AWS Open Source Blog

Introducing Assisted Log Enabler for AWS

Logging information is important for troubleshooting issues and analyzing performance, and when Amazon Web Services (AWS) customers do not have logging turned on, the ability to assist them becomes limited, to the point that performing analysis may be impossible. In some cases, customers may not have the technical expertise needed to set up logging properly for the various AWS services.

Assisted Log Enabler for AWS is an open source tool designed to ease the customer burden of learning how to turn on logs in the middle of a security incident. Assisted Log Enabler for AWS performs the work of creating an Amazon Simple Storage Service (Amazon S3) bucket, checking the services to see whether logging is turned on, and activating logging if it is turned off.

When this work is performed, customers can be assured that logging within their AWS environment is active to facilitate the investigation of future (and possibly ongoing) security incidents. In this article, we’ll explain how Assisted Log Enabler works and provide step-by-step instructions for setup and use.

The following diagram shows how Assisted Log Enabler works in a single account to turn on logging for customers.

[Diagram: Assisted Log Enabler Workflow]

Workflow details

Here are the details of what happens within the Assisted Log Enabler workflow. An Amazon S3 bucket is first created within the customer’s account, and then a Lifecycle policy is created for the bucket, with the following parameters:

  • Converts files to Intelligent-Tiering storage after 90 days
  • Deletes files after 365 days

Next, Block Public Access is explicitly set to On for the S3 bucket created, and Amazon Virtual Private Clouds (Amazon VPCs) are checked to see whether the Amazon VPC Flow Logs feature is turned on or off. For Amazon VPCs that have no flow logs, flow logs are turned on and sent to the bucket created. (Amazon VPC Flow Logs version 2, 3, 4, and 5 fields are all enabled.)

The AWS CloudTrail service is then checked to see that at least one CloudTrail is configured. If no trail is configured, one is created and configured to log to the bucket created (single account only). Additionally, if Amazon Elastic Kubernetes Service (Amazon EKS) clusters exist, then audit and authenticator logs are turned on. Amazon EKS audit and authenticator logs are sent to CloudWatch Log Groups.

Finally, Amazon VPCs are checked to see whether Amazon Route 53 Resolver Query Logging is enabled. An Amazon Route 53 Resolver Query Logging Configuration is created, and any Amazon VPCs that are not configured for DNS query logging will be added to the created configuration.
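The workflow above, as an added illustration that is not the project's own code: it builds the lifecycle rule (Intelligent-Tiering at 90 days, deletion at 365), the Block Public Access configuration, the VPC Flow Logs gap check with a custom format carrying the version 2 to 5 fields, and the CloudTrail presence check. The bucket name and the duck-typed `s3`, `ec2` and `cloudtrail` client objects are assumptions; real boto3 clients expose the same methods, and the helpers are written against the API response shapes so they can be exercised with constructed fakes.

```python
"""Added model of the Assisted Log Enabler workflow (not the project's code).
Every function takes a client object with boto3-style methods so it runs
against real boto3 clients or against constructed fakes."""

# Constructed example bucket name; the real tool derives its own.
EXAMPLE_BUCKET = "example-log-bucket-123456789012"

# VPC Flow Logs custom format: version 2 fields first, then the 3, 4 and 5 additions.
FLOW_LOG_FORMAT = " ".join(
    "${%s}" % f for f in [
        "version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
        "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log-status",
        "vpc-id", "subnet-id", "instance-id", "tcp-flags", "type", "pkt-srcaddr", "pkt-dstaddr",
        "region", "az-id", "sublocation-type", "sublocation-id",
        "pkt-src-aws-service", "pkt-dst-aws-service", "flow-direction", "traffic-path",
    ]
)


def lifecycle_configuration():
    """Lifecycle rule from the text: Intelligent-Tiering after 90 days, expire after 365."""
    return {
        "Rules": [{
            "ID": "assisted-log-enabler-retention",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "Transitions": [{"Days": 90, "StorageClass": "INTELLIGENT_TIERING"}],
            "Expiration": {"Days": 365},
        }]
    }


def public_access_block():
    """All four Block Public Access settings explicitly on."""
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


def prepare_bucket(s3, bucket, region):
    """Create the log bucket, attach the lifecycle policy, then block public access."""
    kwargs = {"Bucket": bucket}
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**kwargs)
    s3.put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=lifecycle_configuration())
    s3.put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=public_access_block())


def vpcs_without_flow_logs(ec2):
    """VPC IDs that have no flow log pointed at them: the gap the tool closes."""
    vpc_ids = {v["VpcId"] for v in ec2.describe_vpcs()["Vpcs"]}
    covered = {fl["ResourceId"] for fl in ec2.describe_flow_logs()["FlowLogs"]}
    return sorted(vpc_ids - covered)


def enable_flow_logs(ec2, vpc_ids, bucket):
    """Send ALL traffic for the uncovered VPCs to the bucket with the full field set."""
    if not vpc_ids:
        return None
    return ec2.create_flow_logs(
        ResourceIds=vpc_ids,
        ResourceType="VPC",
        TrafficType="ALL",
        LogDestinationType="s3",
        LogDestination=f"arn:aws:s3:::{bucket}",
        LogFormat=FLOW_LOG_FORMAT,
    )


def has_cloudtrail(cloudtrail):
    """True when at least one trail exists; otherwise the tool creates one."""
    return len(cloudtrail.describe_trails()["trailList"]) > 0


if __name__ == "__main__":
    import boto3  # only needed when run for real against an account

    region = "us-east-1"
    s3, ec2, ct = (boto3.client(n, region_name=region) for n in ("s3", "ec2", "cloudtrail"))
    prepare_bucket(s3, EXAMPLE_BUCKET, region)
    gaps = vpcs_without_flow_logs(ec2)
    print("VPCs without flow logs:", gaps)
    enable_flow_logs(ec2, gaps, EXAMPLE_BUCKET)
    print("CloudTrail present:", has_cloudtrail(ct))
```

The `create_flow_logs` call needs a bucket policy that lets the `delivery.logs.amazonaws.com` service principal write to the bucket, which is why the permission list later in the article includes `s3:PutBucketPolicy`; the flow-log gap check matches on `ResourceId`, so a flow log attached only to a subnet or network interface does not count as VPC coverage.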

Running Assisted Log Enabler

The code in its current form can be run inside the following:

Permissions

The following permissions are needed within AWS Identity and Access Management (IAM) in order for Assisted Log Enabler to run:

""ec2:DescribeVpcs",
"ec2:DescribeFlowLogs",
"ec2:CreateFlowLogs",
"logs:CreateLogDelivery",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:PutLifecycleConfiguration",
"s3:PutObject",
"s3:CreateBucket",
"cloudtrail:StartLogging",
"cloudtrail:CreateTrail",
"cloudtrail:DescribeTrails",
"eks:UpdateClusterConfig",
"eks:ListClusters",
"route53resolver:ListResolverQueryLogConfigAssociations",
"route53resolver:CreateResolverQueryLogConfig",
"route53resolver:AssociateResolverQueryLogConfig",
"iam:CreateServiceLinkRole" # This is used to create the AWSServiceRoleForRoute53 Resolver, which is used for creating the Amazon Route 53 Query Logging Configurations.

Additionally, when running Assisted Log Enabler from within an AWS Lambda function, the function will need the AWSLambdaBasicExecutionRole to run successfully. More details can be found in the AWS Lambda execution role documentation.

Step-by-step instructions

To run Assisted Log Enabler in AWS CloudShell (in single account mode):

  1. Log into the AWS Management Console of the account in which you want to run the Assisted Log Enabler and ensure that the principal being used to log into the console has the permissions stated above.
  2. Click on the icon for AWS CloudShell next to the search bar and ensure that you’re in a region where AWS CloudShell is currently available.
  3. Once the session begins, download Assisted Log Enabler within the AWS CloudShell session:
    git clone https://github.com/awslabs/assisted-log-enabler-for-aws.git
  4. Unzip the file, and change the directory to the unzipped folder:
    unzip assisted-log-enabler-for-aws-main.zip
    cd assisted-log-enabler-for-aws-main
  5. Run the following command to run the Assisted Log Enabler in single account mode:
    python3 assisted_log_enabler.py --single_account

A log file containing the detailed output of actions will be placed in the root directory of the Assisted Log Enabler tool.

Conclusion

In this article, we’ve shown how to use Assisted Log Enabler for AWS to ensure logging is turned on within an AWS environment. The project is licensed under the Apache-2.0 License, and you can find more information about its use as well as how to contribute on GitHub.

Joshua McKiddy

Joshua McKiddy is an AWS Security Consultant, specializing in Threat Detection & Incident Response. He helps customers who are working to improve their incident response mechanisms to handle threats to their AWS environments. In his spare time, he learns about and practices offensive security tactics, as well as going to Vegas Golden Knights hockey games. You can find Joshua on Twitter at @jdubm31.