App-Tier AWS CloudWatch Log Group

Risk Level: Medium (should be achieved)

Ensure there is an Amazon CloudWatch log group created for the app tier, available in your AWS account. A CloudWatch log group defines a collection of log streams that share the same retention, monitoring, and access control settings. This conformity rule assumes that the AWS CloudWatch log group created for your app tier is using the following naming convention: <app_tier_log_group>. Prior to running this rule by the Cloud Conformity engine, the name of the app-tier log group must be defined in the rule settings, on your Cloud Conformity account dashboard. The retention settings for the app-tier log group can be also configured within the conformity rule settings.

Security

Operational
excellence

Amazon CloudWatch Logs helps you to aggregate, monitor, and store logs. To send your system and/or application logs to AWS CloudWatch, log groups must be created. Separating the CloudWatch log group destinations on a per tier basis will allow unique settings to be applied on a per group basis for:

Retention of logs;
Access controls;
Export or stream of data to other AWS services such as S3 or Lambda for analysis and/or processing.

Note 1: Make sure that you replace all <app_tier_log_group> placeholders found in the conformity rule content with the name of your own log group created for the app tier.

Note 2: You can use third-party log management tools such as Splunk, Loggly, AlertLogic Log Manager and so on, as long as the recommendation goal is achieved. In this case, the steps outlined in the Audit and Remediation sections must be modified for the chosen log management tool.

Audit

To determine if an app-tier CloudWatch log group exists in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier Cloudwatch Log Group In Use conformity rule settings and copy the name defined for your app-tier CloudWatch log group (e.g. <app_tier_log_group>).

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs to access the log groups available in the current AWS region.

05 Paste the name of your app-tier CloudWatch log group, copied at step no. 1 (e.g. <app_tier_log_group>), into the Log Group Name Prefix search box and press Enter. If no results are found, there is no Amazon CloudWatch log group created for the app tier within the selected AWS region.

06 Change the AWS region from the navigation bar and repeat step no. 5 to check for app-tier CloudWatch log groups within other regions.

Using AWS CLI

02 Run describe-log-groups command (OSX/Linux/UNIX) using custom query filters to describe the metadata for the specified app-tier CloudWatch log group. Replace <app_tier_log_group> with the name of your own app-tier log group copied at the previous step:

aws logs describe-log-groups
	--region us-east-1
	--query "logGroups[?logGroupName == '<app_tier_log_group>']"

03 The command output should return the metadata for the specified app-tier CloudWatch log group (if applicable):

[]

If the describe-log-groups command output returns an empty array (i.e. []), as shown in the example above, there is no AWS CloudWatch log group provisioned for the app tier in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 to check for app-tier CloudWatch log groups in other regions.

Remediation / Resolution

To create an app-tier CloudWatch log group in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier Cloudwatch Log Group In Use rule settings and copy the name specified for your app-tier CloudWatch log group.

02 Sign in to the AWS Management Console.

03 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

04 In the left navigation panel, click Logs.

05 Click the Actions dropdown menu from the CloudWatch dashboard top menu and select Create log group option.

06 Within Create log group dialog box, paste the name of your app-tier CloudWatch log group copied at step no. 1 inside the Log Group Name box.

07 Click Create log group to create your new app-tier CloudWatch log group.

08 (Optional) If you have configured a retention period for your app-tier log group in the conformity rule settings, you can configure this feature as well for the new CloudWatch log group, by performing the following actions:

Choose the newly created AWS CloudWatch log group and within Expire Events After column click Never Expire link.
Inside Edit Retention dialog box, select the necessary log retention period (the value must match the retention period defined in the rule settings) from the Retention dropdown list, then click Ok to apply the configuration changes.

09 If required, change the AWS region from the navigation bar and repeat steps no. 5 – 8 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access App-Tier Cloudwatch Log Group In Use rule settings and copy the name specified for your app-tier CloudWatch log group.

02 Run create-log-group command (OSX/Linux/UNIX) to create your own app-tier CloudWatch log group. The following command example creates an AWS CloudWatch log group named "<app_tier_log_group>" within the US East (N. Virginia) region. Replace <app_tier_log_group> with the name of your own app-tier log group copied at the previous step (the command does not produce an output):

aws logs create-log-group
	--region us-east-1
	--log-group-name <app_tier_log_group>

03 (Optional) If you have already configured a retention period for your app-tier log group in the conformity rule settings, execute put-retention-policy command (OSX/Linux/UNIX) to set up the necessary log retention period for the app-tier CloudWatch log group, created at the previous step. Replace the --log-group-name and --retention-in-day parameters values with your own values (the command does not return an output):

aws logs put-retention-policy
	--log-group-name <app_tier_log_group>
	--retention-in-days 5

04 If required, change the AWS region by updating the --region command parameter value and repeat step no. 2 and 3 for other regions.

References

AWS Command Line Interface (CLI) Documentation
logs
describe-log-groups
create-log-group
put-retention-policy

Publication date Mar 28, 2018

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudWatchLogs rules