Centralized Logging on AWS


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit the AWS Security Center.

Security Groups and Access Policy

The security groups and access policy created in this solution are designed to control and isolate network traffic between the Amazon EC2 instances and your Amazon ES domain. Proxy server traffic to port 22 is restricted to the range specified in the SSH Access CIDR parameter. The access policy for the Amazon ES domain is restricted to allow traffic from only the solution’s instances (with the Nginx proxy). The access policy also gives permissions to the solution’s master AWS Identity and Access Management (IAM) role for cross-account and cross-region log management. Any secondary accounts you specify in the Spoke Accounts parameter will assume the master role. To mitigate the risk of unauthorized access to the permissions granted by the solution’s master IAM role, AWS recommends that you deploy the solution in an isolated and tightly controlled management account, and limit access to that account.

Sample Logs Apache Server

Note that the sample-logs Apache web server that this solution deploys is publicly accessible on port 80. If you modify this web server for production use, we recommend that you use HTTPS by enabling Transport Layer Security (TLS) and add authentication.

Additional Security Settings

An Nginx proxy is added to the architecture to enable strict security controls and limit the exposure of data stored in Amazon ES. Each proxy server acts as an intermediary between the Kibana client web browser and the Amazon ES domain endpoint, filtering requests and then forwarding them to Amazon ES from a single, authenticated IP address.

The proxy servers use two security mechanisms to handle inbound requests from Kibana: authentication (user name and password) and IP restriction (security group). When an end user attempts to access the domain dashboard, a login prompt appears. The Kibana client forwards the user name and password along with the requester’s source IP address to the proxy server for evaluation. If the credentials match and the source IP address is within the approved range, the proxy server then passes the request to the Amazon ES endpoint. When the Amazon ES endpoint has responded, the proxy server returns that information to the client's web browser.

Note that Kibana is JavaScript based and, therefore, all requests that it forwards originate from unauthenticated end-user IP addresses. Customers can configure IP-based access policies for Amazon ES domain endpoints; however, these endpoints require Signature Version 4 signing to grant access to the service. This makes it burdensome to manage requests from Kibana directly in Amazon ES, as customers would need to manage a whitelist of individual IP addresses. The Nginx proxy server simplifies the management of inbound traffic while providing an authenticated, single origin for all requests to Amazon ES. For more information, see How to Control Access to Your Amazon Elasticsearch Service Domain in the AWS Security Blog.
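The following check is an added example, not code from the solution. It audits an Amazon ES domain access policy against the model described under Security Groups and Access Policy and above: anonymous access only from the proxy addresses, and named access only for the master IAM role. The proxy addresses, account ID, role name, and domain name are constructed placeholders, and the check assumes the policy holds only those two kinds of Allow statement.

```python
import ipaddress

def _as_list(value):  # policy JSON accepts a bare value where a list is allowed
    return value if isinstance(value, list) else [value]

def _source_cidrs(stmt):
    """Values of aws:SourceIp under IpAddress conditions (names compared case-insensitively here)."""
    return [cidr
            for op, keys in stmt.get("Condition", {}).items() if op.lower() == "ipaddress"
            for key, value in keys.items() if key.lower() == "aws:sourceip"
            for cidr in _as_list(value)]

def audit_es_policy(policy, proxy_cidrs, master_role_arn):
    """Return findings for Allow statements that reach beyond the proxies or the master role."""
    approved = [ipaddress.ip_network(c) for c in proxy_cidrs]
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        for arn in arns:
            if arn != "*":
                if arn != master_role_arn:
                    findings.append(f"statement {i}: unexpected principal {arn}")
                continue
            cidrs = _source_cidrs(stmt)
            if not cidrs:  # anonymous principal with nothing narrowing the source
                findings.append(f"statement {i}: anonymous access with no aws:SourceIp condition")
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if not any(net.version == a.version and net.subnet_of(a) for a in approved):
                    findings.append(f"statement {i}: source {cidr} is outside the proxy addresses")
    return findings

# Constructed sample values: documentation IP ranges, placeholder account ID and role name.
PROXY_CIDRS = ["192.0.2.10/32", "192.0.2.11/32"]
MASTER_ROLE = "arn:aws:iam::111122223333:role/ExampleMasterRole"

def sample_policy(source_ips):
    """Constructed policy: the master role plus anonymous access limited by source IP."""
    base = {"Effect": "Allow", "Action": "es:*", "Resource": "arn:aws:es:us-east-1:111122223333:domain/example/*"}
    return {"Version": "2012-10-17", "Statement": [
        {**base, "Principal": {"AWS": MASTER_ROLE}},
        {**base, "Principal": {"AWS": "*"}, "Condition": {"IpAddress": {"aws:SourceIp": source_ips}}}]}

if __name__ == "__main__":
    print(audit_es_policy(sample_policy(["192.0.2.10", "203.0.113.0/24"]), PROXY_CIDRS, MASTER_ROLE))
```

An empty result means every Allow statement stays within the proxy addresses or the master role. The check does not evaluate Deny statements, NotPrincipal, or other condition operators.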