
I am struggling with detecting activities performed outside of a given region in CloudWatch. For example, if an InternetGateway is created in the same region as the CloudWatch Event (let's say eu-central-1), it is detected by CloudWatch; however, if it's somewhere else (let's say eu-west-1) it won't catch the event.

However, CloudTrail does capture the event in the given region (it is activated across regions), as I can see it in the event history of this particular region (let's say eu-west-1 again).

How can I get CloudWatch to act upon what is happening regardless of the region of creation?

  • Should I create the CloudWatch Event in each region, as well as the lambda function associated with the remediation?
  • Or is there a way to capture the logs of all regions and deal with them in a singular space?
Adrien Merlier
  • Seems like a bad idea to have a distributed deployment and then collate in one region for one function. Probably should proceed it per region in region. Unless you know what you're doing. – Kashyap Apr 25 '18 at 12:20
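The first option in the question (the same CloudWatch Events rule and remediation Lambda deployed in every region) can be worked through in code. The following is an added example, not code from the question or from any of the answers: it holds the rule pattern for the CloudTrail API call used as the question's example (CreateInternetGateway), a small offline matcher so the rule can be tested against a constructed event, the Lambda handler that extracts what a remediation step needs, and a deployment helper that creates the rule in each region. The rule name, the function name, the account id and the sample event are constructed; the deployment helper assumes boto3, credentials, and that a Lambda function of the given name already exists in each region (Lambda and CloudWatch Events are both regional, so a rule in eu-west-1 can only target a function in eu-west-1).

```python
import json

# Assumed rule name; any valid name works.
RULE_NAME = "detect-internet-gateway-creation"

# CloudWatch Events pattern for the CloudTrail API call used in the question.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["CreateInternetGateway"],
    },
}


def event_matches(pattern, event):
    """Minimal offline matcher for the pattern above: every key in the pattern
    must exist in the event, nested dicts recurse, and a leaf list means the
    event value must be one of the listed values. This is enough to test a
    simple rule locally; it is not the full CloudWatch Events pattern grammar."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict):
                return False
            if not event_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def handler(event, context=None):
    """Lambda target for the rule. Returns the fields a remediation step needs,
    or None when the event does not match (so a mis-wired rule cannot trigger
    remediation on an unrelated event)."""
    if not event_matches(EVENT_PATTERN, event):
        return None
    detail = event["detail"]
    response = detail.get("responseElements") or {}
    igw_id = response.get("internetGateway", {}).get("internetGatewayId")
    return {
        "region": event["region"],          # region of the event bus the rule lives in
        "awsRegion": detail["awsRegion"],   # region recorded by CloudTrail
        "account": event["account"],
        "principal": detail.get("userIdentity", {}).get("arn"),
        "internetGatewayId": igw_id,
    }


def deploy_rule_everywhere(function_name, account_id, regions=None):
    """Create the same rule in every region and point it at the Lambda function
    of the same name in that region. Needs boto3 and credentials. Returns the
    rule ARN per region. add_permission fails if the statement id already
    exists, so re-running on an already deployed region needs a different id."""
    import boto3  # imported here so the offline parts of this file run without it
    if regions is None:
        ec2 = boto3.client("ec2", region_name="us-east-1")
        regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    rule_arns = {}
    for region in regions:
        events = boto3.client("events", region_name=region)
        lam = boto3.client("lambda", region_name=region)
        target_arn = "arn:aws:lambda:%s:%s:function:%s" % (region, account_id, function_name)
        rule_arn = events.put_rule(
            Name=RULE_NAME, EventPattern=json.dumps(EVENT_PATTERN), State="ENABLED"
        )["RuleArn"]
        lam.add_permission(
            FunctionName=function_name, StatementId=RULE_NAME + "-invoke",
            Action="lambda:InvokeFunction", Principal="events.amazonaws.com",
            SourceArn=rule_arn,
        )
        events.put_targets(Rule=RULE_NAME, Targets=[{"Id": "remediation-lambda", "Arn": target_arn}])
        rule_arns[region] = rule_arn
    return rule_arns


# Constructed sample event (not a real capture): the envelope the eu-central-1
# rule would hand to its Lambda target for a CreateInternetGateway call.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2018-04-19T07:23:00Z",
    "region": "eu-central-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example"},
        "eventTime": "2018-04-19T07:23:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateInternetGateway",
        "awsRegion": "eu-central-1",
        "requestParameters": {},
        "responseElements": {"internetGateway": {"internetGatewayId": "igw-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Because the rule's event bus only receives events for its own region, the per-region deployment is what actually gets each region's CreateInternetGateway call in front of a Lambda; the handler itself is identical everywhere, which is why the region is read from the event rather than hard-coded.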

2 Answers


You should be able to get cross-region cloudtrail logs into a single bucket:

Receiving CloudTrail Log Files from Multiple Regions: You can configure CloudTrail to deliver log files from multiple regions to a single S3 bucket for a single account. For example, you have a trail in the US West (Oregon) Region that is configured to deliver log files to an S3 bucket, and a CloudWatch Logs log group. When you apply the trail to all regions, CloudTrail creates a new trail in all other regions. This trail has the original trail configuration. CloudTrail delivers log files to the same S3 bucket and CloudWatch Logs log group.

from: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html

E.J. Brennan
    My Trail bucket indeed receives all logs in a singular space. However, the CloudWatch event is not triggered when something happens outside of its region. Should I create the same CloudWatch event across regions to cover my whole subscription? – Adrien Merlier Apr 19 '18 at 07:23
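The answer above gets every region's log files into one bucket, which is the "singular space" the second option in the question asks about. What still has to be built is something that reads those files. The following is an added example and not code from the answer or the comment: a Lambda function triggered by S3 object creation in the consolidated bucket that reads each CloudTrail log file (a gzipped JSON document with a top-level Records list), picks out the API calls worth acting on, and tags each finding with both the region from the object key and the region recorded in the record itself. The watched event names, the account id and the sample log file are constructed; the object-key layout and file naming follow CloudTrail's documented defaults.

```python
import gzip
import json
import re
from urllib.parse import unquote_plus

# Assumed list of API calls to act on; extend as needed.
WATCHED_EVENTS = {"CreateInternetGateway", "AttachInternetGateway"}

# Default CloudTrail key layout in the bucket. The region segment is the
# region the file was written for, regardless of where the bucket lives.
KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/\d{4}/\d{2}/\d{2}/"
)


def region_from_key(key):
    """Region segment of a CloudTrail object key, or None for other objects
    (e.g. digest files or unrelated uploads to the same bucket)."""
    m = KEY_RE.match(key)
    return m.group("region") if m else None


def parse_log_file(gz_bytes):
    """Decompress a CloudTrail log file and return its Records list."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def findings(key, gz_bytes, watched=WATCHED_EVENTS):
    """One finding per watched API call in the file."""
    out = []
    for rec in parse_log_file(gz_bytes):
        if rec.get("eventName") not in watched:
            continue
        out.append({
            "key_region": region_from_key(key),
            "awsRegion": rec.get("awsRegion"),
            "eventName": rec["eventName"],
            "eventTime": rec.get("eventTime"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "eventID": rec.get("eventID"),
        })
    return out


def lambda_handler(event, context=None):
    """S3 object-created trigger. Keys in S3 notifications are URL-encoded,
    hence unquote_plus. boto3 is imported lazily so the rest of the file runs
    offline; the function needs s3:GetObject on the bucket."""
    import boto3
    s3 = boto3.client("s3")
    results = []
    for rec in event["Records"]:
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])
        if region_from_key(key) is None:
            continue
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        results.extend(findings(key, body))
    return results


# Constructed sample: a log file for eu-west-1 landing in the single bucket.
SAMPLE_KEY = ("AWSLogs/123456789012/CloudTrail/eu-west-1/2018/04/19/"
              "123456789012_CloudTrail_eu-west-1_20180419T0720Z_example.json.gz")
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.05", "eventTime": "2018-04-19T07:19:12Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "CreateInternetGateway",
     "awsRegion": "eu-west-1", "eventID": "11111111-1111-1111-1111-111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example"}},
    {"eventVersion": "1.05", "eventTime": "2018-04-19T07:19:30Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "eventID": "22222222-2222-2222-2222-222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example"}},
]}
SAMPLE_GZ = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())

if __name__ == "__main__":
    for f in findings(SAMPLE_KEY, SAMPLE_GZ):
        print(f)
```

The trade-off relative to a per-region CloudWatch Events rule is latency: files land in the bucket in batches, so this path sees a CreateInternetGateway call minutes later than an event rule in the same region would, but it sees every region from one place.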

I have a similar problem with CloudTrail going to CloudWatch Logs. I wanted to receive CloudTrail events for both eu-west-1 and global events for Route 53 (which seem to come from us-east-1) into a CloudWatch Logs stream so I could add some further monitoring and alerting of our AWS account.

The documentation for this at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html is quite good and easy to follow, and even mentions:

Note

A trail that applies to all regions sends log files from all regions to the CloudWatch Logs log group that you specify.

However, I could not get this to work. I also tried making the log delivery IAM policy more permissive - the default policy includes the region name in the stream name and I thought this might change for logs from other regions - but this didn't help. Ultimately I could not get anything from outside eu-west-1 to be delivered to CloudWatch Logs, even though events were correctly appearing in the S3 bucket.

I ended up working around this by creating a second duplicate trail in us-east-1 and delivering logs for that region to CloudWatch Logs also in that region.

Dave Long