IBM Support

QRadar: AWS Protocol using IAM role does not honor the region for the STS connectivity

Troubleshooting


Problem

With the local region set in the protocol parameters and 'Assume IAM role' selected in the log source configuration (because the event collector is an EC2 instance), the protocol does not honor the regional VPC STS endpoint.

Symptom

The protocol connects to the generic sts.amazonaws.com endpoint instead of the regional STS endpoint. This default endpoint resolves to a public IP address and cannot be changed in the log source configuration. In a private, closed environment there is no route to the public sts.amazonaws.com endpoint.

Cause

Regardless of the protocol parameters in the log source configuration, QRadar uses the default STS endpoint, which is in US East. Amazon's documentation (AWS STS Regionalized endpoints) recommends using the regional endpoint rather than the default.

Environment

Log Source Type: Amazon AWS CloudTrail
Protocol Type: Amazon Web Services

Diagnosing The Problem

In /var/log/qradar.error, you see an error related to the AWS Logs query:
com.q1labs.semsources.sources.amazonwebservices.api.threads.AWSCloudWatchThread: [ERROR] [NOT:0000003000][XXX.XXX.XXX.XXX/- -] [-/- -]An error was encounterd while executing AWSLogs query for [CloudWatch Logs - <region name>] and Log group: [ XXXXX ]
From the UI, in the protocol test output of the log source configuration, you see a connection timeout error:
Testing access to Cloudwatch Log Group [XXXXX] :: Region [<region name>] - Failed
 - Error: Error performing test :: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/XXX.XXX.XXX.XXX] failed: connect timed out
 - Debug: com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/XXX.XXX.XXX.XXX] failed: connect timed out

Resolving The Problem

  1. Check whether an AWS configuration already exists:
    ls -l /root/.aws/config
    Note: if the configuration exists, back it up first:
    cp -p /root/.aws/config /store/aws_config.backup
  2. Enable regional endpoints:
    mkdir -p /root/.aws/ && echo -e "[default]\nsts_regional_endpoints = regional" > /root/.aws/config
  3. During a maintenance window, restart Event Collection:
    systemctl restart ecs-ec-ingress
    Warning: Restarting ingress interrupts event collection for the duration of the restart.
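Step 2 above replaces /root/.aws/config outright, which loses any profiles or keys already present. The following helper is an added example (not part of the IBM technote) that applies the same setting in place: it backs the file up, sets sts_regional_endpoints = regional in the [default] profile, replaces a differing value, and adds the key or the section only when missing. The config and backup paths are supplied by the caller.

```shell
# Added example, not part of the IBM technote. Sets
# sts_regional_endpoints = regional in the [default] profile of an AWS
# config file while keeping other profiles and keys intact.
# Usage: ensure_sts_regional /root/.aws/config /store/aws_config.backup

ensure_sts_regional() {
    cfg="$1"      # e.g. /root/.aws/config
    backup="$2"   # e.g. /store/aws_config.backup
    mkdir -p "$(dirname "$cfg")"
    src=/dev/null
    if [ -f "$cfg" ]; then
        cp -p "$cfg" "$backup"   # step 1 of the technote: keep a copy first
        src="$cfg"
    fi
    tmp="$cfg.tmp.$$"
    # Section-aware rewrite: only lines inside [default] are touched.
    awk '
        /^\[/ {                                   # any profile header
            if (in_def && !done) { print "sts_regional_endpoints = regional"; done = 1 }
            in_def = ($0 == "[default]")
            print; next
        }
        in_def && /^[[:space:]]*sts_regional_endpoints[[:space:]]*=/ {
            if (!done) { print "sts_regional_endpoints = regional"; done = 1 }
            next                                  # drop old or duplicate value
        }
        { print }
        END {
            if (!done) {
                if (!in_def) print "[default]"    # no [default] section at all
                print "sts_regional_endpoints = regional"
            }
        }
    ' "$src" > "$tmp" && mv "$tmp" "$cfg"
}

# Verification: print the sts_regional_endpoints value in [default]
# (empty output when unset), e.g. before restarting ecs-ec-ingress.
sts_endpoint_mode() {
    awk -F= '
        /^\[/ { in_def = ($0 == "[default]"); next }
        in_def && $1 ~ /^[[:space:]]*sts_regional_endpoints[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit
        }
    ' "$1"
}
```

Running sts_endpoint_mode /root/.aws/config after the edit should print regional; if it prints nothing, the key landed outside the [default] profile and the SDK will not pick it up.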

Document Location

Worldwide


Document Information

Modified date:
16 January 2024

UID

ibm17107257