
AWS Control Tower


About

AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. It creates your landing zone using AWS Organizations, bringing ongoing account management and governance as well as implementation best practices based on AWS’s experience working with thousands of customers as they move to the cloud. Builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing that your accounts conform to company policies. Extend governance into new or existing accounts, and gain visibility into their compliance status quickly.

If you are building a new AWS environment, starting out on your journey to AWS, or starting a new cloud initiative, AWS Control Tower will help you get started quickly with built-in governance and best practices.

Product Details

Vendor URL: AWS Control Tower - govern a new secure, multi-account environment

Product Type: Identity and Access Management

Product Tier: Tier III

Integration Method: Custom

Integration URL: Logging and monitoring in AWS Control Tower

Log Guide: Logging and monitoring in AWS Control Tower

Parser Details

Log Format: JSON

Expected Normalization Rate: 90%

Data Label: AWS_CONTROL_TOWER

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                          UDM Field
awsRegion                                               principal.location.name
eventID                                                 metadata.product_log_id
eventName                                               metadata.product_event_type
eventName                                               security_result.summary
eventSource                                             observer.hostname
eventType                                               principal.application
eventVersion                                            metadata.product_version
recipientAccountId                                      target.user.userid
sourceIPAddress                                         principal.ip
userAgent                                               network.http.user_agent
userIdentity.accessKeyId                                principal.user.attribute.labels
userIdentity.accountId                                  principal.user.attribute.labels
userIdentity.arn                                        principal.user.attribute.labels
userIdentity.principalId                                principal.user.attribute.labels
userIdentity.sessionContext.sessionIssuer.userName      principal.user.userid
userIdentity.type                                       principal.user.attribute.labels
userIdentity.userName                                   principal.user.userid

Product Event Types

type,subtype            severity    UDM Event Classification    alerting enabled
Default                             GENERIC_EVENT
Describe,List,Get                   RESOURCE_READ

An eventName beginning with Describe, List or Get (such as GetManagedPrefixListEntries in the sample below) is classified as RESOURCE_READ; any other event falls back to the Default row, GENERIC_EVENT. The severity and alerting enabled columns are blank for both rows.

Log Sample

{
  "Records": [
    {
      "awsRegion": "eu-west-1",
      "eventCategory": "Management",
      "eventID": "asd63f5f4es06g540-a56dsg04-a5d6f04",
      "eventName": "GetManagedPrefixListEntries",
      "eventSource": "ec2.amazonaws.com",
      "eventTime": "2022-06-24T19:21:16Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.08",
      "managementEvent": true,
      "readOnly": true,
      "recipientAccountId": "123456789012",
      "requestID": "asd5f40-as6d540-a65d4f0-a6sd54f0",
      "requestParameters": {
        "GetManagedPrefixListEntriesRequest": {
          "PrefixListId": "pl-2sdf6511"
        }
      },
      "responseElements": null,
      "sourceIPAddress": "10.10.10.41",
      "tlsDetails": {
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "ec2.eu-west-1.amazonaws.com",
        "tlsVersion": "TLSv1.2"
      },
      "userAgent": "aws-sdk-java/1.12.150 Linux/5.4.190-107.353.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/11.0.15+10 java/11.0.15 groovy/2.4.15 vendor/Eclipse_Adoptium cfg/retry-mode/legacy",
      "userIdentity": {
        "accessKeyId": "SLASLKMMAFLK54981AERHK651",
        "accountId": "123456789012",
        "arn": "arn:aws:sts::123456789012:assumed-role/CouldReadOnly/redlock",
        "principalId": "ADSF540TRY65410SD961S5:redlock",
        "sessionContext": {
          "attributes": {
            "creationDate": "2022-06-24T19:14:18Z",
            "mfaAuthenticated": "false"
          },
          "sessionIssuer": {
            "accountId": "123456789012",
            "arn": "arn:aws:iam::123456789012:role/CouldReadOnly",
            "principalId": "ADSF540TRY65410SD961S5",
            "type": "Role",
            "userName": "CouldReadOnly"
          },
          "webIdFederationData": {}
        },
        "type": "AssumedRole"
      }
    }
  ]
}

Sample Parsing

metadata.product_log_id = "asd63f5f4es06g540-a56dsg04-a5d6f04"
metadata.event_timestamp = "2022-06-24T19:26:00Z"
metadata.event_type = "RESOURCE_READ"
metadata.vendor_name = "AWS"
metadata.product_name = "Control Tower"
metadata.product_version = "1.08"
metadata.product_event_type = "GetManagedPrefixListEntries"
principal.hostname = "10.10.10.41"
principal.user.userid = "CouldReadOnly"
principal.user.attribute.labels.key = "type"
principal.user.attribute.labels.value = "AssumedRole"
principal.user.attribute.labels.key = "principalId"
principal.user.attribute.labels.value = "ADSF540TRY65410SD961S5:redlock"
principal.user.attribute.labels.key = "arn"
principal.user.attribute.labels.value = "arn:aws:sts::123456789012:assumed-role/CouldReadOnly/redlock"
principal.user.attribute.labels.key = "accountId"
principal.user.attribute.labels.value = "123456789012"
principal.user.attribute.labels.key = "accessKeyId"
principal.user.attribute.labels.value = "SLASLKMMAFLK54981AERHK651"
principal.application = "AwsApiCall"
principal.location.name = "eu-west-1"
principal.asset.hostname = "10.10.10.41"
target.user.userid = "123456789012"
observer.hostname = "ec2.amazonaws.com"
security_result.summary = "GetManagedPrefixListEntries"
network.http.user_agent = "aws-sdk-java/1.12.150 Linux/5.4.190-107.353.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/11.0.15+10 java/11.0.15 groovy/2.4.15 vendor/Eclipse_Adoptium cfg/retry-mode/legacy"
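Two details of the sample output above are worth checking against the field table before relying on it in detections: the table maps sourceIPAddress to principal.ip, but the sample output carries the address under principal.hostname and principal.asset.hostname; and metadata.event_timestamp in the sample (2022-06-24T19:26:00Z) does not equal the record's eventTime (2022-06-24T19:21:16Z), which the table does not map at all. The following is an added example written for this page, not the vendor's or the parser's own code: it applies the documented field mapping and the Describe/List/Get classification rule to a CloudTrail-style "Records" envelope and follows the table (principal.ip). The input is constructed: the first record is trimmed from the Log Sample above, the second is a made-up non-read event from an IAM user. The precedence between userIdentity.userName and sessionContext.sessionIssuer.userName, which both map to principal.user.userid, is an assumption made here.

```python
# Added example for this page, not the vendor's or the parser's own code.
# Applies the documented UDM field mapping and event classification to a
# CloudTrail-style "Records" envelope.
import json
from typing import Any, Dict, List, Optional

# Constructed input. Record 1 is trimmed from the page's Log Sample; record 2 is
# a made-up non-read event from an IAM user, added to exercise the Default row.
SAMPLE_RECORDS = json.loads(r"""
{"Records": [
  {"awsRegion": "eu-west-1", "eventID": "asd63f5f4es06g540-a56dsg04-a5d6f04",
   "eventName": "GetManagedPrefixListEntries", "eventSource": "ec2.amazonaws.com",
   "eventTime": "2022-06-24T19:21:16Z", "eventType": "AwsApiCall", "eventVersion": "1.08",
   "recipientAccountId": "123456789012", "sourceIPAddress": "10.10.10.41",
   "userAgent": "aws-sdk-java/1.12.150 Linux/5.4.190-107.353.amzn2.x86_64",
   "userIdentity": {"accessKeyId": "SLASLKMMAFLK54981AERHK651", "accountId": "123456789012",
     "arn": "arn:aws:sts::123456789012:assumed-role/CouldReadOnly/redlock",
     "principalId": "ADSF540TRY65410SD961S5:redlock",
     "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "CouldReadOnly"}},
     "type": "AssumedRole"}},
  {"awsRegion": "us-east-1", "eventID": "example-0002", "eventName": "CreateManagedAccount",
   "eventSource": "controltower.amazonaws.com", "eventTime": "2022-06-24T20:00:00Z",
   "eventType": "AwsApiCall", "eventVersion": "1.08", "recipientAccountId": "123456789012",
   "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.7.0",
   "userIdentity": {"accessKeyId": "EXAMPLEKEY0000000002", "accountId": "123456789012",
     "arn": "arn:aws:iam::123456789012:user/alice", "principalId": "EXAMPLEPRINCIPAL0002",
     "type": "IAMUser", "userName": "alice"}}
]}
""")

# Product Event Types table: these eventName prefixes classify as RESOURCE_READ;
# everything else falls through to the Default row.
READ_PREFIXES = ("Describe", "List", "Get")

# userIdentity keys that become principal.user.attribute.labels entries, in the
# order the page's Sample Parsing lists them.
LABEL_FIELDS = ("type", "principalId", "arn", "accountId", "accessKeyId")


def classify_event(event_name: str) -> str:
    """Map an eventName to the UDM event type per the Product Event Types table."""
    return "RESOURCE_READ" if event_name.startswith(READ_PREFIXES) else "GENERIC_EVENT"


def principal_userid(identity: Dict[str, Any]) -> Optional[str]:
    """Assumed precedence: a direct userName first, else the assumed role's issuer name."""
    if identity.get("userName"):
        return identity["userName"]
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def normalize_record(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Build the UDM fields listed in the page's field table for one CloudTrail record."""
    identity = rec.get("userIdentity", {})
    labels = [{"key": k, "value": identity[k]} for k in LABEL_FIELDS if k in identity]
    return {
        "metadata": {
            "vendor_name": "AWS",
            "product_name": "Control Tower",
            "product_log_id": rec.get("eventID"),
            "product_event_type": rec.get("eventName"),
            "product_version": rec.get("eventVersion"),
            "event_type": classify_event(rec.get("eventName", "")),
        },
        "principal": {
            "ip": rec.get("sourceIPAddress"),  # per the field table (sample output used hostname)
            "application": rec.get("eventType"),
            "location": {"name": rec.get("awsRegion")},
            "user": {"userid": principal_userid(identity), "attribute": {"labels": labels}},
        },
        "target": {"user": {"userid": rec.get("recipientAccountId")}},
        "observer": {"hostname": rec.get("eventSource")},
        "security_result": {"summary": rec.get("eventName")},
        "network": {"http": {"user_agent": rec.get("userAgent")}},
    }


def normalize(envelope: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Normalize every record in a CloudTrail "Records" envelope."""
    return [normalize_record(r) for r in envelope.get("Records", [])]


if __name__ == "__main__":
    for event in normalize(SAMPLE_RECORDS):
        print(json.dumps(event, indent=2))
```

Running the block prints one UDM document per record; the first reproduces the field values shown in Sample Parsing (with the address under principal.ip), the second lands on GENERIC_EVENT with principal.user.userid taken from userIdentity.userName. Because recipientAccountId becomes target.user.userid and the account appears again as a label, filtering on either is enough to scope a rule to one member account.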

Parser Alerting

This product currently does not have any Parser-based Alerting

Rules

Coming Soon