
Web-Tier AWS CloudWatch Log Group

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure there is an AWS CloudWatch log group created for the web tier, available in your AWS account. A CloudWatch log group manages a collection of log streams that share the same retention, monitoring and access control settings. This conformity rule assumes that the AWS CloudWatch log group created for your web tier uses the following naming convention: <web_tier_log_group>. Before the Cloud Conformity engine runs this rule, the name of the web-tier log group must be defined in the rule settings, in your Cloud Conformity account. The retention settings for the web-tier log group can also be configured on the Cloud Conformity account dashboard.

Security, Operational excellence

Amazon CloudWatch Logs can be used to monitor, store and access logging data from EC2 instances, CloudTrail trails, Route 53 hosted zones and other AWS sources. To publish system and/or application logs to CloudWatch Logs, you must create log groups. Separating the CloudWatch log group destinations on a per-tier basis (the web tier in this case) allows unique settings to be applied per group for retention, monitoring and access control, as noted above.

Note 1: Make sure that you replace all <web_tier_log_group> placeholders found in the conformity rule content with the name of your own log group created for the web tier.

Note 2: You can use third-party log management tools such as Splunk, Loggly, AlertLogic Log Manager, etc., as long as the recommendation goal is achieved. In this case, the steps outlined in the Audit and Remediation sections must be modified for the log management tool used.


Audit

To determine if a web-tier CloudWatch log group exists in your AWS account, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Web-Tier Cloudwatch Log Group In Use conformity rule settings and copy the name configured for your web-tier CloudWatch log group (e.g. <web_tier_log_group>).

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs to access the log groups available in the current AWS region.

05 Paste the name of your web-tier CloudWatch log group, copied at step no. 1 (e.g. <web_tier_log_group>), into the Log Group Name Prefix search box and press Enter. Because this is a prefix search, log groups whose names merely begin with this value also match, so confirm that a log group with exactly this name is listed. If no log group with that exact name is returned, there is no Amazon CloudWatch log group created for the web tier within the selected AWS region.

06 Change the AWS region from the navigation bar and repeat step no. 5 to check for web-tier CloudWatch log groups within other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Web-Tier Cloudwatch Log Group In Use conformity rule settings and copy the name configured for your web-tier CloudWatch log group (e.g. <web_tier_log_group>).

02 Run describe-log-groups command (OSX/Linux/UNIX) using custom query filters to list the metadata for the specified web-tier CloudWatch log group. Replace <web_tier_log_group> with the name of your own web-tier log group copied at the previous step, then send the describe-log-groups command request:

aws logs describe-log-groups \
	--region us-east-1 \
	--query "logGroups[?logGroupName == '<web_tier_log_group>']"

03 The command output should return the metadata for the specified web-tier CloudWatch log group (if there is one available):

[]

If the describe-log-groups command output returns an empty array (i.e. []), as shown in the example above, there is no AWS CloudWatch log group provisioned for the web tier within the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 and 3 to check for web-tier CloudWatch log groups in other regions.
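The audit above is a per-region, exact-name check with an optional retention comparison. The following is an added example (not Conformity's own code) that applies the same logic to the JSON shape returned by describe-log-groups (or boto3's describe_log_groups): it filters on name equality rather than prefix, treats a missing retentionInDays key as "Never Expire", and compares the configured retention against the rule setting. The log group name "web-tier", the 7-day retention, and the per-region sample responses are constructed for the example; collect_log_groups is the only part that needs a live boto3 logs client and is not exercised offline.

```python
"""Evaluate CloudWatch Logs describe-log-groups output against the web-tier rule settings."""

# Rule settings as they would appear in the Conformity rule (assumed values for the example).
WEB_TIER_LOG_GROUP = "web-tier"   # the page calls this <web_tier_log_group>
WEB_TIER_RETENTION_DAYS = 7       # None means "no retention configured in the rule"


def evaluate_log_groups(log_groups, expected_name, expected_retention=None):
    """Return (status, detail) for one region.

    `log_groups` is the `logGroups` list from describe-log-groups, possibly
    gathered over several pages. Status is one of MISSING, NEVER_EXPIRE,
    RETENTION_MISMATCH or OK.
    """
    # A prefix query also returns siblings such as "web-tier-staging"; only an
    # exact name satisfies the rule, so filter on equality, not on prefix.
    matches = [g for g in log_groups if g.get("logGroupName") == expected_name]
    if not matches:
        return "MISSING", f"no log group named {expected_name!r}"
    group = matches[0]
    retention = group.get("retentionInDays")  # key absent => events never expire
    if expected_retention is None:
        return "OK", f"{expected_name!r} exists (retention: {retention or 'never expire'})"
    if retention is None:
        return "NEVER_EXPIRE", f"{expected_name!r} exists but events never expire; expected {expected_retention} days"
    if retention != expected_retention:
        return "RETENTION_MISMATCH", f"{expected_name!r} retains {retention} days; expected {expected_retention}"
    return "OK", f"{expected_name!r} exists with {retention}-day retention"


def collect_log_groups(client, prefix):
    """Page through describe_log_groups on a live boto3 `logs` client (not run offline)."""
    groups = []
    paginator = client.get_paginator("describe_log_groups")
    for page in paginator.paginate(logGroupNamePrefix=prefix):
        groups.extend(page.get("logGroups", []))
    return groups


# Constructed sample responses, one per region, shaped like the CLI/boto3 output.
SAMPLE_RESPONSES = {
    "us-east-1": {"logGroups": [
        {"logGroupName": "web-tier", "retentionInDays": 7, "storedBytes": 1024, "creationTime": 1522195200000},
        {"logGroupName": "web-tier-staging", "storedBytes": 0, "creationTime": 1522195200000},
    ]},
    "us-west-2": {"logGroups": [
        # no retentionInDays => Never Expire
        {"logGroupName": "web-tier", "storedBytes": 2048, "creationTime": 1522195200000},
    ]},
    "eu-west-1": {"logGroups": [
        # prefix match only; the exact group does not exist here
        {"logGroupName": "web-tier-staging", "storedBytes": 0, "creationTime": 1522195200000},
    ]},
}


def audit_regions(responses, expected_name, expected_retention=None):
    """Evaluate every region's response; returns {region: (status, detail)}."""
    return {
        region: evaluate_log_groups(resp.get("logGroups", []), expected_name, expected_retention)
        for region, resp in responses.items()
    }


if __name__ == "__main__":
    findings = audit_regions(SAMPLE_RESPONSES, WEB_TIER_LOG_GROUP, WEB_TIER_RETENTION_DAYS)
    for region, (status, detail) in findings.items():
        print(f"{region:10} {status:18} {detail}")
```

Against a live account, build one client per region with boto3.client("logs", region_name=region), feed collect_log_groups(client, WEB_TIER_LOG_GROUP) into evaluate_log_groups, and treat anything other than OK as a finding for that region.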

Remediation / Resolution

To create a web-tier CloudWatch log group in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Web-Tier Cloudwatch Log Group In Use conformity rule settings and copy the name configured for your web-tier CloudWatch log group.

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs.

05 Click the Actions dropdown menu from the CloudWatch dashboard top menu and select Create log group option.

06 Within Create log group dialog box, paste the name of your web-tier CloudWatch log group copied at step no. 1 inside the Log Group Name box.

07 Click Create log group to create your new web-tier CloudWatch log group.

08 (Optional) If you have configured a retention period for your web-tier log group in the conformity rule settings, you can configure this feature as well for the new CloudWatch log group, by implementing the following actions:

  1. Choose the newly created AWS CloudWatch log group and within the Expire Events After column click the Never Expire link.
  2. Inside the Edit Retention dialog box, select the required log retention period (the value must match the retention period defined in the rule settings) from the Retention dropdown list, then click OK to apply the configuration changes.

09 If required, change the AWS region from the navigation bar and repeat steps no. 5 – 8 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Web-Tier Cloudwatch Log Group In Use conformity rule settings and copy the name configured for your web-tier CloudWatch log group.

02 Run create-log-group command (OSX/Linux/UNIX) to create your own web-tier CloudWatch log group. The following command example creates an AWS CloudWatch log group named "<web_tier_log_group>" within the US East (N. Virginia) region. Replace <web_tier_log_group> with the name of your own web-tier log group copied at the previous step (the command does not produce an output):

aws logs create-log-group \
	--region us-east-1 \
	--log-group-name <web_tier_log_group>

03 (Optional) If you have already configured a retention period for your web-tier log group in the conformity rule settings, run put-retention-policy command (OSX/Linux/UNIX) to set the required log retention period for the web-tier CloudWatch log group created at the previous step. Replace the --log-group-name and --retention-in-days parameter values with your own values; --retention-in-days accepts only the fixed set of values supported by CloudWatch Logs (e.g. 1, 3, 5, 7, 14, 30, 60, 90, 365 days) and must match the retention period defined in the rule settings (the command does not return an output):

aws logs put-retention-policy \
	--region us-east-1 \
	--log-group-name <web_tier_log_group> \
	--retention-in-days 7

04 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 and 3 for other regions.
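The two CLI steps above (create-log-group, then put-retention-policy) are not idempotent on their own: re-running create-log-group on an existing group fails with ResourceAlreadyExistsException, and put-retention-policy rewrites retention even when it already matches. The following added example (not Conformity's own code) wraps the same three CloudWatch Logs API calls in a re-runnable remediation: look up the exact group name, create it only if absent, and set retention only when it differs from the rule setting. The FakeLogsClient is a constructed in-memory stand-in for boto3's logs client so the flow runs offline; with a real client (boto3.client("logs", region_name=...)) the same function applies. The name "web-tier" and the 7-day retention are assumed values.

```python
"""Idempotently create the web-tier log group and align its retention with the rule."""


def find_log_group(client, name):
    """Return the log group whose name equals `name`, or None.

    describe_log_groups matches on prefix, so every page is scanned for an
    exact match rather than trusting that "any result" means the group exists.
    """
    kwargs = {"logGroupNamePrefix": name}
    while True:
        page = client.describe_log_groups(**kwargs)
        for group in page.get("logGroups", []):
            if group.get("logGroupName") == name:
                return group
        token = page.get("nextToken")
        if not token:
            return None
        kwargs["nextToken"] = token


def ensure_web_tier_log_group(client, name, retention_days=None):
    """Create `name` if missing and set its retention; returns the actions taken.

    Safe to re-run: an existing group is never recreated and retention is only
    changed when it differs from `retention_days` (None leaves retention alone).
    """
    actions = []
    group = find_log_group(client, name)
    if group is None:
        client.create_log_group(logGroupName=name)
        actions.append("created")
        group = {"logGroupName": name}  # a new group starts with no retention (Never Expire)
    if retention_days is not None and group.get("retentionInDays") != retention_days:
        client.put_retention_policy(logGroupName=name, retentionInDays=retention_days)
        actions.append(f"retention set to {retention_days} days")
    return actions


class FakeLogsClient:
    """Constructed in-memory stand-in for boto3's `logs` client (only the calls used above)."""

    def __init__(self, groups=None):
        self.groups = {g["logGroupName"]: dict(g) for g in (groups or [])}
        self.calls = []  # records which API calls were made, for inspection

    def describe_log_groups(self, logGroupNamePrefix="", **_):
        self.calls.append("describe_log_groups")
        matching = [dict(g) for n, g in sorted(self.groups.items()) if n.startswith(logGroupNamePrefix)]
        return {"logGroups": matching}

    def create_log_group(self, logGroupName):
        self.calls.append("create_log_group")
        if logGroupName in self.groups:
            raise RuntimeError("ResourceAlreadyExistsException")  # mirrors the real API's failure
        self.groups[logGroupName] = {"logGroupName": logGroupName}
        return {}

    def put_retention_policy(self, logGroupName, retentionInDays):
        self.calls.append("put_retention_policy")
        if logGroupName not in self.groups:
            raise RuntimeError("ResourceNotFoundException")
        self.groups[logGroupName]["retentionInDays"] = retentionInDays
        return {}


def demo():
    """Remediate a region that only has a prefix sibling, then re-run to show idempotence."""
    client = FakeLogsClient([{"logGroupName": "web-tier-staging"}])
    first = ensure_web_tier_log_group(client, "web-tier", 7)
    second = ensure_web_tier_log_group(client, "web-tier", 7)
    return first, second, client.groups["web-tier"]


if __name__ == "__main__":
    first, second, group = demo()
    print("first run: ", first)   # ['created', 'retention set to 7 days']
    print("second run:", second)  # []
    print("resulting group:", group)
```

When run against a real account, loop over the regions you operate in, call ensure_web_tier_log_group once per region, and log the returned actions; an empty list means that region already satisfied the rule.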


Publication date Mar 28, 2018
