Log management in AMS Accelerate - AMS Accelerate Operations Plan

AMS Accelerate configures supported AWS services to collect logs. These logs are used by AMS Accelerate to ensure compliance and auditing of resources within your account.

Log management — AWS CloudTrail

AWS CloudTrail is a service that is used for account governance: compliance, operational auditing, and risk auditing. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

AMS Accelerate relies on AWS CloudTrail logging in order to manage audits and compliance for all the resources created in the account. During onboarding, AMS Accelerate deploys a global CloudTrail trail in your primary AWS Region, which sends logs to Amazon S3.

The Amazon S3 bucket created for this trail uses AWS Key Management Service (AWS KMS) encryption and is accessed by the AMS Accelerate operations team for investigation and diagnosis. If the account already has a CloudTrail trail enabled, the AMS Accelerate trail is created in addition to it.

AMS Accelerate also deploys AWS Config rules to verify that CloudTrail is set up and encrypted in the state you want. To learn more, see AWS Config. The rules used are listed as links to the AWS documentation describing them:

AMS Accelerate also relies on AWS KMS to encrypt the logged events. The key is controlled by, and accessible to, the account administrators, AMS Accelerate operators, and CloudTrail. For more information about AWS KMS, see the AWS Key Management Service product documentation.

Accessing and auditing CloudTrail logs

CloudTrail logs are stored in an Amazon S3 bucket and also in a CloudWatch log group named /aws/ams/cloudtrail, within your account. All the events are encrypted using the AWS KMS key created at the same time as the CloudTrail resources.

Amazon S3 buckets follow the naming pattern ams-a<AWS account ID>-cloudtrail-<AWS Region> (for example, ams-a123456789-cloudtrail-us-east-1a), and all events are stored under the AWS/CloudTrail prefix. All access to the primary bucket is logged, and the log objects are encrypted and versioned for auditing purposes.

For more information about tracking changes and querying the logs, see Tracking changes in your AMS Accelerate accounts.

Protecting and retaining CloudTrail logs

During account onboarding, AMS Accelerate enables Amazon S3 object locking with Governance Mode to ensure that users can't overwrite or delete an object version or alter its lock settings without special permissions. For more information, see Amazon S3 object locking.

By default, all logs in this bucket are kept indefinitely. If you want to change the retention period, you can submit a service request through the AWS Support Center to set up a different retention policy.
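As an added example (not part of the AMS Accelerate documentation), the following Python check compares a CloudTrail log bucket's settings against the controls described in this section: SSE-KMS default encryption, versioning, server access logging, and S3 Object Lock in Governance mode. The inputs are constructed dicts shaped like boto3's get_bucket_encryption, get_bucket_versioning, get_bucket_logging and get_object_lock_configuration responses, so it runs offline; the bucket names, key ARN and retention days are placeholders.

```python
def check_cloudtrail_bucket(encryption, versioning, logging, object_lock):
    """Return findings for a CloudTrail log bucket; an empty list means every
    control is in place. Each argument is a dict shaped like the matching
    boto3 S3 client response."""
    findings = []

    # Default encryption must be SSE-KMS so every log object is wrapped by the key.
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if "aws:kms" not in algorithms:
        findings.append("default encryption is not SSE-KMS")

    # Versioning keeps prior object versions and is a prerequisite for Object Lock.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")

    # Server access logging records every request against the primary bucket.
    if "LoggingEnabled" not in logging:
        findings.append("server access logging is not enabled")

    # Object Lock must be enabled with a default retention rule in Governance mode.
    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
    else:
        mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
        if mode != "GOVERNANCE":
            findings.append(f"Object Lock default retention mode is {mode!r}, not GOVERNANCE")
    return findings


# Constructed sample responses (placeholders, not captured from a real account).
COMPLIANT = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
         "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"}}]}},
    "versioning": {"Status": "Enabled"},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-access-log-bucket",
                                   "TargetPrefix": "cloudtrail-bucket/"}},
    "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}},
}
# The same bucket after drift: versioning suspended and the default lock rule removed.
DRIFTED = dict(COMPLIANT, versioning={"Status": "Suspended"},
               object_lock={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}})

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, check_cloudtrail_bucket(**cfg) or ["ok"])
```

Against a real account, the four dicts come from the corresponding boto3 S3 client calls with Bucket set to the trail bucket; note that get_bucket_versioning omits Status entirely on a bucket that was never versioned, which the check treats as a finding.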

Accessing Amazon EC2 logs

You can access Amazon EC2 instance logs by using the AWS Management Console. Logs produced by instances and AWS services are available in CloudWatch Logs, which is available in each account managed by AMS Accelerate. For information about accessing your logs, see the CloudWatch Logs documentation.

Retaining Amazon EC2 logs

Amazon EC2 instance logs are kept indefinitely, by default. If you want to change the retention period, you can submit a service request through the AWS Support Center to set up a different retention policy.

Log management — Amazon EC2

AMS Accelerate installs the CloudWatch agent on all Amazon EC2 instances that you have identified as AMS Accelerate-managed. This agent sends system-level logs to Amazon CloudWatch Logs. For information, see What are Amazon CloudWatch Logs?

The following log files are sent to CloudWatch Logs, into a log group of the same name as the log. Within each log group, a log stream is created for each Amazon EC2 instance, named according to the Amazon EC2 instance ID.

Linux

  • /var/log/amazon/ssm/amazon-ssm-agent.log

  • /var/log/amazon/ssm/errors.log

  • /var/log/audit/audit.log

  • /var/log/cloud-init-output.log

  • /var/log/cloud-init.log

  • /var/log/cron

  • /var/log/maillog

  • /var/log/messages

  • /var/log/secure

  • /var/log/spooler

  • /var/log/yum.log

  • /var/log/zypper.log

For more information, see Manually Create or Edit the CloudWatch Agent Configuration File.

Windows

  • C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-agent.log

  • C:\ProgramData\Amazon\SSM\Logs\amazon-cloudwatch-agent.log

  • C:\ProgramData\Amazon\SSM\Logs\errors.log

  • C:\cfn\log\cfn-init.log

For more information, see Quick Start: Enable Your Amazon EC2 Instances Running Windows Server 2016 to Send Logs to CloudWatch Logs Using the CloudWatch Logs Agent.