Centralized Logging


Overview

In this lab we will walk through how to deploy an Elasticsearch cluster and configure the search index through

We will be effectively deploying the landing zone v2 centralized logging solution manually using StackSets. The AWS Centralized Logging solution used in landing zone is effectively the same version available publicly here.

Prerequisites

  • This lab requires an account with Administrator privileges and Control Tower.
  • Download the landing zone centralized logging add-on
  • The zip file is located at Centralized Logging Content

Steps

  1. Log in using the SSO account user created in lab00
  2. Download and unzip the files above

Create the CloudFormation StackSet for the primary stack

There are two methods to deploy Centralized Logging.

  1. Via Stack Set pushing 1 account to another (Master Account to Audit Account)
  2. Via Stack 1 account (Audit account only)

Via Stack Set pushing 1 account to another (Master Account to Audit Account)

We are going to use the aws-landing-zone-centralized-logging-primary.template to deploy a single stack instance in the cross account audit account.

  1. Log in to the master account
  2. Right-click and open the AWS CloudFormation console in a new tab
  3. Verify your region
  4. Choose Create StackSet
  5. Choose Upload a template file
    • located in aws-centralized-logging-solution/templates/core_accounts
  6. Select the aws-landing-zone-centralized-logging-primary.template
  7. Give the StackSet a descriptive name, e.g. alias@AWSLZCLPrimary.
  8. Parameters:
  9. Use + addressing to enter your personal e-mail address, e.g. alias+ctclv2@amazon.com, for both the Elasticsearch domain admin email address and the Cognito admin email address.

    Parameter             Value
    StackSet description  default
    OrgID                 accountnum
    DemoVPC               default
    ClusterSize           small
    DemoSubnet            default
    DomainAdminEmail      ALIAS+ctlab24@amazon.com
    CognitoAdminEmail     ALIAS+ctlab24@amazon.com
    DemoTemplate          No
    DOMAINNAME            Initialscentralizedlogging

    Deployment setting    Value
    IAM admin role ARN    AWSControlTowerStackSetRole
    IAM execution role    AWSControlTowerExecution
    Account number        cross-account audit account
    Specify regions       region with Control Tower installed
    Deployment options    1, 1
  10. Check "I acknowledge that AWS CloudFormation might create IAM resources with custom names" and "I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND"

  11. Click Next

  12. Select "Deploy stacks in accounts" and enter the account number of the cross-account audit account (from the AWS Organizations console)
  13. Select the primary region where you have Control Tower deployed
  14. Click Next
  15. For IAM Admin Role ARN, select the service role AWSControlTowerStackSetRole from the drop-down, and enter AWSControlTowerExecution for IAM Execution Role Name
  16. Click Next
  17. Acknowledge both IAM boxes
  18. Click Submit
  19. Wait for the stack instance to deploy. To watch the progress, use SSO to open the administration console in the cross-account audit account and follow the stack until it completes.
  20. Navigate to the CloudFormation console in the cross-account audit account and copy all of the stack outputs to a temporary notebook
  21. Watch the inbox of the email address provided earlier for a temporary password and an SNS subscription notification. The password is used in the next section; go ahead and confirm the SNS subscription.

Create the StackSet for the centralized logging spoke stacks

We are going to use the aws-landing-zone-centralized-logging-spoke.template to create the StackSet for deploying the spokes to the accounts in our organization.

Most customers should consider deploying the spoke stack in all of their accounts, since they are already keeping the logs from those accounts in the archive log bucket. For this lab, however, we deploy to one account in the interest of time.

  1. Log in to the master account
  2. Right-click and open the AWS S3 Console in a new tab
  3. Verify your region
  4. Choose Create StackSet
  5. Choose Upload a template to Amazon S3
    • located in aws-centralized-logging-solution/templates/aws_baseline
  6. Select the aws-landing-zone-centralized-logging-spoke.template
  7. Give the StackSet a descriptive name, e.g. alias@AWSLZCLSpoke.
  8. Parameters:
  9. Use the outputs that you saved from the primary stack
    • Elasticsearch Endpoint
    • Master Account Role
    • Cluster Size
  10. Open a new console tab and, under CloudWatch Logs, find the name of the log group that receives the CloudTrail logs; most likely it is aws-controltower/CloudTrailLogs.
  11. Change the CloudTrailCloudWatchLogsGroupName parameter to the name you found above, e.g. aws-controltower/CloudTrailLogs
  12. For CloudTrailRegion, use the primary region you used for Control Tower

    Parameter                          Value
    Elasticsearch Endpoint             accountnum
    Master Account Role                default
    Cluster Size                       small
    Sample Logs                        No
    VPC CIDR for Sample Sources        default
    Subnet for Sample Web Server       default
    CloudTrailCloudWatchLogsGroupName  default
    CloudTrailRegion                   default

    Deployment setting                 Value
    IAM Admin Role ARN                 AWSControlTowerStackSetRole
    IAM Execution Role Name            AWSControlTowerExecution
  13. Click Next

  14. Select the audit account
  15. Select the primary region you just entered as a parameter and click Add
  16. Click Next
  17. Acknowledge both IAM boxes
  18. Click Create
  19. Now wait until at least one of the stack instances is complete before moving to the next step
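The console procedures above for the primary StackSet and the spoke StackSet (and the cleanup section at the end of the lab) carried out with the AWS CLI from the master account, added here as an example; this is not part of the lab or of the AWS Centralized Logging solution. It assumes the aws CLI is configured with master-account credentials and the templates sit in the paths the lab gives. Account ids, region, e-mail, domain name and the primary-output values ES_ENDPOINT and MASTER_ROLE are placeholders; the spoke parameter keys ElasticsearchEndpoint and MasterRole are assumed (the lab shows display labels only) and should be confirmed with the template_parameter_keys helper; FailureToleranceCount=0 is this example's choice.

```shell
#!/bin/sh
# Added example, not part of the lab or the AWS solution: the primary and spoke
# StackSet procedures, plus the cleanup, driven from the AWS CLI in the master
# account. Every id, region, e-mail and domain name is a placeholder; the spoke
# parameter keys other than the two CloudTrail ones the lab names are assumed.
set -eu

MASTER_ACCOUNT_ID=${MASTER_ACCOUNT_ID:-111111111111}   # placeholder
AUDIT_ACCOUNT_ID=${AUDIT_ACCOUNT_ID:-222222222222}     # placeholder: cross-account audit account
CT_REGION=${CT_REGION:-us-east-1}                      # placeholder: region where Control Tower is deployed
ADMIN_EMAIL=${ADMIN_EMAIL:-alias+ctlab24@example.com}  # placeholder: + addressing as in the lab
DOMAIN_NAME=${DOMAIN_NAME:-initialscentralizedlogging} # placeholder: your initials + centralizedlogging
TEMPLATES=${TEMPLATES:-aws-centralized-logging-solution/templates}
ADMIN_ROLE_ARN="arn:aws:iam::${MASTER_ACCOUNT_ID}:role/service-role/AWSControlTowerStackSetRole"
EXEC_ROLE_NAME=AWSControlTowerExecution

# Render KEY=VALUE arguments in the ParameterKey=...,ParameterValue=... form that
# `aws cloudformation create-stack-set --parameters` expects, one per line
# (values must not contain whitespace, which holds for every value in the lab).
cfn_parameters() {
  for kv in "$@"; do
    printf 'ParameterKey=%s,ParameterValue=%s\n' "${kv%%=*}" "${kv#*=}"
  done
}

# Classify the Status of describe-stack-set-operation as done, wait or failed.
operation_state() {
  case "$1" in
    SUCCEEDED)               echo done ;;
    RUNNING|QUEUED|STOPPING) echo wait ;;
    *)                       echo failed ;;   # FAILED or STOPPED
  esac
}

# Poll a StackSet operation every 30 s until it succeeds (returns 0) or fails.
wait_operation() {  # stackset-name operation-id
  while :; do
    status=$(aws cloudformation describe-stack-set-operation --stack-set-name "$1" \
      --operation-id "$2" --query StackSetOperation.Status --output text)
    case "$(operation_state "$status")" in
      done)   return 0 ;;
      failed) echo "$1: operation $2 ended with status $status" >&2; return 1 ;;
    esac
    sleep 30
  done
}

# The lab's spoke table shows display labels; confirm the real keys with this.
template_parameter_keys() {  # template-path
  aws cloudformation validate-template --template-body "file://$1" \
    --query 'Parameters[].ParameterKey' --output text
}

# Create the StackSet with the Control Tower admin and execution roles and both
# IAM capabilities (the two acknowledgement boxes), with no instances yet.
create_stack_set() {  # stackset-name template-path KEY=VALUE...
  name=$1; template=$2; shift 2
  aws cloudformation create-stack-set --stack-set-name "$name" \
    --template-body "file://$template" --parameters $(cfn_parameters "$@") \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --permission-model SELF_MANAGED \
    --administration-role-arn "$ADMIN_ROLE_ARN" --execution-role-name "$EXEC_ROLE_NAME" \
    --description "Centralized logging lab: $name" >/dev/null
}

# Push one stack instance to the audit account in the Control Tower region and
# wait. FailureToleranceCount=0 (example's choice) stops on the first failure.
deploy_instance() {  # stackset-name account region
  op_id=$(aws cloudformation create-stack-instances --stack-set-name "$1" \
    --accounts "$2" --regions "$3" \
    --operation-preferences FailureToleranceCount=0,MaxConcurrentCount=1 \
    --query OperationId --output text)
  wait_operation "$1" "$op_id" && echo "$1: instance deployed in $2/$3"
}

# Cleanup: delete the instances, wait for that to finish, then the empty StackSet.
teardown() {  # stackset-name account region
  op_id=$(aws cloudformation delete-stack-instances --stack-set-name "$1" \
    --accounts "$2" --regions "$3" --no-retain-stacks \
    --query OperationId --output text)
  wait_operation "$1" "$op_id"
  aws cloudformation delete-stack-set --stack-set-name "$1"
}

# Usage: sh centralized-logging.sh deploy | cleanup
case "${1:-}" in
  deploy)
    # The lab's parameter table puts the audit account number in OrgID.
    create_stack_set AWSLZCLPrimary \
      "$TEMPLATES/core_accounts/aws-landing-zone-centralized-logging-primary.template" \
      "OrgID=$AUDIT_ACCOUNT_ID" ClusterSize=small DemoTemplate=No "DOMAINNAME=$DOMAIN_NAME" \
      "DomainAdminEmail=$ADMIN_EMAIL" "CognitoAdminEmail=$ADMIN_EMAIL"
    deploy_instance AWSLZCLPrimary "$AUDIT_ACCOUNT_ID" "$CT_REGION"
    # The spoke needs the primary stack's outputs, which live in the audit
    # account: ES_ENDPOINT and MASTER_ROLE stand in for them; the key names
    # ElasticsearchEndpoint and MasterRole are assumed.
    create_stack_set AWSLZCLSpoke \
      "$TEMPLATES/aws_baseline/aws-landing-zone-centralized-logging-spoke.template" \
      "ElasticsearchEndpoint=${ES_ENDPOINT:?set from primary outputs}" \
      "MasterRole=${MASTER_ROLE:?set from primary outputs}" ClusterSize=small \
      CloudTrailCloudWatchLogsGroupName=aws-controltower/CloudTrailLogs "CloudTrailRegion=$CT_REGION"
    deploy_instance AWSLZCLSpoke "$AUDIT_ACCOUNT_ID" "$CT_REGION"
    ;;
  cleanup)
    teardown AWSLZCLSpoke "$AUDIT_ACCOUNT_ID" "$CT_REGION"
    teardown AWSLZCLPrimary "$AUDIT_ACCOUNT_ID" "$CT_REGION"
    ;;
esac
```

Run `sh centralized-logging.sh deploy` with the placeholder variables exported; the stack outputs needed by the spoke still have to be read in the audit account (step 20 of the primary procedure) because the StackSet operation in the master account does not return them. `sh centralized-logging.sh cleanup` removes the spoke before the primary, matching the order in the cleanup section.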

Log in to the Kibana dashboard

  1. Open the KibanaLoginURL from the outputs you saved from the primary stack
  2. You should have an e-mail in your inbox with the username and password

You have completed the lab. For more on how to use Kibana, see Kibana How To.

Clean up the lab

  1. Log in to the master account
  2. Right-click and open the AWS S3 Console in a new tab
  3. Delete the spoke stackset
  4. Delete the primary stackset