
Control Tower Log Sharing with Individual Accounts

0

I have a log use case and I'm looking for a best practice in the context of Control Tower.

With Control Tower we have an org-level CloudTrail that consolidates CloudTrail logs into our logging account, dividing them up by sub-folder for each account.

The teams that own the accounts would like to have access to their own logs. What's the best way to do this? Should I sync the logs out of that central bucket and back out into the individual accounts? Establish a second trail within the account itself?

2 Answers
2
Accepted Answer

Hi There

Both of your approaches will work; it may just come down to cost. With S3 replication, you are only going to pay for the S3 charges, and you have the option of storing the logs in a lower-tier storage class in the destination bucket, so this may be the cheaper way. See Replication Pricing. With CloudTrail, you are going to pay for the additional trail PLUS the S3 storage.

You can set up a replication rule in the Log Archive account on the CloudTrail logs bucket to replicate the logs to a bucket in the member account. You can filter the replication rule to only replicate the member account prefix, which is <org_id>/AWSLogs/<org_id>/<acct_id>/

You can follow the steps here to create a bucket in the member account that the source account will be able to replicate to.

You can also grant member accounts access directly to the source bucket. See https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html

AWS Expert, answered 2 years ago
Expert, reviewed 7 months ago
Expert, reviewed 8 months ago
  • Thank you Matt, I think these were the considerations I was looking for.

  • No problem! Also be aware that the member account already has access to the last 90 days of events in their own account through the CloudTrail console without doing any of the above.
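The two options in the accepted answer, as an added example that is not code from the answer or from AWS: a replication configuration for the Log Archive bucket filtered to one member's prefix (in the <org_id>/AWSLogs/<org_id>/<acct_id>/ layout the answer quotes), the bucket policy the member-owned destination bucket needs, and, for the direct-access option, source-bucket statements that let a member account list and read only its own prefix. The org id, account ids, bucket names and the replication role name are constructed placeholders; the role itself is assumed to already exist in the Log Archive account.

```python
"""Added example for the two options in the accepted answer (not code from the
answer): a replication rule filtered to one member's prefix plus the member-side
bucket policy, and a source-bucket policy granting a member its own prefix only.
Every identifier below is a constructed placeholder."""
import fnmatch
import json

ORG_ID = "o-exampleorgid"                 # constructed org id
LOG_ARCHIVE_ACCOUNT = "111111111111"      # constructed account ids
MEMBER_ACCOUNT = "222222222222"
SOURCE_BUCKET = "aws-controltower-logs-111111111111-us-east-1"
DEST_BUCKET = "cloudtrail-copy-222222222222"
# Replication role in the Log Archive account; assumed to exist already.
REPLICATION_ROLE = f"arn:aws:iam::{LOG_ARCHIVE_ACCOUNT}:role/s3-crr-to-member"


def account_prefix(org_id, account_id):
    """Per-account prefix in the layout the answer quotes."""
    return f"{org_id}/AWSLogs/{org_id}/{account_id}/"


def replication_config(org_id, account_id, dest_bucket, dest_account,
                       storage_class="STANDARD_IA"):
    """One rule matching only the member's prefix; replicas are owned by the
    member account and stored in a cheaper class."""
    return {"Role": REPLICATION_ROLE, "Rules": [{
        "ID": f"crr-{account_id}", "Priority": 1, "Status": "Enabled",
        "Filter": {"Prefix": account_prefix(org_id, account_id)},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": {
            "Bucket": f"arn:aws:s3:::{dest_bucket}", "Account": dest_account,
            "AccessControlTranslation": {"Owner": "Destination"},
            "StorageClass": storage_class}}]}


def destination_bucket_policy(dest_bucket, replication_role_arn):
    """Member-side bucket policy: let the source account's replication role
    write replicas and hand object ownership to the bucket owner."""
    role = {"AWS": replication_role_arn}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReplicaWrites", "Effect": "Allow", "Principal": role,
         "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                    "s3:ReplicateTags", "s3:ObjectOwnerOverrideToBucketOwner"],
         "Resource": f"arn:aws:s3:::{dest_bucket}/*"},
        {"Sid": "VersioningCheck", "Effect": "Allow", "Principal": role,
         "Action": ["s3:GetBucketVersioning", "s3:PutBucketVersioning"],
         "Resource": f"arn:aws:s3:::{dest_bucket}"}]}


def member_read_statements(source_bucket, org_id, account_id):
    """Direct-access option: list and read limited to the member's own prefix."""
    prefix = account_prefix(org_id, account_id)
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return [
        {"Sid": f"List{account_id}", "Effect": "Allow", "Principal": principal,
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{source_bucket}",
         "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
        {"Sid": f"Get{account_id}", "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{source_bucket}/{prefix}*"}]


def key_readable_by(statements, source_bucket, account_id, key):
    """Local check of the GetObject grants: does a statement for this account's
    root principal match the object ARN? IAM '*' spans '/', as fnmatch's does."""
    arn = f"arn:aws:s3:::{source_bucket}/{key}"
    return any(st["Action"] == "s3:GetObject"
               and st["Principal"]["AWS"] == f"arn:aws:iam::{account_id}:root"
               and fnmatch.fnmatchcase(arn, st["Resource"])
               for st in statements)


def apply_with_boto3(source_s3, dest_s3):
    """Push everything with two boto3 S3 clients (Log Archive, member). Both
    buckets must be versioned; the source policy is extended, not replaced."""
    dest_s3.put_bucket_versioning(
        Bucket=DEST_BUCKET, VersioningConfiguration={"Status": "Enabled"})
    dest_s3.put_bucket_policy(Bucket=DEST_BUCKET, Policy=json.dumps(
        destination_bucket_policy(DEST_BUCKET, REPLICATION_ROLE)))
    source_s3.put_bucket_replication(
        Bucket=SOURCE_BUCKET, ReplicationConfiguration=replication_config(
            ORG_ID, MEMBER_ACCOUNT, DEST_BUCKET, MEMBER_ACCOUNT))
    policy = json.loads(source_s3.get_bucket_policy(Bucket=SOURCE_BUCKET)["Policy"])
    policy["Statement"] += member_read_statements(SOURCE_BUCKET, ORG_ID, MEMBER_ACCOUNT)
    source_s3.put_bucket_policy(Bucket=SOURCE_BUCKET, Policy=json.dumps(policy))
```

Two caveats a practitioner will hit: replication only covers objects written after the rule exists (existing logs need S3 Batch Replication or a one-off copy), and if the log bucket's objects are encrypted with SSE-KMS the rule also needs SourceSelectionCriteria with SseKmsEncryptedObjects enabled and the replication role needs decrypt rights on the source key and encrypt rights on the destination key. Control Tower manages the source bucket, so after extending its policy check that the added statements survive its drift handling. The `key_readable_by` check is only a local sanity test of the resource pattern, not a full IAM policy evaluation; use the IAM policy simulator for that.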

0
AWS
answered 2 years ago
  • Thank you Kishor, but let me drill down on the use case a little and see if this still fits: I would like to grant these member accounts access to the logs, but I want them ONLY to have access to their own account-related logs. It looks like this would give them visibility to everything, which is not desirable.
