Enable Organizational Central Logging
Recipe 2

This guide provides a step-by-step approach to establishing and protecting centralized logging for AWS Organizations. By following this recipe, you will ensure auditability, compliance, and security across your AWS environment. The guide also covers common pitfalls and troubleshooting tips to help you avoid potential issues.

Objective

Establish and protect centralized logging for AWS Organizations to ensure auditability, compliance, and security.

Difficulty Level

Intermediate

Estimated Time

  • Initial setup: 2-4 hours
  • Full implementation and optimization: 1-2 weeks

Note: The time can vary depending on the size and complexity of your organization, as well as your familiarity with AWS services.

Ingredients

  • AWS Organizations
  • AWS CloudTrail
  • AWS Config
  • AWS Identity and Access Management (IAM)
  • AWS Service Control Policies (SCPs)
  • Amazon S3 (for log storage)
  • AWS CloudFormation (optional for automation)

Steps

Step 1: Create a Central Logging Account

1.1 Set Up a Dedicated Account

  • Create a new AWS account specifically for centralized logging (e.g., "Log Archive Account").

Step 2: Configure Centralized Logging

2.1 Set Up S3 Buckets

  • In the Log Archive Account, create S3 buckets to store CloudTrail logs and AWS Config data.
  • Enable versioning and MFA Delete on these buckets for additional protection.

2.2 Enable AWS CloudTrail

  • In each member account, create a CloudTrail that delivers logs to the centralized S3 bucket in the Log Archive Account.
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <log-archive-bucket> --is-multi-region-trail
aws cloudtrail start-logging --name <trail-name>

2.3 Enable AWS Config

  • Enable AWS Config in each member account and configure it to send configuration snapshots and compliance data to the centralized S3 bucket.
aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<IAM-role-ARN>
aws configservice put-delivery-channel --delivery-channel name=<channel-name>,s3BucketName=<log-archive-bucket>
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>
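The commands in 2.2 and 2.3 point member-account trails and recorders at the central bucket, but delivery from another account only succeeds if the bucket policy in the Log Archive Account grants the CloudTrail and AWS Config service principals permission to check the bucket ACL and write under each account's own AWSLogs/<account-id>/ prefix with a bucket-owner-full-control ACL. The Python below is an added example, not code from the original recipe: it generates that bucket policy for a list of member accounts and also denies any non-TLS access to the bucket. The bucket name and account IDs are constructed placeholders.

```python
import json

# Constructed placeholders for this example (not values from the recipe).
LOG_BUCKET = "example-log-archive-bucket"
MEMBER_ACCOUNTS = ["111111111111", "222222222222"]

# Both services must deliver with a bucket-owner-full-control ACL so the Log
# Archive Account, not the sending member account, owns every object written.
OWNER_FULL_CONTROL = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}


def cloudtrail_statements(bucket, accounts):
    """Allow CloudTrail in each member account to deliver under AWSLogs/<account>/."""
    return [
        {
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{bucket}",
        },
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            # One prefix per account, so a member cannot write into another's path.
            "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*" for acct in accounts],
            "Condition": OWNER_FULL_CONTROL,
        },
    ]


def config_statements(bucket, accounts):
    """Allow AWS Config in each member account to deliver under AWSLogs/<account>/Config/."""
    return [
        {
            "Sid": "AWSConfigBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{bucket}",
        },
        {
            "Sid": "AWSConfigBucketDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/Config/*" for acct in accounts],
            "Condition": OWNER_FULL_CONTROL,
        },
    ]


def deny_insecure_transport(bucket):
    """Refuse any request to the bucket or its objects that does not use TLS."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def build_bucket_policy(bucket, accounts):
    """Assemble the full bucket policy document for the Log Archive bucket."""
    statements = cloudtrail_statements(bucket, accounts) + config_statements(bucket, accounts)
    statements.append(deny_insecure_transport(bucket))
    return {"Version": "2012-10-17", "Statement": statements}


def policy_json(bucket, accounts):
    """Serialized form suitable for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(build_bucket_policy(bucket, accounts), indent=2)


if __name__ == "__main__":
    print(policy_json(LOG_BUCKET, MEMBER_ACCOUNTS))
```

Write the output to a file and apply it in the Log Archive Account with `aws s3api put-bucket-policy --bucket <log-archive-bucket> --policy file://policy.json`; regenerate and re-apply whenever an account joins the organization, since the per-account prefixes are what keep one member from overwriting another's logs.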

Step 3: Protect Logging Resources with IAM Policies and SCPs

3.1 IAM Policies

  • Apply IAM policies in the Log Archive Account to restrict deletion actions on the S3 buckets.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<log-archive-bucket>",
        "arn:aws:s3:::<log-archive-bucket>/*"
      ]
    }
  ]
}

3.2 Enable MFA Delete

  • Enable MFA Delete on the S3 buckets in the Log Archive Account to add an extra layer of protection.
aws s3api put-bucket-versioning --bucket <log-archive-bucket> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::<account-id>:mfa/<mfa-device> <mfa-code>"

Note: MFA Delete can only be enabled by the bucket owner's AWS account root user, using the root account's MFA device ARN and a current code in the --mfa argument shown above.

3.3 Service Control Policies (SCPs)

  • Apply SCPs to organizational units to enforce restrictions across all accounts.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::<log-archive-bucket>",
        "arn:aws:s3:::<log-archive-bucket>/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/<trail-name>"
    }
  ]
}
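A Deny policy protects the logs only if its ARNs actually name the bucket and trail and its action list covers every call that can destroy or silence evidence. With versioning enabled, s3:DeleteObject merely adds a delete marker; s3:DeleteObjectVersion, suspending versioning and adding a lifecycle expiry rule are what remove data, and cloudtrail:UpdateTrail can redirect a trail to a different bucket. The Python below is an added example, not part of the original recipe: it audits an IAM policy or SCP document for lost ARN names and for required actions that no unconditional Deny covers. The bucket name, trail ARN and the list of required denies are assumptions chosen for this example; the sample policies are constructed copies of the recipe's SCP.

```python
import fnmatch
import re

# Constructed sample identifiers (not from the original recipe).
BUCKET_ARN = "arn:aws:s3:::example-log-archive-bucket"
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/example-org-trail"

# Actions that can destroy or silence log evidence, each paired with the
# resource ARN a Deny must cover for the protection to hold.
REQUIRED_DENIES = {
    "s3:DeleteBucket": BUCKET_ARN,
    "s3:DeleteObject": BUCKET_ARN + "/*",
    "s3:DeleteObjectVersion": BUCKET_ARN + "/*",
    "s3:PutBucketVersioning": BUCKET_ARN,
    "s3:PutLifecycleConfiguration": BUCKET_ARN,
    "cloudtrail:DeleteTrail": TRAIL_ARN,
    "cloudtrail:StopLogging": TRAIL_ARN,
    "cloudtrail:UpdateTrail": TRAIL_ARN,
}

# Constructed copy of the recipe's SCP with the bucket and trail names filled in.
SCP_RECIPE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Deny",
         "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"],
         "Resource": "arn:aws:cloudtrail:*:*:trail/example-org-trail"},
    ],
}

# The same statement with the bucket name dropped from the ARNs, the shape a
# policy takes when a <placeholder> is swallowed by a renderer and never replaced.
SCP_EMPTY_ARNS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": ["arn:aws:s3:::", "arn:aws:s3:::/*"]},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcards are * and ?, and action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def malformed_arns(policy):
    """Return resource ARNs whose bucket or trail name is missing entirely."""
    bad = []
    for stmt in policy["Statement"]:
        for arn in _as_list(stmt.get("Resource", [])):
            if re.match(r"^arn:aws:s3:::(/.*)?$", arn) or re.search(r":trail/?$", arn):
                bad.append(arn)
    return bad


def uncovered_actions(policy, required=REQUIRED_DENIES):
    """Return required actions that no unconditional Deny blocks on its resource.

    Statements carrying a Condition, NotAction or NotResource are skipped on
    purpose: they may be legitimate break-glass exceptions, but they are not a
    blanket guarantee and deserve a manual read.
    """
    uncovered = []
    for action, resource in required.items():
        covered = False
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Deny" or any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                continue
            action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
            resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
            if action_hit and resource_hit:
                covered = True
                break
        if not covered:
            uncovered.append(action)
    return uncovered


if __name__ == "__main__":
    for name, doc in (("recipe SCP", SCP_RECIPE), ("SCP with empty ARNs", SCP_EMPTY_ARNS)):
        print(name, "malformed:", malformed_arns(doc), "uncovered:", uncovered_actions(doc))
```

To audit a deployed SCP, load the `Content` field returned by `aws organizations describe-policy` (it is a JSON string, so pass it through `json.loads` first) and call both functions; an empty result from each is the expected state. Remember that SCPs never apply to the management account, so the same Deny should also exist as an IAM or bucket policy inside the Log Archive Account.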

Step 4: Continuous Monitoring and Auditing

4.1 Enable AWS Config Rules

  • Use AWS Config rules to continuously monitor the configuration of your AWS resources and ensure compliance with your policies.

4.2 Set Up AWS Security Hub

  • Enable AWS Security Hub for a comprehensive view of your security posture across all accounts.

Step 5: Continuous Improvement

5.1 Regular Audits

  • Conduct regular audits of your centralized logging setup to ensure it is functioning correctly and that logs are protected.

5.2 Adjust Policies as Needed

  • Continuously refine IAM policies and SCPs based on changing security requirements and AWS updates.

Key Pitfalls to Avoid in Centralized Logging

1. Lack of Centralized Logging Setup

Avoidance: Ensure centralized logging is set up from the beginning to capture logs across all accounts. Use a dedicated Log Archive account to store logs.

2. Insufficient Protection of Log Data

Avoidance: Protect log data by enabling S3 bucket versioning and MFA Delete. Apply IAM policies and SCPs to prevent unauthorized deletion of logs.

3. Incomplete Log Collection

Avoidance: Configure AWS CloudTrail and AWS Config in every account to ensure all actions and configurations are logged. Verify that logs are consistently sent to the centralized S3 bucket.

4. Overlooking Multi-Region Log Collection

Avoidance: Set up multi-region CloudTrail trails to ensure log collection from all AWS regions, not just the default region.

5. Not Using SCPs Effectively

Avoidance: Apply SCPs to enforce log delivery and prevent the deletion of log-related resources. Regularly review and update SCPs to adapt to new security requirements.

6. Neglecting Continuous Monitoring

Avoidance: Use AWS Config rules and AWS Security Hub to continuously monitor compliance and security posture. Ensure that all accounts adhere to logging policies.

7. Failure to Regularly Audit Logs

Avoidance: Conduct regular audits to ensure that log data is intact, complete, and accessible. Review log settings and access permissions periodically.

8. Poor Incident Response Plan

Avoidance: Develop and implement an incident response plan that includes steps for investigating and responding to security incidents using centralized logs.

Troubleshooting

Common Issues and Solutions

  1. Issue: Logs not appearing in the centralized S3 bucket

    • Solution:
      • Verify that CloudTrail and AWS Config are properly configured to send logs to the correct S3 bucket.
      • Check IAM permissions to ensure logging services have write access to the S3 bucket.
      • Ensure that there are no network issues preventing log delivery.
  2. Issue: Unauthorized deletion of logs

    • Solution:
      • Ensure that IAM policies and SCPs are correctly applied to prevent log deletion.
      • Enable MFA Delete on the S3 buckets storing logs.
  3. Issue: Inconsistent logging across regions

    • Solution:
      • Configure multi-region trails in CloudTrail to ensure logs are collected from all AWS regions.
      • Verify that AWS Config is enabled in all regions where resources are deployed.
  4. Issue: Logs not being retained as expected

    • Solution:
      • Check the lifecycle policies on the S3 bucket to ensure logs are retained for the required period.
      • Ensure versioning is enabled on the S3 bucket to prevent accidental deletion.
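Issues 1 and 3 above both come down to the same question: for every (account, region) pair you expect, has a log object arrived recently? CloudTrail and AWS Config encode the account, region and date in the object key (AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/... and AWSLogs/<account-id>/Config/<region>/<yyyy>/<m>/<d>/...), so a listing of the central bucket is enough to find silent accounts or regions. The Python below is an added example, not code from the original recipe: it parses a list of keys and reports pairs with no delivery at all and pairs whose latest delivery is older than a threshold. The keys, account IDs and reference date are constructed sample data.

```python
import re
from datetime import date, timedelta

# Key layout shared by CloudTrail and AWS Config deliveries. Organization
# trails insert the organization id (o-...) before the account id; Config
# does not zero-pad month and day, hence \d{1,2}.
KEY_RE = re.compile(
    r"^AWSLogs/(?:o-[a-z0-9]+/)?(?P<account>\d{12})/(?P<service>CloudTrail|Config)/"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/(?P<y>\d{4})/(?P<m>\d{1,2})/(?P<d>\d{1,2})/"
)

# Constructed sample listing of the central bucket (not real keys).
SAMPLE_KEYS = [
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/08/16/111111111111_CloudTrail_us-east-1_20240816T1200Z_a1b2c3.json.gz",
    "AWSLogs/111111111111/CloudTrail/eu-west-1/2024/08/16/111111111111_CloudTrail_eu-west-1_20240816T1205Z_d4e5f6.json.gz",
    "AWSLogs/222222222222/CloudTrail/us-east-1/2024/08/10/222222222222_CloudTrail_us-east-1_20240810T0900Z_g7h8i9.json.gz",
    "AWSLogs/111111111111/Config/us-east-1/2024/8/16/ConfigSnapshot/111111111111_Config_us-east-1_ConfigSnapshot_20240816T000000Z_x.json.gz",
    # Digest files live under a different prefix and are deliberately ignored.
    "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2024/08/16/111111111111_CloudTrail-Digest_us-east-1_20240816T120000Z.json.gz",
]
EXPECTED_ACCOUNTS = ["111111111111", "222222222222"]
EXPECTED_REGIONS = ["us-east-1", "eu-west-1"]


def latest_delivery(keys):
    """Map (account, service, region) to the most recent delivery date seen."""
    latest = {}
    for key in keys:
        m = KEY_RE.match(key)
        if not m:
            continue  # digests, manifests and unrelated objects are skipped
        when = date(int(m["y"]), int(m["m"]), int(m["d"]))
        ident = (m["account"], m["service"], m["region"])
        if ident not in latest or when > latest[ident]:
            latest[ident] = when
    return latest


def delivery_status(keys, service, accounts, regions, as_of, max_age_days=1):
    """Report expected (account, region) pairs with no delivery or a stale one."""
    latest = latest_delivery(keys)
    missing, stale = [], []
    for acct in accounts:
        for region in regions:
            when = latest.get((acct, service, region))
            if when is None:
                missing.append((acct, region))
            elif as_of - when > timedelta(days=max_age_days):
                stale.append((acct, region, when.isoformat()))
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    for svc in ("CloudTrail", "Config"):
        print(svc, delivery_status(SAMPLE_KEYS, svc, EXPECTED_ACCOUNTS, EXPECTED_REGIONS, date(2024, 8, 16)))
```

Feed it the keys from `aws s3api list-objects-v2 --bucket <log-archive-bucket> --prefix AWSLogs/ --query 'Contents[].Key'` (paginating for large buckets) and the account list from `aws organizations list-accounts`; a non-empty `missing` list usually means a trail or recorder was never created or the bucket policy lacks that account's prefix, while `stale` entries point at a stopped trail or a broken recorder role.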

Debugging Tips

  1. Use AWS CloudTrail to audit API calls and identify any permission issues or unexpected actions.
  2. Leverage AWS Config to assess the compliance of your resources against your defined rules and policies.
  3. Utilize the AWS Organizations CLI for troubleshooting. Commands like list-policies and list-targets-for-policy can provide valuable insights.
  4. When troubleshooting SCPs, remember to check policies at all levels of the OU hierarchy, as they are inherited and combined.
  5. For logging issues, review the CloudTrail and AWS Config logs for errors or misconfigurations.

Conclusion

Setting up centralized logging in AWS Organizations is essential for maintaining auditability, compliance, and security across your AWS environment. By following this recipe and avoiding common pitfalls, you can ensure a robust and secure logging infrastructure that meets your organization's needs. Regular reviews and adjustments will keep your logging setup effective and up-to-date with evolving requirements.

More Resources

  • AWS Organizations Documentation
  • AWS CloudTrail
  • AWS Config
  • AWS Security Hub
  • AWS S3
  • AWS IAM Best Practices

James Phipps 16 August, 2024