We have a management account which contains an S3 bucket in which other customer AWS accounts store their logs. That is, all customer accounts have CloudTrail enabled, where the destination S3 bucket for log storage is in a separate management AWS account. A KMS key is also used by these customer accounts to encrypt the logs; the KMS key is owned by the management account (the KMS key permits the customer accounts' CloudTrail service to use it).
When we deploy AWS accounts in Alert Logic, we can provide 1 or 2 IAM role ARNs.
We were advised (in a ticket) to provide the 1st IAM role ARN in each customer account's deployment, and switch on the 'CloudTrail Centralized Logging' feature, and for this we provided the 2nd IAM role ARN. The 2nd IAM role was created in the management account, and it has been granted KMS decrypt permissions for the KMS key via the key policy.
Using the AL console, we've deployed each account, providing each account's 1st IAM role, and also the 2nd IAM role (belonging to Management). The vulnerability scanning feature works, and Alert Logic was able to discover all AWS services in the customer environments, but we are trying to figure out the following:
1. How do we know Alert Logic is accessing CloudTrail logs? How do we know it is successfully decrypting them? There is no indication in the Alert Logic console that it is successfully reading customer CloudTrail logs from the management account S3 bucket.
2. The documentation says that Alert Logic will create SQS queues, SNS topics, and also configure the CloudTrail of each customer account to use SNS (if not already configured). None of this has been done... the customer accounts' CloudTrail service is not using SNS, and no SQS queues have been created anywhere.
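One way to answer question 1 from the management account's own trail, as an added example that is not part of the original post or of Alert Logic's tooling: every read of a trail object by the 2nd role shows up as an S3 `GetObject` (only if S3 data events are enabled on the bucket) and as a KMS `Decrypt` on the log key, with `errorCode` set when the call was denied. The role ARN, key ARN, bucket name and account IDs below are constructed placeholders, and the records are constructed samples shaped like real events.

```python
import re

# Constructed placeholders for this example: management-account role, key, and one trail object.
LOGGING_ROLE_ARN = "arn:aws:iam::111111111111:role/AlertLogicCentralizedLogging"
LOG_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
OBJ = "arn:aws:s3:::mgmt-trail-logs/AWSLogs/222222222222/CloudTrail/us-east-1/2024/01/01/t.json.gz"

# Constructed CloudTrail records (not captured from any account): one read, one
# successful decrypt (S3 puts the object ARN in the KMS encryption context), one denial.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": LOGGING_ROLE_ARN}}},
     "resources": [{"ARN": OBJ}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": LOGGING_ROLE_ARN}}},
     "resources": [{"ARN": LOG_KEY_ARN}],
     "requestParameters": {"encryptionContext": {"aws:s3:arn": OBJ}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": LOGGING_ROLE_ARN}}},
     "resources": [{"ARN": LOG_KEY_ARN}]},
]

# Customer account ID is embedded in the CloudTrail object key path.
ACCOUNT_RE = re.compile(r"/AWSLogs/(\d{12})/CloudTrail/")


def issuer_arn(record):
    """Role ARN behind an assumed-role session; None for other caller types."""
    return (record.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn"))


def summarize_role_access(records, role_arn, key_arn):
    """Count object reads and key decrypts made by the logging role, split into
    succeeded/failed, and collect the customer accounts whose logs were reached."""
    s = {"getobject_ok": 0, "getobject_failed": 0, "decrypt_ok": 0,
         "decrypt_failed": 0, "customer_accounts": set()}
    for r in records:
        if issuer_arn(r) != role_arn:
            continue
        failed = "errorCode" in r
        arns = [x.get("ARN", "") for x in r.get("resources", [])]
        if r["eventSource"] == "s3.amazonaws.com" and r["eventName"] == "GetObject":
            s["getobject_failed" if failed else "getobject_ok"] += 1
        elif (r["eventSource"] == "kms.amazonaws.com" and r["eventName"] == "Decrypt"
              and key_arn in arns):
            s["decrypt_failed" if failed else "decrypt_ok"] += 1
            ctx = r.get("requestParameters", {}).get("encryptionContext", {})
            arns.append(ctx.get("aws:s3:arn", ""))
        if not failed:
            s["customer_accounts"].update(m.group(1) for a in arns for m in [ACCOUNT_RE.search(a)] if m)
    return s
```

For real data, feed `json.load(f)["Records"]` from each gunzipped object of the management account's trail; a non-zero `decrypt_failed` or an empty `customer_accounts` is the condition to investigate.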