWS Network Firewall to deploy essential network protections for all your Amazon virtual private clouds (VPCs).

  • Amazon Kinesis Data Firehose delivery streams to transfer logs from AWS WAF to the Amazon S3 bucket.

  • AWS Lambda functions to create a collector and multiple sources and to install apps on your Sumo Logic account.

  • An Amazon S3 bucket to capture logs from the various AWS services.

  • Amazon Simple Notification Service (Amazon SNS), which is invoked when a new object is saved to an S3 bucket.

  • The Sumo Logic collector and sources to receive logs from the S3 bucket.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

Before you deploy this Quick Start, be familiar with Sumo Logic. If you are new to Sumo Logic, see Getting Started with Sumo Logic.

Also be familiar with the AWS services listed in Table 1, which shows how various AWS security services map to the corresponding apps in Sumo Logic.

Table 1. Mapping of AWS services to Sumo Logic apps

AWS security service or feature | Sumo Logic apps for the following AWS services or features

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might need to request increases if your existing deployment currently uses these resources and if this Quick Start deployment could result in exceeding the default quotas. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource | This deployment uses
S3 buckets | 1
SNS topics | 5
Lambda functions | 7
AWS Identity and Access Management (IAM) roles | 7
AWS CloudTrail trails | 1
Amazon CloudWatch events | 1
Amazon API Gateway endpoints | 3
Kinesis Data Firehose delivery streams | 1

Supported AWS Regions

Table 2 lists the Regions supported by the Sumo Logic Security Integrations Quick Start. Customers can ingest data from any Region to any Sumo-supported Region.

Table 2. Supported AWS Regions

Code | Name
us-east-1 | US East (N. Virginia)
us-east-2 | US East (Ohio)
us-west-1 | US West (N. California)
ca-central-1 | Canada (Central)
eu-central-1 | Europe (Frankfurt)
eu-west-1 | Europe (Ireland)
ap-south-1 | Asia Pacific (Mumbai)
ap-northeast-1 | Asia Pacific (Tokyo)
ap-southeast-2 | Asia Pacific (Sydney)
us-gov-east-1 | AWS GovCloud (US-East)

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Deployment options

This Quick Start provides one deployment option: you build a new AWS environment that consists of the infrastructure resources required to provision applications to your Sumo Logic account and the necessary resources to your AWS account. During the deployment, you can choose which applications to install.

Scenarios supported by this Quick Start

This Quick Start supports the following scenarios:

  • Scenario 1: You do not use AWS security services or Sumo Logic. You did not configure AWS to use one or more security services listed under Specialized knowledge, but you want to collect and analyze data using Sumo Logic apps. For this scenario, use this Quick Start to set up AWS security services and configure Sumo Logic.

  • Scenario 2: You use AWS security services but not Sumo Logic. You use the AWS security services listed under Specialized knowledge but have not configured Sumo Logic to collect data from AWS or installed the corresponding Sumo Logic apps. For this scenario, configure the auxiliary AWS services and resources to send data to Sumo Logic. This scenario also installs the corresponding Sumo Logic apps.

  • Scenario 3: You use AWS security services and Sumo Logic. You use the AWS security services listed under Specialized knowledge and you collect and analyze data from one or more of them in Sumo Logic. For this scenario, configure the auxiliary AWS services and resources to send data to Sumo Logic. This scenario is intended only for nonconfigured AWS security services and their corresponding Sumo Logic apps.

What you need before you deploy this Quick Start

To deploy this Quick Start, you need the following:

  • A Sumo Logic enterprise account. If you don’t already have one, create one at https://sumologic.com by following the on-screen instructions.

  • The ability to launch AWS CloudFormation templates that create IAM roles.

  • An understanding of how Sumo Logic resources are created for each scenario (as described earlier under Scenarios supported by this Quick Start).

    • For data collection, scenario 1, a new Sumo Logic Hosted Collector called aws-quickstart-collector is created, and sources for each app are installed under it.

    • For data collection scenarios 2 and 3, all existing sources can be reused. All new sources are installed under a new Sumo Logic–hosted collector called aws-quickstart-collector.

    • All Sumo Logic apps are installed in a personal folder called SumoLogic Amazon QuickStart Apps, followed by the date.

The Threat Intel app can report Elastic Load Balancing (ELB) data if you are already sending that data to Sumo Logic. If you’ve already configured AWS security services to send logs to S3 buckets or SNS topics, collect the following information before you launch the Quick Start. If you did not previously configure these services, this Quick Start automatically configures these AWS services and resources when you install the Sumo Logic apps.
Sumo Logic apps | If you have done the following | Make a note of
CloudTrail, PCI DSS compliance for AWS CloudTrail, CIS AWS foundations, Amazon CloudTrail - Cloud Security Monitoring and Analytics, Global Intelligence for AWS CloudTrail SecOps App | Configured AWS CloudTrail to send its logs to an S3 bucket. | The S3 bucket name.
Amazon VPC flow logs, PCI DSS compliance for Amazon VPC flow logs, Amazon VPC flow - Cloud Security Monitoring and Analytics | Configured Amazon VPC flow logs to send to an S3 bucket. | The S3 bucket name.
Amazon S3 Audit | Configured access logging for S3 buckets. | The S3 bucket name.
AWS WAF | Configured AWS WAF to send logs through a Kinesis Data Firehose delivery stream to an S3 bucket. | The S3 bucket name.
AWS Config | Configured AWS Config to deliver notifications to an SNS topic. | The SNS topic.
Threat Intel | Configured ELB logs to send data to Sumo Logic. | The ELB source category in Sumo Logic.
AWS Network Firewall | Configured a Network Firewall firewall and firewall policy. | The Network Firewall policy Amazon Resource Name (ARN).
AWS Network Firewall | Have not configured Network Firewall. | The VPC ID and subnet ID.

Deployment steps

Prepare your Sumo Logic account

  1. If you don’t already have a Sumo Logic enterprise account, create one at https://sumologic.com by following the on-screen instructions.

  2. Create the access key and access ID from your Sumo Logic account. These are passed as parameters when you launch the Quick Start template.

  3. Get the organization ID from your Sumo Logic account in the Administration section under the Account tab. You must pass this ID.

    If you want to use the Threat Intel app but have not configured data collection, see Threat Intel for AWS. If you already configured data collection, note the relevant Sumo Logic source category for your data.

Launch the Quick Start

Each deployment takes about 10 minutes to complete.

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. (For details, see Planning the deployment, earlier in this guide.) Then choose the following option to deploy Sumo Logic Security Integrations. (For details, see Deployment options earlier in this guide.)

    Deploy Sumo Logic Security Integrations

    View template

  2. Check the Region displayed in the upper-right corner of the navigation bar, and change it as necessary. This Region—us-east-1 by default—is where the infrastructure for the Sumo Logic app resources is built. For more information, see Supported AWS Regions earlier in this guide.

  3. On the Create stack page, keep the default setting for the template URL, then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Sumo Logic deployment is ready.

  9. To view the created resources, see the values displayed in the Outputs tab for the stack.

Test the deployment

AWS account

After the deployment completes, you see the main stack, QuickStartApps, in addition to multiple nested stacks.

Figure 2. Example output of created resources

Sumo Logic account

Confirm that the AWS CloudFormation template installed the collectors and sources for your Sumo Logic apps.

Figure 3. Example output of collectors and sources

Postdeployment steps

If using an existing S3 bucket

If you use an existing S3 bucket with logs, create an SNS topic (SumoSNSTopic-{StackName}) that subscribes to the Sumo Logic sources. After the deployment completes, add that SNS topic to the S3 bucket events. For more information, see How do I enable and configure event notifications for an S3 bucket?
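Wiring an existing bucket to the topic takes two pieces of configuration: the bucket's event notification, and the topic's access policy, which must allow the S3 service to publish. The Python below is an added example, not code from the Quick Start, Sumo Logic or AWS. It builds both pieces, checks that the publish grant is scoped to one bucket in one account (an unscoped grant lets any bucket anywhere publish to the topic), and merges the new statement into the topic's existing policy rather than replacing it, so the statements the template created are kept. The account ID, bucket name and topic ARN are constructed placeholders; apply() assumes boto3 and AWS credentials.

```python
"""Attach the Quick Start's SNS topic to an existing S3 log bucket.

Added example; not code from the Quick Start, Sumo Logic or AWS. The bucket
name, account ID and topic ARN below are constructed placeholders.
"""
import json

ACCOUNT_ID = "111122223333"                       # placeholder account ID
BUCKET = "example-cloudtrail-logs"                # existing bucket that already holds logs
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:SumoSNSTopic-QuickStartApps"  # SumoSNSTopic-{StackName}
SID = "AllowS3PublishFromLogBucket"


def bucket_arn(bucket):
    return "arn:aws:s3:::" + bucket


def notification_config(topic_arn, prefix=""):
    """S3 event notification that publishes every ObjectCreated event to the topic.

    A key prefix (for example "AWSLogs/" for CloudTrail) limits notifications
    to the folder the Sumo Logic source reads, so unrelated uploads to the
    same bucket do not wake the source.
    """
    topic_cfg = {"Id": "sumo-quickstart-object-created",
                 "TopicArn": topic_arn,
                 "Events": ["s3:ObjectCreated:*"]}
    if prefix:
        topic_cfg["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    return {"TopicConfigurations": [topic_cfg]}


def publish_statement(topic_arn, bucket, account_id):
    """Policy statement letting the S3 service publish, scoped to one bucket in
    one account. Without the two conditions any bucket in any account could
    publish to the topic (the confused-deputy problem)."""
    return {"Sid": SID,
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            "Condition": {"ArnLike": {"aws:SourceArn": bucket_arn(bucket)},
                          "StringEquals": {"aws:SourceAccount": account_id}}}


def policy_is_scoped(policy):
    """True if every Allow that lets a service or anonymous principal publish
    carries an aws:SourceArn or aws:SourceAccount condition."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        broad = principal == "*" or (isinstance(principal, dict)
                                     and ("Service" in principal or principal.get("AWS") == "*"))
        if not broad:
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a.lower() in ("sns:publish", "sns:*", "*") for a in actions):
            continue
        cond_keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if not cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
            return False
    return True


def merge_statement(policy, statement):
    """Copy of the topic policy with the statement added (or replaced when a
    statement with the same Sid exists); the template's own statements stay."""
    statements = [s for s in policy.get("Statement", []) if s.get("Sid") != statement["Sid"]]
    statements.append(statement)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


def apply(bucket, topic_arn, account_id, prefix=""):
    """Push both pieces of configuration; assumes boto3 and AWS credentials."""
    import boto3  # imported here so the offline helpers above do not need it
    sns, s3 = boto3.client("sns"), boto3.client("s3")
    current = json.loads(sns.get_topic_attributes(TopicArn=topic_arn)["Attributes"].get("Policy", "{}"))
    merged = merge_statement(current, publish_statement(topic_arn, bucket, account_id))
    if not policy_is_scoped(merged):
        raise ValueError("topic policy still contains an unscoped publish grant")
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy", AttributeValue=json.dumps(merged))
    s3.put_bucket_notification_configuration(
        Bucket=bucket, NotificationConfiguration=notification_config(topic_arn, prefix))
```

put_bucket_notification_configuration replaces the bucket's whole notification configuration, so if the bucket already notifies other targets, read the current configuration first and add the topic entry to it the same way merge_statement does for the policy.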

If using AWS WAF logs for an Amazon Kinesis Data Firehose delivery stream

If you install AWS WAF, AWS CloudFormation creates a delivery stream (QuickStartDeliveryStream{Region}) in your Kinesis configuration. You must configure Web ACL in AWS WAF to send logs to the delivery stream. For more information, see Logging Web ACL traffic information.

View the Sumo Logic dashboards

After the deployment completes, the Sumo Logic apps are added to your Sumo Logic personal-account library in a folder named SumoLogic Amazon QuickStart Apps <date>.

Figure 4. Top-level Quick Start apps folder

Under the SumoLogic Amazon QuickStart Apps <date> folder, there are subfolders that represent each app along with the date and timestamp.

Figure 5. Individual service folders

To open a service's dashboard, choose its folder in the Sumo Logic console. For instance, under the Amazon GuardDuty folder, open the Amazon GuardDuty – Overview dashboard to see detected threats.

Figure 6. Amazon GuardDuty dashboard

Best practices for using Sumo Logic Security Integrations

If you want to use this Quick Start across multiple AWS accounts and Regions, rename the top-level parent folder of your Sumo Logic account (under your personal folder) to reflect the correct account and Region.

For each S3 bucket, follow the best practices documented under How can I secure the files in my Amazon S3 bucket? to secure all of your S3 objects. Sumo Logic Security Integrations can monitor the following security and compliance aspects of your AWS environment:

  • Threat monitoring and other security findings

  • Configuration and S3 Audit

  • PCI DSS compliance

  • CIS AWS compliance

Additional resources

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained, and the instance keeps running so that you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation.


Q. I encountered a size-limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template-size limitations. For more information, see AWS CloudFormation quotas.

Customer responsibility

After you successfully deploy this Quick Start, confirm that your resources and services are updated and configured — including any required patches — to meet your security and other needs. For more information, see the AWS Shared Responsibility Model.

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.
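The parameter tables that follow repeat one dependency many times: a "Create ..." flag set to No makes the matching "existing name" parameter required, a flag set to Yes for a new firewall makes the VPC and subnet IDs required, and the logging prefixes must end in a slash. The Python below is an added example, not part of the Quick Start or its templates; it encodes those documented rules as a pre-flight check so that a misconfigured parameter set fails before the stack is created rather than with CREATE_FAILED minutes into deployment, and shapes the parameters the way boto3 and the AWS CLI expect them. Parameter names are the ones in the tables; the sample values are constructed placeholders.

```python
"""Pre-flight validation of Quick Start parameters.

Added example; not part of the Quick Start or its templates. Parameter names
come from the parameter tables in this guide; sample values are placeholders.
"""
import re

DEPLOYMENTS = {"au", "ca", "de", "eu", "jp", "us2", "in", "fed", "us1"}

# Table defaults for the parameters the checks below depend on.
DEFAULTS = {
    "Section2CloudTrailCreateBucket": "No", "Section2CloudTrailCreateLogSource": "Yes",
    "Section3bGuardDutyCreateHttpLogsSource": "Yes",
    "Section4bVpcCreateBucket": "No", "Section4dVpcCreateS3Source": "Yes",
    "Section6bS3AuditCreateBucket": "No", "Section6dS3AuditCreateS3Source": "Yes",
    "Section7cSecurityHubCreateBucket": "No", "Section7eSecurityHubCreateS3Source": "Yes",
    "Section8cWafCreateBucket": "No", "Section8eWafCreateS3Source": "Yes",
    "Section9cConfigCreateSNSTopic": "No", "Section9eConfigCreateHttpLogsSource": "Yes",
    "Section11CreateNewFW": "No", "Section11CreateFirewallPolicy": "No",
    "Section11NFWCreateS3Bucket": "No",
    "Section91cS3LoggingBucketPrefix": "S3_AUDIT_LOGS/",
    "Section91eVPCLoggingBucketPrefix": "VPC_LOGS/",
    "Section11NFWLogsNFWBucketPrefix": "NFW/",
}

# (flag, flag value that makes the third parameter required, required parameter).
# Source-category parameters are treated as required input when the source is
# not created, as the tables instruct, even though they carry a default string.
REQUIRED_WHEN = [
    ("Section2CloudTrailCreateBucket", "No", "Section2CloudTrailLogsBucketName"),
    ("Section2CloudTrailCreateLogSource", "No", "Section2CloudTrailLogsSourceCategoryName"),
    ("Section3bGuardDutyCreateHttpLogsSource", "No", "Section3cGuardDutyHttpLogsSourceCategoryName"),
    ("Section4bVpcCreateBucket", "No", "Section4cVpcLogsBucketName"),
    ("Section4dVpcCreateS3Source", "No", "Section4fVpcLogsSourceCategoryName"),
    ("Section6bS3AuditCreateBucket", "No", "Section6cS3AuditLogsBucketName"),
    ("Section6dS3AuditCreateS3Source", "No", "Section6fS3AuditLogsSourceCategoryName"),
    ("Section7cSecurityHubCreateBucket", "No", "Section7dSecurityHubLogsBucketName"),
    ("Section7eSecurityHubCreateS3Source", "No", "Section7gSecurityHubLogsSourceCategoryName"),
    ("Section8cWafCreateBucket", "No", "Section8dWafLogsBucketName"),
    ("Section8eWafCreateS3Source", "No", "Section8gWafLogsSourceCategoryName"),
    ("Section9cConfigCreateSNSTopic", "No", "Section9dConfigExistingTopicName"),
    ("Section9eConfigCreateHttpLogsSource", "No", "Section9fConfigHttpLogsSourceCategoryName"),
    ("Section11CreateNewFW", "Yes", "Section11VPCID"),
    ("Section11CreateNewFW", "Yes", "Section11SubnetID"),
    ("Section11CreateFirewallPolicy", "No", "Section11FirewallPolicyArn"),
    ("Section11NFWCreateS3Bucket", "No", "Section11NFWLogsS3BucketName"),
]
SLASH_TERMINATED = ("Section91cS3LoggingBucketPrefix", "Section91eVPCLoggingBucketPrefix")
NFW_PREFIX_RE = re.compile(r"^[A-Za-z0-9/-]*$")  # characters Table 31 permits


def validate(params):
    """Return a list of problems; empty when every documented dependency holds."""
    p = {**DEFAULTS, **params}
    problems = []
    if p.get("Section1aSumoLogicDeployment") not in DEPLOYMENTS:
        problems.append("Section1aSumoLogicDeployment must be one of: " + ", ".join(sorted(DEPLOYMENTS)))
    for key in ("Section1bSumoLogicAccessID", "Section1cSumoLogicAccessKey", "Section1dSumoLogicOrganizationId"):
        if not p.get(key):
            problems.append(key + " requires input")
    for flag, value, required in REQUIRED_WHEN:
        if p.get(flag) == value and not p.get(required):
            problems.append(f"{required} is required when {flag} is {value}")
    for key in SLASH_TERMINATED:
        if p[key] and not p[key].endswith("/"):
            problems.append(key + " must end with a slash (/)")
    if not NFW_PREFIX_RE.match(p["Section11NFWLogsNFWBucketPrefix"]):
        problems.append("Section11NFWLogsNFWBucketPrefix may contain only letters, numbers, hyphens, and forward slashes")
    return problems


def to_cloudformation(params):
    """Shape the dict as boto3 create_stack(Parameters=...) and
    `aws cloudformation create-stack --parameters` expect it."""
    return [{"ParameterKey": k, "ParameterValue": str(v)} for k, v in sorted(params.items())]


# Constructed sample: reuse an existing CloudTrail bucket and an existing
# Network Firewall policy, let the stack create everything else.
SAMPLE = {
    "Section1aSumoLogicDeployment": "us2",
    "Section1bSumoLogicAccessID": "ACCESS_ID_PLACEHOLDER",
    "Section1cSumoLogicAccessKey": "ACCESS_KEY_PLACEHOLDER",
    "Section1dSumoLogicOrganizationId": "ORG_ID_PLACEHOLDER",
    "Section2CloudTrailCreateBucket": "No",
    "Section2CloudTrailLogsBucketName": "example-cloudtrail-logs",
    "Section4bVpcCreateBucket": "Yes",
    "Section6bS3AuditCreateBucket": "Yes",
    "Section7cSecurityHubCreateBucket": "Yes",
    "Section8cWafCreateBucket": "Yes",
    "Section9cConfigCreateSNSTopic": "Yes",
    "Section11FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:111122223333:firewall-policy/PLACEHOLDER",
    "Section11NFWCreateS3Bucket": "Yes",
}

if __name__ == "__main__":
    for line in validate(SAMPLE) or ["parameters satisfy the documented dependencies"]:
        print(line)
```

When launching from the CLI or boto3 instead of the console, the two Capabilities check boxes in step 6 of Launch the Quick Start correspond to CAPABILITY_IAM (or CAPABILITY_NAMED_IAM, if the template names its roles) and CAPABILITY_AUTO_EXPAND. The Sumo Logic access key travels as a stack parameter, so restrict who can read the stack's parameters (cloudformation:DescribeStacks) to the same people who may hold the key.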

Parameters for deploying the Quick Start

Table 3. Sumo Logic access configuration (required)

Parameter label (name) | Default value | Description
Sumo Logic deployment location (Section1aSumoLogicDeployment) | Requires input | Enter the geographic location of the deployment: au, ca, de, eu, jp, us2, in, fed, or us1.
Sumo Logic access ID (Section1bSumoLogicAccessID) | Requires input | Enter the Sumo Logic console access ID, which you received when you created the access key.
Sumo Logic access key (Section1cSumoLogicAccessKey) | Requires input | Enter your Sumo Logic access key. Retrieve this from your Sumo Logic account.
Sumo Logic organization ID (Section1dSumoLogicOrganizationId) | Requires input | Enter your Sumo Logic organization ID, which you can find in the Sumo Logic console, under Account.
Remove Sumo Logic resources when stack is deleted (Section1eSumoLogicResourceRemoveOnDeleteStack) | true | Choose "false" if you do not want the collector, sources, and Sumo Logic apps to be removed when the stack is deleted.

Table 4. CloudTrail app configuration

Parameter label (name) | Default value | Description
Install Sumo Logic AWS CloudTrail app (Section2InstallCloudTrailApp) | Yes | Choose No to skip installation of the app.
Install Sumo Logic PCI compliance for AWS CloudTrail app (Section2InstallPCICloudTrailApp) | Yes | Choose No to skip installation of the app.
Install Sumo Logic CIS AWS Foundations Benchmark app (Section2InstallCISFoundationApp) | Yes | Choose No to skip installation of the app.
Install Amazon CloudTrail - Sumo Cloud Security Monitoring and Analytics App (Section2InstallCloudTrailMonitoringAnalyticsApp) | Yes | Choose No to skip installation of the app.
Install Sumo Global Intelligence for AWS CloudTrail SecOps App (Section2InstallCloudTrailSecOpsApp) | Yes | Choose No to skip installation of the app.

Table 5. S3 configuration

Parameter label (name) | Default value | Description
Create a CloudTrail S3 bucket (Section2CloudTrailCreateBucket) | No | Choose Yes to create a CloudTrail S3 bucket for CloudTrail logs.
CloudTrail logs S3 bucket name (Section2CloudTrailLogsBucketName) | Blank string | Required when Create a CloudTrail S3 bucket is set to No. Provide the name of an existing bucket that holds CloudTrail logs.

Table 6. CloudTrail source configuration

Parameter label (name) | Default value | Description
Create Sumo Logic CloudTrail logs source (Section2CloudTrailCreateLogSource) | Yes | Choose No to skip creation of a Sumo Logic CloudTrail log source.
Path expression for CloudTrail logs (Section2CloudTrailBucketPathExpression) | AWSLogs/*/CloudTrail/* | The path expression must match the folder structure for CloudTrail logs (for example, AWSLogs/*/CloudTrail/*).
Sumo Logic CloudTrail logs source category name (Section2CloudTrailLogsSourceCategoryName) | AWS/Cloudtrail/Logs | Required when Create Sumo Logic CloudTrail logs source is set to No. Provide the existing Sumo Logic source category that collects CloudTrail logs. This category is also used when installing the Threat Intel for AWS app.

Table 7. GuardDuty app configuration

Parameter label (name) | Default value | Description
Install Sumo Logic GuardDuty app (Section3aInstallGuardDutyApps) | Both | GuardDuty: Install the Amazon GuardDuty app. GlobalGuardDutyApp: Install the Global Intelligence for Amazon GuardDuty app. Both: Install both apps. Skip: Skip installation of the apps.

Table 8. GuardDuty log-source configuration

Parameter label (name) | Default value | Description
Create Sumo Logic HTTP logs source (Section3bGuardDutyCreateHttpLogsSource) | Yes | Choose No to skip creation of a Sumo Logic HTTP log source to collect GuardDuty logs.
Sumo Logic HTTP logs source category name (Section3cGuardDutyHttpLogsSourceCategoryName) | aws/quickstart/guardduty/logs | Required when Create Sumo Logic HTTP logs source is set to No. Provide the existing source category that collects the GuardDuty logs. This category is used for app installation.

Table 9. VPC flow logs app configuration

Parameter label (name) | Default value | Description
Install Sumo Logic VPC flow logs app (Section4aInstallVpcApps) | All | VPC: Install the Amazon VPC flow logs app in Sumo Logic. PCI_VPC: Install the PCI compliance VPC flow app. CSMA_VPC: Install the Amazon VPC Flow - Cloud Security Monitoring and Analytics app. All: Install all three apps. Skip: Skip installation of the apps.

Table 10. VPC flow logs S3 configuration

Parameter label (name) | Default value | Description
Create VPC flow logs S3 bucket (Section4bVpcCreateBucket) | No | Choose Yes to create an S3 bucket for VPC flow logs.
VPC flow logs S3 bucket name (Section4cVpcLogsBucketName) | Blank string | Required when Create VPC flow logs S3 bucket is set to No. Provide the name of an existing bucket that holds VPC flow logs.

Table 11. VPC S3 source configuration

Parameter label (name) | Default value | Description
Create Sumo Logic S3 logs source (Section4dVpcCreateS3Source) | Yes | Choose No to skip creation of a Sumo Logic S3 log source.
Path expression for logs (Section4eVpcBucketPathExpression) | VPC-FLOW-LOGS/* | The path expression must match the folder structure for VPC flow logs (for example, VPC-FLOW-LOGS/*).
Sumo Logic S3 logs source category name (Section4fVpcLogsSourceCategoryName) | AWS/Vpc/Flow/Logs | Required when Create Sumo Logic S3 logs source is set to No. Provide the existing Sumo Logic source category that collects VPC flow logs. This category is also used for Threat Intel.

Table 12. Sumo Logic Threat Intel for AWS configuration

Parameter label (name) | Default value | Description
Install Sumo Logic Threat Intel app (Section5aInstallThreatIntelApp) | Yes | Choose No to skip installation of the app.
Sumo Logic ELB category name (Section5bElasticLoadBalancerSourceCategory) | *elb* | Provide an existing Sumo Logic source category that has Classic Load Balancer (ELB classic) logs.

Table 13. Sumo Logic S3 Audit app configuration

Parameter label (name) | Default value | Description
Install Sumo Logic S3 Audit app (Section6aInstallS3AuditApp) | Yes | Choose No to skip installation of the app.

Table 14. S3 Audit S3 configuration

Parameter label (name) | Default value | Description
Create S3 Audit bucket (Section6bS3AuditCreateBucket) | No | Choose Yes to create an S3 bucket for S3 Audit logs.
S3 Audit logs bucket name (Section6cS3AuditLogsBucketName) | Blank string | Required when Create S3 Audit bucket is set to No. Provide the name of an existing S3 bucket that holds audit logs.

Table 15. Sumo Logic S3 Audit source configuration

Parameter label (name) | Default value | Description
Create Sumo Logic S3 Audit logs source (Section6dS3AuditCreateS3Source) | Yes | Choose No to skip creation of the Sumo Logic S3 Audit log source.
Path expression for logs (Section6eS3AuditBucketPathExpression) | S3-AUDIT-LOGS/* | The path expression must match the folder structure for S3 Audit logs (for example, S3-AUDIT-LOGS/*).
Sumo Logic S3 Audit logs source category name (Section6fS3AuditLogsSourceCategoryName) | aws/quickstart/s3/audit/logs | Required when Create Sumo Logic S3 Audit logs source is set to No. Provide the existing Sumo Logic source category that collects S3 Audit logs. This category is used for app installation.

Table 16. AWS Security Hub app configuration

Parameter label (name) | Default value | Description
Install Sumo Logic AWS Security Hub app (Section7aInstallSecurityHubAuditApp) | Yes | Choose No to skip installation of the app.
Enable Security Hub for the Region (Section7bEnableSecurityHub) | No | Choose Yes if Security Hub must be enabled for the Region.

Table 17. AWS Security Hub S3 configuration

Parameter label (name) | Default value | Description
Create Security Hub S3 bucket (Section7cSecurityHubCreateBucket) | No | Choose Yes to create an S3 bucket for Security Hub logs.
Security Hub logs S3 bucket name (Section7dSecurityHubLogsBucketName) | Blank string | Required when Create Security Hub S3 bucket is set to No. Provide the name of an existing S3 bucket that holds Security Hub logs.

Table 18. Sumo Logic Security Hub S3 source configuration

Parameter label (name) | Default value | Description
Create Sumo Logic S3 logs source (Section7eSecurityHubCreateS3Source) | Yes | Choose No to skip creation of a Sumo Logic S3 log source.
Path expression for Security Hub logs (Section7fSecurityHubBucketPathExpression) | *securityhub*/* | The path expression must match the folder structure for Security Hub logs (for example, *securityhub*/*).
Sumo Logic S3 logs source category name (Section7gSecurityHubLogsSourceCategoryName) | aws/quickstart/securityhub/logs | Required when Create Sumo Logic S3 logs source is set to No. Provide the existing Sumo Logic source category that collects Security Hub logs. This category is used for app installation.

Table 19. Sumo Logic AWS WAF app configuration

Parameter label (name) | Default value | Description
Install Sumo Logic AWS WAF app (Section8aInstallWafApp) | Yes | Choose No to skip installation of the app.
Create a delivery stream for bucket (Section8bCreateDeliveryStream) | No | Choose Yes to create a Kinesis Data Firehose delivery stream.

Table 20. AWS WAF S3 configuration

Parameter label (name) | Default value | Description
Create S3 bucket (Section8cWafCreateBucket) | No | Choose Yes to create an S3 bucket for AWS WAF logs.
WAF logs S3 bucket name (Section8dWafLogsBucketName) | Blank string | Required when Create S3 bucket is set to No. Provide the name of an existing bucket that holds AWS WAF logs.

Table 21. Sumo Logic AWS WAF S3 source configuration

Parameter label (name) | Default value | Description
Create Sumo Logic S3 logs source (Section8eWafCreateS3Source) | Yes | Choose No to skip creation of a Sumo Logic S3 log source.
Path expression for WAF logs (Section8fWafBucketPathExpression) | WAF_LOGS/* | The path expression must match the folder structure for WAF logs (for example, WAF_LOGS/*).
Sumo Logic S3 logs source category name (Section8gWafLogsSourceCategoryName) | aws/quickstart/waf/logs | Required when Create Sumo Logic S3 logs source is set to No. Provide the existing Sumo Logic source category that collects WAF logs. This category is used for app installation.
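Every S3 source in Tables 6, 11, 15, 18 and 21 takes a path expression that must match the key layout of the bucket it reads; a key that does not match is silently never collected. The Python below is an added example, not code from the Quick Start or Sumo Logic, for checking a bucket listing against an expression before deploying. It assumes the semantics the defaults in this guide imply: "*" matches any run of characters including "/", everything else is literal, and matching is case-sensitive like S3 keys. The sample keys are constructed to follow the layout CloudTrail writes (including an organization trail, which adds an extra path segment, and the CloudTrail-Digest folder, which the default expression correctly excludes).

```python
"""Check S3 keys against a Sumo Logic path expression before deploying.

Added example; not code from the Quick Start or Sumo Logic. Assumed semantics:
"*" matches any run of characters (including "/"), everything else is literal,
matching is case-sensitive. Sample keys are constructed.
"""
import re


def path_expression_to_regex(expr):
    """Translate a path expression into an anchored regular expression:
    literal text is escaped, each "*" becomes ".*"."""
    return re.compile("^" + ".*".join(re.escape(part) for part in expr.split("*")) + "$")


def matches(expr, key):
    return path_expression_to_regex(expr).match(key) is not None


def unmatched_keys(expr, keys):
    """Keys the source would ignore; run this over a recursive listing of the
    bucket (for example from `aws s3 ls --recursive`) before deploying."""
    return [k for k in keys if not matches(expr, k)]


# Constructed keys following the layout CloudTrail writes.
SAMPLE_KEYS = [
    "AWSLogs/111122223333/CloudTrail/us-east-1/2021/11/15/"
    "111122223333_CloudTrail_us-east-1_20211115T0000Z_example.json.gz",
    # Organization trails add the organization ID as an extra segment; "*" spans it.
    "AWSLogs/o-exampleorgid/111122223333/CloudTrail/us-east-1/2021/11/15/example.json.gz",
    # Digest files are integrity records, not events; the default expression excludes them.
    "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2021/11/15/example.json.gz",
]

if __name__ == "__main__":
    for key in unmatched_keys("AWSLogs/*/CloudTrail/*", SAMPLE_KEYS):
        print("not collected:", key)
```

The same check applies to the other expressions in this guide: a bucket whose flow logs sit under a lowercase or differently named prefix will not match VPC-FLOW-LOGS/*, and *securityhub*/* collects from any folder whose name contains securityhub, which is broader than a single exact prefix.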

Table 22. Sumo Logic AWS Config app configuration

Parameter label (name) | Default value | Description
Install Sumo Logic AWS Config app (Section9aInstallConfigApp) | Yes | Choose No to skip installation of the app.

Table 23. AWS Config configuration

Parameter label (name) | Default value | Description
Enable AWS Config for the Region (Section9bConfigEnableConfig) | No | Choose Yes to enable AWS Config for the Region. Keep the default (No) if AWS Config is already enabled.
Create SNS topic for logs delivery (Section9cConfigCreateSNSTopic) | No | Choose Yes to create an SNS topic and attach it to the AWS Config settings so that logs are delivered to it. Keep the default (No) if AWS Config logs are already delivered to an existing SNS topic.
Existing topic name where logs are delivered (Section9dConfigExistingTopicName) | Blank string | Required when Create SNS topic for logs delivery is set to No. Provide the existing SNS topic from the AWS Config settings that streams configuration changes and notifications.

Table 24. Sumo Logic AWS Config HTTP logs source configuration

Parameter label (name) | Default value | Description
Create Sumo Logic HTTP logs source (Section9eConfigCreateHttpLogsSource) | Yes | Choose No to skip creation of a Sumo Logic HTTP log source to collect AWS Config logs.
Sumo Logic Amazon HTTP logs source category name (Section9fConfigHttpLogsSourceCategoryName) | aws/quickstart/config/logs | Required when Create Sumo Logic HTTP logs source is set to No. Provide the existing Sumo Logic source category that collects AWS Config logs. This category is used for app installation.

Table 25. Auto-enable logging configuration

Parameter label (name) | Default value | Description
Choose resource to auto-enable S3 logging (Section91aEnableAutoLogging) | Skip | S3: Enable S3 Audit logging for new S3 buckets. VPC: Enable VPC flow logs for new VPCs, subnets, and network interfaces. Firewall: Enable Network Firewall logs for new firewalls. Skip: Do not auto-enable logging.
Auto-enable logging for existing AWS resources (Section91bEnableLoggingForExistingResources) | No | Choose Yes to enable logging for existing AWS resources.

Table 26. S3 Audit logging auto-enable configuration

Parameter label (name) | Default value | Description
Bucket prefix to store S3 Audit logs (Section91cS3LoggingBucketPrefix) | S3_AUDIT_LOGS/ | Provide a prefix in the S3 bucket for S3 Audit logs. The prefix must end with a slash (/).
Regex expression to filter S3 buckets (Section91dS3LoggingFilterExpression) | Blank string | Provide a regular expression for matching S3 buckets (e.g., 'test

Table 27. VPC flow logs auto-enable configuration

Parameter label (name) | Default value | Description
Bucket prefix to store VPC flow logs (Section91eVPCLoggingBucketPrefix) | VPC_LOGS/ | Provide a prefix in the S3 bucket for VPC flow logs. The prefix must end with a slash (/).
Regex expression to filter VPC resources (Section91fVPCLoggingFilterExpression) | Blank string | Provide a regular expression for matching VPC resources (e.g., 'VpcId': 't1.micro.*?'|'NetworkInterfaceId': 'Test.*?']|'SubnetId': 'prod.*?'|test|prod').

Table 28. Firewall logs auto-enable configuration

Parameter label (name) | Default value | Description
Regex expression to filter firewall resources (Section91FireWallLoggingFilterExpression) | Blank string | Provide a regular expression for matching firewall resources (e.g., 'FirewallName': 'firewall-example.*?').

Table 29. Network Firewall app configuration

Parameter label (name) | Default value | Description
Install Sumo Logic AWS Network Firewall App (Section11InstallNFWApp) | Yes | Choose No to skip installation of the app.

Table 30. Network Firewall configuration

Parameter label (name) | Default value | Description
Create a firewall (Section11CreateNewFW) | No | Choose Yes to create an AWS Network Firewall firewall.
VPC ID for a new firewall (Section11VPCID) | Blank string | Skip if No is selected for Create a firewall. The ID of the VPC in which the new AWS Network Firewall firewall is created.
Subnet ID for new firewall (Section11SubnetID) | Blank string | Skip if No is selected for Create a firewall. The ID of the subnet in which the new AWS Network Firewall firewall is created.
Create a firewall policy (Section11CreateFirewallPolicy) | No | Choose Yes to create a policy for the new firewall.
ARN of existing network policy (Section11FirewallPolicyArn) | Blank string | Skip if Yes is selected for Create a firewall policy. Enter the ARN of the existing firewall policy.
Create a default stateful rule group for network policy (Section11StatefulRule) | Blank string | Skip if using an existing firewall policy. Enter a stateful rule in Suricata-compatible syntax. Example: pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:"test";sid:1;rev:1;)
Create a default stateless rule group for network policy (Section11StatelessRule) | 80 | Skip if using an existing firewall policy. Enter the port that the stateless rule allows.

Table 31. Network Firewall S3 configuration

Parameter label (name) | Default value | Description
Create AWS S3 bucket (Section11NFWCreateS3Bucket) | No | Choose Yes to create an S3 bucket for Network Firewall logs.
AWS NFW logs S3 bucket name (Section11NFWLogsS3BucketName) | Blank string | Required when Create AWS S3 bucket is set to No. Provide the name of an existing bucket that holds the Network Firewall logs.
AWS NFW logs S3 bucket prefix (Section11NFWLogsNFWBucketPrefix) | NFW/ | S3 key prefix for Network Firewall logs. The prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/).

Table 32. Network Firewall source configuration

Parameter label (name) | Default value | Description
Create Sumo Logic Amazon S3 logs source (Section11NFWCreateS3Source) | Yes | Choose No to skip creation of a Sumo Logic Amazon S3 log source.
Path expression for the logs (Section11NFWS3BucketLogsPathExpression) | *AWSLogs/*/network-firewall/* | The path expression must match one or more S3 objects. For example, ABC*.log or ABC.log.
Sumo Logic Amazon S3 logs source category name (Section11NFWS3SourceCategoryName) | AWS/NFW/Flow/Logs | Existing: if the Amazon S3 source is not created, change this to an existing Sumo Logic source category. New: if the Amazon S3 source is created, the default is used for the new source.
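
The path expression in Table 32 decides which objects in the log bucket the Sumo Logic Amazon S3 source ingests, and the default must line up with the prefix chosen in Table 31. The following is an added example, not Sumo Logic's or the Quick Start's code, for checking an expression against the object keys you expect before creating the source. It assumes that '*' in a path expression is a wildcard that can span '/' separators (the behaviour of Python's fnmatchcase, used here as the approximation); the object keys, account ID and file names are constructed, with the layout under AWSLogs/<account>/network-firewall/ following how Network Firewall writes logs to S3.

```python
from fnmatch import fnmatchcase
from typing import Iterable, List

# Default path expression from Table 32.
DEFAULT_NFW_PATH_EXPRESSION = "*AWSLogs/*/network-firewall/*"

# Constructed sample object keys. NFW/ is Table 31's default bucket prefix;
# the CloudTrail and VPC flow log keys stand in for other data sharing the
# bucket. Account ID and file names are made up.
SAMPLE_KEYS = [
    "NFW/AWSLogs/123456789012/network-firewall/flow/us-east-1/example-fw/2021/11/01/flow.log.gz",
    "NFW/AWSLogs/123456789012/network-firewall/alert/us-east-1/example-fw/2021/11/01/alert.log.gz",
    "AWSLogs/123456789012/CloudTrail/us-east-1/2021/11/01/trail.json.gz",
    "VPC_LOGS/AWSLogs/123456789012/vpcflowlogs/us-east-1/2021/11/01/flow.log.gz",
]


def matching_keys(keys: Iterable[str], path_expression: str) -> List[str]:
    """Return the keys the path expression selects, in their original order.

    Assumption: '*' may span '/' separators, which is how fnmatchcase treats
    it; that is what lets the leading '*' absorb the NFW/ bucket prefix.
    """
    return [key for key in keys if fnmatchcase(key, path_expression)]


def unexpected_keys(keys: Iterable[str], path_expression: str,
                    marker: str = "network-firewall") -> List[str]:
    """Keys the expression selects that do not look like Network Firewall logs.

    A non-empty result means the source would also ingest unrelated objects,
    for example after loosening the expression to a bare '*'.
    """
    return [key for key in matching_keys(keys, path_expression) if marker not in key]


if __name__ == "__main__":
    selected = matching_keys(SAMPLE_KEYS, DEFAULT_NFW_PATH_EXPRESSION)
    print(f"{len(selected)} of {len(SAMPLE_KEYS)} keys selected by the default expression")
    for key in selected:
        print("  ", key)
    print("unrelated keys selected by '*':", unexpected_keys(SAMPLE_KEYS, "*"))
```

Two outcomes are worth checking: that the expression selects both the flow and alert log keys under the chosen prefix (an expression that selects nothing produces a source with no data and no error), and that it does not sweep in other log types stored in the same bucket, which would land CloudTrail or VPC flow records in the Network Firewall source category.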

Table 33. AWS Quick Start configuration

Parameter label (name) | Default value | Description
Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens (-), but cannot start or end with a hyphen. See https://aws-quickstart.github.io/option1.html.
Quick Start S3 bucket Region (QSS3BucketRegion) | us-east-1 | AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.
Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-sumo-logic-log-centralization/ | S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.

Send us feedback

If you have feedback about this Quick Start, such as a feature idea or a bug you’ve found, email quickstart@amazon.com.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.