Hello Team.
I have implemented Control Tower, so I have management, audit, log archive and additional member accounts.
This setup has activated in every account some services such as:
AWS Config, CloudTrail, CloudWatch Logs, Lambda, EventBridge, SNS, S3 buckets (Log Archive). Additionally, I have enabled Controls (Guardrails), Security Hub, GuardDuty, Conformance Packs and VPC Flow Logs.
I noticed that for some events I receive SNS notifications from the Audit account, but I have some questions:
- When I need to troubleshoot some account or service, where should I look or search? CloudTrail, CloudWatch Logs, Lambda, EventBridge, SNS, S3 buckets (Log Archive)?
- I have 2 S3 buckets created by Control Tower in the Log Archive account. What is stored in these buckets? I was not able to see the content.
- I have CloudWatch Logs in the management account, where I think all logs about every account are stored. Is it correct, or what is stored in CW Logs?
- AWS Config is enabled in all accounts, but I have to enter every account to see non-compliant rules, for example rules from conformance packs. Is there any option for a centralized view for all accounts?
- AWS CloudTrail is enabled in all accounts, but I have to enter every account to see events. Is there any option for a centralized view for all accounts?
- SNS is enabled in the Audit account, and also in every account. For which events, logs and non-compliant services will I receive SNS notifications, and with what frequency?
- VPC Flow Logs can publish to CloudWatch Logs or S3. Could I use the existing CW Logs from the management account, or the S3 buckets from Log Archive, or should I create new ones?
- Is there any way to centralize logs for VPC Flow Logs, or any logs from any service, in the Log Archive account and obtain a centralized view?
- Apart from the email of the Audit account, could I use another email for SNS notifications?
Thanks a lot.
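The post asks where to look when troubleshooting a member account, given that CloudTrail events for every account end up in the Log Archive account. The following is an added example, not part of the original post or of any AWS-provided code: it parses CloudTrail delivery files in the format CloudTrail writes to S3 (gzipped JSON with a top-level `Records` list) and filters them by member account, service and error code. The sample records, account IDs and event names are constructed for the example; the parser does not depend on the bucket or key layout and reads the account from each record's `recipientAccountId` field, so it works regardless of how the files were downloaded.

```python
"""Parse CloudTrail delivery files (gzipped JSON, "Records" list) and
filter them per member account for troubleshooting from a central place.
Added example; sample data below is constructed, not real log content."""
import gzip
import json
from collections import Counter


def parse_cloudtrail_file(gz_bytes: bytes) -> list:
    """Decompress one CloudTrail delivery file and return its records."""
    payload = json.loads(gzip.decompress(gz_bytes))
    return payload.get("Records", [])


def filter_records(records, account_id=None, event_source=None, errors_only=False) -> list:
    """Keep records matching the member account, the AWS service (eventSource)
    and, optionally, only failed API calls (records carrying an errorCode)."""
    out = []
    for r in records:
        if account_id and r.get("recipientAccountId") != account_id:
            continue
        if event_source and r.get("eventSource") != event_source:
            continue
        if errors_only and "errorCode" not in r:
            continue
        out.append(r)
    return out


def summarize(records) -> dict:
    """Count events per (account, service, API call, error code); '-' means success."""
    counts = Counter(
        (r.get("recipientAccountId"), r.get("eventSource"),
         r.get("eventName"), r.get("errorCode", "-"))
        for r in records
    )
    return dict(counts)


def build_sample_file() -> bytes:
    """Constructed CloudTrail file with three records from two member accounts.
    Account IDs, ARNs and IPs are placeholders invented for this example."""
    records = [
        {"eventVersion": "1.08", "eventTime": "2024-01-10T09:00:00Z",
         "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
         "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
         "recipientAccountId": "111111111111"},
        {"eventVersion": "1.08", "eventTime": "2024-01-10T09:05:00Z",
         "eventSource": "ec2.amazonaws.com", "eventName": "CreateFlowLogs",
         "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
         "errorCode": "AccessDenied",
         "errorMessage": "User is not authorized to perform: ec2:CreateFlowLogs",
         "recipientAccountId": "111111111111"},
        {"eventVersion": "1.08", "eventTime": "2024-01-10T09:10:00Z",
         "eventSource": "config.amazonaws.com", "eventName": "PutConfigRule",
         "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"},
         "recipientAccountId": "222222222222"},
    ]
    return gzip.compress(json.dumps({"Records": records}).encode())


if __name__ == "__main__":
    recs = parse_cloudtrail_file(build_sample_file())
    # Typical troubleshooting question: which API calls failed in one member account?
    for r in filter_records(recs, account_id="111111111111", errors_only=True):
        print(r["eventTime"], r["eventSource"], r["eventName"], r["errorCode"])
    for key, n in summarize(recs).items():
        print(n, key)
```

With real files, read each `.json.gz` object downloaded from the Log Archive bucket and pass its bytes to `parse_cloudtrail_file`; the same filters then answer "what failed in account X" without logging in to that account.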