Log management in AMS Accelerate
AMS Accelerate configures supported AWS services to collect logs. These logs are used by AMS Accelerate to ensure compliance and auditing of resources within your account.
AMS Accelerate provides a range of operational services to help you achieve operational excellence on AWS.
To gain a quick understanding of how AMS helps your teams achieve overall operational excellence in AWS Cloud with some of our key operational capabilities, including 24x7 helpdesk, proactive monitoring, security, patching, logging, and backup, see AMS Reference Architecture Diagrams.
AWS CloudTrail
AMS Accelerate relies on AWS CloudTrail logging in order to manage audits and compliance for all the resources created in the account. During onboarding, AMS Accelerate deploys a global CloudTrail trail in your primary AWS Region, which sends logs to Amazon S3.
The Amazon S3 bucket created for this trail uses the AWS Key Management Service (AWS KMS) encryption, and is accessed by the AMS Accelerate operations team for investigation and diagnosis purposes. If the account already has an existing CloudTrail trail enabled, this trail is in addition to that.
AMS Accelerate also deploys AWS Config rules to ensure that CloudTrail is set up and encrypted in the state you want. To learn more, see AWS Config.
multi-region-cloudtrail-enabled. Checks that the AMS Accelerate CloudTrail trail is properly set up with the correct configuration.
cloud-trail-encryption-enabled. Checks that AWS CloudTrail is configured to use server-side encryption (SSE) with an AWS KMS customer master key (CMK).
cloud-trail-log-file-validation-enabled. When enabled, checks that AWS CloudTrail creates a signed digest file with the logs. We strongly recommend that you enable log file validation on all trails.
s3-bucket-default-lock-enabled. When enabled, checks that the Amazon S3 bucket has Object Lock enabled.
s3-bucket-logging-enabled. When enabled, checks whether logging is enabled for Amazon S3 buckets.
AMS Accelerate also relies on AWS KMS to encrypt the logged events. This key is controlled by, and is accessible to, the account administrators, AMS Accelerate operators, and CloudTrail. For more information about AWS KMS, see AWS Key Management Service features.
Accessing and auditing CloudTrail logs
CloudTrail logs are stored in an Amazon S3 bucket within your account. All the events are encrypted using the AWS KMS key created at the same time as the CloudTrail resources.
The Amazon S3 buckets use the naming pattern ams-a<AWS account ID>-cloudtrail-<AWS Region> (example: ams-a123456789-cloudtrail-us-east-1a), and all the events are stored under the AWS/CloudTrail prefix. All access to the primary bucket is logged, and the log objects are encrypted and versioned for auditing purposes.
For more information about tracking changes and querying the logs, see Tracking changes in your AMS Accelerate accounts.
Protecting and retaining CloudTrail logs
During account onboarding, AMS Accelerate enables Amazon S3 object locking with Governance Mode to ensure that users can't overwrite or delete an object version or alter its lock settings without special permissions. For more information, see Amazon S3 object locking.
By default, all logs in this bucket are kept indefinitely. If you want to change the retention period, you can submit a service request through the AWS Support Center.
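The Config rules listed above, the bucket naming pattern, and the Governance Mode object lock can be verified from the API responses CloudTrail and Amazon S3 return. The following checker is an added example and not AMS Accelerate code; its inputs are constructed dictionaries shaped like boto3's describe_trails, get_bucket_object_lock_configuration, and get_bucket_logging responses, and the KMS key ARN is a placeholder.

```python
import re
from typing import Dict, List

# Bucket naming pattern from the page: ams-a<AWS account ID>-cloudtrail-<AWS Region>
BUCKET_RE = re.compile(
    r"^ams-a(?P<account>\d+)-cloudtrail-(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+[a-z]?)$"
)


def check_trail(trail: Dict, object_lock: Dict, logging: Dict) -> List[str]:
    """Return findings for one trail; an empty list means every check passed.

    trail       -> one entry of describe_trails()["trailList"]
    object_lock -> get_bucket_object_lock_configuration() for the trail bucket
    logging     -> get_bucket_logging() for the trail bucket
    """
    findings = []
    # multi-region-cloudtrail-enabled
    if not trail.get("IsMultiRegionTrail"):
        findings.append("multi-region-cloudtrail-enabled: trail is single-Region")
    # cloud-trail-encryption-enabled: SSE-KMS shows up as a KMS key ARN on the trail
    if not trail.get("KmsKeyId", "").startswith("arn:aws:kms:"):
        findings.append("cloud-trail-encryption-enabled: no KMS key on the trail")
    # cloud-trail-log-file-validation-enabled
    if not trail.get("LogFileValidationEnabled"):
        findings.append("cloud-trail-log-file-validation-enabled: digest files disabled")
    # Bucket naming pattern described on the page
    bucket = trail.get("S3BucketName", "")
    if not BUCKET_RE.match(bucket):
        findings.append(f"bucket {bucket!r} does not match ams-a<account>-cloudtrail-<region>")
    # s3-bucket-default-lock-enabled, plus the Governance Mode the page describes
    cfg = object_lock.get("ObjectLockConfiguration", {})
    mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("s3-bucket-default-lock-enabled: Object Lock not enabled")
    elif mode is not None and mode != "GOVERNANCE":
        findings.append(f"object lock default retention mode is {mode!r}, expected GOVERNANCE")
    # s3-bucket-logging-enabled
    if "LoggingEnabled" not in logging:
        findings.append("s3-bucket-logging-enabled: bucket access logging disabled")
    return findings


# Constructed sample responses (not captured from a real account).
COMPLIANT_TRAIL = {
    "IsMultiRegionTrail": True,
    "S3BucketName": "ams-a123456789-cloudtrail-us-east-1a",
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID",
    "LogFileValidationEnabled": True,
}
COMPLIANT_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                  "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 1}}}}
COMPLIANT_LOGGING = {"LoggingEnabled": {"TargetBucket": "access-logs-placeholder", "TargetPrefix": ""}}
```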
Accessing Amazon EC2 logs
You can access Amazon EC2 instance logs by using the AWS Management Console. Logs produced by instances and AWS services are available in CloudWatch Logs, which is available in each account managed by AMS Accelerate. For information about accessing your logs, see the CloudWatch Logs documentation.
Retaining Amazon EC2 logs
Amazon EC2 instance logs are kept indefinitely by default. If you want to change the retention period, you can submit a service request through the AWS Support Center.
Log management — Amazon EC2
AMS Accelerate installs the CloudWatch agent on all Amazon EC2 instances that you have identified as AMS Accelerate-managed. This agent sends system-level logs to Amazon CloudWatch Logs. For information, see What are Amazon CloudWatch Logs?
The following log files are sent to CloudWatch Logs, into a log group of the same name as the log. Within each log group, a log stream is created for each Amazon EC2 instance, named according to the Amazon EC2 instance ID.
Linux
/var/log/amazon/ssm/amazon-ssm-agent.log
/var/log/amazon/ssm/errors.log
/var/log/audit/audit.log
/var/log/cloud-init-output.log
/var/log/cloud-init.log
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
/var/log/yum.log
/var/log/zypper.log
For more information, see Manually Create or Edit the CloudWatch Agent Configuration File.
Windows
C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-agent.log
C:\ProgramData\Amazon\SSM\Logs\amazon-cloudwatch-agent.log
C:\ProgramData\Amazon\SSM\Logs\errors.log
C:\cfn\log\cfn-init.log
For more information, see Quick Start: Enable Your Amazon EC2 Instances Running Windows Server 2016 to Send Logs to CloudWatch Logs Using the CloudWatch Logs Agent.
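The collection scheme described above (one log group per file, one stream per instance) maps directly onto the CloudWatch agent's logs section. The generator below is an added example, not the configuration AMS Accelerate installs; it uses the file lists from this page, the agent's `{instance_id}` stream placeholder, and, because CloudWatch Logs group names cannot contain a drive colon or backslashes, an assumed normalization for the Windows paths.

```python
import json
import re

# Log files the page lists as shipped to CloudWatch Logs.
LINUX_LOGS = [
    "/var/log/amazon/ssm/amazon-ssm-agent.log", "/var/log/amazon/ssm/errors.log",
    "/var/log/audit/audit.log", "/var/log/cloud-init-output.log", "/var/log/cloud-init.log",
    "/var/log/cron", "/var/log/maillog", "/var/log/messages", "/var/log/secure",
    "/var/log/spooler", "/var/log/yum.log", "/var/log/zypper.log",
]
WINDOWS_LOGS = [
    r"C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-agent.log",
    r"C:\ProgramData\Amazon\SSM\Logs\amazon-cloudwatch-agent.log",
    r"C:\ProgramData\Amazon\SSM\Logs\errors.log",
    r"C:\cfn\log\cfn-init.log",
]

# Log group names may only contain letters, digits, '_', '-', '/', '.', and '#'.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_./#-]")


def log_group_name(path: str) -> str:
    """Derive a log group name from a log file path.

    Linux paths are already valid group names. For Windows paths the drive colon
    is dropped and backslashes become slashes; that mapping is an assumption made
    for this example, not the scheme AMS Accelerate uses.
    """
    name = "/" + path.replace("\\", "/").replace(":", "").lstrip("/")
    if _DISALLOWED.search(name):
        raise ValueError(f"invalid log group name {name!r}")
    return name


def build_agent_config(paths) -> dict:
    """Build the `logs` section of a CloudWatch agent configuration: each file goes
    to a group named after it, with one stream per instance via {instance_id}."""
    collect = [
        {"file_path": p, "log_group_name": log_group_name(p), "log_stream_name": "{instance_id}"}
        for p in paths
    ]
    return {"logs": {"logs_collected": {"files": {"collect_list": collect}}}}


if __name__ == "__main__":
    print(json.dumps(build_agent_config(LINUX_LOGS + WINDOWS_LOGS), indent=2))
```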
Log management — Amazon VPC Flow Logs
VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. Flow log data collection does not affect network throughput or latency, and you can create or delete flow logs without any impact on network performance.
Flow logs can help you with a number of tasks, such as:
Diagnosing overly restrictive Security Group rules
Monitoring traffic that reaches your instance
Determining the direction of the traffic to and from the network interfaces
You do not have to enable VPC flow logs for each newly created VPC in Accelerate accounts. AMS will automatically detect whether a VPC has a flow log using the ams-nist-cis-vpc-flow-logs-enabled Config rule. If VPC flow logs are not enabled, AMS will automatically remediate it by creating a VPC flow log with custom fields. Having these additional fields will enable AMS and customers to better monitor VPC traffic, understand network dependencies, troubleshoot network connectivity issues, and identify network threats.
For information on viewing and searching flow logs, see Work with flow logs.