elastic / observability-docs

Elastic Observability Documentation

[AWS monitoring]: Add CloudTrail use case for Amazon Data Firehose #3819

Closed alaudazzi closed 5 months ago

alaudazzi commented 5 months ago

Description

Add a new section on how to collect CloudTrail events and send them to an Elastic Cloud deployment using Amazon Data Firehose.

Resources

Initial content has been drafted in https://github.com/zmoog/public-notes/issues/80. The procedure needs to be tested.

Which documentation set does this change impact?

Stateful and Serverless

Feature differences

None

What release is this request related to?

N/A

Collaboration model

The documentation team

Point of contact.

@zmoog

alaudazzi commented 5 months ago

@zmoog While testing the procedure you drafted in https://github.com/zmoog/public-notes/issues/80, I created this draft PR to check how this fits within the overall doc structure.

Note about the drawings: I find them really cool and very useful, however, I'm not sure about the accessibility/readability of the font.

alaudazzi commented 5 months ago

I went through the steps and we might want to clarify the following points:

  1. how to use the AWS KMS alias. Without that, you cannot move to the next panel.
  2. encryption policy -- when I clicked Create trail after the Review and Create, I got this message: InsufficientEncryptionPolicyException Insufficient permissions to access S3 bucket aws-cloudtrail-logs-627286350134-b09fb06a or KMS key arn:aws:kms:eu-north-1:627286350134:key/38ce7701-5485-4275-827a-c853d7cb1b61.

zmoog commented 5 months ago

> Note about the drawings: I find them really cool and very useful, however, I'm not sure about the accessibility/readability of the font.

Good point! I'll review the ones that survive the edits from this perspective.

> how to use the AWS KMS alias. Without that, you cannot move to the next panel.

Got it.

I edited that section in the issue thread to clarify what's expected from the user at that point.

> Encryption options
>
> When exporting data from CloudTrail to S3, it is recommended to enable "Log file SSE-KMS encryption". You can pick your preferred option using an existing AWS KMS key or creating a new one.

Novice users can probably opt for creating a new key for simplicity. More experienced users probably have their opinions and maybe even company policy mandating how to set up AWS KMS keys, and probably don't need much guidance.
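For readers who bring an existing customer managed key, the statement below is an added example (not from this thread or the published docs) of the key policy entry CloudTrail needs before it can write SSE-KMS encrypted log files; the region, account ID and trail name are placeholders to be replaced, and the conditions restrict use of the key to that one trail.

```json
{
  "Sid": "AllowCloudTrailToEncryptLogs",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "kms:GenerateDataKey*",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceArn": "arn:aws:cloudtrail:REGION:ACCOUNT_ID:trail/TRAIL_NAME"
    },
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:ACCOUNT_ID:trail/*"
    }
  }
}
```

Principals that later read the encrypted objects from the bucket (for example the role used by the Firehose delivery stream) still need a separate `kms:Decrypt` grant on the same key; the statement above only lets CloudTrail encrypt.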

alaudazzi commented 5 months ago

Content finalized with https://github.com/elastic/observability-docs/pull/3823. Closing.