1

I am working on a project to centralize our AWS security logs. The issue that we are running into is that we have just enabled organization-level logging. Previously, we applied our security Terraform to each individual AWS account. Now we are following this practice. The problem with this situation is that we have multiple accounts with multiple S3 buckets, multiple CloudWatch logs, multiple CloudWatch alerts. It would be easier to centralize all of these into one single "security"/"organization" account.

Does it make sense to create a single AWS account just for logging? If so, would it make sense to create security groups (Security Admin) and security roles (ops-sec-role)? For example, we could add security users (sec-op-1) to the group so that they can assume a role into the security account. The reason is to follow the philosophy of separation of roles.

I am looking into potential solutions with CloudFormation, but it would be preferable to implement this with Terraform.

Has this been done before?

Evan Gertis
  • Maybe it has been done, but with CloudFormation it's much easier. CloudFormation has StackSets, which are specifically designed for handling multiple accounts and regions. Terraform does not have such a thing. – Marcin Oct 12 '21 at 20:55

2 Answers

1

Yes, it absolutely makes sense to have a centralized logging account. If you are rolling this out across an organization, I would recommend that this would actually be the perfect time to use CloudFormation StackSets.

  1. Define a stack set in the main Organization account which will create your logging infra for each account and how it forwards to the central account (IAM roles, CloudTrail logs, bucket replication, etc.).
  2. Apply this stack set to your whole organization. This will automatically create a stack instance in each sub-account. Any new accounts added later will also have this stack automatically created.
  3. Use Organization Service Control Policies to stop anyone from modifying the logging infra within the sub-accounts.

You could do the same kind of thing in Terraform but you will have to write your own automation to apply it to many accounts and also have to remember or automate running for new organization accounts. I usually prefer Terraform for IaC but this is one of the few cases where CloudFormation really shines. A hybrid approach could also work, using CloudFormation for the standard things like CloudTrail and IAM and custom Terraform for accounts with their own specific requirements.

You may also want to take a look at the AWS Control Tower service which can automate some of this for you along with applying some other security best practices.

Source: I am a certified AWS Solutions Architect Professional and DevOps Engineer Professional.

George Richardson
  • Do the sub-account trails feed into the Organization master trail? If so, would I just create a master trail in the organization account, then an S3 bucket, then capture all of the sub-account logs in the organization account CloudTrail? – Evan Gertis Oct 15 '21 at 19:36
-1

Did you people try the Control Tower service of AWS? It creates for you 1 audit and logging account under a Security OU and also sets up SNS, Lambda, Config, S3, etc. to achieve this logging aggregation and auditing. It also creates roles and gives you control to manage users from the administrator account, and also configures an Active Directory for managing users. The Control Tower service is as per the best standards for managing multiple accounts within the organisation, i.e. as per the Well-Architected Framework practices. It provides you a Sandbox OU wherein you can have your prod, dev accounts, etc. It does centralised logging and auditing for you. But you have to pay for the services it spins up. If you write your own Lambdas, Config APIs, SNS, etc. to aggregate things, you can think of this service. You can also configure Guardrails like notify if someone deletes an S3 bucket, etc., or preventive Guardrails like prevent anyone from deleting a bucket from the prod env. So overall, it eases our work a lot. You can manage all users from one admin account, plus many services like transit gateways and Route 53 rules can be shared across the accounts.

Otherwise, you can create a CloudFormation stack as well and spin it up as per your needs.

Payal Bansal