
How to enable security logs in an AWS account
This solution walks through enabling security logging in a single AWS account.
At the end of the deployment you will have enabled multiple AWS security services and have them sending their data to a central S3 bucket for further analysis if required.
Although this project follows the same principles as a multi-account logging setup, its configuration differs because every element lives in the same account.
It will give you a good idea of where to start with multi-account logging; I will create a separate repo and guide for that later.
### Components built with the solution are:
- Create an encrypted S3 bucket for log storage - Security_S3_1.yaml
- Enable AWS Config - Security_1.yaml
- Enable AWS Config - Security_2.yaml
- Enable AWS GuardDuty - Security_3.yaml
- Enable AWS CloudTrail - Security_4.yaml
- Enable AWS Config - Security_5.yaml
- Enable AWS Config - Security_6.yaml
To keep things simple this solution is based on two CloudFormation templates, Security_S3.yaml and Security.yaml, that deploy all components. These can be uploaded directly in the AWS console, so no deployment tooling is needed.
- An AWS account
- An IAM user with rights to deploy CloudFormation stacks and create the resources they contain
- A copy of the code
If you don't already have an AWS account you can sign up for one.
Don't forget to secure your new account!
If you don't know how, take a look at my post on setting up your AWS account.
If you didn't follow my post and are logging in as root, go and create an IAM user.
Details on how are in the AWS IAM User Guide.
The simplest way to get the code is to download the zip file and extract it with your PC's built-in zip tool to a location you can easily find.
If you're more advanced, clone the repo:

```sh
# Clone the repo
git clone https://github.com/myawsrocks/SecurityLogging.git
```
Firstly we need to deploy the log storage bucket, since the security services deployed afterwards need somewhere to send their data.
To deploy the bucket with all of its configuration, create a new stack with the Security_S3.yaml file.
You can choose to enter a custom retention parameter, but the solution will build with the default of 1 year (365 days).
If you are following along with my blog and/or want to build the components step by step, first create a new stack with the Security_S3_1.yaml file.
Again you can enter custom retention parameters, but the solution will build with the defaults.
Use the "Update Stack" option and upload the next file (Security_S3_2.yaml, then Security_S3_3.yaml, etc.) to build the components one at a time.
Secondly we need to deploy the security services.
To deploy all of the configuration, create a new stack with the Security.yaml file.
If you are following along with my blog and/or want to build the components step by step, first create a new stack with the Security_1.yaml file.
Use the "Update Stack" option and upload the next file (Security_2.yaml, then Security_3.yaml, etc.) to build the components one at a time.
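The same two-stack procedure driven from the AWS CLI instead of the console, followed by the checks you should run once the stacks are up. This is an added example and not code from the SecurityLogging repo: it assumes AWS CLI v2 is configured with an IAM user that can deploy stacks, that the bucket template's retention parameter is named `RetentionDays` (check the Parameters section of Security_S3.yaml for the real name), and it uses stack names of its own choosing. The `stack_action` helper picks create-stack or update-stack depending on whether the stack already exists, which is what makes it usable for the step-by-step Security_S3_2.yaml, Security_2.yaml, ... updates as well as the one-shot deploy.

```shell
#!/bin/sh
# Added example, not code from the SecurityLogging repo: deploy the two full templates with
# the AWS CLI instead of the console, then check that each service is really delivering logs.
# Assumptions: AWS CLI v2 is configured with deploy rights; the bucket template's retention
# parameter is named RetentionDays (check the Parameters section of Security_S3.yaml for the
# real name); the stack names below are our own choice.
set -eu

REGION="${AWS_REGION:-eu-west-1}"   # region the stacks are deployed into
S3_STACK="SecurityLogsBucket"        # assumed stack name for Security_S3.yaml
SVC_STACK="SecurityLogsServices"     # assumed stack name for Security.yaml

# Print "create" if the stack does not exist yet, "update" if it does. This is what lets
# the same function serve the first deploy and the step-by-step Security_2.yaml,
# Security_3.yaml ... updates (the console's "Update Stack" button).
stack_action() {
  if aws cloudformation describe-stacks --region "$REGION" --stack-name "$1" >/dev/null 2>&1; then
    echo update
  else
    echo create
  fi
}

# deploy_stack NAME TEMPLATE [ParameterKey=...,ParameterValue=... ...]
# Create or update NAME from the local TEMPLATE, wait for CloudFormation to finish and
# print the action taken. CAPABILITY_NAMED_IAM is passed because templates that create IAM
# roles (as the CloudTrail and Config ones typically do) are rejected without it.
deploy_stack() {
  name="$1"; template="$2"; shift 2
  action="$(stack_action "$name")"
  if [ "$#" -gt 0 ]; then
    aws cloudformation "${action}-stack" --region "$REGION" --stack-name "$name" \
      --template-body "file://$template" --capabilities CAPABILITY_NAMED_IAM \
      --parameters "$@" >/dev/null
  else
    aws cloudformation "${action}-stack" --region "$REGION" --stack-name "$name" \
      --template-body "file://$template" --capabilities CAPABILITY_NAMED_IAM >/dev/null
  fi
  aws cloudformation wait "stack-${action}-complete" --region "$REGION" --stack-name "$name"
  echo "$action"
}

# expect LABEL ACTUAL WANTED: print ok/FAIL for one check, non-zero status on FAIL.
expect() {
  if [ "$2" = "$3" ]; then echo "ok   $1"; return 0; fi
  echo "FAIL $1 (got '$2', wanted '$3')"; return 1
}

# verify_logging BUCKET: the checks a reviewer runs after the stacks are up. Returns
# non-zero if any check fails so it can gate a pipeline.
verify_logging() {
  bucket="$1"; rc=0

  enc="$(aws s3api get-bucket-encryption --bucket "$bucket" \
    --query 'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm' \
    --output text 2>/dev/null || echo none)"
  case "$enc" in AES256|aws:kms) enc=encrypted ;; *) enc=none ;; esac
  expect "bucket $bucket has default encryption" "$enc" encrypted || rc=1

  pab="$(aws s3api get-public-access-block --bucket "$bucket" \
    --query 'PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]' \
    --output text 2>/dev/null | tr '\t' ' ')"
  expect "bucket $bucket blocks all public access" "$pab" "True True True True" || rc=1

  trail="$(aws cloudtrail describe-trails --region "$REGION" --query 'trailList[0].Name' \
    --output text 2>/dev/null || echo None)"
  logging="$(aws cloudtrail get-trail-status --region "$REGION" --name "$trail" \
    --query 'IsLogging' --output text 2>/dev/null || echo False)"
  expect "CloudTrail trail $trail is logging" "$logging" True || rc=1

  recording="$(aws configservice describe-configuration-recorder-status --region "$REGION" \
    --query 'ConfigurationRecordersStatus[0].recording' --output text 2>/dev/null || echo False)"
  expect "Config recorder is recording" "$recording" True || rc=1

  det="$(aws guardduty list-detectors --region "$REGION" --query 'DetectorIds[0]' \
    --output text 2>/dev/null || echo None)"
  case "$det" in ""|None) det=none ;; *) det=present ;; esac
  expect "GuardDuty detector exists" "$det" present || rc=1

  return "$rc"
}

# Run the full procedure only when asked (sh deploy.sh --deploy), so the functions above
# can also be sourced and reused for the step-by-step template files.
if [ "${1:-}" = "--deploy" ]; then
  deploy_stack "$S3_STACK" Security_S3.yaml ParameterKey=RetentionDays,ParameterValue=365
  deploy_stack "$SVC_STACK" Security.yaml
  bucket="$(aws cloudformation describe-stack-resources --region "$REGION" --stack-name "$S3_STACK" \
    --query "StackResources[?ResourceType=='AWS::S3::Bucket'].PhysicalResourceId | [0]" --output text)"
  verify_logging "$bucket"
fi
```

Run it as `sh deploy.sh --deploy` from the directory containing the templates. A FAIL line from `verify_logging` is the thing to chase before trusting the setup: an unencrypted or publicly reachable log bucket, a trail that exists but is not logging, or a Config recorder that was created but never started are all states CloudFormation will happily report as CREATE_COMPLETE.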
See the open issues for a full list of proposed features (and known issues).
Contributions are what make the open source community such an amazing place to learn, inspire, and create.
Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
Distributed under the GPL3 License. See license file for more information.