Ensure that an AWS CloudWatch log group for the web tier exists in your AWS account. A CloudWatch log group manages a collection of log streams that share the same retention, monitoring and access control settings. This conformity rule assumes that the CloudWatch log group created for your web tier follows the naming convention <web_tier_log_group>. Before the Cloud Conformity engine runs this rule, the name of the web-tier log group must be defined in the rule settings in your Cloud Conformity account. The retention settings for the web-tier log group can also be configured on the Cloud Conformity account dashboard.
The Amazon CloudWatch Logs service can be used to monitor, store and access logging data from EC2 instances, CloudTrail trails, Route 53 hosted zones and other AWS sources. To publish system and/or application logs to CloudWatch, you must create log groups. Separating the CloudWatch log group destinations per tier (the web tier in this case) allows unique settings to be applied to each group for:
- Retention of logs;
- Access controls;
- Export or stream of data to other AWS services such as S3 or Lambda for analysis and/or processing.
Note 1: Make sure that you replace all <web_tier_log_group> placeholders found in the conformity rule content with the name of your own log group created for the web tier.
Note 2: You can use third-party log management tools such as Splunk, Loggly, AlertLogic Log Manager, etc, as long as the recommendation goal is achieved. In this case, the steps outlined in the Audit and Remediation sections must be modified for the log management tool used.
To determine if a web-tier CloudWatch log group exists in your AWS account, perform the following:
Remediation / Resolution
To create a web-tier CloudWatch log group in your AWS account, perform the following actions:
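The audit step above (does a log group with exactly the configured name exist?) and the remediation step (create it and apply the required retention) as one added Python example. This is not Cloud Conformity's own rule logic, which the page does not show. The check reads every page of DescribeLogGroups, matches the group by exact name rather than by prefix, treats a missing retentionInDays as "never expire", and then creates the group and/or sets its retention when the check fails. The log group name /web-tier/app, the 90-day retention, and the FakeLogsClient stand-in (constructed so the example runs offline) are assumptions; against a real account pass boto3.client("logs") instead, which exposes the same three method names and response shapes.

```python
"""Audit and remediate a web-tier CloudWatch log group (added example)."""
from __future__ import annotations

from typing import Any, Optional

# Assumed values: use the name set in the rule settings and your own retention period.
WEB_TIER_LOG_GROUP = "/web-tier/app"
REQUIRED_RETENTION_DAYS = 90


def _all_log_groups(client, prefix: str) -> list[dict[str, Any]]:
    """Collect every page of DescribeLogGroups for a prefix (the API is paginated)."""
    groups: list[dict[str, Any]] = []
    kwargs: dict[str, Any] = {"logGroupNamePrefix": prefix}
    while True:
        page = client.describe_log_groups(**kwargs)
        groups.extend(page.get("logGroups", []))
        token = page.get("nextToken")
        if not token:
            return groups
        kwargs["nextToken"] = token


def audit_log_group(client, name: str, required_retention_days: int) -> dict[str, Any]:
    """Audit one log group by exact name.

    logGroupNamePrefix is a prefix match, so "/web-tier" also returns
    "/web-tier-staging"; only an exact logGroupName counts. A response entry
    without retentionInDays means the group's events never expire.
    """
    match = next((g for g in _all_log_groups(client, name) if g["logGroupName"] == name), None)
    if match is None:
        return {"exists": False, "retention_ok": False, "retention_in_days": None}
    retention = match.get("retentionInDays")  # absent -> never expire
    return {"exists": True, "retention_in_days": retention,
            "retention_ok": retention == required_retention_days}


def remediate_log_group(client, name: str, retention_days: int) -> list[str]:
    """Create the group and/or set retention when the audit fails; return actions taken."""
    result = audit_log_group(client, name, retention_days)
    actions: list[str] = []
    if not result["exists"]:
        client.create_log_group(logGroupName=name)
        actions.append("create_log_group")
    if not result["retention_ok"]:
        client.put_retention_policy(logGroupName=name, retentionInDays=retention_days)
        actions.append("put_retention_policy")
    return actions


class FakeLogsClient:
    """Constructed stand-in for boto3.client("logs") so the example runs offline.

    Implements only the three calls used above with the real response shapes.
    """

    def __init__(self, groups: dict[str, Optional[int]], page_size: int = 1):
        self.groups = dict(groups)  # name -> retentionInDays (None = never expire)
        self.page_size = page_size

    def describe_log_groups(self, logGroupNamePrefix: str = "", nextToken: Optional[str] = None):
        names = sorted(n for n in self.groups if n.startswith(logGroupNamePrefix))
        start = int(nextToken) if nextToken else 0
        body: dict[str, Any] = {"logGroups": []}
        for n in names[start:start + self.page_size]:
            entry: dict[str, Any] = {"logGroupName": n}
            if self.groups[n] is not None:
                entry["retentionInDays"] = self.groups[n]
            body["logGroups"].append(entry)
        if start + self.page_size < len(names):
            body["nextToken"] = str(start + self.page_size)
        return body

    def create_log_group(self, logGroupName: str) -> None:
        if logGroupName in self.groups:
            raise RuntimeError("ResourceAlreadyExistsException")
        self.groups[logGroupName] = None

    def put_retention_policy(self, logGroupName: str, retentionInDays: int) -> None:
        self.groups[logGroupName] = retentionInDays


def main() -> list[str]:
    # Constructed account: a prefix collision and an unrelated tier, but no web-tier group.
    client = FakeLogsClient({"/web-tier/app-staging": 14, "/api-tier/app": 30}, page_size=1)
    before = audit_log_group(client, WEB_TIER_LOG_GROUP, REQUIRED_RETENTION_DAYS)
    actions = remediate_log_group(client, WEB_TIER_LOG_GROUP, REQUIRED_RETENTION_DAYS)
    after = audit_log_group(client, WEB_TIER_LOG_GROUP, REQUIRED_RETENTION_DAYS)
    print("before:", before, "\nactions:", actions, "\nafter:", after)
    return actions


if __name__ == "__main__":
    main()
```

The same prefix caveat applies at the command line: `aws logs describe-log-groups --log-group-name-prefix <web_tier_log_group>` returns every group that starts with that string, so confirm the exact logGroupName in the output before concluding the web-tier group exists. The principal running the remediation needs logs:DescribeLogGroups, logs:CreateLogGroup and logs:PutRetentionPolicy on the target group.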
Web-Tier AWS CloudWatch Log Group
Risk level: Medium