scylladb / scylla-machine-image

Apache License 2.0
19 stars, 26 forks

cloudformation script parameter - VPC : VPC should have a flow log attached #156

Closed yaronkaikov closed 1 year ago

yaronkaikov commented 3 years ago

AWS::EC2::VPC - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

Severity: Recommended

slivne commented 3 years ago

I don't think we should implement this

This involves adding IAM roles access and that's a huge issue in itself - most companies are very restrictive with that - the outcome of this will be that less people can run the CloudFormation.

In my view the functionality gain provided here is very little compared to the limitation in usage we may have as we are adding a requirement to allow the CF runner to have IAM privileges as well.

gnumoreno commented 3 years ago

@yaronkaikov @slivne

This involves adding IAM roles access and that's a huge issue in itself

Can you guys provide more clarity on this? Is this something from the documents or we tested and found it needs IAM? Is it because of DeliverLogsPermissionArn?

benipeled commented 3 years ago

FlowLogs saves the logs in one of two: CloudWatch log-group / S3 bucket,

In order to allow FlowLog to access a CloudWatch log-group, the user needs to create an IAM rule, which of course requires a high level of permissions,

The option to use an S3 bucket doesn't require IAM creation but it's less efficient to keep logs in S3 without CloudWatch's analytics capabilities, so I'm not sure how much demand there will be for such an option,

In addition, users like a short and simple process, the more fields/obstacles the more users will give up, so as long as it's not a mandatory requirement, IMO we should avoid it.
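The two delivery options discussed in this comment, as an added CloudFormation example (not code from scylla-machine-image; the parameter names VpcId, FlowLogBucketArn and EnableCloudWatchFlowLog, and the bucket ARN placeholder, are assumptions). The S3 variant creates no IAM resources, so the stack deploys without CAPABILITY_IAM; the CloudWatch variant needs a role the flow-logs service can assume, which is exactly the extra privilege the thread is worried about.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not part of scylla-machine-image): VPC flow log with an S3
  destination (no IAM role) next to a CloudWatch Logs destination (IAM role).

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC to attach the flow log to (assumed parameter name)
  FlowLogBucketArn:
    Type: String
    Description: ARN of an existing bucket, e.g. arn:aws:s3:::example-flow-logs (placeholder)
  EnableCloudWatchFlowLog:
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']
    Description: Opt in to the CloudWatch variant, which adds IAM resources

Conditions:
  UseCloudWatch: !Equals [!Ref EnableCloudWatchFlowLog, 'true']

Resources:
  # Variant 1: S3 destination. No IAM role is declared, so the stack can be
  # created by a principal without IAM privileges. The bucket still needs a
  # policy allowing delivery.logs.amazonaws.com to write; AWS attaches it
  # automatically when the flow-log creator owns the bucket.
  VpcFlowLogS3:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceType: VPC
      ResourceId: !Ref VpcId
      TrafficType: ALL            # capture ACCEPT and REJECT records
      LogDestinationType: s3
      LogDestination: !Ref FlowLogBucketArn
      MaxAggregationInterval: 60  # seconds; 60 or 600

  # Variant 2: CloudWatch Logs destination. Requires a role assumable by
  # vpc-flow-logs.amazonaws.com, so whoever deploys the stack must pass
  # --capabilities CAPABILITY_IAM (the blocker raised in this thread).
  FlowLogRole:
    Type: AWS::IAM::Role
    Condition: UseCloudWatch
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: vpc-flow-logs.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: deliver-flow-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogGroups
                  - logs:DescribeLogStreams
                Resource: !GetAtt FlowLogGroup.Arn   # scoped to our log group only

  FlowLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: UseCloudWatch
    Properties:
      RetentionInDays: 30

  VpcFlowLogCloudWatch:
    Type: AWS::EC2::FlowLog
    Condition: UseCloudWatch
    Properties:
      ResourceType: VPC
      ResourceId: !Ref VpcId
      TrafficType: ALL
      LogDestinationType: cloud-watch-logs
      LogGroupName: !Ref FlowLogGroup
      DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn
```

With the default EnableCloudWatchFlowLog=false only the S3 flow log is created and `aws cloudformation deploy` needs no `--capabilities` flag; switching it to true makes the same template fail until CAPABILITY_IAM is granted, which is a quick way to see the operator-permission cost the thread describes.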

yaronkaikov commented 1 year ago

FlowLogs saves the logs in one of two: CloudWatch log-group / S3 bucket,

In order to allow FlowLog to access a CloudWatch log-group, the user needs to create an IAM rule, which of course requires a high level of permissions,

The option to use an S3 bucket doesn't require IAM creation but it's less efficient to keep logs in S3 without CloudWatch's analytics capabilities, so I'm not sure how much demand there will be for such an option,

In addition, users like a short and simple process, the more fields/obstacles the more users will give up, so as long as it's not a mandatory requirement, IMO we should avoid it.

Closing