1. Accelerator Central Logging Implementation and File Structures
The following diagram details the ASEA central logging implementation:
1.1. Accelerator Central Logging Buckets
Bucket Type | Bucket Name | Purpose |
---|---|---|
AES Encrypted Bucket | pbmmaccel-logarchive-phase0-aescacentral1-1py9vr4cdwuxu | ALB Logs - ALB's do not support logging to a KMS bucket |
KMS Encrypted Bucket | pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo | All other AWS Accelerator initiated logs |
AES or KMS Encrypted | aws-controltower-logs-123456789012-ca-central-1 | All Control Tower initiated logs |
AES or KMS Encrypted | aws-controltower-s3-access-logs-123456789012-ca-central-1 | S3 Access logs for the Control Tower logs bucket |
1.1.1. Notes
- Every customer has two Accelerator logging buckets: one AES encrypted bucket for ALB logs and one KMS encrypted bucket for all other Accelerator initiated logs
- Control Tower installations have an additional two Control Tower logging buckets
- Customers could use any account name for their central logging account
- Bucket name format is: {Accel-Prefix}-{Account-Name}-{Accel-Phase}-xxx{Region}-{Random}
- {Accel-Prefix} defaults to 'asea' (previously 'pbmmaccel' for Canada)
- {Account-Name} is likely to be 'log-archive' (it appears as 'logarchive' in the examples above)
- {Accel-Phase} should always be 'phase0'
- {Region} should always be 'cacentral1' for Canada (the region name with the hyphens removed)
- xxx is either "aes" (the AES encrypted ALB log bucket) or "" (nothing, the KMS encrypted bucket)
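To put the naming convention to use, here is an added example (written for this page, not ASEA project code) that recognises the four central logging bucket types from their names and inventories a list of bucket names, flagging anything that does not fit. It assumes the Control Tower bucket names follow the aws-controltower-logs-{account#}-{region} and aws-controltower-s3-access-logs-{account#}-{region} shape shown in the table, and that the Accelerator {Region} token is the region name with the hyphens removed; CentralBucket, classify_bucket, inventory and SAMPLE_BUCKETS are names introduced here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not ASEA project code): recognise the central logging buckets
# from their names using the convention documented above.
# Assumption: the {Region} token is the region name with hyphens removed, and
# Control Tower buckets are aws-controltower-{logs|s3-access-logs}-{account#}-{region}.
ACCEL_BUCKET_RE = re.compile(
    r"^(?P<prefix>[a-z0-9]+)-"        # {Accel-Prefix}, e.g. asea or pbmmaccel
    r"(?P<account>[a-z0-9-]+?)-"      # {Account-Name}, may itself contain hyphens
    r"(?P<phase>phase\d+)-"           # {Accel-Phase}, expected to be phase0
    r"(?P<aes>aes)?"                  # xxx: "aes" marks the AES encrypted ALB bucket
    r"(?P<region>[a-z]+\d)-"          # {Region} token, e.g. cacentral1
    r"(?P<random>[a-z0-9]+)$"         # {Random} suffix
)
CT_BUCKET_RE = re.compile(
    r"^aws-controltower-(?P<kind>logs|s3-access-logs)-"
    r"(?P<account>\d{12})-(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)$"
)


@dataclass(frozen=True)
class CentralBucket:
    kind: str                     # accelerator-aes | accelerator-kms | control-tower-logs | control-tower-s3-access
    account: str                  # account name (Accelerator) or account number (Control Tower)
    region: str                   # region exactly as written in the bucket name
    prefix: Optional[str] = None  # Accelerator buckets only
    phase: Optional[str] = None   # Accelerator buckets only


def region_token(region: str) -> str:
    """Accelerator {Region} token: the region name with hyphens removed."""
    return region.replace("-", "")


def classify_bucket(name: str) -> CentralBucket:
    """Map a bucket name onto one of the four central logging bucket types."""
    m = CT_BUCKET_RE.match(name)
    if m:
        kind = "control-tower-logs" if m["kind"] == "logs" else "control-tower-s3-access"
        return CentralBucket(kind, m["account"], m["region"])
    m = ACCEL_BUCKET_RE.match(name)
    if m:
        kind = "accelerator-aes" if m["aes"] else "accelerator-kms"
        return CentralBucket(kind, m["account"], m["region"], m["prefix"], m["phase"])
    raise ValueError(f"not a recognised central logging bucket name: {name}")


def is_central_bucket(name: str) -> bool:
    try:
        classify_bucket(name)
        return True
    except ValueError:
        return False


def inventory(names: List[str], region: str = "ca-central-1") -> Dict[str, List[str]]:
    """Group bucket names by kind, keeping only buckets in the expected region.

    Run over the bucket list of the central logging account: each Accelerator
    kind should appear exactly once, and anything under "other" is a bucket the
    convention does not account for (wrong shape or wrong region).
    """
    groups: Dict[str, List[str]] = {"other": []}
    wanted = {region, region_token(region)}
    for name in names:
        try:
            bucket = classify_bucket(name)
        except ValueError:
            groups["other"].append(name)
            continue
        if bucket.region not in wanted:
            groups["other"].append(name)
            continue
        groups.setdefault(bucket.kind, []).append(name)
    return groups


# Constructed sample: the four names from the table above plus two that do not belong.
SAMPLE_BUCKETS = [
    "pbmmaccel-logarchive-phase0-aescacentral1-1py9vr4cdwuxu",
    "pbmmaccel-logarchive-phase0-cacentral1-1tr23emhncdzo",
    "aws-controltower-logs-123456789012-ca-central-1",
    "aws-controltower-s3-access-logs-123456789012-ca-central-1",
    "pbmmaccel-logarchive-phase0-useast1-1tr23emhncdzo",   # right shape, wrong region
    "my-app-artifacts",
]

if __name__ == "__main__":
    for kind, names in inventory(SAMPLE_BUCKETS).items():
        print(f"{kind}: {names}")
```

Feed inventory() the names returned by `aws s3api list-buckets` in the log-archive account; a look-alike bucket in another region, or a name that parses as neither type, is exactly what you want surfaced before pointing a bucket policy, replication rule or log delivery at it.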
1.2. Accelerator Bucket Folders
Log Type | Folder Path |
---|---|
ELB (in AES bucket) | {account#}/elb-{elbname}/AWSLogs/{account#}/* |
VPC Flow Logs | {account#}/{vpc-name}/AWSLogs/{account#}/vpcflowlogs/{region}/{year}/{month}/{day}/* |
Macie Reports | {account#}/macietestobject |
Cost and Usage Reports | {account#}/cur/Cost-and-Usage-Report/* |
Config History* | AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigHistory/* |
Config Snapshot* | AWSLogs/{account#}/Config/{region}/{year}/{month}/{day}/ConfigSnapshot/* |
GuardDuty | AWSLogs/{account#}/GuardDuty/{region}/{year}/{month}/{day}/* |
CloudWatch Logs**** | CloudWatchLogs/{year}/{month}/{day}/{hour}/* |
CloudTrail Digest*** | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail-Digest/{region}/{year}/{month}/{day}/* |
CloudTrail Insights** | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail-Insights/{region}/{year}/{month}/{day}/* |
CloudTrail*** | {org-id}/AWSLogs/{org-id}/{account#}/CloudTrail/{region}/{year}/{month}/{day}/* |
CT S3 Access Logs | {no folders} |
SSM Inventory | ssm-inventory/{ssm-inventory-type}/accountid={account#}/region={region}/resourcetype={rt}/* |
1.2.1. Notes
* Located in the Control Tower bucket when installed; Control Tower adds the {org-id} (e.g. o-h9ho05hcxl/) as the top level folder
** Only available in Accelerator Standalone deployments
*** CloudTrail control plane logs are located in the Control Tower bucket when installed; Control Tower drops the {org-id} (e.g. o-h9ho05hcxl/) from the middle of the folder path. This may change when Control Tower migrates to Organization Trails. CloudTrail data plane logs remain in the Accelerator bucket.
**** v1.5.1 introduces the capability to split CloudWatch log groups starting with specific prefixes out into customer named subfolders. The folder/file structure is otherwise identical. The v1.5.1 example config files separate out MAD, RQL, Security Hub, NFW, rsyslog, and SSM logs by default. Example: Security Hub logs will be in the following structure: CloudWatchLogs/security-hub/{year}/{month}/{day}/{hour}/
- The account number is sometimes duplicated in the path because logs replicated from another account always need to start with the source account number
- Macie reports will only appear under the {account#} of the central security account, and only if a customer schedules PII discovery reports
- All CloudWatch Logs from all accounts are mixed in the same folder; the embedded log format contains the source account information, as documented here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/ValidateLogEventFlow.html
- With the exception of CloudWatch Logs, all logs are in the original format provided by the log source/service.
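Anyone building ingestion or detection on top of these buckets needs to turn an object key back into "which log, which account, which day", and the notes above mean the same log type has two key shapes depending on whether Control Tower is installed. The following added example (written for this page, not ASEA project code) encodes the folder table and both Control Tower layout differences as a key classifier. Placeholder shapes are assumptions: 12-digit account numbers, Organizations ids like o-h9ho05hcxl, region names like ca-central-1; the sample keys and object names are constructed, and LogObject, classify_key and summarize are names introduced here. CT S3 Access Logs have no folder structure and are deliberately left unclassified.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not ASEA project code): classify object keys in the central
# logging buckets using the folder paths in the table above plus the two
# Control Tower layout differences from the notes. Assumed placeholder shapes:
# 12-digit account numbers, org ids like o-h9ho05hcxl, regions like ca-central-1.
ACCT = r"\d{12}"
ORG = r"o-[a-z0-9]{10,32}"
REGION = r"[a-z]{2}-[a-z]+-\d"
DATE = r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})"


def _cloudtrail(trail: str) -> re.Pattern:
    # Accelerator bucket: {org-id}/AWSLogs/{org-id}/{account#}/... ; the Control Tower
    # bucket drops the second {org-id}, so it is optional and must equal the first.
    return re.compile(
        rf"^(?P<org>{ORG})/AWSLogs/(?:(?P<org_mid>(?P=org))/)?(?P<account>{ACCT})/"
        rf"{trail}/(?P<region>{REGION})/{DATE}/"
    )


KEY_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("cloudtrail-digest", _cloudtrail("CloudTrail-Digest")),
    ("cloudtrail-insights", _cloudtrail("CloudTrail-Insights")),
    ("cloudtrail", _cloudtrail("CloudTrail")),
    # Control Tower adds {org-id}/ as the top-level folder for Config; the Accelerator bucket does not.
    ("config", re.compile(
        rf"^(?:(?P<org>{ORG})/)?AWSLogs/(?P<account>{ACCT})/Config/(?P<region>{REGION})/"
        rf"{DATE}/(?P<kind>ConfigHistory|ConfigSnapshot)/")),
    ("guardduty", re.compile(
        rf"^AWSLogs/(?P<account>{ACCT})/GuardDuty/(?P<region>{REGION})/{DATE}/")),
    # Optional customer-named subfolder from the v1.5.1 prefix split, e.g. security-hub.
    ("cloudwatch-logs", re.compile(
        r"^CloudWatchLogs/(?:(?P<subfolder>[^/]+)/)?"
        r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<hour>\d{2})/")),
    ("elb", re.compile(rf"^(?P<account>{ACCT})/elb-(?P<elb>[^/]+)/AWSLogs/{ACCT}/")),
    ("vpc-flow-logs", re.compile(
        rf"^(?P<account>{ACCT})/(?P<vpc>[^/]+)/AWSLogs/{ACCT}/vpcflowlogs/"
        rf"(?P<region>{REGION})/{DATE}/")),
    ("macie", re.compile(rf"^(?P<account>{ACCT})/macietestobject")),
    ("cost-and-usage", re.compile(rf"^(?P<account>{ACCT})/cur/Cost-and-Usage-Report/")),
    ("ssm-inventory", re.compile(
        rf"^ssm-inventory/(?P<inventory_type>[^/]+)/accountid=(?P<account>{ACCT})/"
        rf"region=(?P<region>{REGION})/resourcetype=(?P<resource_type>[^/]+)/")),
]


@dataclass
class LogObject:
    log_type: str
    layout: str             # "accelerator" or "control-tower": the bucket layout the key shape implies
    fields: Dict[str, str]  # account, region, year/month/day and type-specific values


def classify_key(key: str) -> Optional[LogObject]:
    """Identify one S3 key; returns None for keys the folder table does not describe."""
    for log_type, pattern in KEY_PATTERNS:
        m = pattern.match(key)
        if not m:
            continue
        fields = {k: v for k, v in m.groupdict().items() if v is not None}
        layout = "accelerator"
        if log_type == "config":
            log_type = "config-history" if fields.pop("kind") == "ConfigHistory" else "config-snapshot"
            layout = "control-tower" if "org" in fields else "accelerator"
        elif log_type.startswith("cloudtrail"):
            layout = "accelerator" if fields.pop("org_mid", None) else "control-tower"
        return LogObject(log_type, layout, fields)
    return None


def summarize(keys: List[str]) -> Dict[str, int]:
    """Count objects per log type and layout; anything unmatched lands in 'unclassified'."""
    counts: Dict[str, int] = {}
    for key in keys:
        obj = classify_key(key)
        label = f"{obj.log_type}/{obj.layout}" if obj else "unclassified"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample keys (object names are made up); the org id is the one from the notes above.
SAMPLE_KEYS = [
    "o-h9ho05hcxl/AWSLogs/o-h9ho05hcxl/123456789012/CloudTrail/ca-central-1/2023/05/01/trail.json.gz",
    "o-h9ho05hcxl/AWSLogs/123456789012/CloudTrail/ca-central-1/2023/05/01/trail.json.gz",
    "o-h9ho05hcxl/AWSLogs/123456789012/Config/ca-central-1/2023/05/01/ConfigSnapshot/snap.json.gz",
    "AWSLogs/123456789012/Config/ca-central-1/2023/05/01/ConfigHistory/hist.json.gz",
    "CloudWatchLogs/2023/05/01/13/stream.gz",
    "CloudWatchLogs/security-hub/2023/05/01/13/stream.gz",
    "123456789012/elb-Public-DevOps-alb/AWSLogs/123456789012/elasticloadbalancing/access.log.gz",
    "123456789012/Dev-vpc/AWSLogs/123456789012/vpcflowlogs/ca-central-1/2023/05/01/flow.log.gz",
    "ssm-inventory/AWS:Application/accountid=123456789012/region=ca-central-1/resourcetype=ManagedInstanceInventory/part.json",
    "backup/unexpected-object.txt",
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_KEYS).items()):
        print(f"{n:3d}  {label}")
```

Run summarize() over a key listing of each bucket: a non-zero "unclassified" count in a central logging bucket means something other than the documented log sources is writing there, and a mix of "accelerator" and "control-tower" layouts for the same log type in one bucket is a sign the Control Tower migration described in the notes is partially applied.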