Configuring Auditor Access to View AWS Event Logs - Best Practices

How to Configure Access for an Auditor to View Event Logs from Multiple AWS Accounts

Question

An auditor needs access to logs that record all API events on AWS.

The auditor only needs read-only access to the log files and does not need access to each AWS account.

The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts.

Which of the following options is the best way to configure access for the auditor to view event logs from all accounts?

Answers

A. Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.

B. Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.

C. Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.

D. Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS S3 bucket in the primary account. Create an IAM user for the auditor with an IAM policy to S3 read-only access for only the bucket which stores the CloudTrail logs in the primary account.

Explanations

Answer: D.

Option A is incorrect since, as a best practice, the auditor should be granted access to only one AWS account (the primary account).

Option B is incorrect since consolidated billing would not help aggregate and transfer logs from all the other accounts to the primary account.

Option C is incorrect since there is no such option to consolidate logging inside of CloudTrail.

Option D is CORRECT because it follows the principle of least privilege: the auditor is granted access to the minimum set of AWS resources needed, and nothing more.

We can configure CloudTrail in all the accounts to deliver their logs into one single S3 bucket under one AWS account (the primary account).

We can then set up an IAM user for the auditor and attach an IAM policy that grants read-only access to that S3 bucket only.

For more information on CloudTrail, kindly refer to the following URL:

https://aws.amazon.com/cloudtrail/

A detailed explanation of each answer option follows, to show why option D is the best way to configure access for the auditor to view event logs from all accounts.

Option A: Configure the CloudTrail service in each AWS account, and have the logs delivered to an AWS bucket on each account, while granting the auditor permissions to the bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.

This option involves setting up CloudTrail in each AWS account and delivering the logs to an S3 bucket in each account. The auditor is then granted permissions to access the S3 bucket via roles in the secondary accounts and a single primary IAM account that can assume a read-only role in the secondary AWS accounts.

This option provides granular control over access to the log files for each AWS account. The auditor only has read-only access to the specific S3 bucket containing the logs and cannot access any other resources in the account. However, this approach can be complex to set up and manage, especially if there are many AWS accounts to configure.

Option B: Configure the CloudTrail service in the primary AWS account and configure consolidated billing for all the secondary accounts. Then grant the auditor access to the S3 bucket that receives the CloudTrail log files.

This option involves configuring CloudTrail in the primary AWS account and enabling consolidated billing for all the secondary accounts. The logs are delivered to an S3 bucket in the primary account. The auditor is then granted access to the S3 bucket containing the log files.

This option provides a centralized location for all the log files, making it easier to manage and access them. The auditor can access all the log files from a single location without having to navigate multiple AWS accounts. However, this approach provides access to all the resources in the primary AWS account, which may not be necessary or desirable.

Option C: Configure the CloudTrail service in each AWS account and enable consolidated logging inside of CloudTrail.

This option involves setting up CloudTrail in each AWS account and enabling consolidated logging inside of CloudTrail. The logs are then delivered to a single S3 bucket. The auditor is then granted access to the S3 bucket containing the log files.

This option provides a centralized location for all the log files, making it easier to manage and access them. The auditor can access all the log files from a single location without having to navigate multiple AWS accounts. However, this approach provides access to all the resources in the S3 bucket, which may not be necessary or desirable.

Option D: Configure the CloudTrail service in each AWS account and have the logs delivered to a single AWS S3 bucket in the primary account. Create an IAM user for the auditor with an IAM policy to S3 read-only access for only the bucket which stores the CloudTrail logs in the primary account.

This option involves setting up CloudTrail in each AWS account and delivering the logs to a single S3 bucket in the primary account. An IAM user is created for the auditor with a policy granting read-only access to the S3 bucket containing the log files.

This option provides a centralized location for all the log files, making it easier to manage and access them. The auditor can access all the log files from a single location without having to navigate multiple AWS accounts. Additionally, the policy limits access to only the specific S3 bucket containing the log files, providing granular control over access to the log files.

Based on the above explanations, option D appears to be the best way to configure access for the auditor to view event logs from all accounts. It provides a centralized location for all the log files and granular control over access to the specific S3 bucket containing the log files.
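The two policy documents that option D relies on (described in the "Option D is CORRECT" explanation and again under "Option D" above) are the S3 bucket policy in the primary account that lets the CloudTrail service write each member account's logs into the shared bucket, and the auditor's IAM policy that allows only read access to that bucket. The following Python is an added example, not code from the original page: it builds both documents for a list of accounts and runs a small least-privilege check over the auditor policy. The account IDs and bucket name are constructed placeholders; the statement shapes (the `s3:GetBucketAcl` check and `s3:PutObject` under `AWSLogs/<account-id>/` with the `bucket-owner-full-control` ACL condition) are the ones CloudTrail requires for a bucket it delivers to.

```python
"""Added example (not from the original page): build the bucket policy and
the auditor read-only policy that option D requires, then check the auditor
policy for least privilege."""
import json

# Constructed sample values, not real account IDs or a real bucket
PRIMARY_ACCOUNT = "111111111111"
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]
LOG_BUCKET = "example-org-cloudtrail-logs"

# S3 actions an auditor legitimately needs to list and read log files
READ_ONLY_S3_ACTIONS = {
    "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketVersions",
    "s3:GetObject", "s3:GetObjectVersion",
}


def cloudtrail_bucket_policy(bucket, account_ids):
    """Bucket policy (attached in the primary account) letting the CloudTrail
    service deliver logs from every listed account into its own
    AWSLogs/<account-id>/ prefix. The ACL check plus PutObject with the
    bucket-owner-full-control condition are what CloudTrail requires."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # One prefix per account keeps each account's logs separated
                "Resource": [f"{bucket_arn}/AWSLogs/{acct}/*" for acct in account_ids],
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def auditor_readonly_policy(bucket):
    """IAM identity policy for the auditor's IAM user: list the log bucket and
    read objects under the CloudTrail prefix, nothing else."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListLogBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": bucket_arn,
            },
            {
                "Sid": "ReadLogObjects",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"{bucket_arn}/AWSLogs/*",
            },
        ],
    }


def policy_violations(policy, bucket):
    """Least-privilege check: every Allow statement may use only read-only S3
    actions and only resources inside the given bucket. Returns a list of
    findings; an empty list means the policy passes."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:  # "s3:*" and any write action are rejected
            if action not in READ_ONLY_S3_ACTIONS:
                findings.append(f"{sid}: non-read-only action {action}")
        for res in resources:  # "*" or another bucket is rejected
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource outside log bucket {res}")
    return findings


if __name__ == "__main__":
    all_accounts = [PRIMARY_ACCOUNT] + MEMBER_ACCOUNTS
    print(json.dumps(cloudtrail_bucket_policy(LOG_BUCKET, all_accounts), indent=2))
    auditor = auditor_readonly_policy(LOG_BUCKET)
    print(json.dumps(auditor, indent=2))
    print("auditor policy findings:", policy_violations(auditor, LOG_BUCKET))
    # The over-broad grant option D is meant to avoid gets flagged
    broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print("broad policy findings:", policy_violations(broad, LOG_BUCKET))
```

Each member account's trail is then pointed at the primary account's bucket, and the auditor's IAM user carries only the second policy. Two practical caveats: if the trail encrypts log files with SSE-KMS, the auditor additionally needs `kms:Decrypt` on that key (deliberately not granted here), and AWS's current CloudTrail bucket-policy guidance adds an `aws:SourceArn` condition naming the trail so that only the intended trails can write to the bucket.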