Configuring an Amazon AWS Route 53 log source by using an S3 bucket with a directory prefix

You can collect AWS Route 53 Resolver query logs from a single account and region in an Amazon S3 bucket. Add a log source on the QRadar® Console so that Amazon AWS Route 53 can communicate with QRadar by using the Amazon AWS S3 REST API protocol with a directory prefix.

Before you begin

If you have log sources in an S3 bucket from multiple regions or you are using multiple accounts, use the Configuring an Amazon AWS Route 53 log source that uses an S3 bucket with an SQS queue procedure.

About this task

A log source that uses directory prefix can retrieve data from only one region and one account. Use a different log source for each region and account. Include the region folder name in the file path for the Directory Prefix parameter value when you configure the log source.

Procedure

  1. Configure Resolver query logging. When you configure the Query logs destination parameter, select S3 bucket for the value.
  2. Find an S3 bucket name and directory prefix for Amazon AWS Route 53.
  3. Create an Amazon AWS Identity and Access Management (IAM) user and then apply the AmazonS3ReadOnlyAccess policy.
  4. Configure the security credentials for you AWS user account.
  5. Amazon AWS S3 REST API log source parameters for Amazon AWS Route 53 when using a directory prefix.