Commit fcd30f3

jblaplace and Brian969 authored
Added information on how to create a Route53 Private Hosted Zone in a… (#929)
* Added information on how to create a Route53 Private Hosted Zone in a workload account.
* Add "ssm-inventory-collection": true to all OUs in example config files
* fix FAQ formatting, add more answers
* Tweaks-for-v151

Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>
1 parent 1a64f6e commit fcd30f3

16 files changed: +409 -56 lines

README.md

Lines changed: 4 additions & 1 deletion
@@ -86,6 +86,7 @@ Specifically the accelerator deploys and manages the following functionality, bo
8686
- Creates Customer Managed KMS Keys (SSM, EBS, S3), EC2 key pairs, and secrets
8787
- Enables account level default EBS encryption and S3 Block Public Access
8888
- Configures Systems Manager Session Manager w/KMS encryption and centralized logging
89+
- Configures Systems Manager Inventory w/centralized logging
8990
- Creates and configures AWS budgets (customizable per ou and per account)
9091
- Imports or requests certificates into AWS Certificate Manager
9192
- Deploys both perimeter and account level ALB's w/Lambda health checks, certificates and TLS policies
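Review bot: the new bullet at +89 ("Configures Systems Manager Inventory w/centralized logging") reads as an unconditional feature, but the commit message says inventory collection is switched on by adding `"ssm-inventory-collection": true` to each OU in the example config files; state that it is enabled per OU through that setting so README readers know it is configurable, e.g. `- Configures Systems Manager Inventory w/centralized logging (enabled per OU via "ssm-inventory-collection")`.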
@@ -94,7 +95,7 @@ Specifically the accelerator deploys and manages the following functionality, bo
9495
- Protects Accelerator deployed and managed objects
9596
- Sets Up SNS Alerting topics (High, Medium, Low, Blackhole priorities)
9697
- Deploys CloudWatch Log Metrics and Alarms
97-
- Deploys customer provided custom config rules (1 provided out-of-box, No EC2 Instance Profile)
98+
- Deploys customer provided custom config rules (2 provided out-of-box, no EC2 Instance Profile/Permissions)
9899

99100
### Centralized Logging and Alerting
100101

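Review bot: the rewritten line at +98 describes two out-of-box custom Config rules with one slash-joined phrase ("no EC2 Instance Profile/Permissions"), so a reader cannot tell what the second rule actually evaluates or that these are two separate rules; name each rule on its own, e.g. "2 provided out-of-box: no EC2 instance profile, and <what the second rule checks>", and keep the capitalization consistent with the rest of the list.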
@@ -110,6 +111,8 @@ Specifically the accelerator deploys and manages the following functionality, bo
110111
- GuardDuty Findings
111112
- Macie Discovery results
112113
- ALB Logs
114+
- SSM Inventory **(NEW)**
115+
- Security Hub findings **(NEW)**
113116
- SSM Session Logs (also sent to CWL)
114117
- Resolver Query Logs (also sent to CWL)
115118
- Email alerting for CloudTrail Metric Alarms, Firewall Manager Events **(NEW)**, Security Hub Findings incl. Guardduty Findings **(NEW)**
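Review bot: the **(NEW)** markers added at +114 and +115 (and the ones already on line 118) carry no version, so after the next release nobody can tell which release they refer to and they will silently go stale; either tie them to the release, e.g. `- SSM Inventory **(new in v1.5.1)**`, which matches the "v1.5.1 introduces" footnote this commit adds to docs/architectures/pbmm/log-file-locations.md, or drop the markers and leave release notes to the changelog.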

docs/architectures/pbmm/log-file-locations.md

Lines changed: 19 additions & 14 deletions
@@ -29,29 +29,34 @@
2929

3030
---
3131

32-
| Log Type | Folder Path | Example |
33-
| ----------------------- | ----------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
34-
| ELB (in AES bucket) | {account#}/elb-{elbname}/AWSLogs/{account#}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-aescacentral1-1py9vr4ucwuxu/123456789012/elb-Core-mydevacct1-alb/AWSLogs/123456789012/ELBAccessLogTestFile </li></ul><ul><li>s3://pbmmaccel-logarchive-phase0-aescacentral1-1py9vr4ucwuxu/123456789013/elb-Public-Prod-perimeter-alb/AWSLogs/123456789013/ELBAccessLogTestFile </li></ul> |
35-
| VPC Flow Logs | {account#}/{vpc-name}/AWSLogs/{account#}/vpcflowlogs/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/123456789012/Test-East-lcl/AWSLogs/123456789012/vpcflowlogs/us-east-1/2020/08/31/123456789012_vpcflowlogs_us-east-1_fl-04af3543c74402594_20200831T1720Z_73d3922a.log.gz </li></ul> |
36-
| Macie Reports | {account#}/macietestobject | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/123456789014/macie-test-object </li></ul> |
37-
| Cost and Usage Reports | {account#}/cur/Cost-and-Usage-Report/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/123456789015/cur/Cost-and-Usage-Report/\* </li></ul> |
38-
| Config History\* | AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigHistory/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/AWSLogs/123456789016/Config/ca-central-1/2020/8/31/ConfigHistory/123456789016_Config_ca-central-1_ConfigHistory_AWS::CloudFormation::Stack_20200831T011226Z_20200831T025845Z_1.json.gz </li></ul> |
39-
| Config Snapshot\* | AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigSnapshot/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/AWSLogs/123456789016/Config/ca-central-1/2020/8/30/ConfigSnapshot/123456789016_Config_ca-central-1_ConfigSnapshot_20200830T193058Z_5d173149-e6d0-41e4-af7f-031ff736f8c8.json.gz </li></ul> |
40-
| GuardDuty | AWSLogs/{account#}/GuardDuty/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/AWSLogs/123456789014/GuardDuty/ca-central-1/2020/09/02/294c9171-4867-3774-9756-f6f6c209616f.jsonl.gz </li></ul> |
41-
| CloudWatch Logs | CloudWatchLogs/{year}/{month}/{day}/{hour}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/CloudWatchLogs/2020/08/30/00/PBMMAccel-Kinesis-Delivery-Stream-1-2020-08-30-00-53-33-35aeea4c-582a-444b-8afa-848567924094 </li></ul> |
42-
| CloudTrail Digest\*\*\* | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail-Digest/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/o-fxozgwu6rc/AWSLogs/o-fxozgwu6rc/123456789016/CloudTrail-Digest/ca-central-1/2020/08/30/123456789016_CloudTrail-Digest_ca-central-1_PBMMAccel-Org-Trail_ca-central-1_20200830T190938Z.json.gz </li></ul> |
43-
| CloudTrail Insights\*\* | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail-Insights/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/o-fxozgwu6rc/AWSLogs/o-fxozgwu6rc/123456789015/CloudTrail-Insight/ca-central-1/2020/09/23/123456789015_CloudTrail-Insight_ca-central-1_20200923T0516Z_KL5e9VCV2SS7IqzB.json.gz </li></ul> |
44-
| CloudTrail\*\*\* | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/o-fxozgwu6rc/AWSLogs/o-fxozgwu6rc/123456789016/CloudTrail/ca-central-1/2020/08/30/123456789016_CloudTrail_ca-central-1_20200830T0115Z_3YQJxwt5qUaOzMtL.json.gz </li></ul> |
45-
| CT S3 Access Logs | {no folders} | <ul><li> s3://aws-controltower-s3-access-logs-123456789012-ca-central-1/2021-04-26-18-11-21-8647E1080048E5CB </li></ul> |
32+
| Log Type | Folder Path | Example |
33+
| ----------------------- | -------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
34+
| ELB (in AES bucket) | {account#}/elb-{elbname}/AWSLogs/{account#}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-aescacentral1-1py9vr4ucwuxu/123456789012/elb-Core-mydevacct1-alb/AWSLogs/123456789012/ELBAccessLogTestFile </li></ul><ul><li>s3://pbmmaccel-logarchive-phase0-aescacentral1-1py9vr4ucwuxu/123456789013/elb-Public-Prod-perimeter-alb/AWSLogs/123456789013/ELBAccessLogTestFile </li></ul> |
35+
| VPC Flow Logs | {account#}/{vpc-name}/AWSLogs/{account#}/vpcflowlogs/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/123456789012/Test-East-lcl/AWSLogs/123456789012/vpcflowlogs/us-east-1/2020/08/31/123456789012_vpcflowlogs_us-east-1_fl-04af3543c74402594_20200831T1720Z_73d3922a.log.gz </li></ul> |
36+
| Macie Reports | {account#}/macietestobject | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/123456789014/macie-test-object </li></ul> |
37+
| Cost and Usage Reports | {account#}/cur/Cost-and-Usage-Report/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/123456789015/cur/Cost-and-Usage-Report/\* </li></ul> |
38+
| Config History\* | AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigHistory/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/AWSLogs/123456789016/Config/ca-central-1/2020/8/31/ConfigHistory/123456789016_Config_ca-central-1_ConfigHistory_AWS::CloudFormation::Stack_20200831T011226Z_20200831T025845Z_1.json.gz </li></ul> |
39+
| Config Snapshot\* | AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigSnapshot/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/AWSLogs/123456789016/Config/ca-central-1/2020/8/30/ConfigSnapshot/123456789016_Config_ca-central-1_ConfigSnapshot_20200830T193058Z_5d173149-e6d0-41e4-af7f-031ff736f8c8.json.gz </li></ul> |
40+
| GuardDuty | AWSLogs/{account#}/GuardDuty/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/AWSLogs/123456789014/GuardDuty/ca-central-1/2020/09/02/294c9171-4867-3774-9756-f6f6c209616f.jsonl.gz </li></ul> |
41+
| CloudWatch Logs\*\*\*\* | CloudWatchLogs/{year}/{month}/{day}/{hour}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/CloudWatchLogs/2020/08/30/00/PBMMAccel-Kinesis-Delivery-Stream-1-2020-08-30-00-53-33-35aeea4c-582a-444b-8afa-848567924094 </li></ul> |
42+
| CloudTrail Digest\*\*\* | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail-Digest/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/o-fxozgwu6rc/AWSLogs/o-fxozgwu6rc/123456789016/CloudTrail-Digest/ca-central-1/2020/08/30/123456789016_CloudTrail-Digest_ca-central-1_PBMMAccel-Org-Trail_ca-central-1_20200830T190938Z.json.gz </li></ul> |
43+
| CloudTrail Insights\*\* | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail-Insights/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/o-fxozgwu6rc/AWSLogs/o-fxozgwu6rc/123456789015/CloudTrail-Insight/ca-central-1/2020/09/23/123456789015_CloudTrail-Insight_ca-central-1_20200923T0516Z_KL5e9VCV2SS7IqzB.json.gz </li></ul> |
44+
| CloudTrail\*\*\* | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail/{region}/{year}/{month}/{day}/\* | <ul><li> s3://pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo/o-fxozgwu6rc/AWSLogs/o-fxozgwu6rc/123456789016/CloudTrail/ca-central-1/2020/08/30/123456789016_CloudTrail_ca-central-1_20200830T0115Z_3YQJxwt5qUaOzMtL.json.gz </li></ul> |
45+
| CT S3 Access Logs | {no folders} | <ul><li> s3://aws-controltower-s3-access-logs-123456789012-ca-central-1/2021-04-26-18-11-21-8647E1080048E5CB </li></ul> |
46+
| SSM Inventory | ssm-inventory/{ssm-inventory-type}/accountid={account#}/region={region}/resourcetype={rt}/\* | <ul><li> s3://asea-logarchive-phase0-cacentral1-1tr23emhncdzo/ssm-inventory/AWS:Application/accountid=123456789012/region=ca-central-1/resourcetype=ManagedInstanceInventory/i-001188b4e152aecaf.json |
4647

4748
---
4849

4950
### Notes:
5051

5152
\* Located in Control Tower bucket when installed, Control Tower adds the {org-id} (i.e. o-h9ho05hcxl/) as the top level folder
53+
5254
\*\* Only available in Accelerator Standalone deployments
55+
5356
\*\*\* CloudTrail control plane logs located in Control Tower bucket when installed, Control Tower drops the {org-id} (i.e. o-h9ho05hcxl/) from the middle of the folder path. This may change when Control Tower migrates to Organization Trails. CloudTrail data plane logs remain in the Accelerator bucket.
5457

58+
\*\*\*\* v1.5.1 introduces the capability to split CloudWatch log groups starting with specific prefixes out into customer named subfolders. The folder/file structure is otherwise identical. The v1.5.1 example config files separate out MAD, RQL, Security Hub, NFW, rsyslog, and SSM logs by default. Example: Security Hub logs will be in the following structure: `CloudWatchLogs/security-hub/{year}/{month}/{day}/{hour}/`
59+
5560
- Account number is sometimes duplicated in path because logs replicated from another account always need to start with the source account number
5661
- Macie reports will only appear in the {account#} for the central security account, and only if a customer schedules PII discovery reports
5762
- All CloudWatch Logs from all accounts are mixed in the same folder, the embedded log format contains the source account information as documented here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/ValidateLogEventFlow.html
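Review bot: the new SSM Inventory row at +46 is the only row whose example bucket is `asea-logarchive-phase0-cacentral1-...` while every other row uses `pbmmaccel-logarchive-phase0-cacentral1-...`, and its Example cell is missing the closing `</li></ul>` that all the other rows have, so the table's last cell is unbalanced HTML. Use the same bucket prefix as the rest of the table (or add a note in the Notes section if the log-archive bucket prefix really changed in this release) and close the cell: `... /i-001188b4e152aecaf.json </li></ul> |`. The `{rt}` placeholder in the Folder Path column is also the only abbreviated placeholder in the table; spell it out as `{resource-type}` to match `{ssm-inventory-type}` in the same path.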
