
I have 4 AWS accounts, and I want to centralise all my logs into a single account for security purposes.

Meaning: collect CloudWatch logs from the accounts prod, dev and perf into an account called logs. Ideally they would end up in CloudWatch in the logs account, so I can process them easily with ELK.

I read about it here:

http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

But I can't find a tutorial on how to simply set up the whole stack.

Any suggestions would be appreciated.

jthemovie

1 Answer

The only thing different about using CloudWatch Logs in another account is the credentials you'll need to use.

I would do it like this: in your logs account, create 3 IAM users:

  • prod
  • dev
  • perf

Give each of the users the necessary IAM permissions to write logs to CloudWatch Logs. Also, create a set of AWS credentials for the 3 users, which you will use to authenticate with.

Then in your application, depending on what stack you're in, configure your code to use the relevant credentials (i.e. Dev, Prod) to write to CloudWatch Logs. The only difference should be wherever in your code you create the CloudWatch Logs client. You should pass the client the credentials for the relevant IAM user from your "Logs" account.

EDIT:

If you're using the CloudWatch Logs client, the idea is the same. You create the users and instead just give the client the relevant AWS credentials. You specify the creds for the user from your logs account in /etc/awslogs/awslogs.conf. The credentials you use are what will send your logs to CloudWatch in the other account. The process you need to follow is basically documented in the AWS docs.

mickzer
  • Thanks for your suggestion mickzer, but I don't have any specific application, just the awslogs agent installed on EC2 and grabbing syslog, auditd logs etc. I didn't see in /etc/awslogs/awslog.conf a way to specify which CloudWatch I could target – jthemovie Apr 12 '17 at 10:52
  • Thanks for your edit, give me today to put this into practice and I'll come back to you ;) – jthemovie Apr 13 '17 at 08:46
  • It works!!! That's pretty awesome, but it means that every instance needs the credentials hardcoded. Is there any way we could do it directly by assuming a role, meaning specifying in awscli.conf the ARN of the role to assume? I noticed that if I put the variable role_arn in awscli.conf, it doesn't reject it, but I don't receive my logs in the logs account (Partial credentials found in assume-role, missing: 'source_profile') – jthemovie Apr 13 '17 at 12:19
  • Adding that the role I created in the logs account looks like this http://imgur.com/a/QxfmY – jthemovie Apr 13 '17 at 13:26
  • Yes, it's possible to use Cross Account Roles to avoid needing credentials. – mickzer Apr 15 '17 at 22:04
  • I tried, but as you can see, it doesn't work http://stackoverflow.com/questions/43424614/cloudwatch-logs-agent-cant-assume-role-to-send-logs-to-different-account :/ – jthemovie Apr 16 '17 at 23:52
  • A misconfiguration with Cross Account Roles is not in the scope of this post. Please mark the answer as correct if you are satisfied it is correct. – mickzer Apr 18 '17 at 12:24
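As an added example (not code from the answer or from AWS), here is what the "necessary IAM permissions" for one of those per-environment users in the logs account can look like when scoped to least privilege, so that credentials sitting on a prod instance can only write into prod's log groups and never into dev's or perf's; the logs account id, the region and the /<env>/ log-group naming convention are assumptions of this example, and the evaluator below is a simplified model of IAM resource matching, not the real engine.

```python
"""Least-privilege log-writer policy for one per-environment IAM user.

Constructed example: account id, region and the /<env>/... log-group
prefix are placeholders, not values from the original post.
"""
import fnmatch
import json

# The only actions the awslogs agent needs in order to ship logs.
WRITE_ACTIONS = [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams",
]


def log_writer_policy(env: str, logs_account_id: str, region: str) -> dict:
    """Policy for IAM user `env` in the logs account.

    The resource is limited to log groups named /<env>/...; the trailing '*'
    also covers the ':log-stream:<name>' suffix of stream ARNs, so leaked
    prod credentials cannot pollute or forge dev/perf log data."""
    group_arn = f"arn:aws:logs:{region}:{logs_account_id}:log-group:/{env}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"Write{env.capitalize()}Logs",
            "Effect": "Allow",
            "Action": WRITE_ACTIONS,
            "Resource": group_arn,
        }],
    }


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified IAM evaluation: Allow if any Allow statement matches both
    the action and the resource with '*' wildcard semantics (no Deny or
    Condition handling, which is enough to check the scoping above)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(log_writer_policy("prod", "111111111111", "eu-west-1"), indent=2))
```

Attach the generated document to the matching user (prod, dev, perf) and put that user's access key in the agent's configuration on the instances of that environment, as the answer describes.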