Centralized Logging on AWS

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit the AWS Security Center.

Amazon Cognito

Amazon Elasticsearch Service (Amazon ES) uses Amazon Cognito to offer user name and password protection for Kibana. This authentication feature is optional and available only for domains using Elasticsearch 5.1 or later. If you don't configure Amazon Cognito authentication, you can still protect Kibana using an IP-based access policy and a proxy server.

Access Policy

The centralized logging solution features an access policy that restricts access to the Amazon ES domain to two roles: the solution’s master AWS Identity and Access Management (IAM) role for cross-account and cross-region indexing and the CognitoAuthorizedUser role for access to the Kibana dashboard. Any secondary accounts you specify in the Spoke Accounts parameter will assume the master role. To mitigate the risk of unauthorized access to the permissions granted by the solution’s master IAM role, AWS recommends that you deploy the solution in an isolated and tightly controlled management account, and limit access to that account.
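As an added illustration (not the solution's own CloudFormation template), the following builds a domain access policy of the shape described above and audits an arbitrary policy for any Allow principal outside the two expected roles; the account ID, region, domain name and role ARNs are constructed placeholders, and the master role name is assumed.

```python
import json

# Constructed placeholder ARNs; the real role names, account and region
# come from your own deployment of the solution, not from this page.
ACCOUNT_ID = "111122223333"
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT_ID}:domain/centralized-logging/*"
MASTER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CentralizedLoggingMasterRole"
KIBANA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/CognitoAuthorizedUser"
ALLOWED_PRINCIPALS = frozenset({MASTER_ROLE_ARN, KIBANA_ROLE_ARN})


def build_access_policy() -> dict:
    """Domain access policy allowing only the two roles to call the
    Elasticsearch HTTP API (es:ESHttp*) on the logging domain."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": sorted(ALLOWED_PRINCIPALS)},
                "Action": "es:ESHttp*",
                "Resource": DOMAIN_ARN,
            }
        ],
    }


def _allow_principals(statement: dict) -> set:
    """Normalise the Principal element of one statement to a set of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":  # anonymous access: any caller on the internet
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    return {values} if isinstance(values, str) else set(values)


def find_unexpected_principals(policy: dict, allowed=ALLOWED_PRINCIPALS) -> list:
    """Return principals granted access by Allow statements that are not in
    the expected allow-list. '*' and bare account roots are reported too,
    because either admits callers other than the two solution roles."""
    unexpected = set()
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        unexpected |= _allow_principals(statement) - set(allowed)
    return sorted(unexpected)


if __name__ == "__main__":
    policy = build_access_policy()
    print(json.dumps(policy, indent=2))
    print("unexpected principals:", find_unexpected_principals(policy))
```

Run the audit against the policy returned by `describe-elasticsearch-domain-config` after deployment; an empty result means only the two roles are granted access.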

Sample Logs Apache Server

Note that the sample-logs Apache web server this solution deploys is publicly accessible on port 80 (plain HTTP). If you adapt this sample-logs web server for production use, we recommend that you use HTTPS by enabling Transport Layer Security (TLS) and that you add authentication.