AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Log files Should Be Delivered Without Any Failures
More Info:
The log files generated by your AWS CloudTrail trails should be delivered without any failures to designated recipients in order to keep CloudTrail logging data for security and compliance audits.
Risk Level
Low
Address
Reliability, Operational Maturity, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Log files should be delivered without any failures” for AWS using AWS console, follow the below steps:
-
Open the AWS Management Console and navigate to the CloudWatch service.
-
Click on “Logs” in the left-hand menu and select the log group that is experiencing the delivery failure.
-
Click on the “Actions” drop-down menu and select “Stream to Amazon Elasticsearch Service”.
-
In the “Stream to Amazon Elasticsearch Service” dialog box, select the Elasticsearch domain that you want to stream the log data to.
-
Choose the appropriate IAM role that has permission to stream the log data to the Elasticsearch domain.
-
Configure the log stream settings as required and click on “Start Streaming”.
-
Once the log stream is successfully started, CloudWatch will begin delivering log data to the Elasticsearch domain without any failures.
-
You can monitor the log stream status and troubleshoot any issues using the CloudWatch Logs console.
By following these steps, you can remediate the misconfiguration “Log files should be delivered without any failures” for AWS using AWS console.
To remediate the misconfiguration “Log files Should Be Delivered Without Any Failures” in AWS, you can follow the below steps using AWS CLI:
-
Open the AWS CLI on your local machine or terminal.
-
Run the following command to create a new S3 bucket to store the logs:
aws s3api create-bucket --bucket <bucket-name> --region <region> --create-bucket-configuration LocationConstraint=<region>Replace
<bucket-name>with your desired bucket name and<region>with the region in which you want to create the bucket. -
Run the following command to enable access logging for your S3 bucket:
aws s3api put-bucket-acl --bucket <bucket-name> --grant-read uri=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-write uri=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-read-acp uri=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-write-acp uri=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-full-control uri=http://acs.amazonaws.com/groups/s3/LogDeliveryReplace
<bucket-name>with the name of the bucket you created in step 2. -
Run the following command to create a new CloudWatch Logs group:
aws logs create-log-group --log-group-name <log-group-name>Replace
<log-group-name>with your desired name for the log group. -
Run the following command to create a new CloudWatch Logs stream:
aws logs create-log-stream --log-group-name <log-group-name> --log-stream-name <log-stream-name>Replace
<log-group-name>with the name of the log group you created in step 4 and<log-stream-name>with your desired name for the log stream. -
Run the following command to create a new CloudWatch Logs subscription filter:
aws logs put-subscription-filter --log-group-name <log-group-name> --filter-name <filter-name> --filter-pattern "" --destination-arn arn:aws:s3:::<bucket-name>Replace
<log-group-name>with the name of the log group you created in step 4,<filter-name>with your desired name for the filter, and<bucket-name>with the name of the S3 bucket you created in step 2. -
Verify that the logs are being delivered to the S3 bucket by checking the contents of the bucket. You should see log files being created and updated in real-time.
By following these steps, you can remediate the misconfiguration “Log files Should Be Delivered Without Any Failures” in AWS using AWS CLI.
To remediate the misconfiguration “Log files Should Be Delivered Without Any Failures” for AWS using Python, you can follow these steps:
Step 1: Create an S3 bucket to store the log files.
import boto3
s3 = boto3.client('s3')
bucket_name = 'your-bucket-name'
s3.create_bucket(Bucket=bucket_name)
Step 2: Create an IAM role with permissions to write to the S3 bucket.
import boto3
iam = boto3.client('iam')
role_name = 'your-role-name'
assume_role_policy_document = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
response = iam.create_role(
RoleName=role_name,
AssumeRolePolicyDocument=json.dumps(assume_role_policy_document)
)
policy_document = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::your-bucket-name/*"
]
}
]
}
iam.put_role_policy(
RoleName=role_name,
PolicyName='your-policy-name',
PolicyDocument=json.dumps(policy_document)
)
Step 3: Create a CloudWatch Logs subscription filter to deliver the log files to the S3 bucket.
import boto3
logs = boto3.client('logs')
log_group_name = 'your-log-group-name'
filter_name = 'your-filter-name'
destination_arn = 'arn:aws:s3:::your-bucket-name'
response = logs.put_subscription_filter(
logGroupName=log_group_name,
filterName=filter_name,
filterPattern='',
destinationArn=destination_arn,
roleArn='arn:aws:iam::your-account-id:role/your-role-name'
)
Note: Replace the placeholders (your-bucket-name, your-role-name, your-policy-name, your-log-group-name, your-filter-name, and your-account-id) with your own values.
These steps will remediate the misconfiguration “Log files Should Be Delivered Without Any Failures” for AWS using Python.