Consume AWS Service Logs in the Logging Account
Stax provisions S3 buckets in the logging account to store AWS service logs as part of the Stax Assurance process, one bucket per service. Each bucket has a corresponding SNS topic that publishes a notification whenever a new object is written to the bucket. Subscribe to these topics to integrate the logs with other systems.
Before You Begin
- Time to complete: 5 minutes
- Ensure you can log in to your organization's logging account with permission to read objects in the S3 buckets and, if you want notifications, to subscribe to the SNS topics
Locate the S3 Bucket and SNS Topic for a Service
Each S3 bucket and SNS topic resides in your logging account. If you cannot access the logging account, contact an administrator of your Stax tenancy.
Once logged in to the logging account, locate the S3 bucket and/or SNS topic for the service you need. To keep names unique, every bucket and topic name includes the UUID (version 4) that identifies your organization within Stax.
AWS Service | S3 Bucket Name | SNS Topic |
---|---|---|
AWS Config | stax-config-<org-uuid> | stax-config-<org-uuid> |
AWS Systems Manager Session Manager | stax-session-manager-<org-uuid> | stax-session-manager-<org-uuid> |
AWS CloudTrail | stax-cloudtrail-<org-uuid> | cloudtrail-<org-uuid> |
AWS Compute Optimizer | stax-compute-optimizer-<org-uuid> | stax-compute-optimizer-<org-uuid> |
VPC Flow Logs* | stax-vpcflowlogs-<logging-account-aws-id>-<control-plane-region> | stax-vpc-flow-log-<org-uuid> |
* VPC Flow Logs are only configured by Stax when you have deployed a Networking Hub using Stax Networks
In each case above, the <org-uuid> placeholder is replaced by the UUID representing your Stax tenancy/AWS organization within Stax.
Each SNS topic is encrypted with a KMS key whose alias matches the topic name. If you subscribe an SQS queue that is itself encrypted with a customer managed KMS key, that key's policy must allow the SNS service principal (sns.amazonaws.com) to generate data keys and decrypt, otherwise SNS cannot deliver to the queue.
Stax also provisions buckets that store the S3 server access logs for the service buckets above, which can be used to meet audit requirements:
AWS Service | S3 Bucket Name |
---|---|
AWS Config | stax-config-accesslog-<org-uuid> |
AWS Systems Manager Session Manager | stax-session-manager-accesslog-<org-uuid> |
AWS CloudTrail | stax-cloudtrail-accesslog-<org-uuid> |
Organization CloudTrail
For AWS organizations that Stax managed before Organization CloudTrail support was released in early 2022, CloudTrail logs written before the change sit under a different path in the S3 bucket.
With Organization CloudTrail enabled, logs are located under the /<aws-org-id>/AWSLogs path in the S3 bucket, where <aws-org-id> is the organization's AWS organization ID (beginning with o-).
Log entries recorded before Organization CloudTrail was enabled remain under the /AWSLogs path.
For simple querying of CloudTrail logs when Organization CloudTrail is enabled, consider using CloudWatch Logs Insights in your organization's management account, which can query the logs of all accounts in the organization at scale.
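As an added example (not Stax's own code or tooling), the following Python consumer ties the pieces above together: it unwraps an SNS notification as delivered to a subscriber, keeps only ObjectCreated events from the CloudTrail bucket named in the first table, checks that the message really came from the cloudtrail-<org-uuid> topic, and works out from the object key whether the log sits in the Organization CloudTrail layout or the pre-2022 /AWSLogs layout. The org UUID, AWS organization ID, logging account ID and region are placeholder assumptions, the sample notification is constructed inline, and the key segments after AWSLogs/ are assumed to follow CloudTrail's standard <account-id>/CloudTrail/<region>/<file> layout, which this page does not spell out.

```python
import json
import re
import urllib.parse

# Placeholder identifiers (assumed for this example, not real tenancy values).
ORG_UUID = "3f0c2b1e-9d4a-4c6b-8e2f-5a7d1c9b0e44"
AWS_ORG_ID = "o-exampleorgid"
LOGGING_ACCOUNT_ID = "111111111111"
CONTROL_PLANE_REGION = "ap-southeast-2"

# Names from the tables above: the CloudTrail bucket has the stax- prefix, the topic does not.
EXPECTED_BUCKET = f"stax-cloudtrail-{ORG_UUID}"
EXPECTED_TOPIC_ARN = (
    f"arn:aws:sns:{CONTROL_PLANE_REGION}:{LOGGING_ACCOUNT_ID}:cloudtrail-{ORG_UUID}"
)

# Object-key layouts from the Organization CloudTrail section. The segments after
# AWSLogs/ are assumed to follow CloudTrail's standard layout:
#   organization: <aws-org-id>/AWSLogs/[<aws-org-id>/]<account-id>/CloudTrail/<region>/<file>
#   legacy:       AWSLogs/<account-id>/CloudTrail/<region>/<file>
KEY_RE = re.compile(
    r"^(?:(?P<org_prefix>o-[a-z0-9]+)/)?"
    r"AWSLogs/"
    r"(?:o-[a-z0-9]+/)?"
    r"(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/"
    r"(?P<file>[^/]+\.json\.gz)$"
)


def classify_key(key: str) -> dict:
    """Return layout, account ID and region for a CloudTrail object key, or raise."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail log key: {key}")
    prefix = m.group("org_prefix")
    if prefix and prefix != AWS_ORG_ID:
        raise ValueError(f"log key belongs to an unexpected organization: {prefix}")
    return {
        "layout": "organization" if prefix else "legacy",
        "account": m.group("account"),
        "region": m.group("region"),
        "file": m.group("file"),
    }


def s3_records_from_sns(sns_envelope: str) -> list:
    """Unwrap an SNS delivery and return the ObjectCreated records for the expected bucket.

    The TopicArn is checked so that a message relayed from some other topic is not
    trusted merely because its body looks like an S3 event notification.
    """
    env = json.loads(sns_envelope)
    if env.get("Type") != "Notification":  # e.g. SubscriptionConfirmation
        return []
    if env.get("TopicArn") != EXPECTED_TOPIC_ARN:
        raise ValueError(f"unexpected TopicArn: {env.get('TopicArn')}")
    records = []
    for rec in json.loads(env["Message"]).get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        if bucket != EXPECTED_BUCKET:
            continue
        # S3 URL-encodes keys in event notifications (spaces arrive as "+").
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])
        records.append({"bucket": bucket, "key": key, "size": rec["s3"]["object"].get("size", 0)})
    return records


def process_notification(sns_envelope: str) -> list:
    """Filter the notification and classify each key; a real consumer would then
    fetch each object (boto3 s3.get_object), gunzip it and parse its Records array."""
    return [{**rec, **classify_key(rec["key"])} for rec in s3_records_from_sns(sns_envelope)]


def _s3_record(bucket: str, key: str, size: int) -> dict:
    return {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": bucket}, "object": {"key": key, "size": size}}}


# Constructed sample envelope: two objects in the CloudTrail bucket (one per layout)
# and one in the AWS Config bucket, which this consumer must ignore.
SAMPLE_ENVELOPE = json.dumps({
    "Type": "Notification",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": json.dumps({"Records": [
        _s3_record(EXPECTED_BUCKET,
                   f"{AWS_ORG_ID}/AWSLogs/{AWS_ORG_ID}/222222222222/CloudTrail/ap-southeast-2/"
                   "222222222222_CloudTrail_ap-southeast-2_20220301T0000Z_abc123.json.gz", 4096),
        _s3_record(EXPECTED_BUCKET,
                   "AWSLogs/333333333333/CloudTrail/us-east-1/"
                   "333333333333_CloudTrail_us-east-1_20210101T0000Z_def456.json.gz", 2048),
        _s3_record(f"stax-config-{ORG_UUID}",
                   "AWSLogs/333333333333/Config/us-east-1/ConfigSnapshot.json.gz", 512),
    ]}),
})

if __name__ == "__main__":
    for r in process_notification(SAMPLE_ENVELOPE):
        print(r["layout"], r["account"], r["region"], r["file"])
```

The TopicArn and bucket checks are deliberate: an SQS queue or HTTP endpoint subscribed to the topic receives whatever is published there, so a consumer should only act on notifications that name the bucket it expects rather than fetching any key it is told about. Running the script prints one line per CloudTrail object, with the AWS Config object filtered out.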