AWS Config - baseline for enabling access logging and S3 buckets in member accounts


Hello Team.

I am searching some way to create a baseline with config rules or another aws service for enabling access logging and S3 buckets in member accounts to collect logs in every AWS Account, and to replicate these logs to a central S3 buckets in log archive account. Is there any way? or how have you automated the process for enabling s3 access logging in all accounts under organizations?

Thank you

asked 8 months ago299 views
1 Answer


To achieve this kind of automation, you can use a combination of AWS services (Primarily, Config rule, Lambda Function, and CFn Stacksets).

Flow could look like this:

  1. Create a Config rule that checks whether S3 Access Logging is enabled on S3 buckets [1]. If not, it triggers a remediation action.
  2. Create a Lambda function for remediation action to enable S3 Access logging. You can, alternatively, use SSM Automation for remediation action [2].
  3. Create a Cloudformation Stackset to deploy them (Config rule & Lambda) across all accounts in your Organizations [3].

Note: You would also need to configure appropriate IAM roles and permissions for the resources.

For aggregating logs to a central S3 buckets in log archive account, you would need to add replication rules to your existing buckets, and configure the destination bucket(s) in the central logging account. It depends on a lot of factors on how you want your logging design to be, including, replication of all buckets or just a few, whether they will all be replicated to one bucket or different, and so on. You can accordingly design and create automation for the same. If you need further insights on this, please share your specific requirements on this.



profile picture
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions