reference deployment

Sumo Logic Security Integrations on AWS

Automatically collect security events from AWS security services

This Quick Start automatically deploys Sumo Logic Security Integrations on the Amazon Web Services (AWS) Cloud. It's for people who want to configure Sumo Logic for 12 AWS services that provide security analytics for a single AWS account.

If you want to provide security analytics across multiple AWS accounts, see this Quick Start: Sumo Logic Security Integrations for AWS Organizations.

Sumo Logic is focused on continuous intelligence, a category of software that addresses data challenges presented by digital transformations, modern applications, and cloud computing. The Sumo Logic Continuous Intelligence Platform automates the collection, ingestion, and analysis of applications, infrastructure, security, and Internet of Things (IoT) data to derive actionable insights.

This Quick Start uses Sumo Logic Cloud SIEM (security information and incident management) powered by AWS. Sumo Logic Cloud SIEM uses apps to collect security events generated by AWS and other security services to provide an aggregate view of overall security and compliance posture.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

portworx logo

This Quick Start was developed by Sumo Logic in collaboration with AWS. Sumo Logic is an AWS Partner.

  •  What you'll build
  • This Quick Start sets up the following serverless architecture in a specific AWS account and Region in the AWS Cloud:

    • Amazon GuardDuty to detect malicious activity and behavior to protect AWS accounts and workloads.
    • Amazon Virtual Private Cloud (Amazon VPC) flow logs to capture information about IP traffic going to and from network interfaces.
    • Amazon CloudWatch to relay the Amazon VPC flow logs to the AWS Lambda functions.
    • AWS Security Hub to assess security alerts and security posture across AWS accounts. Security Hub relays security events to Amazon CloudWatch.
    • AWS WAF to protect your web applications from common web exploits.
    • AWS Config to record and evaluate configurations of your AWS resources.
    • AWS CloudTrail to track user activity and API (application programming interface) usage.
    • AWS Network Firewall to deploy essential network protections for all your Amazon virtual private clouds (VPCs).
    • Amazon Kinesis Data Firehose delivery streams to transfer logs from AWS WAF to the Amazon Simple Storage Service (Amazon S3) bucket.
    • Lambda integration functions to create a collector and multiple sources and to install apps on your Sumo Logic account.
    • An Amazon S3 bucket to capture logs from the various AWS services.
    • Amazon Simple Notification Service (Amazon SNS) to send alerts when a new object is saved to an S3 bucket.
    • The Sumo Logic collector and sources to receive logs from the S3 bucket.
  •  How to deploy
  • To deploy Sumo Logic Security Integrations on AWS, follow the instructions in the deployment guide. The deployment process takes about 10 minutes and includes these steps:

    1. Prepare your Sumo Logic account. If you don’t have a Sumo Logic enterprise account, create one at
    2. Sign in to your AWS account. If you don’t have an AWS account, sign up at
    3. Launch the Quick Start.
    4. Test the deployment.
    5. Complete the postdeployment steps.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start. For Sumo Logic pricing information, see the Sumo Logic website.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?