Collect AWS IAM logs
Parser Version:1.0
This document explains how to ingest AWS Identity and Access Management (IAM) configuration data to Google Security Operations using the Third Party API feed.
The AWS IAM parser transforms the IAM entity data (users, groups, roles, and policies) into the structured Unified Data Model (UDM), extracting fields like user details, role information, permissions, and timestamps for consistent security analysis.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Privileged access to AWS Console
- Permissions to create IAM users and policies
Get Google SecOps IP ranges
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Make a note of the IP ranges displayed at the top of the page.
- Alternatively, retrieve IP ranges programmatically using the Feed Management API .
Create an IAM user with required permissions
CRITICAL:To allow Google SecOps to retrieve AWS IAM data using the API, you must create an IAM user with appropriate read permissions.
Option A: Use an AWS managed policy (Recommended)
- Create a Userfollowing the instructions in this guide: Creating an IAM user .
- Select the created User.
- Select the Security credentialstab.
- Click Create Access Keyin the Access Keyssection.
- Select Third-party serviceas Use case.
- Click Next.
- Optional: Add a description tag.
- Click Create access key.
- Click Download .csv fileto save the Access Key IDand Secret Access Keyfor future reference.
- Click Done.
- Select the Permissionstab.
- Click Add permissionsin the Permissions policiessection.
- Select Add permissions.
- Select Attach policies directly.
- Search for IAMReadOnlyAccess(AWS managed policy).
- Select the policy.
- Click Next.
- Click Add permissions.
Important:The IAMReadOnlyAccesspolicy includes all required permissions:
-
iam:GetUser -
iam:ListUsers -
iam:GetGroup -
iam:ListGroups -
iam:GetPolicy -
iam:ListPolicies -
iam:GetRole -
iam:ListRoles -
iam:ListAttachedUserPolicies -
iam:ListAttachedGroupPolicies -
iam:ListAttachedRolePolicies -
iam:GetAccountSummary
Option B: Create a custom policy (least privilege)
If your security policy requires minimal permissions instead of the managed policy:
- In the AWS console, go to IAM > Policies > Create policy > JSON tab.
-
Paste the following policy:
{ "Version" : "2012-10-17" , "Statement" : [ { "Effect" : "Allow" , "Action" : [ "iam:GetUser" , "iam:ListUsers" , "iam:GetGroup" , "iam:ListGroups" , "iam:GetPolicy" , "iam:ListPolicies" , "iam:GetRole" , "iam:ListRoles" , "iam:ListAttachedUserPolicies" , "iam:ListAttachedGroupPolicies" , "iam:ListAttachedRolePolicies" , "iam:GetAccountSummary" ], "Resource" : "*" } ] } -
Click Next.
-
Name the policy
chronicle-iam-api-read-policy. -
Click Create policy.
-
Create a Userfollowing the instructions in this guide: Creating an IAM user .
-
Select the created User.
-
Select the Security credentialstab.
-
Click Create Access Keyin the Access Keyssection.
-
Select Third-party serviceas Use case.
-
Click Next.
- Optional: Add a description tag.
-
Click Create access key.
-
Click Download .csv fileto save the Access Key IDand Secret Access Keyfor future reference.
-
Click Done.
-
Select the Permissionstab.
-
Click Add permissionsin the Permissions policiessection.
-
Select Add permissions.
-
Select Attach policies directly.
-
Search for and select
chronicle-iam-api-read-policy. -
Click Next.
-
Click Add permissions.
Configure a feed in Google SecOps to ingest IAM configuration data
The AWS IAM feed collects one IAM entity list per feed, selected by the API typefield ( Users, Roles, or Groups). To collect all IAM entities, create one feed for each API type, all using the AWS IAMlog type.
Using the Content Hub (recommended)
- Go to Content Hub > Content Packs > Get Started.
- Click the Amazon Cloud Platformpack.
- Find the AWS IAMlog type in the list.
- Select Third party APIfrom the Source Typedrop-down.
- Provide the following configuration details:
- Username: The Access Key ID from the IAM user created earlier.
- Secret: The Secret Access Key from the IAM user created earlier.
- API type: Select the IAM entity list to collect: Users, Roles, or Groups.
- Feed Name: A prepopulated value that identifies the feed (for example,
AWS IAM Users). - Asset Namespace: Namespace associated with the feed.
- Ingestion Labels: Labels applied to all events from this feed.
- Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .
Using SIEM settings
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed namefield, enter a name for the feed (for example,
AWS IAM API Configuration). - Select Third party APIas the Source type.
- Select AWS IAMas the Log type.
- Click Next.
- Specify values for the following input parameters:
- Username: The Access Key ID from the IAM user created earlier.
