Ensure that each EC2 instance available within your web-tier Auto Scaling Group (ASG) is using an AWS CloudWatch Logs agent to monitor, store and access log files from each instance. A CloudWatch Logs agent needs to be installed on the guest Operating System (OS) of each web-tier EC2 instance that you want to ship logs from. This conformity rule assumes that all AWS resources provisioned for your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
An AWS CloudWatch Logs agent helps provide centralized logging, monitoring and incident reporting of both system-level and application-level events generated by the EC2 instances provisioned in the web-tier Auto Scaling Group.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
Audit
To determine if the EC2 instances within your web-tier ASG are being launched with AWS CloudWatch Logs agents, perform the following actions:
Remediation / Resolution
To automatically install the AWS CloudWatch Logs agent on the EC2 instances within your web-tier ASG, you must re-create the ASG launch configuration and configure it with the necessary user data (the agent installation script). To set up a new launch configuration and replace the existing one, perform the following actions:
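The Audit and Remediation sections above can both be scripted with the AWS CLI commands listed under References. The script below is an added example, not Cloud Conformity's own tooling or the rule's hidden steps: it assumes the AWS CLI is installed and configured with credentials, keeps the rule's `<web_tier_tag>`/`<web_tier_tag_value>` placeholders (override them through the environment variables), and uses constructed values for the log group name (`web-tier-syslog`), the `-cwlogs` launch configuration suffix and the environment variable names. The user data targets Amazon Linux, where the agent ships as the `awslogs` package.

```shell
#!/usr/bin/env bash
# Added example: audit web-tier ASG launch configurations for a CloudWatch Logs
# agent in their user data, and build a replacement launch configuration.
# Not Cloud Conformity's code. Environment variable names and defaults below
# are constructed placeholders for this example.
set -eu

WEB_TIER_TAG="${WEB_TIER_TAG:-<web_tier_tag>}"
WEB_TIER_TAG_VALUE="${WEB_TIER_TAG_VALUE:-<web_tier_tag_value>}"
AWS_REGION="${AWS_REGION:-us-east-1}"

# User data that installs and starts the CloudWatch Logs agent (awslogs package)
# on Amazon Linux at launch. The log group name "web-tier-syslog" is constructed.
cw_agent_user_data() {
  cat <<EOF
#!/bin/bash
yum update -y
yum install -y awslogs
# Point the agent at the instance's own region (package default is us-east-1).
sed -i "s/region = us-east-1/region = ${AWS_REGION}/" /etc/awslogs/awscli.conf
cat >> /etc/awslogs/awslogs.conf <<'CONF'

[/var/log/messages]
file = /var/log/messages
log_group_name = web-tier-syslog
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S
CONF
if command -v systemctl >/dev/null 2>&1; then
  systemctl enable awslogs && systemctl start awslogs      # Amazon Linux 2
else
  chkconfig awslogs on && service awslogs start            # Amazon Linux AMI
fi
EOF
}

# Audit check: returns 0 when base64-encoded launch configuration UserData
# (as returned by describe-launch-configurations) installs a CloudWatch Logs
# agent, 1 otherwise (including undecodable input).
userdata_installs_cw_logs_agent() {
  decoded="$(printf '%s' "$1" | base64 -d 2>/dev/null)" || return 1
  case "$decoded" in
    *awslogs*|*amazon-cloudwatch-agent*) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk every ASG tagged <web_tier_tag>:<web_tier_tag_value> and report whether
# its launch configuration's user data installs the agent.
audit_web_tier_asgs() {
  aws autoscaling describe-auto-scaling-groups --region "$AWS_REGION" \
    --query "AutoScalingGroups[?Tags[?Key=='${WEB_TIER_TAG}' && Value=='${WEB_TIER_TAG_VALUE}']].[AutoScalingGroupName,LaunchConfigurationName]" \
    --output text |
  while read -r asg_name lc_name; do
    if [ "$lc_name" = "None" ]; then
      echo "$asg_name: no launch configuration attached (launch template?) - inspect manually"
      continue
    fi
    encoded="$(aws autoscaling describe-launch-configurations --region "$AWS_REGION" \
      --launch-configuration-names "$lc_name" \
      --query 'LaunchConfigurations[0].UserData' --output text)"
    if userdata_installs_cw_logs_agent "$encoded"; then
      echo "$asg_name ($lc_name): COMPLIANT - CloudWatch Logs agent installed by user data"
    else
      echo "$asg_name ($lc_name): NON-COMPLIANT - no CloudWatch Logs agent in user data"
    fi
  done
}

# Remediation: create a new launch configuration carrying the agent user data
# and switch the ASG to it. The CLI base64-encodes file:// user data itself.
# The instance profile's role must allow logs:CreateLogGroup, logs:CreateLogStream,
# logs:DescribeLogStreams and logs:PutLogEvents, or the agent cannot ship logs.
remediate_web_tier_asg() {
  asg_name="$1"; ami_id="$2"; instance_type="$3"; instance_profile="$4"
  new_lc="${asg_name}-cwlogs"
  tmp="$(mktemp)"; cw_agent_user_data > "$tmp"
  aws autoscaling create-launch-configuration --region "$AWS_REGION" \
    --launch-configuration-name "$new_lc" \
    --image-id "$ami_id" --instance-type "$instance_type" \
    --iam-instance-profile "$instance_profile" \
    --user-data "file://$tmp"
  aws autoscaling update-auto-scaling-group --region "$AWS_REGION" \
    --auto-scaling-group-name "$asg_name" --launch-configuration-name "$new_lc"
  rm -f "$tmp"
  echo "$asg_name now launches from $new_lc; replace running instances to apply it"
}

# Usage: ./asg-cwlogs.sh audit | ./asg-cwlogs.sh remediate <asg> <ami> <type> <profile>
case "${1:-}" in
  audit) audit_web_tier_asgs ;;
  remediate) remediate_web_tier_asg "$2" "$3" "$4" "$5" ;;
  *) ;;
esac
```

Existing instances keep running the old launch configuration after `update-auto-scaling-group`, so the audit only turns green once they are replaced (for example by terminating them so the ASG relaunches from the new configuration). The check matches the `awslogs` package and the newer unified `amazon-cloudwatch-agent`, so a launch configuration that installs either is reported as compliant; an ASG backed by a launch template instead of a launch configuration is flagged for manual review rather than judged.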
Note: The guest OS utilized in this remediation/resolution section is Amazon Linux.
References
- AWS Documentation
- Auto Scaling Groups
- Launch Configurations
- Creating a Launch Configuration
- Running Commands on Your Linux Instance at Launch
- Amazon Linux AMI
- Quick Start: Install and Configure the CloudWatch Logs Agent on an EC2 Linux Instance at Launch
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- autoscaling
- describe-auto-scaling-groups
- describe-tags
- describe-launch-configurations
- create-launch-configuration
- update-auto-scaling-group
CloudWatch Logs Agent for Web-Tier Auto Scaling Group In Use
Risk Level: Medium