GSA / data.gov

Main repository for the data.gov service
https://data.gov

Falco logs go to CloudWatch #3823

Open FuhuXia opened 2 years ago

FuhuXia commented 2 years ago

User Story

In order to meet SI-3, data.gov security wants all Falco logs to be collected in CloudWatch.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

Background

Logs above warning level are sent to the Slack datagov-alerts channel by ticket https://github.com/GSA/data.gov/issues/3799 using the Slack webhook URL. All logs should be collected in CloudWatch for record keeping.

Security Considerations (required)

Related to SI-3.

Sketch

The EKS cluster has a CloudWatch log group created. Falco can send logs to it by setting falcosidekick.config.aws.cloudwatchlogs.loggroup, but it needs AWS credentials. We need to figure out a way to pass an AWS IAM role to the Falco pods, or we use a Fluent Bit DaemonSet to send all logs (Solr + Falco) to CloudWatch.

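One way to wire up the first option in the sketch above (an IAM role for the falcosidekick pod instead of static access keys), as an added example that is not code from the data.gov repo or from the Falco project: it uses EKS IAM Roles for Service Accounts (IRSA). The account ID, region, OIDC issuer ID, namespace `falco`, Helm release name `falco`, service account name `falco-falcosidekick`, log group `/aws/eks/datagov/falco` and role name `falcosidekick-cloudwatch` are placeholders chosen for the example. The functions render the trust policy, a permissions policy scoped to the one log group, and the chart values; `apply_irsa` holds the `aws`/`helm` commands that would run against a real cluster and assumes the cluster's OIDC provider is already registered in IAM.

```shell
#!/bin/sh
# Added example, not data.gov or Falco project code: give the falcosidekick pod
# an IAM role via IRSA so it can write to the existing CloudWatch log group
# without static AWS access keys. All identifiers below (account id, region,
# OIDC issuer id, namespace, service account, log group, role name) are
# placeholders; replace them for a real cluster.
set -eu

# IRSA trust policy. The "sub" condition is the least-privilege piece: without
# it any pod in the cluster holding a projected token could assume the role.
irsa_trust_policy() {
  account_id=$1; oidc_host=$2; namespace=$3; sa=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account_id}:oidc-provider/${oidc_host}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": {
      "${oidc_host}:aud": "sts.amazonaws.com",
      "${oidc_host}:sub": "system:serviceaccount:${namespace}:${sa}"
    } }
  }]
}
EOF
}

# Permissions policy scoped to the one log group. No logs:CreateLogGroup (the
# group already exists) and no "*" resource.
cloudwatch_logs_policy() {
  region=$1; account_id=$2; log_group=$3
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:DescribeLogStreams", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:${region}:${account_id}:log-group:${log_group}:*"
  }]
}
EOF
}

# Values for the falcosecurity/falco chart; falcosidekick is a subchart, so its
# keys sit under "falcosidekick" (the issue's falcosidekick.config.aws... path).
# The role-arn annotation is what the EKS pod identity webhook turns into
# AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE inside the pod. With a release
# named "falco" the generated service account is falco-falcosidekick (assumed).
falco_values() {
  role_arn=$1; region=$2; log_group=$3
  cat <<EOF
falcosidekick:
  enabled: true
  serviceAccount:
    create: true
    annotations:
      eks.amazonaws.com/role-arn: ${role_arn}
  config:
    aws:
      region: ${region}
      cloudwatchlogs:
        loggroup: ${log_group}
        logstream: falco
        minimumpriority: debug   # lowest priority, so every event is kept for record keeping
EOF
}

# The aws/helm commands. Kept in a function (never called here) so the script
# runs offline; needs the cluster's OIDC provider already registered in IAM.
apply_irsa() {
  account_id=$1; region=$2; cluster=$3; log_group=$4; namespace=$5; sa=$6
  oidc_host=$(aws eks describe-cluster --name "$cluster" \
    --query 'cluster.identity.oidc.issuer' --output text | sed 's#^https://##')
  irsa_trust_policy "$account_id" "$oidc_host" "$namespace" "$sa" > trust.json
  cloudwatch_logs_policy "$region" "$account_id" "$log_group" > perms.json
  aws iam create-role --role-name falcosidekick-cloudwatch \
    --assume-role-policy-document file://trust.json
  aws iam put-role-policy --role-name falcosidekick-cloudwatch \
    --policy-name cloudwatch-logs --policy-document file://perms.json
  falco_values "arn:aws:iam::${account_id}:role/falcosidekick-cloudwatch" \
    "$region" "$log_group" > values.yaml
  helm upgrade --install falco falcosecurity/falco -n "$namespace" \
    --create-namespace -f values.yaml
}

# Render the three documents with placeholder values so they can be reviewed.
render_example() {
  irsa_trust_policy 123456789012 oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1234 \
    falco falco-falcosidekick
  cloudwatch_logs_policy us-east-1 123456789012 /aws/eks/datagov/falco
  falco_values arn:aws:iam::123456789012:role/falcosidekick-cloudwatch \
    us-east-1 /aws/eks/datagov/falco
}
render_example
```

Run the script as-is to review the rendered policies and values; call `apply_irsa` only with real values and credentials. The check worth doing afterwards is `kubectl -n falco exec` into the falcosidekick pod and confirming `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are set, and that no `accesskeyid`/`secretaccesskey` appear in the rendered Secret. The Fluent Bit DaemonSet alternative from the sketch would use the same IRSA pattern, with the `sub` condition pointing at Fluent Bit's own service account instead.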
hkdctol commented 2 years ago

Moving to icebox for now since we're not doing EKS