Logging

Ensure CloudTrail is enabled in all regions

  1. Navigate to CloudTrail console
  2. Click on Create Trail
  3. Enter a Trail name and choose Yes for Apply trail to all regions
  4. Under Storage location, choose Yes to Create a new S3 bucket and give a unique name for S3 bucket
  5. Click on Advanced and choose Yes to Encrypt log files with KMS and Create a new KMS key. Give a KMS key name
  6. Choose Yes for Enable log file validation

Ensure CloudTrail trails are integrated with CloudWatch Logs

  1. In the CloudTrail console, click on Trails on the left panel
  2. Click on the Trail created in previous step
  3. Scroll down to find CloudWatch Logs and click on Configure
  4. Leave the default CloudTrail log group name and click on Continue
  5. You will be prompted to create a Role with which CloudTrail with put logs to CloudWatch. Click on Allow at the bottom,

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

  1. Navigate to S3 console
  2. Click on the CloudTrail bucket created previously
  3. Click on Properties tab
  4. Click on Server Access Logging
  5. Select Enabled
  6. Choose the bucket created during CloudTrail creation part as Target and enter a Target Prefix

Ensure VPC flow logging is enabled in all VPCs

Get VPC ID

Note down the VpcId

aws ec2 describe-vpcs

Create Log Group

aws logs create-log-group \
--log-group-name vpc-flow-logs

Create IAM Role

Policy to write to CloudWatch

Save to a file /tmp/vpc_cloudwatch_role.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vpc-flow-logs.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create role with Trust Policy document

aws iam create-role \
--role-name flowLogsRole \
--assume-role-policy-document file:///tmp/vpc_cloudwatch_role.json

Attach Role policy to role created

aws iam attach-role-policy \
--policy-arn 'arn:aws:iam::aws:policy/CloudWatchLogsFullAccess' \
--role-name flowLogsRole

Enable Flow logs

aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids <VPC_ID> \
--traffic-type REJECT \
--log-group-name vpc-flow-logs \
--deliver-logs-permission-arn <IAM_ROLE_ARN>

<VPC_ID> and <IAM_ROLE_ARN> should be substituted before running the previous command. The create command should be repeated for all VPCs