What is an Elastic integration?

This integration is powered by Elastic Agent. Elastic Agent is a single, unified agent that you can deploy to hosts or containers to collect data and send it to the Elastic Stack. Behind the scenes, Elastic Agent runs the Beats shippers or Elastic Endpoint required for your configuration. Please refer to our documentation for a detailed comparison between Beats and Elastic Agent.

Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.

Overview

This integration is used to fetches logs and metrics from Amazon Web Services.

AWS Credentials

AWS credentials are required for running AWS integration.

Configuration parameters

  • access_key_id: first part of access key.
  • secret_access_key: second part of access key.
  • session_token: required when using temporary security credentials.
  • credential_profile_name: profile name in shared credentials file.
  • shared_credential_file: directory of the shared credentials file.
  • endpoint: URL of the entry point for an AWS web service.
  • role_arn: AWS IAM Role to assume.

Data stream specific configuration parameters

  • latency: Some AWS services send monitoring metrics to CloudWatch with a latency to process larger than Metricbeat collection period. This will cause data points missing or none get collected by Metricbeat. In this case, please specify a latency parameter so collection start time and end time will be shifted by the given latency amount.
  • period: How often the data stream is executed.
  • regions: Specify which AWS regions to query metrics from. If the regions is not set in the config, then by default, the integration will query metrics from all available AWS regions. If endpoint is specified, regions becomes a required config parameter.
  • tags_filter: Tag key value pairs from aws resources. A tag is a label that user assigns to an AWS resource.

Credential Types

There are three types of AWS credentials can be used: access keys, temporary security credentials and IAM role ARN.

Access keys

AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are the two parts of access keys. They are long-term credentials for an IAM user, or the AWS account root user. Please see AWS Access Keys and Secret Access Keys for more details.

Temporary security credentials

Temporary security credentials has a limited lifetime and consists of an access key ID, a secret access key, and a security token which typically returned from GetSessionToken. MFA-enabled IAM users would need to submit an MFA code while calling GetSessionToken. default_region identifies the AWS Region whose servers you want to send your first API request to by default. This is typically the Region closest to you, but it can be any Region. Please see Temporary Security Credentials for more details.

sts get-session-token AWS CLI can be used to generate temporary credentials. For example. with MFA-enabled:

aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456

Because temporary security credentials are short term, after they expire, the user needs to generate new ones and manually update the package configuration in order to continue collecting aws metrics. This will cause data loss if the configuration is not updated with new credentials before the old ones expire.

IAM role ARN

An IAM role is an IAM identity that you can create in your account that has specific permissions that determine what the identity can and cannot do in AWS. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate temporary credentials. Please see AssumeRole API documentation for more details.

Supported Formats

  1. Use access keys: Access keys include access_key_id, secret_access_key and/or session_token.
  2. Use role_arn: role_arn is used to specify which AWS IAM role to assume for generating temporary credentials. If role_arn is given, the package will check if access keys are given. If not, the package will check for credential profile name. If neither is given, default credential profile will be used. Please make sure credentials are given under either a credential profile or access keys.
  3. Use credential_profile_name and/or shared_credential_file: If access_key_id, secret_access_key and role_arn are all not given, then the package will check for credential_profile_name. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file. If there is no credential_profile_name given, the default profile will be used. shared_credential_file is optional to specify the directory of your shared credentials file. If it's empty, the default directory will be used. In Windows, shared credentials file is at C:\Users\<yourUserName>\.aws\credentials. For Linux, macOS or Unix, the file locates at ~/.aws/credentials. Please see Create Shared Credentials File for more details.

AWS Permissions

Specific AWS permissions are required for the IAM user to make specific AWS API calls. In order to enable AWS integration to collect metrics and logs from all supported service, please make sure these permissions are given:

  • ec2:DescribeInstances
  • ec2:DescribeRegions
  • cloudwatch:GetMetricData
  • cloudwatch:ListMetrics
  • iam:ListAccountAliases
  • rds:DescribeDBInstances
  • rds:ListTagsForResource
  • s3:GetObject
  • sns:ListTopics
  • sqs:ChangeMessageVisibility
  • sqs:DeleteMessage
  • sqs:ListQueues
  • sqs:ReceiveMessage
  • sts:AssumeRole
  • sts:GetCallerIdentity
  • tag:GetResources

Changelog

VersionDetails
1.14.8
Bug fix View pull request
Fix http.response.status_code to accept 000
1.14.7
Bug fix View pull request
Fix aws.dimensions.* for rds data stream

