Log Streaming Integration

This step is optional and recommended for large environments with a high volume of logs.

This step should be performed only on the logs-archive account.

To facilitate log streaming, complete the following steps:

  1. Deploy the rezon-cloudtrail.yaml CloudFormation stack template to the account that owns the S3 CloudTrail bucket.

Step 1: Deploy rezon-cloudtrail.yaml CloudFormation Stack Template

  1. Log in to the AWS Console for the account that owns the S3 CloudTrail bucket, and navigate to CloudFormation > Stacks.

  2. Select Create stack, and then With new resources (standard).

  3. In the Create stack screen, upload the Rezonate log streaming template (rezon-cloudtrail.yaml), and then click Next.

  4. In the Specify stack details screen, enter Rezonate for the stack name, and then click Next.

  5. Scroll down and click Next without changing any settings.

  6. Check the acknowledgment box, and then click Create Stack.

The rezon-cloudtrail.yaml stack template provisions the following resources:

    • An SQS queue and an EventBridge rule that adds notifications for every new log file created in the CloudTrail bucket.

    • A role that allows Rezonate to read CloudTrail logs from the bucket.

Make note of the SQS queue and the ARN value for the CloudTrail bucket, which you can find in the output tab of the stack execution screen. You will need to provide these values to your Rezonate representative to complete the onboarding process.

Step 2: Enable EventBridge Notification Support

After deploying the rezon-cloudtrail.yaml stack template, enable EventBridge notification support for the CloudTrail bucket, as explained in the following steps.

  1. In the AWS Console for the account that owns the S3 CloudTrail bucket, go to S3, click the trail bucket, and then select the Properties tab.

  2. Scroll to the Amazon EventBridge panel and click Edit.

  3. Select the On radio button, and then click Save Changes.

Step 3: (Optional) Modify Key Policy

In some deployments, the log bucket may be encrypted with a key that is stored in another account (such as the organization master). If this is the case, you must make a small modification to the key policy to allow Rezonate to use it to decrypt the log files, as explained in the following steps.

  1. Log in to the account that holds the key, and navigate to the Key Management Service (KMS).

  2. Select the key, and then the Key Policy tab.

  3. Add the following statement to the key policy in the text field.

KMS Resource Policy

    …
    {
      "Sid": "Enable Log Archive to Decrypt using master keys",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::986349361966:root"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
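The following Python example is added here and is not part of the Rezonate documentation. It appends the statement above to an existing key policy document exactly once and lists which principals outside the key's account end up with which actions, so the change can be reviewed before it is saved in the Key Policy tab. The existing policy, the helper names and the key-owner account ID 111122223333 are constructed placeholders.

```python
import copy
import json

# Statement from the page; the principal ARN is the value shown there.
STATEMENT = {
    "Sid": "Enable Log Archive to Decrypt using master keys",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::986349361966:root"},
    "Action": "kms:Decrypt",
    "Resource": "*",  # in a key policy, "*" means the key the policy is attached to
}

def _as_list(value):
    """Policy JSON allows either a single value or a list in these fields."""
    return value if isinstance(value, list) else [value]

def add_statement(policy, statement=STATEMENT):
    """Return a copy of the key policy with the statement appended once (matched by Sid)."""
    merged = copy.deepcopy(policy)
    statements = _as_list(merged.get("Statement", []))
    if not any(s.get("Sid") == statement["Sid"] for s in statements):
        statements.append(copy.deepcopy(statement))
    merged["Statement"] = statements
    return merged

def external_grants(policy, key_account_id):
    """Map each AWS principal outside the key's account to the actions it is allowed."""
    grants = {}
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or principal is None:
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in _as_list(aws):
            if f":{key_account_id}:" not in arn:
                grants.setdefault(arn, set()).update(_as_list(stmt.get("Action", [])))
    return grants

# Constructed sample: a minimal existing key policy in hypothetical account 111122223333.
EXISTING = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*",
}]}

if __name__ == "__main__":
    updated = add_statement(EXISTING)
    print(json.dumps(updated, indent=2))             # document to review and save
    print(external_grants(updated, "111122223333"))  # expect only kms:Decrypt
```

If `external_grants` reports anything other than `kms:Decrypt` for the principal from the page, review the key policy before saving it.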
