AWS Security Monitoring

Monitoring your AWS logs is essential for maintaining the security and integrity of your AWS environment. AWS logs contain a wealth of information about user activity, system events, and application performance that can help you identify and address potential security issues, and compliance violations.

Through our cloud-native managed SIEM, we can monitor and analyze your AWS CloudTrail events, S3 Server access Logs, VPC flows, and many other services. Our analysts will monitor and investigate security events such as unauthorized access, failed logins, and suspicious network activity, allowing you to respond to potential security incidents quickly.

The FoxTech SIEM collects these from an S3 bucket within your AWS account, using IAM credentials for most AWS services. By default, we will delete logs delivered to S3 once they have been collected.

AWS SIEM Integration

The high-level steps for enabling us to ingest your AWS logs are:

  1. Create an S3 bucket in which to store logs
  2. Enable logging to S3 in the desired services. Set the S3 bucket prefix to the name of the S3 service as shown below.
  3. Create an IAM user called “foxtech-soc” or similar, with permission to read and delete files from the S3 bucket.
  4. Provide us with:
    a. AWS Access Key ID
    b. AWS Secret Access Key
    c. S3 Bucket Name
    d. Services being logged (from below)

AWS Services using Logging to S3 Service & S3 Bucket prefix to use

How to enable logging to S3









The following services use different Mechanisms.

Cloudwatch Logs
Our SIEM will fetch the log groups you specify directly through the AWS APIs. Please:

  1. Create an IAM account through which to fetch the logs
  2. Grant the IAM account permissions to read the chosen CloudWatch log groups
  3. Provide FoxTech with the list of log groups to be fetched. By default we’ll fetch that log group from all regions.


Generally, we recommend enabling at a minimum CloudTrail and S3 Server Access Logs and VPC flow logs.