awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0
542 stars, 431 forks

AWS Config - Specify S3 Prefix for AWS Config logs #60

Open thetechbender opened 1 year ago

thetechbender commented 1 year ago

Is your feature request related to a problem? Please describe.
Right now, AWS Config logs are exported to the central logging bucket in the log archive account.

It is possible to store AWS Config logs with a custom S3 Object Prefix as part of the destination ARN. In the current implementation of LZA, AWS Config logs are not stored with a custom S3 Object prefix.

The LZA configuration bundles the AWS Config logs with other AWSLogs such as GuardDuty logs. The logs are collectively stored under AWSLogs/{AWS::AccountId}. See this screenshot, where GuardDuty and Config logs are stored under the Account ID.

[screenshot: GuardDuty and Config log objects both stored under the AWSLogs/{AWS::AccountId} prefix of the central logging bucket]

This limits the capability to use S3 event notifications to send notifications when AWS Config events are written to the S3 Bucket. We use S3 event notifications integration with SQS as part of a solution to do log processing and analytics on AWS Config logs. S3 event notifications do not support wildcards in prefix filters, so we cannot set up a single S3 event notification filter for all AWS Config Logs. Instead, we would have to create a new S3 event notification with a filter for every new Account ID in the landing zone, which adds additional complexity and has scaling issues.

Describe the feature you'd like
Allow the capability to specify an S3 prefix for awsConfig as part of the Delivery Channel settings in security-config.yml.

awsConfig:
  enableConfigurationRecorder: true
  enableDeliveryChannel: true

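
The filtering constraint behind this request, shown as an added example (this is not LZA code and not the issue author's code). S3 event notification filter rules match an object key by a literal prefix and/or a literal suffix only, with no wildcard, so no single rule can express "AWSLogs/<any account>/Config/". On constructed sample keys that follow the AWSLogs/<account-id>/<service>/ layout described above, the block shows the per-account rule list you would have to maintain today, the single rule a custom Config prefix would allow (assuming, as AWS Config does for a delivery-channel key prefix, that the prefix is prepended to the key), and a consumer-side filter that subscribes to the whole AWSLogs/ prefix and discards non-Config objects, which works without the feature. The account IDs, regions, object names, function names and the sample notification payload are all constructed for the example.

```python
"""Added example; not LZA code and not from the issue author.

S3 event notification filter rules match an object key by a literal prefix
and/or a literal suffix only. There is no wildcard, so no single rule can say
"AWSLogs/<any account>/Config/". This shows, on constructed sample keys:

  1. the per-account rule list you would have to maintain today,
  2. the single rule a custom Config prefix (the requested feature) would allow,
  3. a consumer-side filter that subscribes to the whole AWSLogs/ prefix and
     drops non-Config keys, which works without the feature.

Account IDs, regions and object names below are constructed sample data.
"""
import json
import re
from urllib.parse import quote_plus, unquote_plus

# Constructed sample keys (assumed layout: AWSLogs/<account>/<service>/<region>/...).
SAMPLE_KEYS = [
    "AWSLogs/111111111111/Config/us-east-1/2024/1/5/ConfigHistory/"
    "111111111111_Config_us-east-1_ConfigHistory_AWS::EC2::Instance_20240105T010203Z.json.gz",
    "AWSLogs/111111111111/Config/us-east-1/2024/1/5/ConfigSnapshot/"
    "111111111111_Config_us-east-1_ConfigSnapshot_20240105T010203Z_abcd.json.gz",
    "AWSLogs/111111111111/GuardDuty/us-east-1/2024/01/05/1b2c3d4e.jsonl.gz",
    "AWSLogs/222222222222/Config/us-gov-west-1/2024/1/5/ConfigHistory/"
    "222222222222_Config_us-gov-west-1_ConfigHistory_AWS::S3::Bucket_20240105T010203Z.json.gz",
    "AWSLogs/222222222222/GuardDuty/us-gov-west-1/2024/01/05/5f6a7b8c.jsonl.gz",
]

# Matches a Config object under the default layout; the 12-digit account ID varies.
CONFIG_KEY_RE = re.compile(r"^AWSLogs/\d{12}/Config/")


def s3_filter_matches(key, prefix="", suffix=""):
    """Emulate one S3 notification filter rule: literal prefix AND literal suffix, no wildcards."""
    return key.startswith(prefix) and key.endswith(suffix)


def matched_by_rules(keys, rules):
    """Keys that would trigger a notification under a list of {"prefix": .., "suffix": ..} rules."""
    return [k for k in keys
            if any(s3_filter_matches(k, r.get("prefix", ""), r.get("suffix", "")) for r in rules)]


def per_account_rules(account_ids):
    """Today's layout: one prefix rule per account, which must grow with every new account."""
    return [{"prefix": f"AWSLogs/{acct}/Config/"} for acct in account_ids]


def bucket_with_feature(keys, custom_prefix):
    """Hypothetical bucket listing if Config delivery carried a custom prefix (assumption:
    the prefix is prepended, giving <prefix>/AWSLogs/<account>/Config/...; other services'
    objects stay where they are)."""
    return [f"{custom_prefix}/{k}" if CONFIG_KEY_RE.match(k) else k for k in keys]


def build_notification(bucket, keys):
    """Construct an S3 event notification body as S3 delivers it to SQS (constructed sample).
    S3 URL-encodes the object key in the event, so the sample does the same."""
    return json.dumps({"Records": [
        {"eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": bucket}, "object": {"key": quote_plus(k, safe="/")}}}
        for k in keys]})


def consumer_side_config_keys(sqs_body):
    """Workaround without the feature: subscribe the queue to prefix "AWSLogs/" and let the
    consumer keep only Config objects. Keys are URL-decoded before matching; objects from
    other services (GuardDuty here) are dropped."""
    records = json.loads(sqs_body).get("Records", [])
    keys = [unquote_plus(r["s3"]["object"]["key"]) for r in records]
    return [k for k in keys if CONFIG_KEY_RE.match(k)]


if __name__ == "__main__":
    accounts = ["111111111111", "222222222222"]
    print("one AWSLogs/ rule matches every object:",
          len(matched_by_rules(SAMPLE_KEYS, [{"prefix": "AWSLogs/"}])))
    print("rules needed today:", per_account_rules(accounts))
    print("one rule with a custom prefix:",
          matched_by_rules(bucket_with_feature(SAMPLE_KEYS, "config"), [{"prefix": "config/"}]))
    print("consumer-side filter:",
          consumer_side_config_keys(build_notification("central-logs", SAMPLE_KEYS)))
```

The consumer-side route means the queue receives every object event under AWSLogs/ (GuardDuty, ELB and anything else delivered there), so message volume and cost scale with all log sources, not just Config; the filter only keeps the queue consumer from processing them. Decoding the key before matching matters in practice because S3 URL-encodes keys in the event payload, and Config history object names contain `::` in the resource type.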
thetechbender commented 1 year ago

Following up on this, it looks like v1.3.1 included a feature to add a prefix for GuardDuty, ELB and AWS Config exports: feat (logs): S3 prefixes for GuardDuty, Config and ELB.

Looking at the commit, it appears that it does not implement a prefix for AWS Config event export to S3.

I corroborated this in my LZA deployments in us-east-1 and us-gov-west-1. Logs are not sent to S3 with a prefix. They are sent to the root of the S3 bucket under AWSLogs.

Is this intended behavior?

bo1984 commented 11 months ago

Hi Edward! Thank you for reaching out regarding specifying a custom S3 bucket and object prefix for AWS Config data. Per your latest comment, yes, this is intended behavior. However, I have submitted a feature request to proceed in allowing end-users the ability to specify a new destination in S3 for your AWS Config logs.

I will leave this ticket open in the meantime to provide updates on when this feature becomes available. Should you have any other related questions or concerns in the meantime, please do not hesitate to reach out.

joshuahigginson1 commented 6 months ago

Hi Team, I would appreciate an update on this ticket :)