How do I know if Alert Logic can read CloudTrail logs?
We have a management account which contains an S3 bucket of which other customer AWS accounts store their logs in. That is, all customer accounts have CloudTrail enabled, where the destination S3 bucket for log storage is in a separate management AWS account. A KMS key is also used by these customer accounts to encrypt the logs, the KMS key is owned by the management account (the KMS key permits the customers accounts' cloudtrail service to use it).
When we deploy AWS accounts in Alert Logic, we can provide 1 or 2 IAM role ARNs.
We were advised (in a ticket) to provide the 1st IAM role ARN in each customer account's deployment, and switch-on 'CloudTrail Centralized Logging' feature, and for this we provided the 2nd IAM role ARN. The 2nd IAM role was created in the management account, and it has been granted KMS decrypt permissions for the KMS key via the key policy.
Using the AL console, we've deployed each account, providing each account's 1st IAM role, and also the 2nd IAM role (belonging in Management). The vulnerability scanning feature works, but we are wondering and Alert Logic was able to discover all AWS services in the customer environments, but we are trying to figure out the following:
1. How do we know Alert Logic is accessing CloudTrail logs? How do we know it is successfully decrypting them? There is no indication in the Alert Logic console that it is successfully reading customer cloudtrail logs from the management account S3 bucket.
2. The documentation says that Alert Logic will create SQS queues, SNS topics, and also configure the cloudtrail of each customer account to use SNS (if not already configured). None of this has been done... the customer accounts cloudtrail service are not using SNS, and no SQS queues have been created anywhere.
Thanks for your post. Here are the answers to your questions.
- How do we know if Alert Logic is accessing CloudTrail logs? Currently, Cloud Insight Essentials (CIE) doesn't have a feature that shows customers if the service is able/not able to access your CloudTrail logs. However, we are looking at adding this functionality later. Essentially, CIE would raise a remediation in the event the service is not able to access CloudTrail logs and provide steps on how to resolve/troubleshoot the issue. We'll add you as a "+1" to this feature request, or if you have another idea let us know.
- Why don't I see a SQS queue and SNS topic for CIE? If properly configured, you should see a SQS queue and SNS topic in your AWS Management console for CIE. Based on your first question, my hunch is that CIE can't access your CloudTrail logs. I've gone ahead and opened up a support case for your question. You should hear from our support team shortly but ping us again if you have any questions.
Hi Andrew -
We're working on getting you a quality answer to your question and will get back to you very soon.0
Hey, I haven't heard anything from the support team regarding the SQS queue and SNS topic issue. Any chance anyone in the support team can contact me at some point?
I'm very sorry about this. I will track someone down this morning and make sure they get in touch with you and help you get your questions resolved.0
Quick update to let you know that our Support and Engineering teams are currently investigating this and will get with you via Support ticket as soon as possible!0
Please sign in to leave a comment.