Route 53 resolver query logging is configured on a VPC-by-VPC basis by which you must:
- Create or use an existing S3 bucket to store the logs
- Enable Route 53 resolver query logging to the S3 bucket
- Adjust the S3 bucket policy to provide AlphaSOC access to the logs
- Create an SNS topic to notify when new logs are written to the S3 bucket
- Add a subscription under the SNS topic to send notifications to AlphaSOC
Please refer to the Amazon AWS documentation for the infrastructure configuration steps (1, 2, 4) above. The particular AlphaSOC steps (3, 5) to provide access to the S3 bucket and SNS topic are described below.
Note: The origin VPC, S3 bucket, and SNS topic must operate within the same AWS region. Customers with multi-region configurations will have to duplicate the configuration to log the content within each region and provide access to AlphaSOC, or move the logs to a centralized S3 bucket for use.
S3 Bucket Policy
To provide AlphaSOC access to the S3 bucket created or selected during step 1, please set the following policy, and replace
DOC-EXAMPLE-BUCKET with the name of the bucket. The policy for an S3 bucket can be set via the Amazon S3 console.
"Sid": "AlphaSOC access",
SNS Topic Subscription
To notify AlphaSOC of new log files written to the S3 bucket you must add the following subscription to the SNS topic that you had created during step 4. The subscription for an SNS topic can be set via the Amazon SNS console, as below.
The URL format is as follows, where
DOC-EXAMPLE-TOKEN is a value generated on the AlphaSOC side.
The URL including the
DOC-EXAMPLE-TOKEN value for your account can be found within the AlphaSOC console under the Credentials tab, as below. You can copy and paste this value over to the Amazon SNS console to configure the subscription.