Log Management - Requirements

AWS

Log index	Instruction
alb, elb	Ensure that that logging for ALB/ELB is on and logs are being stored in S3 Bucket. Grant Cloudaware with access to this bucket (`s3:GetObject` and `s3:ListObject` permissions).
aws-config	Enable AWS Config as described in AWS Documentation. Ensure that Cloudaware has been granted with the permission `config:Des*` (or `config:DescribeDeliveryChannels` as minimum).
cloudfront	Enable logging as described in this external guide. Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket (`s3:GetObject` and `s3:ListObject` permissions).
cloudtrail	Ensure CloudTrail is enabled and the CloudTrail data is accessible (the bucket should be present to Cloudaware).
eks-logs	Ensure Amazon EKS is enabled as described in AWS Documentation. Ensure that Cloudaware has been granted with permissions `logs:DescribeLogGroups`, `logs:DescribeLogStreams`, `logs:GetLogEvents`.
aws-rds	Cloudaware tracks RDS logs in both CloudWatch and events from DB instance. Ensure that Cloudaware has the following permissions: for logs from CloudWatch: `logs:DescribeLogGroups`, `logs:DescribeLogStreams`, `logs:GetLogEvents` for logs from DB instance: `rds:DescribeDBInstances`, `rds:DescribeDBLogFiles`, `rds:DownloadCompleteDBLogFile`, `rds:DownloadDBLogFilePortion` These permissions are predefined in Cloudaware Conflux Collector policy.
lambda	Ensure that Cloudaware has been granted with permissions `logs:DescribeLogGroups`, `logs:DescribeLogStreams`, `logs:ListTagsForResource` and l`ogs:GetLogEvents`. Cloudaware automatically discovers CloudWatch groups where Lambda logs are stored. If the search didn't bring results, tag the group(s) with `log-source: lambda` tag.
route53	Ensure that logging for DNS Queries is enabled as described in AWS Documentation.
s3-access-logs*	Ensure that logging for S3 is enabled as described in AWS Documentation.
vpc-flow-logs	Ensure VPC, VPC subnet or Elastic Network Interface traffic is logged to CloudWatch Logs as described in AWS Documentation.
waf-logs	Ensure that WAF logs are being stored in S3 Bucket or in CloudWatch Logs. Grant Cloudaware with access to this bucket (`kinesis:DescribeStream` and `kinesis:ListStreams` permissions should be in place, along with `s3:ListBucket` and `s3:GetObject or logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents` depending on the log destination).

* If the S3 bucket is encrypted, please grant Cloudaware decrypt permissions. You can create a custom policy for the existing Cloudaware role on the account level, where the log bucket is located. Below is the example of a custom policy granting decrypt permissions, in addition to the necessary list* and get* permissions:

CODE

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
   ],
   "Resource": "arn:aws:kms:<REGION>:<BUCKET_ID>:key/<KEY_PLACEHOLDER>",
   "Effect": "Allow",
   "Sid": "AllowAccessToKMSCloudtrailBucket"
  },
  {
   "Action": [
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>"
   ],
   "Effect": "Allow",
   "Sid": "AllowAccessToLogsBucket"
  },
  {
   "Action": [
    "s3:GetObject"
   ],
   "Resource": [
    "arn:aws:s3:::aws-controltower-s3-access-logs-<BUCKET_ID>-<REGION>/*",
    "arn:aws:s3:::aws-controltower-logs-<BUCKET_ID>-<REGION>/*"
   ],
   "Effect": "Allow"
  }
 ]
}

WHERE

<KEY_PLACEHOLDER> should bу replaced by a corresponding encryption key

<BUCKET_ID>should bу replaced by a corresponding bucket id

<REGION> should bу replaced by a corresponding bucket region

Azure

Log Index	Instruction
azure-activity	Ensure that the Reader role has been assigned to Cloudaware based on Azure Start Guide.
azure-flowlogs	Ensure that a custom role has been created for Cloudaware to have 'read' access to Storage Account keys (`Microsoft.Storage/storageAccounts/listKeys/action` permission).

Google Cloud

Log index	Instruction
google-audit-	Ensure that Cloud logging is enabled as described in Google Cloud Documentation.

Host level logs

Log index	Instruction
metricbeat	Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node. WARNING: once enabled, metribeat* may generate a significant number of logs
winlogbeat	Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node. WARNING: once enabled, winglobeat* may generate a significant number of logs
filebeat	Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node. WARNING: once enabled, filebeat* may generate a significant number of logs
packetbeat	Ensure Breeze is installed on a host. Ensure the outbound connection to port 8443 is open on your Conflux node. WARNING: once enabled, packetbeat* may generate a significant number of logs

* DNS name and IP address will be provided after Conflux is enabled for you in Cloudaware

Other logs

Okta

Log index	Instruction
log-okta-system-	Provide the Cloudaware support with Okta URL and a token.

OneLogin

Log index

Instruction

log-onelogin-

Contact Cloudaware to request a Listener URL and a token required to create a webhook in OneLogin. Use the provided parameters in the field 'Custom headers' in OneLogin UI (Developers → Webhooks). Specify the format as JSON Array when creating the webhook. Here is an example:

CODE

Listener URL: https://COMPANYNAME-conflux.cloudaware.com:XXXX
Custom Headers:
    conflux: Xxx1xxxx0xxxxxXXxX
Format:  JSON Array

GitLab Audit

Log index

Instruction

log-gitlab-

stream: Contact Cloudaware to request a Destination URL for event stream creation in GitLab account. Learn more

AWS S3 bucket: Ensure that logs are being stored in S3 bucket. Grant Cloudaware with access to this bucket (s3:GetObject and s3:ListObject permissions). Ensure that the taglog-source => gitlab is used on the bucket.