awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Control Tower and LZA logging duplication #264

Open priolix opened 1 year ago

priolix commented 1 year ago

Describe the bug
CloudTrail logs seem to be replicated when the solution is deployed alongside AWS Control Tower.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy the solution alongside AWS Control Tower.
  2. Observe the replication of CloudTrail logs.

Expected behavior
CloudTrail logs should not be replicated when the solution is deployed alongside AWS Control Tower.


Additional context
CloudTrail log duplication appears to be related to the deployment of the solution alongside AWS Control Tower. AWS Config logs indicate that only logs from the master account are stored by the accelerator. global-config.yaml:

homeRegion: &HOME_REGION ca-central-1
enabledRegions:
  - *HOME_REGION
managementAccountAccessRole: AWSControlTowerExecution
cloudwatchLogRetentionInDays: 3653
terminationProtection: true
centralizeCdkBuckets:
  enable: true
controlTower:
  enable: true
logging:
  account: LogArchive
  cloudtrail:
    enable: false
    organizationTrail: false
    organizationTrailSettings:
      multiRegionTrail: true
      globalServiceEvents: true
      managementEvents: true
      s3DataEvents: true
      lambdaDataEvents: true
      sendToCloudWatchLogs: true
      apiErrorRateInsight: false
      apiCallRateInsight: false
    accountTrails:
      - name: AccountTrail
        regions:
          - *HOME_REGION
        deploymentTargets:
          accounts: []
          organizationalUnits:
            - Root
        settings:
          multiRegionTrail: true
          globalServiceEvents: true
          managementEvents: true
          s3DataEvents: true
          lambdaDataEvents: true
          sendToCloudWatchLogs: true
          apiErrorRateInsight: false
          apiCallRateInsight: false
  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: true
  cloudwatchLogs:
    dynamicPartitioning: dynamic-partitioning/log-filters.json
reports:
  costAndUsageReport:
    compression: Parquet
    format: Parquet
    reportName: accelerator-cur
    s3Prefix: cur
    timeUnit: DAILY
    refreshClosedReports: true
    reportVersioning: CREATE_NEW_REPORT

Landing Zone Accelerator
Landing Zone Accelerator deploys its own logging configuration, including security-config.yaml and various log types such as AWSLogs, Cloudtrail-AccountTrail, CloudWatchLogs, cur, session, and vpc-flow-logs. It also handles S3 access logs for the accelerator.

├── AWSLogs -> Config
├── Cloudtrail-AccountTrail
│   ├── AWSLogs -> Contain Cloud Trail logs for each account (possible duplication)
│   │   ├── 503892147625
│   │   └── 726149830512
├── CloudWatchLogs
│   ├── 2022
│   ├── 2023
│   ├── processing-failed
│   └── security-hub
├── cur
├── session -> SSM console history
└── vpc-flow-logs

Control Tower
Control Tower also manages logging, including AWSControlTowerCloudTrailRole and the aws-controltower-logs-918467205374-ca-central-1 log group. This log group contains logs related to Control Tower and AWSConfig logs for each account.

└── aws-controltower-logs-918467205374-ca-central-1
    └── o-rg4kpt73sw
        └── AWSLogs
            ├── 503892147625 -> contain each day the config snapshot
            ├── 726149830512
            └── o-rg4kpt73sw -> Contain per account CloudTrail-Digest and CloudTrail
                ├── 503892147625 -> Contain Cloud Trail logs for each account (possible duplication)
                └── 726149830512

To summarize, we are facing 2 problems:

  1. We have log duplication: one copy by Control Tower, the other by the LZA solution.
  2. LZA AWSLogs contains only the ConfigSnapshot for the master account (the Control Tower one contains it for all accounts).

bo1984 commented 1 year ago

Hi Adrien! Thank you for utilizing the Landing Zone Accelerator on AWS (LZA) solution. LZA was designed to be modular for when AWS Control Tower was not available in regions/partitions for customers. If you're using AWS Control Tower, the service will automatically configure account-level CloudTrails (for each account in AWS Control Tower's management). In this case, you don't have to enable CloudTrail for your accounts, to help avoid duplication.

In terms of point 2 regarding only seeing the ConfigSnapshot, the aws-accelerator-central-logs bucket contains logs for services that you enable through the Accelerator, such as AWS CloudWatch Logs, GuardDuty, etc.

I will leave this issue open should you have any other questions or concerns.
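The duplication bo1984 describes (a Control Tower organization trail plus an LZA account trail both delivering management events for the same account and region) can be checked before changing the config. The script below is an added example written for this thread; it is not code from the LZA project or from any participant. It takes trail records in the shape returned by `aws cloudtrail describe-trails`, keyed by the account they were collected from (that grouping is an assumption about how you gather the data), and reports every account/region pair covered by more than one trail. The trail records, the Control Tower trail name and the org/bucket layout are constructed sample data modelled on the listings in the issue; the account ids, bucket names and `ca-central-1` region come from the issue text.

```python
"""Find CloudTrail trails that overlap for the same account and region.

Added example for this issue thread (not LZA project code). Input is a
mapping of account id -> list of trail dicts as returned by
`aws cloudtrail describe-trails` in that account; only the fields Name,
HomeRegion, S3BucketName, IsMultiRegionTrail and IsOrganizationTrail are
used, and all of those are real describe-trails fields.
"""
from collections import defaultdict

# From the issue's global-config.yaml: enabledRegions is only the home region.
ENABLED_REGIONS = ["ca-central-1"]

# Account ids taken from the bucket listings in the issue; the first one is
# the management account implied by the Control Tower bucket name.
MEMBER_ACCOUNTS = ["918467205374", "503892147625", "726149830512"]

# CONSTRUCTED sample describe-trails output. The Control Tower trail name is
# an assumption; the LZA trail name "AccountTrail" and both bucket names are
# taken from the issue text. An organization trail is owned by the
# management account but records events for every member account.
SAMPLE_TRAILS = {
    "918467205374": [
        {"Name": "aws-controltower-BaselineCloudTrail",
         "HomeRegion": "ca-central-1",
         "S3BucketName": "aws-controltower-logs-918467205374-ca-central-1",
         "IsMultiRegionTrail": True, "IsOrganizationTrail": True},
    ],
    "503892147625": [
        {"Name": "AccountTrail", "HomeRegion": "ca-central-1",
         "S3BucketName": "aws-accelerator-central-logs",
         "IsMultiRegionTrail": True, "IsOrganizationTrail": False},
    ],
    "726149830512": [
        {"Name": "AccountTrail", "HomeRegion": "ca-central-1",
         "S3BucketName": "aws-accelerator-central-logs",
         "IsMultiRegionTrail": True, "IsOrganizationTrail": False},
    ],
}


def trail_regions(trail, enabled_regions):
    """Regions a trail records in: all enabled regions if multi-region,
    otherwise only its home region."""
    if trail["IsMultiRegionTrail"]:
        return list(enabled_regions)
    return [trail["HomeRegion"]]


def trail_coverage(trails_by_account, member_accounts, enabled_regions=ENABLED_REGIONS):
    """Map (account_id, region) -> list of 'trail -> s3://bucket' strings
    for every trail that records management events there."""
    coverage = defaultdict(list)
    for owner, trails in trails_by_account.items():
        for trail in trails:
            # An org trail covers every member account; an account trail
            # covers only the account it was described from.
            targets = member_accounts if trail["IsOrganizationTrail"] else [owner]
            label = f'{trail["Name"]} -> s3://{trail["S3BucketName"]}'
            for account in targets:
                for region in trail_regions(trail, enabled_regions):
                    coverage[(account, region)].append(label)
    return dict(coverage)


def find_duplicate_coverage(trails_by_account, member_accounts, enabled_regions=ENABLED_REGIONS):
    """Return only the (account, region) pairs written by more than one
    trail, i.e. the pairs you are paying to log twice."""
    coverage = trail_coverage(trails_by_account, member_accounts, enabled_regions)
    return {key: trails for key, trails in coverage.items() if len(trails) > 1}


def without_trail(trails_by_account, trail_name):
    """Simulate removing a trail (e.g. the LZA AccountTrail) from every
    account before actually changing global-config.yaml."""
    return {acct: [t for t in trails if t["Name"] != trail_name]
            for acct, trails in trails_by_account.items()}


if __name__ == "__main__":
    for (account, region), trails in sorted(find_duplicate_coverage(SAMPLE_TRAILS, MEMBER_ACCOUNTS).items()):
        print(f"{account} {region}: {len(trails)} trails")
        for t in trails:
            print(f"    {t}")
    remaining = find_duplicate_coverage(without_trail(SAMPLE_TRAILS, "AccountTrail"), MEMBER_ACCOUNTS)
    print(f"duplicates after dropping AccountTrail: {len(remaining)}")
```

On the sample data both member accounts show two trails for `ca-central-1` (the Control Tower organization trail and the LZA `AccountTrail`), while the management account shows only one; dropping `AccountTrail` leaves no overlap. With real data, run `describe-trails` in each account and build the mapping from those results; the management account's organization trail is what makes a member account's own multi-region trail redundant.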

atte-hemminki commented 10 months ago

Hi, what would be the recommended way for setting up the logging in the global-config.yaml? Assuming that Control Tower is used and we would like to avoid log duplication.

ardens-jw commented 7 months ago

Hi @bo1984 - I'm also curious with regards to the above and echo @atte-hemminki's question.