Bug fix View pull request
Fix aws.dimensions.* for sns data stream

Bug fix View pull request
Add aws.dimensions.* for dynamodb data stream
1.14.6
Enhancement View pull request
Improve s3 integration tile title and description
1.14.5
Bug fix View pull request
Fix duplicate titles for integrations
1.14.4
Bug fix View pull request
Fix cloudfront integration grok pattern
1.14.3
Enhancement View pull request
Add new pattern to VPC Flow logs including all 29 v5 fields
1.14.2
Bug fix View pull request
Fix billing dashboard.
1.14.1
Enhancement View pull request
Add documentation for multi-fields
1.14.0
Enhancement View pull request
Add configuration for max_number_of_messages to the aws.firewall_logs S3 input.
1.13.1
Bug fix View pull request
Fix metricbeat- reference in dashboard
1.13.0
Enhancement View pull request
Compress dashboard screenshots.
1.12.1
Bug fix View pull request
Fix field mapping conflicts in the elb_logs data stream relating to ECS fields (trace.id, source.port, and a few others).
1.12.0
Enhancement View pull request
Add CloudFront Logs Datastream
1.11.4
Bug fix View pull request
Add Ingest Pipeline script to map IANA Protocol Numbers
1.11.3
Bug fix View pull request
Changing missing ecs versions to 8.0.0
1.11.2
Bug fix View pull request
Add data_stream.dataset option for custom aws-cloudwatch log input
1.11.1
Bug fix View pull request
Update permission list
1.11.0
Enhancement View pull request
Update to ECS 8.0
1.10.2
Enhancement View pull request
Change cloudwatch metrics and logs default to false
1.10.1
Enhancement View pull request
Add description of supported vpcflow formats
1.10.0
Enhancement View pull request
Add cloudwatch input into AWS package for log collection
1.9.0
Enhancement View pull request
Add Route 53 Resolver Logs Datastream
1.8.0
Enhancement View pull request
Add Route 53 Public Zone Logs Datastream
1.7.1
Bug fix View pull request
Regenerate test files using the new GeoIP database
1.7.0
Enhancement View pull request
Add integration for AWS Network Firewall
1.6.2
Bug fix View pull request
Change test public IPs to the supported subset
1.6.1
Enhancement View pull request
Fix the value of event.created in CloudTrail data stream.
1.6.0
Enhancement View pull request
Add max_number_of_messages config option to AWS S3 input config.
1.5.1
Enhancement View pull request
Add missing sample events
1.5.0
Enhancement View pull request
Support Kibana 8.0
1.4.1
Enhancement View pull request
Add Overview dashboard for AWS S3 Storage Lens
1.4.0
Enhancement View pull request
Add integration for AWS S3 Storage Lens
1.3.2
Enhancement View pull request
Uniform with guidelines
1.3.1
Enhancement View pull request
Add config parameter descriptions
1.3.0
Enhancement View pull request
Add WAF datastream
1.2.2
Bug fix View pull request
Prevent pipeline script error
1.2.1
Bug fix View pull request
Fix logic that checks for the 'forwarded' tag
1.2.0
Enhancement View pull request
Update to ECS 1.12.0
1.1.0
Enhancement View pull request
vpcflow sync with filebeat fileset
1.0.0
Enhancement View pull request
Release AWS as GA
0.10.7
Enhancement View pull request
Add proxy config
0.10.6
Bug fix View pull request
Fix aws.billing.EstimatedCharges field name
0.10.5
Bug fix View pull request
Add event.created field
0.10.4
Enhancement View pull request
Improve RDS dashboard
0.10.3
Enhancement View pull request
Convert to generated ECS fields
0.10.2
Enhancement View pull request
update to ECS 1.11.0
0.10.1
Enhancement View pull request
Escape special characters in docs
0.10.0
Enhancement View pull request
Update integration description
0.9.3
Bug fix View pull request
Fix categories for each policy template
0.9.2
Enhancement View pull request
Add linked account information into billing metricset
0.9.1
Bug fix View pull request
Fix aws.s3access pipeline when remote IP is a -
0.9.0
Enhancement View pull request
Change default credential options to access keys
0.8.0
Enhancement View pull request
Set "event.module" and "event.dataset"
0.7.0
Enhancement View pull request
Introduce granularity using input_groups
0.6.4
Enhancement View pull request
Add support for Splunk authorization tokens
0.6.3
Bug fix View pull request
Fix bug in Third Party ingest pipeline
0.6.2
Bug fix View pull request
Removed incorrect http.request.referrer field from elb logs
0.6.1
Enhancement View pull request
Add support for CloudTrail Digest & Insight logs
0.6.0
Enhancement View pull request
Update ECS version, add event.original and preparing for package GA
0.5.6
Bug fix View pull request
Fix stack compatability
0.5.5
Enhancement View pull request
Allow role_arn work with access keys for AWS
0.5.4
Enhancement View pull request
Rename s3 input to aws-s3.
0.5.3
Enhancement View pull request
Add missing "geo" fields
0.5.2
Enhancement View pull request
update to ECS 1.9.0
0.5.1
Bug fix View pull request
Ignore missing "json" field in ingest pipeline
0.5.0
Enhancement View pull request
Moving edge processors to ingest pipeline
0.4.2
Enhancement View pull request
Updating package owner
0.4.1
Bug fix View pull request
Correct sample event file.
0.4.0
Enhancement View pull request
Add changes to use ECS 1.8 fields.
0.0.3
Enhancement View pull request
initial release
Last updated: May 12th, 2022