AWS
Log index | Instruction |
---|---|
alb, elb | Ensure that that logging for ALB/ELB is on and logs are being stored in S3 Bucket. Grant Cloudaware with access to this bucket ( |
aws-config | Enable AWS Config as described in AWS Documentation Ensure that Cloudaware has been granted with the permission |
cloudfront | Enable logging as described in this external guide Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket ( |
cloudtrail | Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket should be present to Cloudaware) |
eks-logs | Ensure Amazon EKS is enabled as described in AWS Documentation Ensure that Cloudaware has been granted with permissions |
aws-rds | Cloudaware tracks RDS logs in both CloudWatch and events from DB instance. Ensure that Cloudaware has the following permissions*:
*These permissions are predefined in Cloudaware Conflux Collector policy. |
route53 | Ensure that logging for DNS Queries is enabled as described in AWS Documentation |
s3-access-logs* | Ensure that logging for S3 is enabled as described in AWS Documentation |
vpc-flow-logs | Ensure VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation |
waf-logs | Ensure that WAF logs are being stored in S3 Bucket or in CloudWatch Logs. Grant Cloudaware with access to this bucket ( |
* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role or the AWS account where the S3 bucket with logs is stored. Below is an example of a bucket policy that grants read access to encryption keys, in addition to list*
and get*
permissions:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>", "Effect": "Allow", "Sid": "AllowAccessToKMSCloudtrailBucket" }, { "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>", "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>" ], "Effect": "Allow", "Sid": "AllowAccessToLogsBucket" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*", "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*" ], "Effect": "Allow" } ] }
WHERE
<KEY_PLACEHOLDER>
should bу replaced by a corresponding encryption key
<BUCKET_ID>
should bу replaced by a corresponding bucket id
<REGION>
should bу replaced by a corresponding bucket region
Azure
Log Index | Instruction |
---|---|
azure-activity | Ensure that the Reader role has been assigned to Cloudaware based on Cloudaware Azure Start Guide |
azure-flowlogs | Ensure that a custom role has been created for Cloudaware to have 'read' access to Storage Account keys ( |
Google Cloud
Log index | Instruction |
---|---|
google-audit- | Ensure that Cloud logging is enabled as described in Google Cloud Documentation |
Host Level
Log index | Instruction |
---|---|
metricbeat | Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, metribeat may generate a significant number of logs |
winlogbeat | Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, winglobeat may generate a significant number of logs |
filebeat | Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, filebeat may generate a significant number of logs |
packetbeat | Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node*. WARNING: once enabled, packetbeat may generate a significant number of logs |
* DNS name and IP address will be provided after Conflux is enabled for you in Cloudaware
Okta
Log index | Instruction |
---|---|
log-okta-system- | Provide Cloudaware support with your Okta URL and token (you can generate a token using Okta documentation here) |