How to harmonize logs in Control Tower Logging Account

0

Hi, I am searching for the best way to harmonize logs in the Control Tower Logging Account and am not able to find a suitable answer in the AWS documentation.

Requirements:

  • Environment is a multi-account setup with the help of AWS Control Tower, aggregating all logs from member accounts into a central Logging account
  • Logs from multiple AWS services should be aggregated in a structured and harmonized way

Issue:

  • AWS Control Tower enables two AWS logging services by default: CloudTrail and Config
  • Both services store their log files in a different bucket structure, as seen below (see "Situation")
  • As both services are managed by Control Tower, we seem to be unable to change the structure in which logs are stored
  • We would like to harmonize the structure for better log processing (for CloudTrail, Config, and potentially others, like FlowLogs)

Situation:

  • Structure for CloudTrail:
    {bucketname}/{org-id}/AWSLogs/{org-id}/{account#}/CloudTrail/*
  • Structure for Config:
    {bucketname}/{org-id}/AWSLogs/{account#}/Config/*

-> Expected:
Every AWS service logs in the same structure - without the second {org-id}:
{bucketname}/{org-id}/AWSLogs/{account#}/{aws-service}/*

1 Answer
2
Accepted Answer

Hello Andre,

I think AWS Control Tower has certain limitations when it comes to changing the default log storage structure for AWS services like CloudTrail and Config.

However, you can work around these limitations by configuring log data forwarding from Control Tower's logging account to your desired centralized location. Try the following high-level approach to harmonize logs from multiple AWS services in a multi-account setup:

  1. Centralized Logging Account Setup:
    • Ensure that you have a dedicated centralized logging account that will receive and harmonize logs from multiple member accounts.
  2. Create S3 Buckets for Harmonized Logs:
    • In the centralized logging account, create S3 buckets with the desired structure for each AWS service you want to aggregate logs for. For example:
      s3://central-logging-bucket/CloudTrail/
      s3://central-logging-bucket/Config/
  3. Set Up Cross-Account Access:
    • In each member account, configure cross-account access permissions to allow the centralized logging account to access the S3 buckets created in step 2. Use bucket policies and IAM roles to establish these permissions.
  4. Configure CloudTrail Log Forwarding:
    • In each member account, configure CloudTrail to deliver log files to the centralized logging S3 bucket created for CloudTrail logs. You can set up log file validation to ensure data integrity during transit.
  5. Configure Config Log Forwarding (Optional):
    • Similar to CloudTrail, you can configure AWS Config to deliver log files to the centralized logging S3 bucket created for Config logs. This might require custom Lambda functions or other mechanisms depending on your specific requirements.
  6. Other AWS Service Log Forwarding (Optional):
    • For other AWS services like VPC Flow Logs or Lambda logs, follow similar procedures to configure log forwarding to the centralized logging S3 buckets.
  7. Harmonize Data in Centralized Storage:
    • Once logs are delivered to the centralized S3 buckets, you can implement Lambda functions, AWS Glue, or other ETL (Extract, Transform, Load) processes to harmonize the data into the desired structure. You can organize the data by account, service, and time as needed.
  8. Set Up Log Analytics and Monitoring:
    • Implement log analytics and monitoring solutions in the centralized logging account to efficiently search, analyze, and visualize the log data. AWS services like Amazon Athena, Amazon Elasticsearch, or third-party tools can help with this.
  9. Testing and Validation:
    • Ensure that log forwarding and harmonization processes work as expected by testing them in a controlled environment. Verify that logs are organized and stored according to your requirements.
  10. Documentation and Maintenance:
    • Document the log forwarding and harmonization processes and ensure that they are well-documented for future reference and maintenance.

Please give a thumbs up if my suggestion helps

answered 7 months ago
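As an added illustration of step 7 (example code, not from the answer or from AWS): a key-rewriting Lambda that copies objects delivered in the two Control Tower layouts quoted in the question into the harmonized {org-id}/AWSLogs/{account#}/{aws-service}/ layout. The HARMONIZED_BUCKET environment variable, the S3 event trigger wiring and the sample keys are assumptions; keys in an unknown layout are skipped rather than misfiled.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote_plus

# Patterns constructed from the two layouts quoted in the question; the org id
# format (o-xxxx) and the 12-digit account id follow AWS conventions.
ORG = r"(?P<org>o-[a-z0-9]+)"
ACCOUNT = r"(?P<account>\d{12})"
# CloudTrail repeats the org id: {org}/AWSLogs/{org}/{account}/CloudTrail*/...
# (CloudTrail-Digest and CloudTrail-Insight share that prefix, hence the suffix).
CLOUDTRAIL_KEY = re.compile(
    rf"^{ORG}/AWSLogs/(?P=org)/{ACCOUNT}/(?P<service>CloudTrail[A-Za-z-]*)/(?P<rest>.+)$"
)
# Config already uses the target layout: {org}/AWSLogs/{account}/Config/...
CONFIG_KEY = re.compile(rf"^{ORG}/AWSLogs/{ACCOUNT}/(?P<service>Config)/(?P<rest>.+)$")


def harmonized_key(key: str) -> Optional[str]:
    """Map a Control Tower log key onto {org}/AWSLogs/{account}/{service}/...

    Returns None for keys matching neither layout (including a CloudTrail key
    whose two org ids disagree), so the caller skips instead of misfiling them.
    """
    match = CLOUDTRAIL_KEY.match(key) or CONFIG_KEY.match(key)
    if match is None:
        return None
    m = match.groupdict()
    return f"{m['org']}/AWSLogs/{m['account']}/{m['service']}/{m['rest']}"


def lambda_handler(event: dict, _context=None) -> dict:
    """S3 ObjectCreated trigger: copy each new log object to the harmonized bucket
    under its rewritten key. HARMONIZED_BUCKET is a hypothetical env var."""
    import boto3  # imported here so harmonized_key() stays testable without boto3

    s3 = boto3.client("s3")
    target_bucket = os.environ["HARMONIZED_BUCKET"]
    copied, skipped = [], []
    for record in event.get("Records", []):
        src_bucket = record["s3"]["bucket"]["name"]
        src_key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded
        dst_key = harmonized_key(src_key)
        # Skip unknown layouts, and never copy into the bucket that fired the
        # event: that would re-trigger this function and loop (and double cost).
        if dst_key is None or src_bucket == target_bucket:
            skipped.append(src_key)
            continue
        s3.copy_object(Bucket=target_bucket, Key=dst_key,
                       CopySource={"Bucket": src_bucket, "Key": src_key})
        copied.append(dst_key)
    return {"copied": copied, "skipped": skipped}
```

The original objects stay in the Control Tower bucket, so a lifecycle rule on that bucket (or a move instead of a copy) is needed if the duplicate storage is a cost concern.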
  • Thanks a lot for your comprehensive answer. Forwarding the logs to a desired structure would mean each log needs to be written twice, which means I would generate double the required cost - at least compared to a situation where I could configure the structure.

    Considering the price impact: Any additional comments on this?
