Sumo Logic

Collect Data for the Amazon Inspector App

This page provides instructions for configuring data collection for the Amazon Inspector App.

Step 1: Configure Collection in Sumo Logic

To collect data for the Amazon Inspector App, do the following:

  1. Configure a Hosted Collector.
  2. Configure an HTTP Source.

Step 2: Configure Amazon Inspector

In the AWS console, perform these tasks in the same region as the Inspector assessment templates you want to monitor:

  1. Create an Amazon SNS topic to receive assessment run notifications.
  2. Configure Amazon Inspector to publish notifications for each assessment template to the SNS topic.
  3. Create an IAM role that lets a Lambda function run and read Inspector data.
  4. Set up a Lambda function that fetches the findings and sends them to the Sumo Logic HTTP Source endpoint.

Details are provided in the following sections. 

Step 3: Create an Amazon SNS Topic

  1. Log in to the Amazon Console.
  2. Click Services. In the dropdown, go to Application Integration > Simple Notification Service (SNS).
  3. On the SNS dashboard, select Topics on the left side.
  4. Click the Create topic button.
  5. In the window that opens, enter the following details:
    • Name: Enter a topic name.
    • Access policy: Select Advanced.
    • JSON editor: Replace the existing text with the following.

{
  "Version": "2008-10-17",
  "Id": "inspector-sns-publish-policy",
  "Statement": [
    {
      "Sid": "inspector-sns-publish-statement",
      "Effect": "Allow",
      "Principal": {
        "Service": "inspector.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:*"
    }
  ]
}

This grants only the Amazon Inspector service principal permission to publish to the topic. Once the topic exists, you can tighten "Resource" from "arn:aws:sns:*" to the topic's own ARN so the statement is explicit about what it covers.

  6. Click the Create topic button.

Step 4: Configure Amazon Inspector

  1. In the Amazon Console, click Services. In the opened dropdown, go to Security, Identity & Compliance > Inspector.
  2. Select Assessment templates on the left side.
  3. In the list that opens, select each assessment template you want to monitor.
  4. Expand each row and find the section called SNS topics.
  5. Click the Edit icon and select the SNS topic you created in Step 3.
  6. Click Save.

Step 5: Create a Role

  1. In the Amazon Console, click Services. In the opened dropdown, go to Security, Identity & Compliance > IAM.
  2. Select Roles on the left side. In the window that opens, click the Create role button.
  3. Select Lambda as the service that will use this role, then click the Next: Permissions button.
  4. In the Attach permissions policies section, search for and select the AWSLambdaBasicExecutionRole and AmazonInspectorReadOnlyAccess policies. The first lets the function write its logs to CloudWatch Logs; the second lets it list and describe Inspector findings without granting any write access to Inspector.
  5. Click the Next: Tags button.
  6. Click the Next: Review button.
  7. In the Review section, enter the role name Lambda-Inspector and click the Create role button.

Step 6: Create a Lambda Function

  1. In the Amazon Console, click Services. In the opened dropdown, go to Compute > Lambda.
  2. Click the Create function button.
  3. In the Author from scratch section:
    • Function name: Enter a function name.
    • Runtime: Select the Python 2.7 runtime. AWS no longer allows new functions to be created on Python 2.7; if that runtime is not offered, select a supported Python 3 runtime and confirm the script runs under it before relying on it.
    • Choose or create an execution role: Select the Use an existing role radio button, then select the role created in Step 5.
  4. Click the Create function button.
  5. Click the Add trigger button.
    • Select SNS as the trigger source.
    • Select the SNS topic you created in Step 3.
  6. Click the Add button.
  7. Click the function name and go to the Function code section.
  8. Go to https://raw.githubusercontent.com/SumoLogic/sumologic-aws-lambda/master/inspector/python/inspector.py and copy-paste the code into the editor.
  9. Edit the code to enter the URL of the Sumo Logic HTTP Source endpoint (line 14) that will receive the data. Treat this URL as a secret: anyone who has it can write data to the source.
  10. Click Save at the top.
  11. Scroll down to Edit basic settings and configure the rest of the settings as follows:
    • Handler: lambda_function.sumo_inspector_handler
    • Memory (MB): 128
    • Timeout: 10 minutes
  12. Click Save.
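The following is an added example of what the Lambda function wired up in Steps 3 through 6 has to do; it is not Sumo Logic's inspector.py and is not the code you paste in Step 6. It assumes the Sumo Logic endpoint URL is read from a SUMO_ENDPOINT environment variable rather than edited into the source, that Inspector Classic SNS notifications are JSON with "event", "run" and "template" keys, and that DescribeFindings accepts at most 10 finding ARNs per call. The Inspector client and the HTTP call are injectable, and a constructed fake client and SNS event at the bottom let the handler run offline.

```python
import json
import os
import urllib.request

# Added example, not Sumo Logic's inspector.py: a Lambda handler for the setup
# above. An Inspector Classic SNS notification arrives, the handler pulls the
# findings of the completed assessment run from the Inspector API and forwards
# each one as a JSON document to the Sumo Logic HTTP Source. Assumptions: the
# endpoint URL comes from SUMO_ENDPOINT (it is a write credential for the source
# and should not be pasted into code); notifications are JSON with "event",
# "run" and "template" keys; DescribeFindings takes at most 10 ARNs per call.


def _post_to_sumo(url, body):
    req = urllib.request.Request(url, data=body.encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def fetch_findings(inspector, run_arn):
    """Page through ListFindings, then DescribeFindings in batches of 10."""
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [run_arn], "maxResults": 100}
        if token:
            kwargs["nextToken"] = token
        page = inspector.list_findings(**kwargs)
        arns.extend(page.get("findingArns", []))
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 10):
        findings.extend(inspector.describe_findings(findingArns=arns[i:i + 10])
                        .get("findings", []))
    return findings


def sumo_inspector_handler(event, context=None, inspector=None, post=None):
    """Lambda entry point; returns the number of findings forwarded."""
    url = os.environ.get("SUMO_ENDPOINT")
    if not url:
        raise RuntimeError("SUMO_ENDPOINT is not set")
    if inspector is None:
        import boto3  # real client only inside Lambda
        inspector = boto3.client("inspector")
    post = post or _post_to_sumo
    forwarded = 0
    for record in event.get("Records", []):
        try:
            msg = json.loads(record.get("Sns", {}).get("Message", ""))
        except ValueError:
            continue  # not an Inspector notification
        # Run-started and finding-reported events carry no complete result set.
        if msg.get("event") != "ASSESSMENT_RUN_COMPLETED" or "run" not in msg:
            continue
        for finding in fetch_findings(inspector, msg["run"]):
            doc = dict(finding, assessmentRunArn=msg["run"],
                       templateArn=msg.get("template"))
            post(url, json.dumps(doc, default=str))
            forwarded += 1
    return forwarded


RUN_ARN = "arn:aws:inspector:us-west-2:444455556666:target/0-x/template/0-y/run/0-z"


class FakeInspector:
    """Constructed stand-in for boto3's Inspector client: 13 findings, 5 per page."""

    def __init__(self, count=13):
        self.arns = ["%s/finding/0-%02d" % (RUN_ARN, i) for i in range(count)]

    def list_findings(self, assessmentRunArns, maxResults, nextToken=None):
        start = int(nextToken or 0)
        end = min(start + min(maxResults, 5), len(self.arns))
        page = {"findingArns": self.arns[start:end]}
        if end < len(self.arns):
            page["nextToken"] = str(end)
        return page

    def describe_findings(self, findingArns):
        assert len(findingArns) <= 10, "DescribeFindings limit"
        return {"findings": [{"arn": a, "severity": "High",
                              "title": "Constructed finding"} for a in findingArns]}


# Constructed SNS event with one ASSESSMENT_RUN_COMPLETED notification.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "template": RUN_ARN.rsplit("/run/", 1)[0], "run": RUN_ARN,
    "event": "ASSESSMENT_RUN_COMPLETED"})}}]}


def run_offline():
    """Drive the handler with the fakes; returns (count, posted documents)."""
    os.environ.setdefault("SUMO_ENDPOINT", "https://collectors.example/receiver/v1/http/EXAMPLE")
    sent = []
    count = sumo_inspector_handler(SAMPLE_EVENT, inspector=FakeInspector(),
                                   post=lambda url, body: sent.append(json.loads(body)))
    return count, sent
```

Calling run_offline() drives the handler through three ListFindings pages and two DescribeFindings batches and returns the 13 documents that would have been posted. With the real function, set SUMO_ENDPOINT as a Lambda environment variable and keep the 10-minute timeout from Step 6: a large assessment run can take many paginated API calls to drain.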

Sample Log

Amazon Inspector CreateResourceGroup action, as recorded by AWS CloudTrail:

{
    "eventVersion": "1.03",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::444455556666:user/Alice",
        "accountId": "444455556666",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2016-04-14T17:05:54Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                "arn": "arn:aws:iam::444455556666:user/Alice",
                "accountId": "444455556666",
                "userName": "Alice"
            }
        }
    },
    "eventTime": "2016-04-14T17:12:34Z",
    "eventSource": "inspector.amazonaws.com",
    "eventName": "CreateResourceGroup",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "205.251.233.179",
    "userAgent": "console.amazonaws.com",
    "requestParameters": {
        "resourceGroupTags": [
            {
                "key": "Name",
                "value": "ExampleEC2Instance"
            }
        ]
    },
    "responseElements": {
        "resourceGroupArn": "arn:aws:inspector:us-west-2:444455556666:resourcegroup/0-oclRMp8B"
    },
    "requestID": "148256d2-0264-11e6-a9b5-b98a7d3b840f",
    "eventID": "e5ea533e-eede-46cc-94f6-0d08e6306ff0",
    "eventType": "AwsApiCall",
    "apiVersion": "v20160216",
    "recipientAccountId": "444455556666"
}
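As an added example (not part of the Sumo Logic app or its queries), the following Python triages Inspector CloudTrail records like the one above: an Inspector API call that changes configuration, made from a session that did not authenticate with MFA, is flagged together with the actor, source IP and the ARNs it produced. The rule that actions not starting with Describe, List, Get or Preview are writes is an assumption. The first embedded record is the page's sample abbreviated to the fields the code reads; the second is a constructed read-only call for contrast.

```python
import json

# Added example, not part of the Sumo Logic app: triage logic for Inspector
# CloudTrail records. Assumption: Inspector actions whose names do not start
# with Describe/List/Get/Preview change configuration and count as writes.

READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Preview")


def triage(record):
    """Summarise one CloudTrail record; None if it is not an Inspector call."""
    if record.get("eventSource") != "inspector.amazonaws.com":
        return None
    ident = record.get("userIdentity", {})
    session = ident.get("sessionContext", {})
    write = not record.get("eventName", "").startswith(READ_ONLY_PREFIXES)
    mfa = session.get("attributes", {}).get("mfaAuthenticated") == "true"
    # Any ARN in responseElements is a resource the call created or touched.
    arns = [v for v in (record.get("responseElements") or {}).values()
            if isinstance(v, str) and v.startswith("arn:")]
    return {
        "eventName": record.get("eventName"),
        "actor": session.get("sessionIssuer", {}).get("userName") or ident.get("arn"),
        "sourceIp": record.get("sourceIPAddress"),
        "write": write,
        "mfa": mfa,
        "alert": write and not mfa,  # configuration change without MFA
        "resources": arns,
    }


def scan(ndjson):
    """Triage newline-delimited CloudTrail records and return only the alerts."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        summary = triage(json.loads(line))
        if summary and summary["alert"]:
            alerts.append(summary)
    return alerts


# Constructed input: the page's sample record (abbreviated) plus a read-only call.
SAMPLE_RECORDS = "\n".join(json.dumps(r) for r in [
    {
        "eventSource": "inspector.amazonaws.com", "eventName": "CreateResourceGroup",
        "sourceIPAddress": "205.251.233.179",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::444455556666:user/Alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"},
                                            "sessionIssuer": {"userName": "Alice"}}},
        "responseElements": {"resourceGroupArn":
                             "arn:aws:inspector:us-west-2:444455556666:resourcegroup/0-oclRMp8B"},
    },
    {
        "eventSource": "inspector.amazonaws.com", "eventName": "DescribeFindings",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:iam::444455556666:user/Bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"},
                                            "sessionIssuer": {"userName": "Bob"}}},
        "responseElements": None,
    },
])
```

scan(SAMPLE_RECORDS) returns a single alert for Alice's CreateResourceGroup call; Bob's DescribeFindings is read-only and MFA-authenticated, so it is summarised but not flagged.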