This article covers how to log AWS Control Tower actions with AWS CloudTrail, how to configure an AWS CloudTrail trail that writes its logs to an Amazon S3 bucket, and how to ingest those logs into Chronicle.
Logging AWS Control Tower Actions with AWS CloudTrail
AWS Control Tower is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in AWS Control Tower. CloudTrail captures API calls to AWS Control Tower as events. If you create a trail, you can enable continuous delivery of CloudTrail events, including AWS Control Tower events, to an Amazon S3 bucket.
AWS Control Tower Information in CloudTrail
CloudTrail is enabled on your AWS account when you create the account. When supported event activity occurs in AWS Control Tower, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You can view, search, and download recent events (the last 90 days) in your AWS account.
For more information, see Viewing Events with CloudTrail Event History.
Recommended: create a trail if one does not already exist.
For an ongoing record of events in your AWS account, including events for AWS Control Tower, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions.
The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyse and act upon the event data collected in CloudTrail logs.
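As an added example (not code from the original article), the following Python reads one CloudTrail log file in the form CloudTrail delivers it to S3, a gzip-compressed JSON object of the shape {"Records": [...]}, and picks out the AWS Control Tower actions by their eventSource value controltower.amazonaws.com. The records, account id, user names and IP addresses are constructed for this example and are not a real delivery.

```python
"""Added example: pick AWS Control Tower actions out of a CloudTrail log file.

CloudTrail delivers each log file to S3 as gzip-compressed JSON of the form
{"Records": [ ... ]}. Control Tower actions carry the eventSource
"controltower.amazonaws.com". The log below is constructed for this example.
"""
import gzip
import json
from collections import Counter

CONTROL_TOWER_SOURCE = "controltower.amazonaws.com"

# Constructed sample: two Control Tower events and one unrelated S3 event.
SAMPLE_LOG = {
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "ct-admin",
                             "accountId": "111111111111"},
            "eventTime": "2024-03-01T10:00:00Z",
            "eventSource": CONTROL_TOWER_SOURCE,
            "eventName": "SetupLandingZone",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111111111111:assumed-role/Admin/alice",
                             "accountId": "111111111111"},
            "eventTime": "2024-03-01T11:30:00Z",
            "eventSource": CONTROL_TOWER_SOURCE,
            "eventName": "EnableGuardrail",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "chronicle-feed-user",
                             "accountId": "111111111111"},
            "eventTime": "2024-03-01T12:00:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.9",
        },
    ]
}

# Pack the sample the way CloudTrail delivers it: one gzip-compressed JSON object per file.
SAMPLE_GZ = gzip.compress(json.dumps(SAMPLE_LOG).encode("utf-8"))


def load_records(gz_bytes: bytes) -> list[dict]:
    """Decompress one CloudTrail log file and return its Records list."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))["Records"]


def control_tower_events(records: list[dict]) -> list[dict]:
    """Keep only records emitted by AWS Control Tower, in time order."""
    hits = [r for r in records if r.get("eventSource") == CONTROL_TOWER_SOURCE]
    return sorted(hits, key=lambda r: r["eventTime"])


def actor(record: dict) -> str:
    """Best-effort principal label: IAM user name, role session ARN, or identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarize(records: list[dict]) -> dict:
    """Count Control Tower actions per (actor, eventName) so that unexpected
    landing-zone changes stand out in a review."""
    return dict(Counter((actor(r), r["eventName"]) for r in control_tower_events(records)))


if __name__ == "__main__":
    recs = load_records(SAMPLE_GZ)
    for ev in control_tower_events(recs):
        print(ev["eventTime"], actor(ev), ev["eventName"], ev["sourceIPAddress"])
    print(summarize(recs))
```

The same filter applied across the objects of one day's CloudTrail folder gives a complete list of who changed the landing zone, which is the record a reviewer wants from this integration.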
Store Objects with Amazon S3
When you set up your landing zone, an Amazon S3 bucket is created in your log archive account to store all logs across all accounts in your landing zone.
Setup Landing Zone
Start by clicking on “Set up Landing zone”.
Review pricing and select Region
1. Select the home Region for AWS Control Tower from the dropdown.
Note: You cannot change your home Region after setting up your landing zone.
2. Select Enabled for the Region deny setting.
3. Additional AWS Regions for governance is optional: select the Regions to govern in addition to the home Region, typically those in which you plan to run workloads. You can add Regions to governance after setup. Click Next to proceed.
Configure organizational units (OUs)
1. Renaming the Foundational OU is optional; “Security” is the default name used in this example.
2. Renaming the Additional OU is optional; “Sandbox” is the default name used in this example. Click Next to proceed.
Configure shared accounts
i. Creating new account
- In the Log archive account section, select Create new account.
- Provide an email address that is not already used by an existing AWS account.
- Changing the Log archive account name is optional.
Audit account:
- In the Audit account section, select Create new account.
- Provide an email address that is not already used by an existing AWS account.
- Changing the Audit account name is optional. Click Next to proceed.
ii. Using an existing account
Considerations:
- Review the considerations for bringing existing security and logging accounts.
- AWS Control Tower moves the existing accounts into the OU that it creates as part of the deployment.
- AWS Control Tower creates its own AWS Config aggregator in addition to any Config aggregator you may already have.
- If AWS Config is already deployed in other accounts that you want to enroll with AWS Control Tower, and you want to keep the same AWS Config recorder and delivery channel, follow the steps here before deploying AWS Control Tower.
You must have the following prerequisites before proceeding:
- Existing core or shared account(s) must already be part of your organization.
- Delete the AWS Config recorder and AWS Config delivery channel from the accounts that you want to use for this feature, in every Region that you want AWS Control Tower to govern.
Steps to deploy Control Tower with existing accounts:
- In Log archive account, select Use existing account.
- Enter the existing 12-digit account ID.
- In Audit account, select Use existing account.
- Enter the existing 12-digit account ID.
- Click Next.
- Review the Service permissions, and when you’re ready, choose I understand the permissions AWS Control Tower will use to administer AWS resources and enforce rules on my behalf.
- To finalize your selections and initialize launch, choose Set up landing zone.
Once AWS Control Tower is fully deployed, you’ll see that the accounts that you used in the steps above are now registered with AWS Control Tower, showing as Enrolled in the AWS Control Tower dashboard.
Configure CloudTrail and encryption
1. Select Enabled in the AWS CloudTrail configuration section.
2. In Log configuration for Amazon S3, provide the number of years to retain logs in the S3 bucket:
- Amazon S3 bucket retention for logging: 1 year (default)
- Amazon S3 bucket retention for access logging: 10 years (default)
3. KMS encryption is optional but recommended. To enable it, select the Enable and customize encryption settings checkbox, then choose an existing AWS KMS key or create a new one. Click Next to proceed.
Review and set up landing zone
You will be asked to review all of the configuration. Once the final review is complete, click Set up landing zone.
Creating a trail
Configure AWS CloudTrail (or another service)
Complete the following steps to configure AWS CloudTrail and write its logs to an Amazon S3 bucket (the log archive bucket created in the previous procedure, or a new one):
1. In the AWS console, search for CloudTrail.
2. Click Create trail.
3. Provide a Trail name.
4. Select Create new S3 bucket, or choose an existing S3 bucket.
5. Provide an alias for a new AWS KMS key, or choose an existing AWS KMS key.
6. Leave the other settings at their defaults and click Next.
7. Choose the Event type, add Data events as required, and click Next.
8. Review the settings under Review and create and click Create trail.
9. In the AWS console, search for Amazon S3 Buckets.
10. Click the newly created log bucket and select the AWSLogs folder. Click Copy S3 URI and save the URI for use in the following steps.
Configure AWS IAM User
In this step, we configure an IAM user whose access key Chronicle will use to pull log feeds from AWS.
1. In the AWS console, search for IAM.
2. Click Users, then click Add Users.
3. Provide a name for the user, e.g. chronicle-feed-user, select Access key - Programmatic access as the AWS credential type, and click Next: Permissions.
4. Select Attach existing policies directly and choose AmazonS3ReadOnlyAccess, or AmazonS3FullAccess if Chronicle should delete objects from the bucket after reading them to reduce S3 storage costs. Note that both managed policies apply to every bucket in the account, and AmazonS3FullAccess also grants write access.
5. Recommended alternative to the previous step: restrict the user to the log bucket only by creating a custom policy. Click Create policy and follow the AWS documentation; grant s3:ListBucket on the bucket and s3:GetObject on its objects, and add s3:DeleteObject only if source deletion is enabled.
6. Click Next: Tags.
7. Add tags if required and click Next: Review.
8. Review the configuration and click Create user.
9. Copy the Access key ID and Secret access key of the created user.
Note: the copied Access key ID and Secret access key are used to configure the feed in Google Chronicle.
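The custom policy recommended above, as an added example (not code from the original article): the Python below builds an IAM policy document scoped to one log bucket and prefix, adds s3:DeleteObject only when source deletion is wanted, adds kms:Decrypt when the bucket uses the KMS key configured for the trail, and audits any policy document for grants that are broader than a log feed needs. The bucket name, prefix, account id and key ARN are placeholders for this example; BROAD_POLICY is a constructed statement in the shape of an account-wide full-access grant, not a copy of the AWS managed policy.

```python
"""Added example: a least-privilege IAM policy for the Chronicle feed user.

The AmazonS3ReadOnlyAccess / AmazonS3FullAccess managed policies apply to
every bucket in the account (and FullAccess also grants writes). The feed
only needs to list the log bucket under the CloudTrail prefix, read those
objects, delete them only when the feed's Source Deletion Option is enabled,
and decrypt with the trail's KMS key if the bucket uses SSE-KMS.
Bucket name, prefix and key ARN below are placeholders for this example.
"""
import json

BROAD_ACTIONS = {"s3:*", "*"}


def build_feed_policy(bucket: str, prefix: str = "AWSLogs/",
                      allow_delete: bool = False, kms_key_arn: str = "") -> dict:
    """Return an IAM policy document scoped to s3://bucket/prefix."""
    prefix = prefix.strip("/")
    object_arn = f"arn:aws:s3:::{bucket}/{prefix}/*" if prefix else f"arn:aws:s3:::{bucket}/*"
    list_stmt = {
        "Sid": "ListLogPrefix",
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": f"arn:aws:s3:::{bucket}",  # ListBucket is a bucket-level action
    }
    if prefix:
        # Limit listing to the log prefix; "*" also matches the bare prefix itself.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
    statements = [
        list_stmt,
        {"Sid": "ReadLogObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": object_arn},
    ]
    if allow_delete:
        statements.append({"Sid": "DeleteIngestedObjects", "Effect": "Allow",
                           "Action": ["s3:DeleteObject"], "Resource": object_arn})
    if kms_key_arn:
        # SSE-KMS objects cannot be read without decrypt rights on the key;
        # the key policy must also allow this principal.
        statements.append({"Sid": "DecryptLogObjects", "Effect": "Allow",
                           "Action": ["kms:Decrypt"], "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def audit_policy(policy: dict) -> list[str]:
    """Flag Allow statements broader than a single-bucket log feed needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        wild = sorted(BROAD_ACTIONS.intersection(actions))
        if wild:
            findings.append(f"{sid}: wildcard action {wild}")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"{sid}: resource is not scoped to the log bucket")
        if any(a.lower().startswith("s3:put") for a in actions):
            findings.append(f"{sid}: write access is not needed to ingest logs")
    return findings


# Constructed statement in the shape of an account-wide full-access grant,
# for comparison (not a copy of the AWS managed policy).
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}

if __name__ == "__main__":
    scoped = build_feed_policy("example-log-archive-bucket", "AWSLogs/", allow_delete=True,
                               kms_key_arn="arn:aws:kms:us-east-1:111111111111:key/example-key-id")
    print(json.dumps(scoped, indent=2))
    print("scoped findings:", audit_policy(scoped))
    print("broad findings:", audit_policy(BROAD_POLICY))
```

Paste the printed document into the Create policy JSON editor, attach it to chronicle-feed-user instead of the managed policies, and keep allow_delete in step with the feed's Source Deletion Option: a feed set to delete with a read-only policy fails on the first delete, and a delete-capable policy on a feed that never deletes is standing privilege nobody uses.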
Configure Feed in Chronicle to Ingest AWS Logs
1. Go to Chronicle settings and click Feeds.
2. Click Add New.
3. Select Amazon S3 for Source Type.
4. Select AWS CloudTrail (or the other AWS service you are ingesting) for Log Type.
5. Click Next.
6. Select the region and provide the S3 URI of the Amazon S3 bucket you copied earlier. You can append {{datetime("yyyy/MM/dd")}} to the S3 URI, as in the following example, so that Chronicle scans only the current day's folder on each run:
s3://aws-cloudtrail-logs-XXX-1234567/AWSLogs/1234567890/CloudTrail/us-east-1/{{datetime("yyyy/MM/dd")}}/
7. Under URI IS A, select Directories including subdirectories. Select an appropriate option under Source Deletion Option; it must match the permissions of the IAM user created earlier (deleting source files requires s3:DeleteObject).
8. Provide the Access Key ID and Secret Access Key of the IAM user created earlier.
If the feed is added to your Chronicle instance by NetEnrich, provide them with the following values:
- S3 URI
- Access key ID
- Secret access key
9. Click Next and Finish.
10. Once the configuration is complete, validate that logs are arriving in Chronicle by searching with a regular expression such as (".*") or a specific hostname; the results show the log source types being ingested (see the screenshot for reference).
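To see what the datetime token in step 6 actually selects, here is an added example (not code from the original article or from Chronicle) that renders the feed URI template for a given day, splits it into bucket and key prefix, and lists which objects from a constructed bucket listing fall under it. CloudTrail's delivery layout is AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<MM>/<dd>/<file>.json.gz; the bucket name, account id and file names are placeholders, and only the yyyy/MM/dd pattern shown in the article is implemented.

```python
"""Added example: render the Chronicle feed URI for one day and check which
CloudTrail objects it selects.

CloudTrail delivers log files under
AWSLogs/<account-id>/CloudTrail/<region>/<yyyy>/<MM>/<dd>/<file>.json.gz,
so a feed URI ending in {{datetime("yyyy/MM/dd")}} covers one day's folder
for one Region. Bucket name, account id and file names are placeholders.
"""
import re
from datetime import date

# Only the date pattern used in the article's feed URI is implemented.
_DATETIME_TOKEN = re.compile(r'\{\{datetime\("yyyy/MM/dd"\)\}\}')

# Placeholder feed URI in the shape the article shows (pinned to us-east-1).
FEED_TEMPLATE = ('s3://example-log-archive-bucket/AWSLogs/111111111111/'
                 'CloudTrail/us-east-1/{{datetime("yyyy/MM/dd")}}/')


def cloudtrail_key(account: str, region: str, day_iso: str, filename: str) -> str:
    """Build an object key in CloudTrail's delivery layout for an ISO date."""
    day = date.fromisoformat(day_iso)
    return f"AWSLogs/{account}/CloudTrail/{region}/{day:%Y/%m/%d}/{filename}"


# Constructed object listing: two Regions and two days.
SAMPLE_KEYS = [
    cloudtrail_key("111111111111", "us-east-1", "2024-03-01", "111111111111_CloudTrail_us-east-1_20240301T0005Z_a1.json.gz"),
    cloudtrail_key("111111111111", "us-east-1", "2024-03-01", "111111111111_CloudTrail_us-east-1_20240301T0010Z_b2.json.gz"),
    cloudtrail_key("111111111111", "eu-west-1", "2024-03-01", "111111111111_CloudTrail_eu-west-1_20240301T0005Z_c3.json.gz"),
    cloudtrail_key("111111111111", "us-east-1", "2024-02-29", "111111111111_CloudTrail_us-east-1_20240229T2355Z_d4.json.gz"),
]


def render_feed_uri(template: str, day_iso: str) -> str:
    """Substitute the datetime token with the zero-padded yyyy/MM/dd path."""
    day = date.fromisoformat(day_iso)
    return _DATETIME_TOKEN.sub(day.strftime("%Y/%m/%d"), template)


def s3_prefix(uri: str) -> tuple[str, str]:
    """Split s3://bucket/key-prefix into (bucket, key-prefix)."""
    if not uri.startswith("s3://"):
        raise ValueError("not an S3 URI: " + uri)
    bucket, _, key = uri[len("s3://"):].partition("/")
    return bucket, key


def select_keys(uri: str, keys: list[str]) -> list[str]:
    """Keys a feed set to 'Directories including subdirectories' would read."""
    _, prefix = s3_prefix(uri)
    return [k for k in keys if k.startswith(prefix)]


def regions_missed(account: str, day_iso: str, keys: list[str], feed_region: str) -> set[str]:
    """Regions that delivered logs for `day_iso` but lie outside a Region-pinned URI."""
    day = date.fromisoformat(day_iso)
    marker = f"AWSLogs/{account}/CloudTrail/"
    found = set()
    for k in keys:
        if k.startswith(marker) and f"/{day:%Y/%m/%d}/" in k:
            found.add(k[len(marker):].split("/", 1)[0])
    return found - {feed_region}


if __name__ == "__main__":
    uri = render_feed_uri(FEED_TEMPLATE, "2024-03-01")
    print(uri)
    for k in select_keys(uri, SAMPLE_KEYS):
        print("  ", k)
    print("Regions not covered:", regions_missed("111111111111", "2024-03-01", SAMPLE_KEYS, "us-east-1"))
```

The regions_missed check is the caveat worth carrying into step 10: because the example URI contains a Region segment, a multi-Region trail's other Regions are written to sibling folders that this feed never reads, so either add a feed per governed Region or anchor the URI at the CloudTrail/ level when validating that all expected log sources appear.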