Centralized Logging

  • Centralized Logging Architecture
  • Cross-Account Logging for CloudTrail and Config

Centralized Logging Architecture

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/13249226?start=0

Overview

A comprehensive log management and analysis strategy is mission critical in an organization.

It enables organizations to understand the relationships between operational, security and change management events and to maintain a comprehensive understanding of their infrastructure.

Logs from various services (CloudTrail, Config, VPC Flow Logs, etc.) can be forwarded to a specific S3 bucket then analyzed using 3rd party tools such as Splunk.

Considerations while implementing Logging

  • Define log retention requirements and lifecycle policies early on
    • Especially important if you have compliance rules governing retention
  • Incorporate tools and features to automate the lifecycle policies
  • Automate the installation and configuration of the log shipping agent
    • Consider EC2 instances launched by Auto Scaling.
    • Can be added as user data or baked into the AMI
  • Make sure the solution supports hybrid environments (on-premises plus AWS) where needed

AWS Services

The way centralized logging is configured differs for each AWS service (CloudTrail, Config, etc.). Services commonly used as the log destination or pipeline:

  • Amazon Elasticsearch Service
  • AWS CloudWatch Logs
  • Kinesis Firehose
  • AWS S3

Implementation Overview

  • Use a centralized account for storing the logs.
  • Create a folder with each sub-account’s Account ID to store their logs.
    • Example: BucketName / AWSLogs / CloudTrail / AcctID / Region / ResourceId
  • Configure the logging service (CloudTrail, Config, etc.) in each sub-account to use the alternate storage service (Elasticsearch, S3, etc.) in the shared account
  • Configure the service in the shared account with the permissions needed to receive the logs.
    • Bucket Policies, etc.

Cross-Account Logging for CloudTrail and Config

https://www.udemy.com/aws-certified-solutions-architect-professional/learn/v4/t/lecture/13249266?start=0

Getting started with Logging

A comprehensive log management and analysis strategy is mission critical in an organization.

It enables the organization to understand the relationships between operational, security and change management events and maintain an understanding of their infrastructure.

Procedure

  • Set up an S3 bucket in the centralized account for each service to log.
    • acctname-region-cloudtrail
      • Add the CloudTrail bucket policy
        • Make sure you edit the default policy's ARN to match that of the current bucket (2 places); note the S3 ARN has three colons before the bucket name
          • Example: "Resource": "arn:aws:s3:::acctname-region-cloudtrail",
        • Under "Action": "s3:PutObject", add /* to the end of the ARN
          • Example: "Resource": "arn:aws:s3:::acctname-region-cloudtrail/*",
        • Make sure the Principal Service is set for CloudTrail (2 places)
          • Example: "Principal": { "Service": "cloudtrail.amazonaws.com" },
        • [ Save ]
    • acctname-region-config
      • Add the CloudTrail bucket policy (same template, edited for Config as below)
        • Make sure you edit the default policy's ARN to match that of the current bucket (2 places)
          • Example: "Resource": "arn:aws:s3:::acctname-region-config",
        • Under "Action": "s3:PutObject", add /* to the end of the ARN
          • Example: "Resource": "arn:aws:s3:::acctname-region-config/*",
        • Make sure the Principal Service is set for Config (2 places)
          • Example: "Principal": { "Service": "config.amazonaws.com" },
        • [ Save ]
  • Set up CloudTrail in the remote account.
    • Services > CloudTrail > Trails > [ Create trail ]
      • Trail name:
      • Apply to all regions: yes or no
    • Storage location
      • Create a new S3 bucket: ( x ) No
      • S3 bucket: Use the corresponding S3 bucket’s name you created previously for the CloudTrail service.
    • [ Create ]
  • Set up Config in the remote account.
    • Services > Config > [ Get started ]
    • > Settings
      • Resource types to record
        • All resources: [ x ] Record all resources supported in this region
      • Amazon S3 bucket
        • ( x ) Choose a bucket from another account
      • Bucket name: Use the corresponding S3 bucket’s name you created previously for the Config service.
      • AWS Config role: ( x ) Use an existing AWS Config service-linked role
      • [ Next ]
    • > AWS Config Rules
      • [ Skip ]
    • > Review
      • [ Confirm ]
  • Confirm everything is set up correctly
    • In the shared account > S3 > config bucket you should see the following structure
      • /AWSLogs/ACCTNUMBER/Config/Config
        • WriteabilityCheckFile: verifies the bucket permissions are set correctly. If this file doesn't exist, the Config account cannot write to the bucket.
    • Similar results for CloudTrail. This will take longer to appear and will not create a writeability check file.
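As an added example (not from the course or the notes above), the following Python builds the central-bucket policy that the procedure above edits by hand and re-checks the three things the notes say to verify (bucket ARN, /* on PutObject, correct service principal). It goes one step beyond the notes: instead of granting PutObject on the whole bucket with /*, it scopes each source account to its own AWSLogs/<account-id>/ prefix and requires bucket-owner-full-control, so one member account cannot overwrite another's logs. Bucket and account IDs are constructed placeholders.

```python
# Services the cross-account logging procedure covers, mapped to their principals.
LOG_SERVICES = {
    "cloudtrail": "cloudtrail.amazonaws.com",
    "config": "config.amazonaws.com",
}


def build_log_bucket_policy(service, bucket, account_ids):
    """Bucket policy letting CloudTrail or Config from the listed member accounts
    deliver into the central bucket. Same shape as the default policy in the notes
    (GetBucketAcl on the bucket, PutObject on objects, Principal = the service),
    but PutObject is scoped per source account and requires the canned ACL
    bucket-owner-full-control so the central account owns every delivered object."""
    principal = {"Service": LOG_SERVICES[service]}
    bucket_arn = f"arn:aws:s3:::{bucket}"  # three colons: region and account fields are empty
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AclCheck", "Effect": "Allow", "Principal": principal,
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn},
            {"Sid": "Write", "Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObject",
             "Resource": [f"{bucket_arn}/AWSLogs/{acct}/*" for acct in account_ids],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def check_log_bucket_policy(policy, service, bucket):
    """Return the problems a reviewer would flag; [] means the policy passes the
    notes' checks: ARN names this bucket, PutObject ends in /*, Principal is the service."""
    problems = []
    expected_principal = LOG_SERVICES[service]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "?")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Principal", {}).get("Service") != expected_principal:
            problems.append(f"{sid}: Principal is not {expected_principal}")
        for res in resources:
            if not (res == bucket_arn or res.startswith(bucket_arn + "/")):
                problems.append(f"{sid}: resource {res!r} does not match bucket ARN {bucket_arn}")
            elif stmt.get("Action") == "s3:PutObject" and not res.endswith("/*"):
                problems.append(f"{sid}: PutObject resource must end with /*")
    return problems


if __name__ == "__main__":
    policy = build_log_bucket_policy("cloudtrail", "acctname-region-cloudtrail", ["111111111111"])
    print(check_log_bucket_policy(policy, "cloudtrail", "acctname-region-cloudtrail") or "policy OK")
```

Run the check against the policy you pasted into the console before saving; a two-colon ARN or a missing /* is reported by name.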
