aws-samples / siem-on-amazon-opensearch-service

A solution for collecting, correlating and visualizing multiple types of logs to help investigate security incidents.
MIT No Attribution

Add event-bus based log forwarding for external accounts and other regions #123

Open Vitiate opened 3 years ago

Vitiate commented 3 years ago

https://github.com/Vitiate/AWS_Sample/tree/main/python-cdk/event-bridge-s3-event-forwarding

I have added a link to the cdk I used to make this work for me. If you want to bring it in feel free.

This has reduced costs pretty substantially for us in terms of using lambda functions or sqs queues for cross account logfile ingestion.

Basically it sets up a cloudtrail and bucket with a rule that monitors for s3 put notifications on the source account and forwards them to an event bus on the aes-siem logging account.

The eventbus is configured to allow an orgid to send events to it. There is a rule on the aes-siem account that watches for an s3 put notification and transforms it to the format required by the aes-loader function. The function then connects to the other account's s3 bucket and loads the log file.

Permissions for the aes-siem account loader function must be applied to the bucket that you are monitoring. And the function needs permission to access other accounts' buckets.

This works for cross account and cross region log file loading.

The event-bridge-shipper must be deployed in every account and every region (in use), the event-bridge-reciever only needs to be deployed into the aes-siem account.

I have set a default on the life cycle for the cloudtrail bucket to only retain objects for 1 day before deleting them, this should be a pretty low cost solution. It cut our spend in 1/2 replacing the lambda functions I was using to forward/proxy/fan out the s3 notifications.
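The three pieces the design above depends on (the org-scoped bus policy, the PutObject rule on the aes-siem bus, and the reshaping into the loader's input), as an added Python sketch that is not part of this issue or the project's code. The CloudTrail event layout, the S3-notification style "Records" document the loader consumes, and all account/org ids are assumptions or constructed placeholders.

```python
ORG_ID = "o-exampleorg123"  # constructed placeholder, not a real org id
BUS_ARN = "arn:aws:events:us-east-1:111111111111:event-bus/aes-siem-bus"

# Rule on the aes-siem bus: only CloudTrail-recorded S3 PutObject calls
RULE_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["s3.amazonaws.com"], "eventName": ["PutObject"]},
}

def bus_policy(org_id: str, bus_arn: str) -> dict:
    """Bus resource policy: Principal '*' is acceptable only because the
    aws:PrincipalOrgID condition limits PutEvents to the organisation."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowOrgToPutEvents", "Effect": "Allow", "Principal": "*",
        "Action": "events:PutEvents", "Resource": bus_arn,
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}}}]}

def matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge-style matcher (leaf = list of allowed values)."""
    for key, allowed in pattern.items():
        value = event.get(key)
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True

def to_loader_record(event: dict) -> dict:
    """Reshape the CloudTrail PutObject event into an S3-notification style
    'Records' document (assumed to be the input es-loader expects)."""
    detail = event["detail"]
    params = detail["requestParameters"]
    return {"Records": [{
        "eventSource": "aws:s3", "awsRegion": detail["awsRegion"],
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": params["bucketName"]},
               "object": {"key": params["key"]}}}]}

# Constructed sample event, shaped like a CloudTrail S3 data event
SAMPLE_EVENT = {
    "source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
    "account": "222222222222", "region": "us-west-2",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
               "awsRegion": "us-west-2", "requestParameters": {
                   "bucketName": "source-acct-cloudtrail",
                   "key": "AWSLogs/222222222222/CloudTrail/trail.json.gz"}}}
```

Running `matches(RULE_PATTERN, SAMPLE_EVENT)` and then `to_loader_record(SAMPLE_EVENT)` reproduces the rule-then-transform step the receiver side performs; a GetObject event or one from outside the pattern is dropped before any bucket access happens.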

nakajiak commented 3 years ago

Thanks so much. We will enhance the architecture in the future. I'm not sure we will adopt your solution, but I like your solution.