{"id":1662,"date":"2019-01-28T10:50:34","date_gmt":"2019-01-28T10:50:34","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=1662"},"modified":"2019-01-29T11:55:47","modified_gmt":"2019-01-29T11:55:47","slug":"centralized-logging","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=1662","title":{"rendered":"Centralized Logging"},"content":{"rendered":"<p><a href=\"http:\/\/wiki.thomasandsofia.com\/2018\/08\/20\/aws-certified-solutions-architect-professional-overview\/\">Main Menu<\/a><\/p>\n<h1>Menu<\/h1>\n<ul>\n<li>Centralized Logging Architecture<\/li>\n<li>Cross-Account Logging for CloudTrail and Config<\/li>\n<\/ul>\n<h1>Centralized Logging Architecture<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249226?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249226?start=0<\/a><\/p>\n<h2>Overview<\/h2>\n<p>A comprehensive log management and analysis strategy is mission critical in an organization.<\/p>\n<p>It enables the organization to understand the relationships between operational, security and change management events and maintain a comprehensive understanding of its infrastructure.<\/p>\n<p>Logs from various services (CloudTrail, Config, VPC Flow Logs, etc.) 
can be forwarded to a specific S3 bucket then analyzed using 3rd party tools such as Splunk.<\/p>\n<h2>Considerations while implementing Logging<\/h2>\n<ul>\n<li>Define log retention requirements and lifecycle policies early on\n<ul>\n<li>Especially important if you have compliance rules regarding retention<\/li>\n<\/ul>\n<\/li>\n<li>Incorporate tools and features to automate the lifecycle policies<\/li>\n<li>Automate the installation and configuration of the <strong>log shipping agent<\/strong>\n<ul>\n<li>Consider EC2 instances launched with Auto Scaling.<\/li>\n<li>Can be added as user data or at the AMI level<\/li>\n<\/ul>\n<\/li>\n<li>Make sure the solution supports hybrid environments<\/li>\n<\/ul>\n<h2>AWS Services<\/h2>\n<p>Ways to configure centralized logging will be different for each AWS service (CloudTrail, Config, etc.)<\/p>\n<ul>\n<li>AWS ElasticSearch Service<\/li>\n<li>AWS CloudWatch Logs<\/li>\n<li>Kinesis Firehose<\/li>\n<li>AWS S3<\/li>\n<\/ul>\n<h2>Implementation Overview<\/h2>\n<ul>\n<li>Use a centralized account for storing the logs.<\/li>\n<li>Create a folder with each sub-account&#8217;s Account ID to store their logs.\n<ul>\n<li>Example: BucketName \/ AWSLogs \/ CloudTrail \/ AcctID \/ Region \/ ResourceId<\/li>\n<\/ul>\n<\/li>\n<li>Configure the logging service (CloudTrail, Config, etc.) to use the storage service (ElasticSearch, S3, etc.) 
on the shared account<\/li>\n<li>Configure the service on the shared account with the permissions to receive the logs.\n<ul>\n<li>Bucket Policies, etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Cross-Account Logging for CloudTrail and Config<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249266?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249266?start=0<\/a><\/p>\n<h2>Getting started with Logging<\/h2>\n<p>A comprehensive log management and analysis strategy is mission critical in an organization.<\/p>\n<p>It enables the organization to understand the relationships between operational, security and change management events and maintain an understanding of their infrastructure.<\/p>\n<h2>Procedure<\/h2>\n<ul>\n<li>Set up an S3 bucket in the Centralized account for each service to log.\n<ul>\n<li>acctname-region-cloudtrail\n<ul>\n<li>Add the CloudTrail bucket policy\n<ul>\n<li>Make sure you edit the default policy&#8217;s ARN to match that of the current bucket (2 places)\n<ul>\n<li>Example:\u00a0 &#8220;Resource&#8221;: &#8220;arn:aws:s3:::acctname-region-cloudtrail&#8221;,<\/li>\n<\/ul>\n<\/li>\n<li>Under &#8220;Action&#8221;: &#8220;s3:PutObject&#8221;, add \/* to the end of the ARN\n<ul>\n<li>Example: &#8220;Resource&#8221;: &#8220;arn:aws:s3:::acctname-region-cloudtrail<strong>\/*<\/strong>&#8220;,<\/li>\n<\/ul>\n<\/li>\n<li>Make sure the Principal Service is set for CloudTrail (2 places)\n<ul>\n<li>Example: &#8220;Principal&#8221;: { &#8220;Service&#8221;: &#8220;cloudtrail.amazonaws.com&#8221; },<\/li>\n<\/ul>\n<\/li>\n<li>[ Save ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>acctname-region-config\n<ul>\n<li>Add the CloudTrail bucket policy\n<ul>\n<li>Make sure you edit the default policy&#8217;s ARN to match that of the current bucket (2 places)\n<ul>\n<li>Example:\u00a0 &#8220;Resource&#8221;: 
