CloudWatch Log Streams: A log stream is a sequence of log events that share the same source. Each separate source of logs into CloudWatch Logs makes up a separate log stream.
CloudWatch Log Groups: A log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
This project is a Ansible Deployment contains scripts that are integrated with OS Hardening scripts. For creating any automation of Default Log Group and Log Streams:
- A common by-default log has been implemented in the code.
- Automation of the Log Stream has been implemented in the code.
Whenever, any OS EC2 Linux Distros is provisioned, the CW Log Group and Streams are created automatically removing the headache of creating any logStream or logGroup.
1. Python Script.
2. Ansible Module (defaults, files, handlers, mets, README.md, tasks, templates, tests, vars).
3. Defaults directory contains all the path of the scripts, where it should be placed and acts as a variable.
4. Files contains python scripts for creating CW Log Groups and Log Streams.
5. Tasks contains all the required code for pacing the files in the respective directory of Slaves EC2 machine and cron setup to execute the script at startup.
6. It will be executed in the "root"
1) Python-3+ should be installed
2) PIP should be installed (sudo easy_install pip)
3) Boto3 package should be installed (pip install boto3)
4) Requests package should be installed (pip install requests)
No Remote State Fetch is required as of now.
This platform requires Ansible. You will need to execute changes(if any) from Master VM. The access to it will be available to @Amey Erande[AMEY.ERANDE@t-systems.com] and other contact person.
ansible 2.4
After cloning
ansible-playbook <root yml file>.yml --ask-become-pass
Once you execute the script, you should be able to get the module copied to the slave instances at the specified directory. Also note that the script should get executed without any failures, which will specify that the Ansible script is executed successfully.
The S3 bucket should be created in advance. Your underlying IAM policy snhould allow TF to have RW access to the Bucket.
terraform {
required_version = "~> 0.12"
backend "s3" {
encrypt = true
}
}
bucket = "terraform-governance"
key = "terraform_aws_inspector/terraform_aws_inspector.tfstate"
encrypt = true
region = "eu-central-1"
- Environments - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/environments
- File - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/file
- File SNS - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/file_sns
- Inspector - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/inspector
- Lambda - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/lambda
- Packages - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/packages
- SNS - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/sns
- SNS Lambda - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/snslambda
- SNS Packages - https://gitlab.dol.telekom.de/mcsmco/governance/terraform-aws-inspector/tree/master/snspackages
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_cloudwatch_event_rule | AWS Lambda = AWS Lambda CW Eventrule | string | n/a | yes |
| aws_inspector_assessment_target_name | AWS Inspector - Assessment Target Name | string | n/a | yes |
| aws_inspector_assessment_template_name | AWS Inspector - Assessment Template Name | string | n/a | yes |
| aws_inspector_aws_cw_event_rule | AWS Inspector - Assessment IAM Event rule | string | n/a | yes |
| aws_inspector_aws_iam_event_policy | AWS Inspector - Assessment IAM Event policy | string | n/a | yes |
| aws_inspector_aws_iam_event_role | AWS Inspector - Assessment IAM Event Role | string | n/a | yes |
| aws_inspector_resource_group_security_tags | AWS Inspector - tags | string | n/a | yes |
| aws_inspector_resource_group_ssm_tags | AWS Inspector - tags | string | n/a | yes |
| aws_lambda_archive_file_type | AWS Lambda File- AWS Lambda Archive file type | string | n/a | yes |
| aws_lambda_filename | AWS Lambda File - AWS Lambda fileName | string | n/a | yes |
| aws_lambda_function_aws_iam_role | AWS Lambda - AWS Lambda Output path | string | n/a | yes |
| aws_lambda_function_handler_name | AWS Lambda - AWS Lambda function Handler name | string | n/a | yes |
| aws_lambda_function_name | AWS Lambda - AWS Lambda Function Name | string | n/a | yes |
| aws_lambda_function_run_time | AWS Lambda - AWS Lambda Runtime(Python, NodeJs, etc..) | string | n/a | yes |
| aws_lambda_output_path | AWS Lambda File - AWS Lambda Output path | string | n/a | yes |
| aws_lambda_source_directory | AWS Lambda File - AWS Lambda source directory | string | n/a | yes |
| aws_region | Specify your 'REGION' here | string | n/a | yes |
| aws_sns_lambda_archive_file_type | AWS SNS Lambda File- AWS Lambda Archive file type | string | n/a | yes |
| aws_sns_lambda_filename | AWS SNS Lambda File - AWS Lambda fileName | string | n/a | yes |
| aws_sns_lambda_function_aws_iam_role | AWS SNS Lambda File - AWS Lambda function name | string | n/a | yes |
| aws_sns_lambda_function_handler_name | AWS SNS Lambda File - AWS Lambda function name | string | n/a | yes |
| aws_sns_lambda_function_name | AWS SNS Lambda File - AWS Lambda function name | string | n/a | yes |
| aws_sns_lambda_function_run_time | AWS SNS Lambda File - AWS Lambda function name | string | n/a | yes |
| aws_sns_lambda_output_path | AWS SNS Lambda File - AWS Lambda Output path | string | n/a | yes |
| aws_sns_lambda_source_directory | AWS SNS Lambda File - AWS Lambda source directory | string | n/a | yes |
| aws_sns_topic_display_name | AWS SNS Topic - New SNS Topic display name | string | n/a | yes |
| aws_sns_topic_name | AWS SNS Topic - New SNS Topic Created | string | n/a | yes |
| sns_tag_description | AWS SNS Topic - AWS SNS Description Name | string | n/a | yes |
| sns_tag_email | AWS SNS Topic - AWS SNS Tag Email Name | string | n/a | yes |
| sns_tag_owner | AWS SNS Topic - AWS SNS Tag Owner Name | string | n/a | yes |
| tag_description | AWS Lambda - AWS Lambda Tag description | string | n/a | yes |
| tag_email | AWS Lambda - AWS Lambda Tag Owner email | string | n/a | yes |
| tag_owner | AWS Lambda - AWS Lambda Tag Owner name | string | n/a | yes |