AWS Cloudwatch - centralized logs


Hello Team.

I have some questions:

1. I have Control Tower implemented; this created a Log Archive account, where I understand all logs from accounts are stored, right? Logs from CloudTrail, Config, or anything else?

2. I would like to enable VPC Flow Logs and logs from other apps; is it possible? Should I only provide the S3 bucket location used for Log Archive?

3. Also, I understand that the Audit account will send notifications for non-compliance using the email associated with the Audit account. Could I add another email for these notifications?

4. I understand AWS Control Tower uses CloudWatch Logs for centralized logs, correct? If so, could AWS centralized logs integrate with a SIEM or monitoring application such as Elastic, Dynatrace, etc.?

Thank you.

1 Answer

Hello Orlando,

I have provided the answers for your questions below:

  1. Your understanding is correct with respect to the Log Archive account. The Log Archive account serves as the central hub for archiving logs across your AMS multi-account landing zone environment. There is an S3 bucket in the account that contains copies of AWS CloudTrail and AWS Config log files from each of the AMS multi-account landing zone environment accounts. You could use this account for your Centralized Logging solution with AWS Firehose, Splunk, and so forth.

  2. Yes, you can enable VPC Flow Logs and logs from other applications to send their logs to the Log Archive account. Depending on the application that you are using, configuration would be needed for the log delivery. For VPC logs you can go over the following blog post from AWS: https://aws.amazon.com/blogs/mt/how-to-enable-vpc-flow-logs-automatically-using-aws-config-rules/

  3. Yes. To receive compliance change notifications in email sent to your Audit account, subscribe to this Amazon SNS topic: arn:aws:sns:AWSRegion:AuditAccount:aws-controltower-AggregateSecurityNotifications

SNS topics and notifications you can receive:

  • The aws-controltower-AllConfigNotifications topic: It receives notifications from AWS Config regarding compliance, noncompliance, and change. It also receives notifications from AWS CloudTrail on log file delivery.

  • The aws-controltower-SecurityNotifications topic: One of these topics exists for each supported AWS Region. It receives compliance, noncompliance, and change notifications from AWS Config in that Region. It forwards all incoming notifications to aws-controltower-AggregateSecurityNotifications.

  • The aws-controltower-AggregateSecurityNotifications topic: This topic exists in each supported AWS Region. It receives compliance change notifications from the Region.

  4. AWS Control Tower accomplishes logging of actions and events automatically, through its integration with AWS CloudTrail and AWS Config, and it records them in CloudWatch. All actions are logged, including actions from the AWS Control Tower management account and from your organization's member accounts. You can set up a workflow depending on the SIEM tool and push all the logs from the S3 buckets to the SIEM that you are using. I have posted the following blog post, "Increasing observability in your AWS Control Tower landing zone with Dynatrace": https://aws.amazon.com/blogs/awsmarketplace/increasing-observability-in-your-aws-control-tower-landing-zone-with-dynatrace/
AWS
answered 7 months ago
EXPERT
reviewed 7 months ago
  • I also have experience integrating these logs into Darktrace and Azure Sentinel.
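An added example for the SIEM workflow described in point 4 of the answer (it is not part of the answer, nor AWS code): a Python function that takes one CloudTrail delivery file as it lands in the Log Archive bucket and normalises its records into flat events a SIEM can ingest. The organization-trail object-key layout is an assumption, and the sample file is constructed inline.

```python
import gzip
import io
import json
import re

# Assumed key layout of an organization trail in the Log Archive bucket:
# AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<file>.json.gz
KEY_RE = re.compile(
    r"^AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
)

def parse_key(key: str) -> dict:
    """Recover org, member account and region from the S3 object key."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail object key: {key}")
    return {"org": m.group("org"), "account": m.group("account"), "region": m.group("region")}

def flatten_records(key: str, body: bytes) -> list:
    """Gunzip a CloudTrail delivery file and return one flat dict per API call."""
    meta = parse_key(key)
    with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
        doc = json.load(gz)  # CloudTrail files are {"Records": [...]}
    events = []
    for rec in doc.get("Records", []):
        ident = rec.get("userIdentity", {})
        events.append({
            "time": rec.get("eventTime"),
            "source_account": meta["account"],          # from the key, not the record
            "region": rec.get("awsRegion", meta["region"]),
            "service": rec.get("eventSource"),
            "action": rec.get("eventName"),
            "actor": ident.get("arn") or ident.get("type"),  # service calls carry no ARN
            "source_ip": rec.get("sourceIPAddress"),
            "error": rec.get("errorCode"),                # None on success
        })
    return events

# Constructed sample: one gzipped CloudTrail file with two records (not real data).
SAMPLE_KEY = "AWSLogs/o-exampleorg/111122223333/CloudTrail/us-east-1/2024/01/01/111122223333_CloudTrail_us-east-1_20240101T0000Z_abc.json.gz"
SAMPLE_BODY = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-01T00:01:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-west-2", "sourceIPAddress": "lambda.amazonaws.com", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}},
]}).encode())
```

In a real pipeline the key and body come from the S3 event notification and `GetObject` on the Log Archive bucket; the returned dicts are what you would ship to the SIEM.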