&#8220;arn:aws:s3:::acctname-region-config&#8221;,<\/li>\n<\/ul>\n<\/li>\n<li>Under &#8220;Action&#8221;: &#8220;s3:PutObject&#8221;, add \/* to the end of the ARN\n<ul>\n<li>Example: &#8220;Resource&#8221;: &#8220;arn:aws:s3:::acctname-region-config<strong>\/*<\/strong>&#8220;,<\/li>\n<\/ul>\n<\/li>\n<li>Make sure the Principal Service is set for Config (2 places)\n<ul>\n<li>Example: &#8220;Principal&#8221;: { &#8220;Service&#8221;: &#8220;config.amazonaws.com&#8221; },<\/li>\n<\/ul>\n<\/li>\n<li>[ Save ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Set up CloudTrail in the remote acct.\n<ul>\n<li>Services &gt; CloudTrail &gt; Trails &gt; [ Create trail ]\n<ul>\n<li>Trail name:<\/li>\n<li>Apply to all regions: yes or no<\/li>\n<\/ul>\n<\/li>\n<li>Storage location\n<ul>\n<li>Create a new S3 bucket: ( x ) No<\/li>\n<li>S3 bucket: Use the corresponding S3 bucket&#8217;s name you created previously for the CloudTrail service.<\/li>\n<\/ul>\n<\/li>\n<li>[ Create ]<\/li>\n<\/ul>\n<\/li>\n<li>Set up Config in the remote account.\n<ul>\n<li>Services &gt; Config &gt; [ Get started ]<\/li>\n<li>&gt; Settings\n<ul>\n<li>Resource types to record\n<ul>\n<li>All resources: [ x ] Record all resources supported in this region<\/li>\n<\/ul>\n<\/li>\n<li>Amazon S3 bucket\n<ul>\n<li>( x ) Choose a bucket from another account<\/li>\n<\/ul>\n<\/li>\n<li>Bucket name: Use the corresponding S3 bucket&#8217;s name you created previously for the Config service.<\/li>\n<li>AWS Config role: ( x ) Use an existing AWS Config service-linked role<\/li>\n<li>[ Next ]<\/li>\n<\/ul>\n<\/li>\n<li>&gt; AWS Config Rules\n<ul>\n<li>[ Skip ]<\/li>\n<\/ul>\n<\/li>\n<li>&gt; Review\n<ul>\n<li>[ Confirm ]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Confirm everything is set up correctly\n<ul>\n<li>In the Shared acct &gt; S3 &gt; config bucket you should see the following structure\n<ul>\n<li>\/AWSLogs\/ACCTNUMBER\/Config\/Config\n<ul>\n<li>WriteabilityCheckFile: verifies the bucket permissions are 
set correctly.\u00a0 If this file doesn&#8217;t exist, the Config account cannot write to the bucket.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Similar results for CloudTrail.\u00a0 This will take longer to create and will not create the writeability check file.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Main Menu Menu Centralized Logging Architecture Cross-Account Logging for CloudTrail and Config Centralized Logging Architecture https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13249226?start=0 Overview A comprehensive log management and analysis strategy is mission critical in an organization. It enables the organization to understand the relationships between operational, security and change management events and maintain a comprehensive understanding of its infrastructure. Logs from ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=1662\" title=\"read more...\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,38],"tags":[],"class_list":["post-1662","post","type-post","status-publish","format-standard","hentry","category-amazon-web-services-aws","category-certified-solutions-architect-professional"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1662"}],"version-history":[{"count":7,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1662\/revisions"}],"predecessor-version":[{"id":1670,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1662\/revisions\/1670"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1662"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}