

This post describes an automated process for enabling Amazon Virtual Private Cloud (Amazon VPC) Flow Logs using AWS Config rule remediation. Customers use Amazon VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in an Amazon VPC. The solution is deployed with AWS Control Tower, which helps enforce governance by centralizing VPC Flow Logs in an Amazon Simple Storage Service (Amazon S3) bucket in the log archive account for monitoring, troubleshooting, anomaly detection, and archival at scale in an AWS multi-account environment. The log archive account acts as the repository for logs from all accounts in your organization.

# Solution overview

In this solution we use AWS Config to evaluate whether VPC Flow Logs are configured and to remediate the VPCs where they are missing. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources: it continuously monitors and records resource configurations and lets you automate the evaluation of recorded configurations against desired configurations. The benefit of AWS Config here is that a resource evaluation rule validates the configuration of each resource and triggers an automated process to remediate it. An AWS Systems Manager (SSM) Automation document performs the remediation task.

This setup is deployed to new AWS accounts using AWS Control Tower lifecycle events and an AWS CloudFormation stack. You can also enable VPC Flow Logs on existing accounts by running the CloudFormation StackSet against the selected accounts, or use the solution in an individual account by deploying it as a plain CloudFormation stack. Data ingestion and archival charges for vended logs apply when you publish flow logs to CloudWatch Logs or to Amazon S3; see the AWS documentation on VPC Flow Logs pricing for details and examples.

When a VPC is created without flow logs in any account, the solution identifies and marks the non-compliant VPC in AWS Config and automatically initiates the remediation task to enable flow logs. Once flow logs are enabled, the logs are stored in the centralized S3 bucket in the log archive account.

# How it works

1. The AWS Config managed rule VPC_FLOW_LOGS_ENABLED evaluates every VPC in a given Region for flow-log status and flags each VPC without a flow log as a non-compliant resource.
2. When a resource becomes non-compliant, the SSM Automation document AWS-EnableVPCFlowLogs is executed. The resource ID (the VPC ID) is passed to the document as a parameter (RESOURCE_ID).
3. An IAM role executes the automation on behalf of the SSM Automation document, and the flow log is enabled on the VPC using the permissions defined in that role.
4. The flow log is configured with LogDestinationType set to an Amazon S3 bucket (this is configurable and can be changed to CloudWatch Logs if required) and with a traffic type.

Note: A similar use case can be achieved with Amazon EventBridge and AWS Lambda for orchestration, which is explained in a separate blog post.

# Prerequisites

- AWS Control Tower set up with an AWS account for centralized logging.
- An S3 bucket in the centralized logging account with a bucket policy that allows VPC Flow Logs to be delivered to it. The policy must allow the log delivery service to write objects only with the condition `"s3:x-amz-acl": "bucket-owner-full-control"`, so that the log archive account owns every delivered object. Refer to Creating an S3 bucket if this is your first time creating one.

# Deployment

To deploy this solution across multiple accounts and Regions, we use AWS CloudFormation StackSets.
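The bucket policy called for in the prerequisites, as an added example that is not the post's own policy: it builds the two statements the flow-log delivery service needs (`s3:PutObject` restricted to the `bucket-owner-full-control` ACL, plus `s3:GetBucketAcl`) and includes a check you can run against an existing bucket policy before deploying. The bucket name and account IDs are hypothetical; the `aws:SourceAccount` condition is an added hardening so another account cannot point its flow logs at your bucket.

```python
import json

# Added example (not from the original post). Bucket name and account IDs below
# are hypothetical; the structure follows the documented S3 bucket policy for
# VPC Flow Logs delivery.
LOG_DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"


def flow_log_bucket_policy(bucket: str, account_ids: list[str]) -> dict:
    """Return a bucket policy allowing flow-log delivery from the given accounts.

    Objects land under AWSLogs/<account-id>/ and must be written with the
    bucket-owner-full-control ACL so the log archive account owns them.
    aws:SourceAccount pins the delivery service to those accounts (confused
    deputy protection).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in account_ids],
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceAccount": account_ids,
                    }
                },
            },
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_ids}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows_flow_log_delivery(policy: dict, bucket: str, account_id: str) -> bool:
    """Check that `policy` lets the delivery service write flow logs for `account_id`.

    Requires an Allow for s3:PutObject covering AWSLogs/<account_id>/* that
    insists on the bucket-owner-full-control ACL, and an Allow for
    s3:GetBucketAcl on the bucket. A statement whose aws:SourceAccount
    condition excludes account_id does not count. A "*" principal is not
    accepted: the grant must name the delivery service.
    """
    can_put = can_get_acl = False
    object_prefix = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/"
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or LOG_DELIVERY_PRINCIPAL not in services:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "aws:SourceAccount" in cond and account_id not in _as_list(cond["aws:SourceAccount"]):
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        covers_objects = any(
            r.startswith(object_prefix) or r == f"arn:aws:s3:::{bucket}/*" for r in resources
        )
        if "s3:PutObject" in actions and covers_objects and \
                cond.get("s3:x-amz-acl") == "bucket-owner-full-control":
            can_put = True
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            can_get_acl = True
    return can_put and can_get_acl


def render(policy: dict) -> str:
    """JSON as you would paste it into the bucket policy editor."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print(render(flow_log_bucket_policy("central-flow-logs", ["111122223333"])))
```

Run the check with the policy returned by `get_bucket_policy` for each member account you expect to deliver logs; a `False` result before deployment is far cheaper than a fleet of flow logs silently failing delivery after remediation.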
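The evaluation and remediation steps described under How it works, as an added example written for this page: it is not the post's own code and not the AWS-EnableVPCFlowLogs document, but expresses the same logic with the EC2 API calls that boto3 exposes (`describe_vpcs`, `describe_flow_logs`, `create_flow_logs`). The client is injected so the logic runs offline against the constructed `FakeEC2` stand-in; with boto3 you would pass `boto3.client("ec2", region_name=...)`. VPC IDs and the bucket ARN are hypothetical.

```python
# Added example (not from the original post). FakeEC2 and its sample VPCs and
# flow logs are constructed here so the logic runs without AWS credentials.


def vpcs_without_flow_logs(ec2) -> list[str]:
    """Evaluate every VPC in the Region and return the IDs that have no flow log.

    This is what the VPC_FLOW_LOGS_ENABLED rule checks: a flow log whose
    resource-id is the VPC. (The managed rule's optional trafficType parameter
    is stricter; this check accepts any traffic type.)
    """
    vpc_ids = [v["VpcId"] for v in ec2.describe_vpcs()["Vpcs"]]
    if not vpc_ids:
        return []
    logged = {
        fl["ResourceId"]
        for fl in ec2.describe_flow_logs(
            Filters=[{"Name": "resource-id", "Values": vpc_ids}]
        )["FlowLogs"]
    }
    return [v for v in vpc_ids if v not in logged]


def enable_flow_log(ec2, vpc_id: str, log_destination_arn: str,
                    traffic_type: str = "ALL") -> str:
    """Remediate one non-compliant VPC: create a flow log delivering to S3.

    Idempotent: if the VPC already has a flow log its ID is returned, so a
    re-run of remediation does not fan out into duplicate (separately billed)
    flow logs.
    """
    existing = ec2.describe_flow_logs(
        Filters=[{"Name": "resource-id", "Values": [vpc_id]}]
    )["FlowLogs"]
    if existing:
        return existing[0]["FlowLogId"]
    resp = ec2.create_flow_logs(
        ResourceIds=[vpc_id],
        ResourceType="VPC",
        TrafficType=traffic_type,      # ACCEPT | REJECT | ALL
        LogDestinationType="s3",       # "cloud-watch-logs" + LogGroupName if required
        LogDestination=log_destination_arn,
    )
    if resp.get("Unsuccessful"):
        err = resp["Unsuccessful"][0]["Error"]
        raise RuntimeError(f"{vpc_id}: {err['Code']}: {err['Message']}")
    return resp["FlowLogIds"][0]


def remediate_region(ec2, log_destination_arn: str) -> dict[str, str]:
    """Evaluate, then remediate; returns {vpc_id: flow_log_id} for fixed VPCs."""
    return {vpc: enable_flow_log(ec2, vpc, log_destination_arn)
            for vpc in vpcs_without_flow_logs(ec2)}


class FakeEC2:
    """Minimal stand-in for boto3's EC2 client, holding constructed sample data."""

    def __init__(self, vpcs, flow_logs):
        self.vpcs = list(vpcs)
        self.flow_logs = list(flow_logs)   # each: {"FlowLogId", "ResourceId", ...}
        self.created = []                  # kwargs of every create_flow_logs call

    def describe_vpcs(self, **_):
        return {"Vpcs": [{"VpcId": v} for v in self.vpcs]}

    def describe_flow_logs(self, Filters=(), **_):
        wanted = {v for f in Filters if f["Name"] == "resource-id" for v in f["Values"]}
        return {"FlowLogs": [fl for fl in self.flow_logs if fl["ResourceId"] in wanted]}

    def create_flow_logs(self, ResourceIds, **kw):
        ids = []
        for rid in ResourceIds:
            fl_id = f"fl-{len(self.flow_logs):08x}"
            self.flow_logs.append({"FlowLogId": fl_id, "ResourceId": rid, **kw})
            ids.append(fl_id)
        self.created.append(kw)
        return {"FlowLogIds": ids, "Unsuccessful": []}


if __name__ == "__main__":
    ec2 = FakeEC2(vpcs=["vpc-0a1b2c3d", "vpc-0e4f5a6b"],
                  flow_logs=[{"FlowLogId": "fl-00000000", "ResourceId": "vpc-0e4f5a6b"}])
    print(remediate_region(ec2, "arn:aws:s3:::central-flow-logs"))
```

With the real client the caller needs `ec2:DescribeVpcs`, `ec2:DescribeFlowLogs` and `ec2:CreateFlowLogs`, which is the same least-privilege set the automation's IAM role should carry; delivery to S3 needs no `DeliverLogsPermissionArn` because the bucket policy, not a role, authorizes the write.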
