Open thetechbender opened 1 year ago
Following up on this, it looks like v1.3.1 included a feature to add a prefix for GuardDuty, ELB and AWS Config exports: "feat (logs): S3 prefixes for GuardDuty, Config and ELB".
Looking at the commit, it appears that it does not implement a prefix for AWS Config event export to S3.
I corroborated this in my LZA deployments in us-east-1 and us-gov-west-1. Logs are not sent to S3 with a prefix. They are sent to the root of the S3 bucket under AWSLogs.
Is this intended behavior?
Hi Edward! Thank you for reaching out regarding specifying a custom s3 bucket and object prefix for AWS Config data. Per your latest comment, yes, this is intended behavior. However, I have submitted a feature request to proceed in allowing end-users the ability to specify a new destination in S3 for your AWS Config logs.
I will leave this ticket open in the meantime to provide updates on when this feature becomes available. Should you have any other related questions or concerns in the meantime, please do not hesitate to reach out.
Hi Team, I would appreciate an update on this ticket :)
Is your feature request related to a problem? Please describe.
Right now, AWS Config logs are exported to the central logging bucket in the log archive account.
It is possible to store AWS Config logs with a custom S3 object prefix as part of the destination ARN. In the current implementation of LZA, AWS Config logs are not stored with a custom S3 object prefix.
The LZA configuration bundles the AWS Config logs with other AWSLogs such as GuardDuty logs. The logs are collectively stored under AWSLogs/{AWS::AccountId}. See this screenshot where GuardDuty and Config logs are stored under the Account ID.
This limits the capability to use S3 event notifications to send notifications when AWS Config events are written to the S3 bucket. We use the S3 event notifications integration with SQS as part of a solution to do log processing and analytics on AWS Config logs. S3 event notifications do not support wildcards in prefix filters, so we cannot set up a single S3 event notification filter for all AWS Config logs. Instead, we would have to create a new S3 event notification with a filter for every new Account ID in the landing zone, which adds additional complexity and has scaling issues.
Describe the feature you'd like
Allow the capability to specify an S3 prefix for awsConfig as part of the Delivery Channel settings in security-config.yml.
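The following is an added example, not code from the Landing Zone Accelerator project or from anyone in this thread. It models the scaling problem described in the issue: S3 event notification filters match on literal key prefixes only, so with the current AWSLogs/{AccountId}/Config/ layout a separate notification rule is needed per account, whereas a delivery channel with an s3KeyPrefix puts every account's Config objects under one literal prefix. The object key layouts, account IDs and file names below are constructed samples; the delivery channel field names (name, s3BucketName, s3KeyPrefix) are the ones the AWS Config PutDeliveryChannel API accepts, and the assumption that AWS Config prepends s3KeyPrefix to the AWSLogs/ path is stated in the code.

```python
"""Model of S3 event notification prefix filtering for AWS Config exports.

Assumptions (not taken from the issue thread):
  * With no s3KeyPrefix, AWS Config writes
      AWSLogs/{AccountId}/Config/{Region}/...
    and with an s3KeyPrefix it writes
      {s3KeyPrefix}/AWSLogs/{AccountId}/Config/{Region}/...
  * GuardDuty exports to the same bucket land under
      AWSLogs/{AccountId}/GuardDuty/{Region}/...
  * S3 notification filters support literal prefix/suffix rules only,
    with no wildcards (as the issue states).
"""
from typing import Dict, Iterable, List, Set

REGION = "us-east-1"  # constructed sample region


def delivery_channel_document(bucket: str, s3_key_prefix: str = "") -> Dict[str, str]:
    """JSON document shape for `aws configservice put-delivery-channel`.

    Field names match the PutDeliveryChannel API; s3KeyPrefix is optional.
    """
    doc = {"name": "default", "s3BucketName": bucket}
    if s3_key_prefix:
        doc["s3KeyPrefix"] = s3_key_prefix.strip("/")
    return doc


def config_key(account_id: str, s3_key_prefix: str = "") -> str:
    """Representative AWS Config object key (constructed sample path)."""
    base = f"AWSLogs/{account_id}/Config/{REGION}/2024/1/1/ConfigHistory/sample.json.gz"
    return f"{s3_key_prefix.strip('/')}/{base}" if s3_key_prefix else base


def guardduty_key(account_id: str) -> str:
    """Representative GuardDuty export key sharing the AWSLogs/ root (constructed)."""
    return f"AWSLogs/{account_id}/GuardDuty/{REGION}/2024/01/01/sample.jsonl.gz"


def required_prefix_filters(account_ids: Iterable[str], s3_key_prefix: str = "") -> List[str]:
    """Literal prefixes that select Config objects and nothing else.

    Without a delivery-channel prefix the only literal prefix that excludes
    GuardDuty (and other AWSLogs/ exports) is per-account; with one, a single
    prefix covers every account.
    """
    if s3_key_prefix:
        return [f"{s3_key_prefix.strip('/')}/"]
    return [f"AWSLogs/{acct}/Config/" for acct in account_ids]


def selected(keys: Iterable[str], prefix_filters: Iterable[str]) -> Set[str]:
    """Keys for which at least one notification rule would fire (prefix-only semantics)."""
    prefixes = list(prefix_filters)
    return {k for k in keys if any(k.startswith(p) for p in prefixes)}


def demo(account_ids: List[str], s3_key_prefix: str = "") -> Dict[str, object]:
    """Compare rule count and precision for a given delivery-channel prefix."""
    config_keys = {config_key(a, s3_key_prefix) for a in account_ids}
    other_keys = {guardduty_key(a) for a in account_ids}  # must not trigger Config processing
    filters = required_prefix_filters(account_ids, s3_key_prefix)
    hits = selected(config_keys | other_keys, filters)
    return {
        "filters": filters,
        "rule_count": len(filters),
        "exact": hits == config_keys,  # all Config objects, no GuardDuty objects
    }


if __name__ == "__main__":
    accounts = ["111111111111", "222222222222", "333333333333"]  # constructed
    print("no prefix :", demo(accounts))
    print("prefix    :", demo(accounts, "config"))
    print("channel   :", delivery_channel_document("central-logs-bucket", "config"))
```

Running the block shows the rule count growing with the number of accounts when no prefix is configured, and collapsing to one rule (config/) once the delivery channel carries an s3KeyPrefix, while still excluding GuardDuty objects in the same bucket. A naive single rule on AWSLogs/ would match the GuardDuty exports as well, which is why the per-account rules are the only precise option today.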