Ensure that the EC2 instances launched within your app-tier Auto Scaling Group (ASG) run a CloudWatch Logs agent, so that their log files (application and system logs) are collected, stored centrally and made searchable in Amazon CloudWatch Logs. The agent must be installed on the guest operating system of each app-tier EC2 instance you want logs from; because ASG instances are created automatically, the practical place to do this is the launch configuration's user data. This conformity rule assumes that all AWS resources provisioned for your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Before this rule is run by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
An Amazon CloudWatch Logs agent provides centralized logging, monitoring and incident reporting of both system-level and application-level events on the EC2 instances provisioned within the app-tier Auto Scaling Group. Without it, those logs exist only on each instance's local disk and are lost when the ASG terminates or replaces the instance, which leaves no record to investigate during an incident.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with the tag name and value you created for the app tier.
Audit
To determine if each app-tier ASG instance is being launched with an AWS CloudWatch Logs agent, perform the following:
Remediation / Resolution
- To install the Amazon CloudWatch Logs agent on the EC2 instances within your app-tier ASG, you must create a new launch configuration that carries the necessary user data (i.e. the agent installation script) and associate it with the ASG in place of the existing one, because a launch configuration cannot be modified after it is created. Instances already running keep the old configuration until they are replaced, so terminate or rotate them afterwards to pick up the new user data. To create a new launch configuration and replace the existing one, perform the following actions:
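The audit and remediation steps themselves are not reproduced on this page, so the following added example (my code, not the Conformity engine's and not from the rule content) shows the logic both steps rely on: take the output of `aws autoscaling describe-auto-scaling-groups` and `aws autoscaling describe-launch-configurations`, keep the ASGs carrying the app-tier tag, decode each launch configuration's base64 UserData and check it for an agent install, then build the user data for the replacement launch configuration. Assumptions: the JSON field names are those of the two CLI responses, the three marker strings cover the agent install methods AWS documents for Linux, the tag key `tier` with value `app` stands in for <app_tier_tag>:<app_tier_tag_value>, the remediation script targets the Amazon Linux AMI package and paths, and the ASG and launch-configuration records are constructed sample data, not a real account.

```python
import base64

# Strings whose presence in a user-data script indicates a CloudWatch Logs agent
# install (assumption: these are the install paths AWS documents for Linux).
AGENT_MARKERS = (
    "awslogs",                  # legacy CloudWatch Logs agent package (yum install awslogs)
    "amazon-cloudwatch-agent",  # unified CloudWatch agent package
    "awslogs-agent-setup.py",   # AWS quick-start installer script
)


def decode_user_data(user_data_b64):
    """Decode the base64 UserData field of describe-launch-configurations output.
    Returns the script text, or None if the field is empty or not valid base64."""
    if not user_data_b64:
        return None
    try:
        return base64.b64decode(user_data_b64, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def user_data_installs_agent(user_data_b64):
    """True only if the decoded user data references one of the agent install markers."""
    script = decode_user_data(user_data_b64)
    return script is not None and any(marker in script for marker in AGENT_MARKERS)


def app_tier_groups(groups, tag_key, tag_value):
    """Keep only the ASGs tagged <app_tier_tag>:<app_tier_tag_value> (the rule's scoping tag)."""
    return [
        g for g in groups
        if any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in g.get("Tags", []))
    ]


def noncompliant_groups(groups, launch_configs, tag_key, tag_value):
    """Audit: names of app-tier ASGs whose launch configuration user data installs no agent.
    `groups` is the AutoScalingGroups list from describe-auto-scaling-groups and
    `launch_configs` the LaunchConfigurations list from describe-launch-configurations."""
    user_data_by_lc = {lc["LaunchConfigurationName"]: lc.get("UserData", "")
                       for lc in launch_configs}
    return [
        g["AutoScalingGroupName"]
        for g in app_tier_groups(groups, tag_key, tag_value)
        if not user_data_installs_agent(user_data_by_lc.get(g.get("LaunchConfigurationName"), ""))
    ]


def remediation_script(region, log_group, log_file="/var/log/messages"):
    """Remediation: user-data script for an Amazon Linux launch configuration that installs
    the awslogs package, sets the agent's region and ships `log_file` to `log_group`.
    Package name, config paths and service name are those of the Amazon Linux AMI
    (assumption: adjust for other distributions). Save the text to a file and pass it to
    `aws autoscaling create-launch-configuration --user-data file://<file>`, then switch
    the ASG with `aws autoscaling update-auto-scaling-group --launch-configuration-name`."""
    return f"""#!/bin/bash
yum update -y
yum install -y awslogs
sed -i 's/^region = .*/region = {region}/' /etc/awslogs/awscli.conf
cat >> /etc/awslogs/awslogs.conf <<'EOF'

[app-tier]
file = {log_file}
log_group_name = {log_group}
log_stream_name = {{instance_id}}
datetime_format = %b %d %H:%M:%S
EOF
chkconfig awslogs on
service awslogs start
"""


def remediation_user_data(region, log_group, log_file="/var/log/messages"):
    """The same script base64-encoded, as it will appear in the UserData field once the
    new launch configuration is described, so the audit above can re-check it."""
    return base64.b64encode(remediation_script(region, log_group, log_file).encode()).decode()


def sample_inventory():
    """Constructed sample (not real account data) in the shape of the two CLI responses."""
    def b64(s):
        return base64.b64encode(s.encode()).decode()
    groups = [
        {"AutoScalingGroupName": "app-asg-legacy", "LaunchConfigurationName": "app-lc-v1",
         "Tags": [{"Key": "tier", "Value": "app"}]},
        {"AutoScalingGroupName": "app-asg-logged", "LaunchConfigurationName": "app-lc-v2",
         "Tags": [{"Key": "tier", "Value": "app"}]},
        {"AutoScalingGroupName": "web-asg", "LaunchConfigurationName": "web-lc",
         "Tags": [{"Key": "tier", "Value": "web"}]},
    ]
    launch_configs = [
        {"LaunchConfigurationName": "app-lc-v1", "UserData": b64("#!/bin/bash\nyum update -y\n")},
        {"LaunchConfigurationName": "app-lc-v2",
         "UserData": b64("#!/bin/bash\nyum install -y awslogs\nservice awslogs start\n")},
        {"LaunchConfigurationName": "web-lc", "UserData": ""},
    ]
    return groups, launch_configs


if __name__ == "__main__":
    groups, lcs = sample_inventory()
    print("non-compliant app-tier ASGs:", noncompliant_groups(groups, lcs, "tier", "app"))
    print(remediation_script("eu-west-1", "/app-tier/messages"))
```

To run it against a real account, save the two CLI responses with `--output json` and pass their AutoScalingGroups and LaunchConfigurations lists to noncompliant_groups(). The check is a string match on the decoded script, so user data that mentions the agent but never starts it still passes; confirm remediation by verifying that the target log group actually receives a stream per instance.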
Note: The guest OS used in this remediation/resolution section is Amazon Linux.
References
- AWS Documentation
  - Auto Scaling Groups
  - Launch Configurations
  - Creating a Launch Configuration
  - Running Commands on Your Linux Instance at Launch
  - Quick Start: Install and Configure the CloudWatch Logs Agent on an EC2 Linux Instance at Launch
  - Amazon Linux AMI
  - CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - autoscaling
  - describe-auto-scaling-groups
  - describe-tags
  - describe-launch-configurations
  - create-launch-configuration
  - update-auto-scaling-group
Rule: CloudWatch Logs Agent for App-Tier Auto Scaling Group In Use
Risk Level: Medium