Versions Compared

Old Version 40

changes.mady.by.user Daria Lebedeva

Saved on

compared with

New Version 41

changes.mady.by.user Daria Lebedeva

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Log index

Instruction

alb, elb

Ensure that that logging for ALB/ELB is on and logs are being stored in S3 Bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions)

aws-config

Enable AWS Config as described in AWS Documentation

Ensure that Cloudaware has been granted with the permission config:Des* (or config:DescribeDeliveryChannels as minimum)

cloudfront

Enable logging as described in this external guide

Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions)

cloudtrail

Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket should be present to Cloudaware)

eks-logs

Ensure Amazon EKS is enabled as described in AWS Documentation

Ensure that Cloudaware has been granted with permissions logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents

aws-rds

Cloudaware tracks RDS logs in both CloudWatch and events from DB instance. Ensure that Cloudaware has the following permissions*:

  • for logs from CloudWatch: logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents

  • for logs from DB instance: rds:DescribeDBInstances, rds:DescribeDBLogFiles, rds:DownloadCompleteDBLogFile, rds:DownloadDBLogFilePortion

*These permissions are predefined in Cloudaware Conflux Collector policy.

route53

Ensure that logging for DNS Queries is enabled as described in AWS Documentation

s3-access-logs*

Ensure that logging for S3 is enabled as described in AWS Documentation

vpc-flow-logs

Ensure VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation

waf-logs

Ensure that WAF logs are being stored in S3 Bucket or in CloudWatch Logs. Grant Cloudaware with access to this bucket (kinesis:DescribeStream and kinesis:ListStreams permissions should be in place, along with s3:ListBucket and s3:GetObject or logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents depending on the log destination)

* If the S3 bucket is encrypted, please grant Cloudaware read access. You can create a custom policy for the existing Cloudaware role or the AWS account where the S3 bucket with logs is stored. Below is an example of a bucket policy that grants read access to encryption keys, in addition to list* and get* permissions:

Code Block
{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
   ],
   "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>",
   "Effect": "Allow",
   "Sid": "AllowAccessToKMSCloudtrailBucket"
  },
  {
   "Action": [
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
   ],
   "Effect": "Allow",
   "Sid": "AllowAccessToLogsBucket"
  },
  {
   "Action": [
    "s3:GetObject"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
   ],
   "Effect": "Allow"
  }
 ]
}

WHERE

<KEY_PLACEHOLDER> should bу replaced by a corresponding encryption key

<BUCKET_ID>should bу replaced by a corresponding bucket id

<REGION> should bу replaced by a corresponding bucket region

Azure

Log Index

Instruction

azure-activity

Ensure that the Reader role has been assigned to Cloudaware based on Cloudaware Azure Start Guide

azure-flowlogs

Ensure that a custom role has been created for Cloudaware to have 'read' access to Storage Account keys (Microsoft.Storage/storageAccounts/listKeys/action permission)

...