5.8 Ensure an agent for AWS Cloudwatch Logs is installed within Auto-Scaling Group for Web-Tier

Information

You can use CloudWatch Logs to monitor, store and access log files from an Amazon EC2 instance (application or system data).

With CloudWatch Logs, you can monitor your logs, in near real-time, for specific phrases, values or patterns (metrics). For example, you could set an alarm on the number of errors that occur in your system logs or view graphs of web request latency from your application logs. Log data can be stored and accessed for as long as you need using highly durable, low-cost storage so you don't have to worry about filling up hard drives.

A Cloudwatch agent needs to run within the Guest Operating System of each EC2 instance you wish to ship logs from.

Note:

* You can also use any third party log management tools (like Splunk, Loggly, AlertLogic Log Manager, etc.) as long as the recommendation goal is achieved.
* The below Audit and Remediation steps need to be modified for your specific log management tool, as they are provided in the benchmark only for Amazon Cloudwatch.

This allows for centralized logging, monitoring and incident reporting of both system-level events and application-level events within EC2 instances.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Using the Amazon unified command line interface:

* Create a sample agent configuration file for Amazon Linux and save it as a text file (for example, awslogs.cfg) either on the AMI's filesystem, in a publicly accessible http/https location, or an Amazon S3 location (for example, s3://<s3_bucket_name>/<cloudwatch_agent_config_file>):

[general]
state_file = /var/awslogs/state/agent-state

[/var/log/messages]
file = /var/log/messages
log_group_name = /var/log/messages
log_stream_name = {instance_id}
datetime_format = %b %d %H:%M:%S

* Create a new Web tier Autoscaling Launch Configuration with UserData populated for installing Cloudwatch Logs agent:

* Create and save locally a file containing the UserData, for example /tmp/UserData.txt:

#!/bin/bash
curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
chmod +x ./awslogs-agent-setup.py
./awslogs-agent-setup.py -n -r us-east-1 -c s3://<s3_bucket_name>/<cloudwatch_agent_config_file>

* NOTE: You can install the CloudWatch Logs agent by specifying the us-east-1, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-southeast-1, ap-southeast-2, ap-northeast-1, or sa-east-1 regions.

aws autoscaling create-launch-configuration --launch-configuration-name <web_tier_launch_config> --image-id <web_tier_ami> --key-name <your_key_pair> --security-groups <web_tier_security_group> --instance-type <desired_instance_type> --iam-instance-profile <web_tier_instance_profile> --user-data file:///tmp/UserData.txt
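One way to audit the remediation above, as an added example that is not part of the benchmark or of the Nessus plugin: decode the UserData of each launch configuration (as returned by `aws autoscaling describe-launch-configurations`, where it is base64) and check that it runs awslogs-agent-setup.py non-interactively with a region and a config location. The launch configuration names, bucket and config path are constructed placeholders; the sample output is embedded so the check runs offline.

```python
import base64
import json
import shlex

# Constructed sample shaped like `aws autoscaling describe-launch-configurations` output:
# agent installed as the benchmark shows, setup run without -c, unrelated UserData, no UserData.
AGENT_USERDATA = """#!/bin/bash
curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
chmod +x ./awslogs-agent-setup.py
./awslogs-agent-setup.py -n -r us-east-1 -c s3://example-bucket/awslogs.cfg
"""
NO_CONFIG_USERDATA = "#!/bin/bash\n./awslogs-agent-setup.py -n -r us-east-1\n"
PLAIN_USERDATA = "#!/bin/bash\nyum install -y httpd\n"

def _b64(script):  # the API returns UserData base64-encoded
    return base64.b64encode(script.encode()).decode()

SAMPLE_OUTPUT = json.dumps({"LaunchConfigurations": [
    {"LaunchConfigurationName": "web-tier-lc-v2", "UserData": _b64(AGENT_USERDATA)},
    {"LaunchConfigurationName": "web-tier-lc-noconfig", "UserData": _b64(NO_CONFIG_USERDATA)},
    {"LaunchConfigurationName": "web-tier-lc-v1", "UserData": _b64(PLAIN_USERDATA)},
    {"LaunchConfigurationName": "web-tier-lc-empty"}]})

def audit_user_data(user_data_b64):
    """Findings for one launch configuration's UserData; an empty list means compliant."""
    if not user_data_b64:
        return ["no UserData: agent is not installed at launch"]
    script = base64.b64decode(user_data_b64).decode("utf-8", "replace")
    for line in script.splitlines():
        try:
            tokens = shlex.split(line, comments=True)  # shebang and comment lines drop out
        except ValueError:
            continue  # unbalanced quotes: not the installer invocation we look for
        # skip the download and chmod lines; we want the line that runs the installer
        if not tokens or tokens[0] in ("curl", "wget", "chmod"):
            continue
        if not any(t.endswith("awslogs-agent-setup.py") for t in tokens):
            continue
        findings = []
        if "-n" not in tokens:
            findings.append("setup not run non-interactively (-n missing)")
        for flag, what in (("-r", "region"), ("-c", "agent config location")):
            if flag not in tokens or tokens.index(flag) + 1 >= len(tokens):
                findings.append(f"{what} not given ({flag} missing)")
        return findings
    return ["UserData never runs awslogs-agent-setup.py"]

def audit_launch_configurations(describe_output_json):
    """Map each launch configuration name to its findings."""
    lcs = json.loads(describe_output_json)["LaunchConfigurations"]
    return {lc["LaunchConfigurationName"]: audit_user_data(lc.get("UserData")) for lc in lcs}
```

Feed the real command's JSON output to `audit_launch_configurations` and treat any launch configuration with a non-empty finding list as failing the control; adapt the token checks if you use a third-party agent instead.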

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2d.

Plugin: amazon_aws

Control ID: 2edd4255e3a7cedeca1dd5b87d9b8ea814dd20111d83d02ca5ffd7bbba16041a