- Secret: The Secret Access Key from the IAM user created earlier.
- API type: Select the IAM entity list to collect: Users, Roles, or Groups.
- Asset namespace: The asset namespace .
- Ingestion labels: The label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalizescreen, and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
Group.CreateDate
|
entity.group.attribute.creation_time
|
Parsed as ISO8601
|
Group.Path
|
entity.group.attribute.labels.value
|
Directly mapped |
IsTruncated
|
entity.group.attribute.labels.value
|
Directly mapped |
Marker
|
entity.group.attribute.labels.value
|
Directly mapped |
Group.GroupName
|
entity.group.email_addresses
|
Merged |
Group.GroupName
|
entity.group.group_display_name
|
Directly mapped |
Group.GroupID
|
entity.group.product_object_id
|
Directly mapped |
RoleLastUsed.Region
|
entity.location.name
|
Directly mapped |
CreateDate
|
entity.resource.attribute.creation_time
|
Parsed as ISO8601
|
MaxSessionDuration
|
entity.resource.attribute.labels.value
|
Directly mapped |
Path
|
entity.resource.attribute.labels.value
|
Directly mapped |
RoleLastUsed.LastUsedDate
|
entity.resource.attribute.labels.value
|
Directly mapped |
AssumeRolePolicyDocument
|
entity.resource.attribute.permissions.name
|
Directly mapped |
Description
|
entity.resource.attribute.roles.description
|
Directly mapped |
RoleName
|
entity.resource.attribute.roles.name
|
Directly mapped |
Arn
|
entity.resource.name
|
Directly mapped |
Group.Arn
|
entity.resource.name
|
Directly mapped |
RoleID
|
entity.resource.product_object_id
|
Directly mapped |
CreateDate
|
entity.user.attribute.creation_time
|
Parsed as ISO8601
|
PasswordLastUsed
|
entity.user.last_login_time
|
Parsed as ISO8601
|
UserID
|
entity.user.product_object_id
|
Directly mapped |
UserName
|
entity.user.userid
|
Directly mapped |
PermissionsBoundary.PermissionsBoundaryArn
|
relations.entity.resource.attribute.labels.value
|
Directly mapped |
PermissionsBoundary.PermissionsBoundaryType
|
relations.entity.resource.attribute.labels.value
|
Directly mapped |
user.PermissionsBoundary.PermissionsBoundaryArn
|
relations.entity.resource.attribute.labels.value
|
Directly mapped |
user.PermissionsBoundary.PermissionsBoundaryType
|
relations.entity.resource.attribute.labels.value
|
Directly mapped |
user.Arn
|
relations.entity.resource.name
|
Directly mapped |
user.CreateDate
|
relations.entity.user.attribute.creation_time
|
Parsed as ISO8601
|
tag.Key
|
relations.entity.user.attribute.labels.key
|
Directly mapped |
Path
|
relations.entity.user.attribute.labels.value
|
Directly mapped |
tag.Value
|
relations.entity.user.attribute.labels.value
|
Directly mapped |
user.Path
|
relations.entity.user.attribute.labels.value
|
Directly mapped |
user.PasswordLastUsed
|
relations.entity.user.last_login_time
|
Parsed as ISO8601
|
user.UserID
|
relations.entity.user.product_object_id
|
Directly mapped |
user.UserName
|
relations.entity.user.userid
|
Directly mapped |
|
N/A
|
entity.group.attribute.labels.key
|
Constant: is_truncated
|
|
N/A
|
entity.resource.attribute.cloud.environment
|
Constant: AMAZON_WEB_SERVICES
|
|
N/A
|
entity.resource.attribute.labels.key
|
Constant: max_session_duration
|
|
N/A
|
entity.resource.resource_subtype
|
Constant: User
|
|
N/A
|
entity.resource.resource_type
|
Constant: ACCESS_POLICY
|
|
N/A
|
metadata.entity_type
|
Constant: USER
|
|
N/A
|
metadata.product_name
|
Constant: AWS IAM
|
|
N/A
|
metadata.vendor_name
|
Constant: AWS
|
|
N/A
|
relations.direction
|
Constant: UNIDIRECTIONAL
|
|
N/A
|
relations.entity.resource.attribute.labels.key
|
Constant: permissions_boundary_arn
|
|
N/A
|
relations.entity.resource.resource_subtype
|
Constant: User
|
|
N/A
|
relations.entity.user.attribute.labels.key
|
Constant: path
|
|
N/A
|
relations.entity_type
|
Constant: USER
|
|
N/A
|
relations.relationship
|
Constant: MEMBER
|
Change Log
View the Change Log for this parser
Need more help? Get answers from Community members and Google SecOps professionals.

