...
Log index | Instruction |
---|---|
alb, elb | Ensure that that logging for ALB/ELB is on and logs are being stored in S3 Bucket. Grant Cloudaware with access to this bucket ( |
aws-config | Enable AWS Config as described in AWS Documentation Ensure that Cloudaware has been granted with the permission |
cloudfront | Enable logging as described in this external guide Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket ( |
cloudtrail | Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket should be present to Cloudaware) |
eks-logs | Ensure Amazon EKS is enabled as described in AWS Documentation Ensure that Cloudaware has been granted with permissions |
aws-rds | Cloudaware tracks RDS logs in both CloudWatch and events from DB instance. Ensure that Cloudaware has the following permissions*:
*These permissions are predefined in Cloudaware Conflux Collector policy. |
lambda | Ensure that Cloudaware has been granted with permissions |
route53 | Ensure that logging for DNS Queries is enabled as described in AWS Documentation |
s3-access-logs* | Ensure that logging for S3 is enabled as described in AWS Documentation |
vpc-flow-logs | Ensure VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation |
waf-logs | Ensure that WAF logs are being stored in S3 Bucket or in CloudWatch Logs. Grant Cloudaware with access to this bucket ( |
* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role or on the AWS account level, where the S3 log bucket with logs is storedlocated. Below is an the example of a bucket policy that grants read access to encryption keyscustom policy granting decrypt permissions, in addition to the necessary list*
and get*
permissions:
Code Block |
---|
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>", "Effect": "Allow", "Sid": "AllowAccessToKMSCloudtrailBucket" }, { "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>", "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>" ], "Effect": "Allow", "Sid": "AllowAccessToLogsBucket" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*", "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*" ], "Effect": "Allow" } ] } |
...
Log Index | Instruction |
---|---|
azure-activity | Ensure that the Reader role has been assigned to Cloudaware based on Cloudaware Azure Start Guide |
azure-flowlogs | Ensure that a custom role has been created for Cloudaware to have 'read' access to Storage Account keys ( |
...
Log index | Instruction |
---|---|
log-okta-system- | Provide Cloudaware support with your Okta URL and token (you can generate a token using Okta documentation here) |
OneLogin
Log index | Instruction | ||
---|---|---|---|
log-onelogin- | Contact Cloudaware to request the Listener URL and a token required to create a webhook in OneLogin. Use the provided parameters in the field 'Custom headers' in OneLogin UI (Developers → Webhooks). Specify the format as JSON Array when creating the webhook. Here is an example:
|