Open vennemp opened 3 years ago
The central and logging accounts, which are core accounts, store their logs directly in the logging account. The environment accounts (management services, transit, and any defined tenant accounts) send their logs to the management services account.
This design decision stems from the DoD requirement that there be an immutable location for logs, which is represented by an S3 bucket hosting the consolidated logs in the logging account. One of the additional security requirements prescribed by the DoD is to use a log aggregation tool (or SIEM); these tools are hosted in the management services account and are not configured to directly access the immutable consolidated logs. Although this is not configured by default (because this would generate additional costs for the duplicate logs and may not be desirable in some use cases), we recommend that users of Compliant Framework configure S3 replication to copy environment account logs hosted in the management services account to the consolidated logs bucket in the logging account.
Thanks for the question!
The template has replication configured to send the logs in the management services account to the logging account but it is failing. The role used in the management services account is missing permission to change ownership in the destination bucket.
The role, ConsolidatedLogsReplicationRole, used by ConsolidatedLogs rule needs the following policy added:
```json
{
  "Effect": "Allow",
  "Action": [
    "s3:ObjectOwnerOverrideToBucketOwner"
  ],
  "Resource": "arn:aws:s3:::destination-bucket/*"
}
```
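As an added example (not code from this thread or from the Compliant Framework project), the Python below puts the fix above in context: cross-account S3 replication with the source role writing objects that the destination bucket owner must own needs `AccessControlTranslation: {"Owner": "Destination"}` on the rule, `s3:ObjectOwnerOverrideToBucketOwner` on the role, and the same override granted to the role by the destination bucket policy. It builds all three documents and includes a small checker that reports which replication actions a role policy still lacks. The account IDs, bucket names and role ARN are placeholders, and the checker ignores `Condition` elements (a simplification, not how IAM evaluates policies in full).

```python
"""Cross-account S3 replication: role policy, destination bucket policy,
replication rule, and a checker for missing permissions.

Added example; identifiers below are assumed placeholders, not real resources.
"""
import fnmatch
import json

SOURCE_ACCOUNT = "222222222222"            # assumed: management services account
DEST_ACCOUNT = "111111111111"              # assumed: logging account
SOURCE_BUCKET = "mgmt-services-logs"       # assumed source bucket name
DEST_BUCKET = "consolidated-logs"          # assumed destination bucket name
ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/ConsolidatedLogsReplicationRole"

OWNER_OVERRIDE = "s3:ObjectOwnerOverrideToBucketOwner"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """True if an Allow statement matches (action, resource) and no Deny does.
    Wildcards in Action/Resource are matched with fnmatch; Conditions are ignored."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        hit = (any(fnmatch.fnmatchcase(action, a) for a in actions)
               and any(fnmatch.fnmatchcase(resource, r) for r in resources))
        if not hit:
            continue
        if stmt["Effect"] == "Allow":
            allowed = True
        else:
            denied = True
    return allowed and not denied


def required_permissions(source_bucket, dest_bucket, cross_account=True):
    """(action, resource) pairs the replication role needs. The owner override is
    only required when the destination is in another account and the rule
    translates object ownership to the destination bucket owner."""
    src = f"arn:aws:s3:::{source_bucket}"
    dst = f"arn:aws:s3:::{dest_bucket}"
    required = {
        ("s3:GetReplicationConfiguration", src),
        ("s3:ListBucket", src),
        ("s3:GetObjectVersionForReplication", src + "/*"),
        ("s3:GetObjectVersionAcl", src + "/*"),
        ("s3:GetObjectVersionTagging", src + "/*"),
        ("s3:ReplicateObject", dst + "/*"),
        ("s3:ReplicateDelete", dst + "/*"),
        ("s3:ReplicateTags", dst + "/*"),
    }
    if cross_account:
        required.add((OWNER_OVERRIDE, dst + "/*"))
    return required


def missing_permissions(policy, source_bucket, dest_bucket, cross_account=True):
    """Actions the role policy does not grant on the resource replication needs."""
    return sorted(action for action, resource
                  in required_permissions(source_bucket, dest_bucket, cross_account)
                  if not is_allowed(policy, action, resource))


def replication_role_policy(source_bucket, dest_bucket, cross_account=True):
    """Identity policy for the replication role, one statement per resource."""
    by_resource = {}
    for action, resource in required_permissions(source_bucket, dest_bucket, cross_account):
        by_resource.setdefault(resource, set()).add(action)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(acts), "Resource": res}
                          for res, acts in sorted(by_resource.items())]}


def destination_bucket_policy(dest_bucket, role_arn):
    """Bucket policy in the logging account: the source role must be granted the
    replicate actions and the owner override, otherwise replication fails."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowReplicationFromManagementServices",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags", OWNER_OVERRIDE],
        "Resource": f"arn:aws:s3:::{dest_bucket}/*",
    }]}


def replication_configuration(role_arn, dest_bucket, dest_account):
    """V2 replication rule that hands object ownership to the destination account."""
    return {"Role": role_arn, "Rules": [{
        "ID": "ConsolidatedLogs", "Status": "Enabled", "Priority": 1, "Filter": {},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": {"Bucket": f"arn:aws:s3:::{dest_bucket}", "Account": dest_account,
                        "AccessControlTranslation": {"Owner": "Destination"}},
    }]}


if __name__ == "__main__":
    # The failing state from the thread: a role policy built without the override.
    before = replication_role_policy(SOURCE_BUCKET, DEST_BUCKET, cross_account=False)
    print("missing:", missing_permissions(before, SOURCE_BUCKET, DEST_BUCKET))
    print(json.dumps(replication_role_policy(SOURCE_BUCKET, DEST_BUCKET), indent=2))
    print(json.dumps(destination_bucket_policy(DEST_BUCKET, ROLE_ARN), indent=2))
    print(json.dumps(replication_configuration(ROLE_ARN, DEST_BUCKET, DEST_ACCOUNT), indent=2))
```

Run against a policy like the one described in the thread, `missing_permissions` returns only `s3:ObjectOwnerOverrideToBucketOwner`; with `cross_account=False` (both buckets in one account, no ownership translation) the same policy passes, which is why the gap is easy to miss when a template is first tested in a single account. After applying the fix, `aws s3api head-object` on a new source object should report `ReplicationStatus` of `COMPLETED` rather than `FAILED`.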
Some accounts send to a bucket in the logging account, some send to the management account; it is applied via a security baseline. This is 100% against AWS best practice: why have two different logging locations? Is there a parameter in the create_config.py file that changes this? If so, nothing stands out. I've run this framework in multiple organizations and all have the same issue, so this appears to be default. Please provide guidance.