Using Amazon SQS with Google Security Operations

Jamf Protect Documentation


Jamf Protect's data compatibility with Amazon S3 buckets allows you to stream Amazon Simple Queue Service (SQS) notifications to Google Security Operations (formerly Google Chronicle). Amazon SQS provides data forwarding that Google Security Operations can more rapidly process during peak demand.

Requirements
  • A Google Security Operations instance

  • An Amazon S3 bucket for macOS Security data

  • An Amazon SQS instance and subscription

  • An IAM user with associated AWS access keys and secret keys. This user must have access to and permissions for Amazon SQS.

  1. Using the Amazon SQS console, create a queue.

    For more information, see Getting started with Amazon SQS in the Amazon Simple Queue Service Developer Guide.

  2. Replace the access policy attached to the queue with the following policy.
    1. In the Amazon SQS console, in the Queues list, select the queue name.
    2. On the Access policy tab, select Edit.
    3. Replace the access policy attached to the queue. In the policy, provide your Amazon SQS ARN, source bucket name, and bucket owner account ID.
      {
          "Version": "2012-10-17",
          "Id": "example-ID",
          "Statement": [
              {
                  "Sid": "example-statement-ID",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "s3.amazonaws.com"
                  },
                  "Action": [
                      "SQS:SendMessage"
                  ],
                  "Resource": "SQS-queue-ARN",
                  "Condition": {
                      "ArnLike": {
                          "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1"
                      },
                      "StringEquals": {
                          "aws:SourceAccount": "bucket-owner-account-id"
                      }
                  }
              }
          ]
      }
    4. Click Save.
  3. If the Amazon SQS queue or the Amazon SNS topic has server-side encryption enabled with AWS Key Management Service (AWS KMS), add the following policy to the associated symmetric encryption customer-managed key.
    You must add the policy to a customer-managed key because you cannot modify the AWS-managed key for Amazon SQS or Amazon SNS.
    {
        "Version": "2012-10-17",
        "Id": "example-ID",
        "Statement": [
            {
                "Sid": "example-statement-ID",
                "Effect": "Allow",
                "Principal": {
                    "Service": "s3.amazonaws.com"
                },
                "Action": [
                    "kms:GenerateDataKey",
                    "kms:Decrypt"
                ],
                "Resource": "*"
            }
        ]
    }
    For more information about using SSE for Amazon SQS and Amazon SNS with AWS KMS, see the following:
  4. Note the queue Amazon Resource Name (ARN).
    The SQS queue that you created is another resource in your AWS account. It has a unique ARN. You need this ARN in the next step. The ARN is of the following format:
    arn:aws:sqs:aws-region:account-id:queue-name
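The access policy in step 2 relies on two conditions, aws:SourceArn and aws:SourceAccount, to ensure that only the intended bucket in the intended account can send notifications to the queue; leaving a placeholder unfilled or dropping a condition silently widens who can write to it. The following script is an added example, not part of the Jamf Protect documentation or of any AWS tooling: it fills the three placeholders in the documented template, checks a policy against that shape before you paste it into the console, and parses the queue ARN from step 4. It uses only the Python standard library and makes no AWS calls; the bucket name, account ID and queue name are constructed sample values.

```python
"""Added example, not part of the Jamf Protect documentation: a local check of
the SQS queue access policy from step 2 and the queue ARN from step 4.
Standard library only; nothing here talks to AWS. Bucket name, account id and
queue name used below are constructed sample values."""
import copy
import json
import re
from typing import Dict, List

# Queue ARN format quoted in step 4: arn:aws:sqs:aws-region:account-id:queue-name
QUEUE_ARN_RE = re.compile(r"^arn:aws:sqs:([a-z0-9-]+):(\d{12}):([A-Za-z0-9_.-]{1,80})$")

# The access-policy template from step 2, with its placeholders still unfilled.
TEMPLATE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [{
        "Sid": "example-statement-ID",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": ["SQS:SendMessage"],
        "Resource": "SQS-queue-ARN",
        "Condition": {
            "ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1"},
            "StringEquals": {"aws:SourceAccount": "bucket-owner-account-id"}
        }
    }]
}
""")


def parse_queue_arn(arn: str) -> Dict[str, str]:
    """Split a queue ARN into region, account id and queue name; reject anything else."""
    m = QUEUE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an SQS queue ARN: {arn!r}")
    region, account_id, queue_name = m.groups()
    return {"region": region, "account_id": account_id, "queue_name": queue_name}


def fill_template(queue_arn: str, bucket: str, bucket_owner: str) -> dict:
    """Return a copy of TEMPLATE_POLICY with the three placeholders replaced."""
    parse_queue_arn(queue_arn)  # fail early on a malformed ARN
    policy = copy.deepcopy(TEMPLATE_POLICY)
    stmt = policy["Statement"][0]
    stmt["Resource"] = queue_arn
    stmt["Condition"]["ArnLike"]["aws:SourceArn"] = f"arn:aws:s3:*:*:{bucket}"
    stmt["Condition"]["StringEquals"]["aws:SourceAccount"] = bucket_owner
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(policy: dict, queue_arn: str, bucket: str, bucket_owner: str) -> List[str]:
    """Return findings (an empty list means the policy matches the documented shape).

    Besides catching unfilled placeholders, this verifies that only SendMessage is
    granted, that the principal is the S3 service, and that both conditions that keep
    the queue from accepting notifications from any other bucket or account
    (aws:SourceArn and aws:SourceAccount) are present and point at the right values."""
    findings: List[str] = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = policy.get("Statement") or []
    if not statements:
        return findings + ["policy has no Statement"]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect is not Allow")
        principal = stmt.get("Principal")
        if not (isinstance(principal, dict) and principal.get("Service") == "s3.amazonaws.com"):
            findings.append(f"{sid}: Principal must be the S3 service, not {principal!r}")
        # IAM action names are case-insensitive, so compare lower-cased.
        extra = [a for a in _as_list(stmt.get("Action", [])) if a.lower() != "sqs:sendmessage"]
        if extra:
            findings.append(f"{sid}: actions other than SendMessage granted: {extra}")
        if stmt.get("Resource") != queue_arn:
            findings.append(f"{sid}: Resource {stmt.get('Resource')!r} is not the queue ARN")
        condition = stmt.get("Condition") or {}
        if condition.get("ArnLike", {}).get("aws:SourceArn") != f"arn:aws:s3:*:*:{bucket}":
            findings.append(f"{sid}: aws:SourceArn does not restrict the sender to bucket {bucket!r}")
        if condition.get("StringEquals", {}).get("aws:SourceAccount") != bucket_owner:
            findings.append(f"{sid}: aws:SourceAccount does not restrict the sender to account {bucket_owner!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    arn = "arn:aws:sqs:us-east-1:123456789012:jamf-protect-queue"
    bucket, owner = "jamf-protect-logs", "123456789012"
    print(parse_queue_arn(arn))
    print("unfilled template:", check_policy(TEMPLATE_POLICY, arn, bucket, owner))
    print("filled template:", check_policy(fill_template(arn, bucket, owner), arn, bucket, owner))
```

Run it as-is to see the three findings the unfilled template produces (Resource, aws:SourceArn, aws:SourceAccount) and the empty list for the filled copy; substitute your own queue ARN, bucket name and bucket owner account ID to check the policy you are about to save in the console.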