awslabs / compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us

This solution enables you to quickly deploy a secure, scalable, multi-account environment in AWS GovCloud (US) based on AWS best practices. This solution is architected to follow the Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (SRG) for hosting Impact Level (IL) 4 and 5 workloads in the cloud. Using the Compliant Framework solution, you are able to quickly deploy an architecture baseline that accommodates U.S. federal and Department of Defense (DoD) requirements to rapidly achieve Authority to Operate (ATO). In addition, the Compliant Framework solution is also architected to support Cybersecurity Maturity Model Certification (CMMC) readiness.
https://aws.amazon.com/solutions/implementations/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/
Apache License 2.0

CloudTrail does not send all CloudTrail logs to an S3 bucket in logging #4

Open vennemp opened 3 years ago

vennemp commented 3 years ago

Some accounts send to a bucket in the logging account, some send to the management account; it is applied via a security baseline. This is 100% against AWS best practice: why have two different logging locations? Is there a parameter in the create_config.py file that changes this? If so, nothing stands out. I've run this framework in multiple organizations and all have the same issue, so this appears to be the default. Please provide guidance.

rgd11 commented 3 years ago

The central and logging accounts, which are core accounts, store their logs directly in the logging account. The environment accounts (management services, transit, and any defined tenant accounts) send their logs to the management services account.

This design decision stems from the DoD requirement that there be an immutable location for logs, which is represented by an S3 bucket hosting the consolidated logs in the logging account. One of the additional security requirements prescribed by the DoD is to use a log aggregation tool (or SIEM); these tools are hosted in the management services account and are not configured to directly access the immutable consolidated logs. Although this is not configured by default (because this would generate additional costs for the duplicate logs and may not be desirable in some use cases), we recommend that users of Compliant Framework configure S3 replication to copy environment account logs hosted in the management services account to the consolidated logs bucket in the logging account.

Thanks for the question!

ejsiii commented 3 years ago

The template has replication configured to send the logs in the management services account to the logging account but it is failing. The role used in the management services account is missing permission to change ownership in the destination bucket.

The role, ConsolidatedLogsReplicationRole, used by the ConsolidatedLogs rule needs the following policy added:

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:ObjectOwnerOverrideToBucketOwner"
  ],
  "Resource": "arn:aws:s3:::destination-bucket/*"
}
```
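As an added example (not the Compliant Framework's own code), the check below reads an S3 replication configuration and the replication role's policy, reports rules that hand replica ownership to the destination account without the s3:ObjectOwnerOverrideToBucketOwner permission the comment above calls for, and returns the policy with that statement added. Bucket names, account IDs and the role policy are constructed; the ARNs use the aws-us-gov partition that GovCloud (US) resources carry.

```python
import fnmatch

# Constructed sample replication configuration, in the shape s3.get_bucket_replication()
# returns; GovCloud (US) ARNs use the aws-us-gov partition, names and IDs are placeholders.
REPLICATION_CONFIG = {
    "Role": "arn:aws-us-gov:iam::111111111111:role/ConsolidatedLogsReplicationRole",
    "Rules": [{"ID": "ConsolidatedLogs", "Status": "Enabled",
               "Destination": {"Bucket": "arn:aws-us-gov:s3:::destination-bucket",
                               "Account": "222222222222",  # the logging account
                               "AccessControlTranslation": {"Owner": "Destination"}}}],
}

# Constructed sample of the replication role's policy as this issue found it: it may
# replicate, but it may not transfer ownership of the replicas to the logging account.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
                   "Resource": "arn:aws-us-gov:s3:::destination-bucket/*"}],
}

def _as_list(v): return v if isinstance(v, list) else [v]  # IAM allows a string or a list

def _allows(policy, action, resource):
    """True if an Allow statement grants `action` on `resource` (IAM * and ? wildcards)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # actions are case-insensitive
        resources = _as_list(stmt.get("Resource", []))
        if (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False

def rules_missing_owner_override(config, policy):
    """IDs of rules that set Owner=Destination while the role lacks the override permission."""
    missing = []
    for rule in config["Rules"]:
        dest = rule["Destination"]
        if dest.get("AccessControlTranslation", {}).get("Owner") != "Destination":
            continue  # same-owner replication needs no ownership override
        if not _allows(policy, "s3:ObjectOwnerOverrideToBucketOwner", dest["Bucket"] + "/*"):
            missing.append(rule["ID"])
    return missing

def with_owner_override(policy, bucket_arn):
    extra = {"Effect": "Allow", "Action": ["s3:ObjectOwnerOverrideToBucketOwner"],
             "Resource": bucket_arn + "/*"}  # the statement this issue asks to add
    return {**policy, "Statement": policy["Statement"] + [extra]}
```

With the real configuration and role policy pulled through boto3, the same check flags the gap before replication silently fails.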