Hello Orlando,
I have provided the answers for your questions below:
- Your understanding is correct with respect to the Log Archive account. The Log Archive account serves as the central hub for archiving logs across your AMS multi-account landing zone environment. There is an S3 bucket in the account that contains copies of AWS CloudTrail and AWS Config log files from each of the AMS multi-account landing zone environment accounts. You could use this account for your Centralized Logging solution with AWS Firehose, or Splunk, and so forth.
- Yes, you can enable VPC flow logs and logs from other applications to send their logs to the Log Archive account. Depending upon the application that you are using, the configuration would be needed for the log delivery. For VPC logs you can go over the following blog post from AWS: https://aws.amazon.com/blogs/mt/how-to-enable-vpc-flow-logs-automatically-using-aws-config-rules/
- Yes. To receive compliance change notifications in email sent to your audit account, subscribe to this Amazon SNS topic: arn:aws:sns:AWSRegion:AuditAccount:aws-controltower-AggregateSecurityNotifications
  SNS topics and notifications you can receive:
  - The aws-controltower-AllConfigNotifications topic: It receives notifications from AWS Config regarding compliance, noncompliance, and change. It also receives notifications from AWS CloudTrail on log file delivery.
  - The aws-controltower-SecurityNotifications topic: One of these topics exists for each supported AWS Region. It receives compliance, noncompliance, and change notifications from AWS Config in that Region. It forwards all incoming notifications to aws-controltower-AggregateSecurityNotifications.
  - The aws-controltower-AggregateSecurityNotifications topic: This topic exists in each supported AWS Region. It receives compliance change notifications from the Region.
- AWS Control Tower accomplishes logging of actions and events automatically, through its integration with AWS CloudTrail and AWS Config, and it records them in CloudWatch. All actions are logged, including actions from the AWS Control Tower management account and from your organization's member accounts. You can set up a workflow depending on the SIEM tool and push all the logs from the S3 buckets to the SIEM that you are using. I have posted the following blog post for "Increasing observability in your AWS Control Tower landing zone with Dynatrace": https://aws.amazon.com/blogs/awsmarketplace/increasing-observability-in-your-aws-control-tower-landing-zone-with-dynatrace/
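As an added illustration of the SNS-to-SIEM path described in the answer above (not code from the answer or from AWS), the handler below shows how a Lambda subscribed to aws-controltower-AggregateSecurityNotifications can flatten the AWS Config compliance-change messages it receives into SIEM-ready records and keep only resources that just drifted to NON_COMPLIANT. The message schema, the account/region/resource values and the sample event are assumptions constructed for the example.

```python
"""Flatten AWS Control Tower aggregate security notifications for a SIEM."""
import json
from typing import Any

# Constructed Lambda SNS event: one AWS Config compliance change (assumed
# ComplianceChangeNotification schema) and one CloudTrail log-delivery notice.
SAMPLE_EVENT = {"Records": [
    {"Sns": {
        "TopicArn": "arn:aws:sns:us-east-1:111111111111:aws-controltower-AggregateSecurityNotifications",
        "Message": json.dumps({
            "messageType": "ComplianceChangeNotification",
            "awsAccountId": "222222222222", "awsRegion": "us-east-1",
            "configRuleName": "AWSControlTower-S3-BUCKET-PUBLIC-READ-PROHIBITED",
            "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
            "oldEvaluationResult": {"complianceType": "COMPLIANT"},
            "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}})}},
    {"Sns": {
        "TopicArn": "arn:aws:sns:us-east-1:111111111111:aws-controltower-AggregateSecurityNotifications",
        "Message": "CloudTrail log file delivered to example-log-archive-bucket"}},
]}


def parse_sns_records(event: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one flat record per AWS Config compliance-change message in the event."""
    records = []
    for rec in event.get("Records", []):
        sns = rec.get("Sns", {})
        try:
            body = json.loads(sns.get("Message", ""))
        except json.JSONDecodeError:
            continue  # free-text notices (e.g. CloudTrail delivery) are not compliance data
        if body.get("messageType") != "ComplianceChangeNotification":
            continue
        records.append({
            "account": body.get("awsAccountId"), "region": body.get("awsRegion"),
            "rule": body.get("configRuleName"), "resource_type": body.get("resourceType"),
            "resource_id": body.get("resourceId"),
            "old": (body.get("oldEvaluationResult") or {}).get("complianceType"),
            "new": (body.get("newEvaluationResult") or {}).get("complianceType"),
        })
    return records


def drifted(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Keep transitions into NON_COMPLIANT; these are the events worth alerting on."""
    return [r for r in records if r["new"] == "NON_COMPLIANT" and r["old"] != "NON_COMPLIANT"]


def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """Lambda entry point: parse, filter, and hand alerts to the SIEM forwarder (print here)."""
    alerts = drifted(parse_sns_records(event))
    for alert in alerts:
        print(json.dumps(alert))  # replace with the forwarder for your SIEM
    return {"parsed": len(parse_sns_records(event)), "alerts": len(alerts)}
```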
I also have experience integrating these logs into Darktrace and Azure Sentinel.