The AWS integration enables comprehensive monitoring of security events from your Amazon Web Services infrastructure. Events are collected directly through the AWS API and displayed in the Wazuh Dashboard.

Overview

The AWS integration monitors security events from various AWS services including CloudTrail, S3, VPC Flow Logs, GuardDuty, and more. All events are tagged with wazuh.integration.name: aws for easy filtering and analysis. Reference: plugins/main/common/wazuh-modules.ts:79

Supported AWS Services

The integration collects events from:
  • CloudTrail - API activity and governance logs
  • S3 - Storage bucket access and operations
  • VPC Flow Logs - Network traffic monitoring
  • GuardDuty - Threat detection service events
  • CloudWatch - Monitoring and logging events
  • IAM - Identity and access management activities
  • EC2 - Compute instance events
  • Config - Resource configuration tracking
  • WAF - Web Application Firewall logs
  • Inspector - Security assessment findings
  • Macie - Data security and privacy events

Key Features

  • Real-time security event collection via the AWS API
  • Multi-account monitoring support
  • Multi-region event aggregation
  • S3 bucket-based log ingestion
  • Automatic event parsing and enrichment
  • Pre-built dashboards and visualizations

Data Source Configuration

The AWS data source uses the following configuration:
const AWS_GROUP_KEY = 'wazuh.integration.name';
const AWS_GROUP_VALUE = 'aws';
Reference: plugins/main/public/components/common/data-source/pattern/events/aws/aws-data-source.ts:5

Event Fields

AWS events include the following key fields:
  • data.aws.source - AWS service source (CloudTrail, S3, etc.)
  • data.aws.accountId - AWS account identifier
  • data.aws.region - AWS region where the event occurred
  • data.aws.log_info.s3bucket - S3 bucket containing logs
Reference: plugins/main/public/components/overview/amazon-web-services/dashboards/dashboard_panels.ts:54

Setup and Configuration

Prerequisites

  • AWS account with appropriate permissions
  • Wazuh manager with AWS module enabled
  • API credentials (Access Key ID and Secret Access Key)
  • S3 buckets configured for log storage (optional)

Configuration Steps

  1. Create IAM User
    • Create a dedicated IAM user for Wazuh integration
    • Attach appropriate policies for log access
    • Generate access keys
  2. Configure Required Permissions
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "cloudtrail:LookupEvents",
            "cloudtrail:GetTrailStatus",
            "guardduty:ListDetectors",
            "guardduty:GetFindings",
            "guardduty:ListFindings"
          ],
          "Resource": "*"
        }
      ]
    }
    
  3. Configure Wazuh Manager
    • Edit /var/ossec/etc/ossec.conf
    • Add AWS module configuration
    • Specify credentials and services to monitor
  4. Enable AWS Integration
    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
      <bucket type="cloudtrail">
        <name>your-cloudtrail-bucket</name>
        <access_key>YOUR_ACCESS_KEY</access_key>
        <secret_key>YOUR_SECRET_KEY</secret_key>
      </bucket>
    </wodle>
    
  5. Verify Configuration
    • Restart Wazuh manager
    • Check logs for successful connection
    • Verify events appear in dashboard
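As an added preflight check (example code written for this page, not part of the Wazuh project), the Python script below reads an IAM policy document and an aws-s3 wodle block and reports what would stop steps 2 through 5 from working: required actions missing from the policy, S3 actions granted on Resource "*" instead of the log bucket, a module left disabled, and bucket names or credentials still set to the sample placeholders. The policy and XML embedded in it are copied from steps 2 and 4; the scoped policy variant, its bucket name example-cloudtrail-logs, and the placeholder list are assumptions made for the example.

```python
import json
import xml.etree.ElementTree as ET

# Actions the page's step 2 policy grants; treated here as the required set.
REQUIRED_ACTIONS = {
    "s3:GetObject", "cloudtrail:LookupEvents", "cloudtrail:GetTrailStatus",
    "guardduty:ListDetectors", "guardduty:GetFindings", "guardduty:ListFindings",
}
# Sample values from the page's step 4 snippet that must be replaced before enabling.
PLACEHOLDERS = {"your-cloudtrail-bucket", "YOUR_ACCESS_KEY", "YOUR_SECRET_KEY"}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)


def check_policy(policy_json, bucket):
    """Findings for an IAM policy document; an empty list means it passes.

    Requires every action in REQUIRED_ACTIONS and flags S3 actions granted on
    Resource "*" instead of the log bucket. Non-S3 actions are left on "*" here,
    which is a simplification of this check, not a statement about those services.
    """
    findings, allowed = [], set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        allowed.update(actions)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"wildcard action in {actions}")
        s3_actions = sorted(a for a in actions if a.startswith("s3:"))
        if s3_actions and "*" in resources:
            findings.append(f"{s3_actions} allowed on Resource '*'; scope to "
                            f"arn:aws:s3:::{bucket} and arn:aws:s3:::{bucket}/*")
    missing = sorted(REQUIRED_ACTIONS - allowed)
    if missing:
        findings.append(f"missing required actions: {missing}")
    return findings


def check_wodle(ossec_xml):
    """Findings for an aws-s3 wodle; accepts the bare <wodle> or a whole <ossec_config>."""
    root = ET.fromstring(ossec_xml)
    wodle = root if root.tag == "wodle" else root.find(".//wodle[@name='aws-s3']")
    if wodle is None or wodle.get("name") != "aws-s3":
        return ['no <wodle name="aws-s3"> block found']
    findings = []
    if (wodle.findtext("disabled") or "").strip() != "no":
        findings.append("<disabled> is not 'no'; the module will not run")
    buckets = wodle.findall("bucket")
    if not buckets:
        findings.append("no <bucket> element configured")
    for b in buckets:
        if not b.get("type"):
            findings.append("<bucket> has no type attribute")
        for tag in ("name", "access_key", "secret_key"):
            value = (b.findtext(tag) or "").strip()
            if value in PLACEHOLDERS:
                findings.append(f"<{tag}> still holds the sample placeholder '{value}'")
            elif tag == "name" and not value:
                findings.append("<bucket> has no <name>")
    return findings


# The policy and wodle as the page shows them (step 2 and step 4).
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "cloudtrail:LookupEvents", "cloudtrail:GetTrailStatus",
             "guardduty:ListDetectors", "guardduty:GetFindings", "guardduty:ListFindings"],
  "Resource": "*"}]}"""
PAGE_WODLE = """<wodle name="aws-s3">
  <disabled>no</disabled><interval>10m</interval>
  <run_on_start>yes</run_on_start><skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>your-cloudtrail-bucket</name>
    <access_key>YOUR_ACCESS_KEY</access_key><secret_key>YOUR_SECRET_KEY</secret_key>
  </bucket>
</wodle>"""
# Constructed variant: the S3 grant scoped to an assumed bucket, example-cloudtrail-logs.
SCOPED_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject"],
   "Resource": ["arn:aws:s3:::example-cloudtrail-logs", "arn:aws:s3:::example-cloudtrail-logs/*"]},
  {"Effect": "Allow", "Action": ["cloudtrail:LookupEvents", "cloudtrail:GetTrailStatus",
     "guardduty:ListDetectors", "guardduty:GetFindings", "guardduty:ListFindings"],
   "Resource": "*"}]}"""

if __name__ == "__main__":
    print("page policy   ->", check_policy(PAGE_POLICY, "your-cloudtrail-bucket") or "OK")
    print("scoped policy ->", check_policy(SCOPED_POLICY, "example-cloudtrail-logs") or "OK")
    print("page wodle    ->", check_wodle(PAGE_WODLE) or "OK")
```

Run it after editing /var/ossec/etc/ossec.conf and before restarting the manager; check_wodle accepts the whole file content, so the contents of ossec.conf can be passed in directly. The page's own policy produces one finding (s3:GetObject on Resource "*") and its wodle produces three (the three placeholders), which is the expected state before the values are filled in.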

Dashboard Visualizations

The AWS integration includes pre-built visualizations:

Overview Dashboard

  • Sources - Pie chart showing top AWS services generating events
  • Accounts - Distribution of events across AWS accounts
  • Buckets - Top S3 buckets by event volume
  • Regions - Geographic distribution of AWS events
  • Events Over Time - Timeline of AWS security events
References:
  • plugins/main/public/components/overview/amazon-web-services/dashboards/dashboard_panels.ts:8
  • plugins/main/public/components/overview/amazon-web-services/dashboards/dashboard_panels.ts:69
  • plugins/main/public/components/overview/amazon-web-services/dashboards/dashboard_panels.ts:132

Filtering Events

All AWS events can be filtered using:
wazuh.integration.name: "aws"
Additional filters:
  • By service: data.aws.source: "cloudtrail"
  • By account: data.aws.accountId: "123456789012"
  • By region: data.aws.region: "us-east-1"
  • By S3 bucket: data.aws.log_info.s3bucket: "my-logs-bucket"

Use Cases

Security Monitoring

  • Track unauthorized API calls
  • Monitor privilege escalation attempts
  • Detect suspicious IAM activities
  • Identify unusual data access patterns
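The Python example below (added for this page; it is not code from the Wazuh dashboard plugin) shows what the Filtering Events section and the Security Monitoring use cases above mean in terms of concrete alert documents. It parses filters in the `field: "value"` form the page uses, applies them to a set of constructed sample alerts that carry wazuh.integration.name and the data.aws.* fields the page lists, computes the per-source, per-account and per-bucket counts behind the Overview dashboard panels, and then runs two detection checks over the CloudTrail events: API calls that AWS rejected, and successful calls from an IAM change watch-list. The sample events are constructed, and it is an assumption that the CloudTrail record fields eventName, errorCode and userIdentity appear under data.aws in your alerts; the IAM watch-list is one chosen for the example, and the filter parser handles only the single-field syntax shown on the page.

```python
import re
from collections import Counter


def _aws(source, account, region, bucket, **extra):
    """Build one constructed AWS alert document in the shape the page describes."""
    aws = {"source": source, "accountId": account, "region": region,
           "log_info": {"s3bucket": bucket}}
    aws.update(extra)  # assumed: CloudTrail record fields also live under data.aws
    return {"wazuh": {"integration": {"name": "aws"}}, "data": {"aws": aws}}


# Constructed sample alerts: three CloudTrail records, one GuardDuty finding and
# one non-AWS alert that the integration filter must exclude.
SAMPLE_EVENTS = [
    _aws("cloudtrail", "123456789012", "us-east-1", "my-logs-bucket",
         eventName="DescribeInstances", errorCode="Client.UnauthorizedOperation",
         userIdentity={"arn": "arn:aws:iam::123456789012:user/analyst"}),
    _aws("cloudtrail", "123456789012", "us-east-1", "my-logs-bucket",
         eventName="AttachUserPolicy",
         userIdentity={"arn": "arn:aws:iam::123456789012:user/contractor"}),
    _aws("cloudtrail", "210987654321", "eu-west-1", "eu-logs-bucket",
         eventName="ListBuckets",
         userIdentity={"arn": "arn:aws:iam::210987654321:role/backup"}),
    _aws("guardduty", "123456789012", "us-east-1", "my-logs-bucket"),
    {"wazuh": {"integration": {"name": "office365"}}, "data": {"office365": {}}},
]

# The page's filter form: a dotted field name, a colon and a double-quoted value.
FILTER_RE = re.compile(r'^\s*([\w.]+)\s*:\s*"([^"]*)"\s*$')


def get_path(doc, path):
    """Walk a dotted field path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def parse_filter(text):
    """Parse e.g. data.aws.source: "cloudtrail" into ("data.aws.source", "cloudtrail")."""
    m = FILTER_RE.match(text)
    if not m:
        raise ValueError(f"unsupported filter syntax: {text!r}")
    return m.group(1), m.group(2)


def filter_events(events, *filters):
    """Keep the events that satisfy every given field: "value" filter."""
    pairs = [parse_filter(f) for f in filters]
    return [e for e in events if all(get_path(e, f) == v for f, v in pairs)]


def top_counts(events, field):
    """Event count per value of a field, highest first (the pie-chart aggregation)."""
    counts = Counter()
    for e in events:
        value = get_path(e, field)
        if value is not None:
            counts[value] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# CloudTrail error codes that mean the API call was rejected by AWS.
DENIED_CODES = {"AccessDenied", "AccessDeniedException",
                "UnauthorizedOperation", "Client.UnauthorizedOperation"}
# IAM API calls that change who can do what; a watch-list chosen for this example.
IAM_WATCHLIST = {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
                 "AttachRolePolicy", "UpdateAssumeRolePolicy", "CreateLoginProfile"}


def unauthorized_api_calls(events):
    """CloudTrail events whose errorCode shows the call was denied."""
    return [e for e in filter_events(events, 'data.aws.source: "cloudtrail"')
            if get_path(e, "data.aws.errorCode") in DENIED_CODES]


def sensitive_iam_changes(events):
    """Successful CloudTrail events whose eventName is on the IAM watch-list."""
    return [e for e in filter_events(events, 'data.aws.source: "cloudtrail"')
            if get_path(e, "data.aws.eventName") in IAM_WATCHLIST
            and get_path(e, "data.aws.errorCode") is None]


if __name__ == "__main__":
    aws = filter_events(SAMPLE_EVENTS, 'wazuh.integration.name: "aws"')
    for field in ("data.aws.source", "data.aws.accountId", "data.aws.log_info.s3bucket"):
        print(field, top_counts(aws, field))
    for e in unauthorized_api_calls(aws) + sensitive_iam_changes(aws):
        print("review:", get_path(e, "data.aws.eventName"), get_path(e, "data.aws.userIdentity.arn"))
```

The first filter in the main block is the one the page gives for all AWS events; adding the per-service, per-account, per-region or per-bucket filters from the Filtering Events section narrows the set the same way the dashboard does. The two detection functions deliberately key on different things: a denied call is interesting regardless of its name, while an IAM change is only interesting when it succeeded, so the second check skips events that carry an errorCode.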

Compliance Auditing

  • PCI DSS compliance monitoring
  • HIPAA audit trail verification
  • GDPR data access logging
  • SOC 2 access control validation

Threat Detection

  • GuardDuty findings analysis
  • Anomalous network traffic detection
  • Malicious IP address identification
  • Cryptocurrency mining detection

Operational Monitoring

  • Resource provisioning tracking
  • Configuration change detection
  • Service availability monitoring
  • Cost optimization insights

Troubleshooting

No Events Appearing

  • Verify AWS credentials are correct
  • Check IAM permissions are sufficient
  • Ensure AWS module is enabled in Wazuh
  • Verify S3 bucket names and paths
  • Check network connectivity to AWS API

Missing Events from Specific Services

  • Confirm service logging is enabled in AWS
  • Verify logs are being written to S3
  • Check CloudTrail configuration
  • Ensure service is supported by integration

Performance Issues

  • Adjust polling intervals
  • Configure specific services instead of all services
  • Use S3-based log collection for high volume
  • Implement log filtering at source

Security Best Practices

  1. Use Least Privilege - Grant only necessary permissions
  2. Rotate Credentials - Regularly rotate access keys
  3. Enable MFA - Require multi-factor authentication
  4. Monitor the Monitor - Track integration access patterns
  5. Encrypt Credentials - Store credentials securely
  6. Use IAM Roles - Prefer roles over static credentials when possible
