
Enhance AWS Control Tower multi-account observability with Sumo Logic

When running large-scale applications and workloads in the cloud, customers need streamlined visibility across their environment, especially when these workloads are distributed among separate AWS accounts for regulatory, compliance, security, or cost-tracking reasons.

AWS Control Tower simplifies and automates the account provisioning while maintaining a consistent baseline configuration with prescriptive blueprints and best practices. The log archive account of AWS Control Tower is designed to centralize the AWS CloudTrail and AWS Config log files from all member accounts. This model allows flexibility for further monitoring automation such as the Sumo Logic AWS Observability solution that we will cover in this blog.

Sumo Logic is an Advanced Technology Partner in the AWS Partner Network (APN) for Security Information and Event Management (SIEM) solutions. The Sumo Logic AWS Observability solution is available in AWS Marketplace. It uses the centralized logging model of AWS Control Tower to build a unified operational and security view across a multi-account environment.

Prerequisites

Before getting started, you should have the following:

  1. A working AWS Control Tower environment. You can configure AWS Control Tower by following the Getting Started with AWS Control Tower documentation or Jeff Barr’s blog post.
  2. A Sumo Logic account. You can register for a 30-day trial of Sumo Logic, and a subscription to Sumo Logic Cloud-Native Machine Data Analytics Service is available in AWS Marketplace.

Solution overview

You can follow these steps to integrate AWS Control Tower with Sumo Logic:

  1. Deploy Sumo Logic AWS Observability app in each AWS Control Tower managed account
  2. Configure AWS Control Tower log archive account to collect additional logs
  3. Create a unified operational view in Sumo Logic
  4. Create a unified security view in Sumo Logic

As shown in the following architecture diagram, you deploy an AWS CloudFormation template to the log archive account and each member account. AWS CloudTrail logs from each member account are aggregated into a central Amazon S3 bucket, which resides in the log archive account. Once the appropriate rules are configured in the Sumo Logic console, the Sumo Logic collectors and sources start parsing AWS CloudTrail logs. They then populate metrics for your multi-account environment in the Sumo Logic AWS Observability dashboards.

Step 1: Deploy Sumo Logic AWS Observability app in each AWS Control Tower managed account

  1. Log in to each AWS Control Tower managed member account that will be integrated with the Sumo Logic AWS Observability solution. To launch the CloudFormation template that installs the Sumo Logic AWS Observability app, choose the Launch Stack button.
  2. In the Sumo Logic Access Configuration section, obtain the following information from your Sumo Logic console:
    • Sumo Logic Deployment Name, which appears in your Sumo Logic console URL. For example, us2.
    • Sumo Logic Access ID and Sumo Logic Access Key. Create these by navigating to Administration, then Security, then Access Keys. Select Create.
    • Sumo Logic Organization Id, which can be found under Administration, then Account.
  3. In AWS Account Alias, enter an alias for your AWS account.
  4. Select No for Sumo Logic AWS CloudTrail Source and keep the default values for the other options. Select the checkboxes to confirm creation of the appropriate IAM resources and to allow CAPABILITY_AUTO_EXPAND. Choose Create stack. Sign out from the member account once the stack creation completes.

Step 2: Configure AWS Control Tower log archive account to collect additional logs

  1. Log in to the AWS Control Tower log archive account. To launch the CloudFormation template that sets up the log archive account to collect additional logs, choose the Launch Stack button.
  2. In the Sumo Logic Access Configuration section, copy the following information from your Sumo Logic console:
    • Sumo Logic Deployment Name, which appears in your Sumo Logic console URL. For example, us2.
    • Sumo Logic Access ID and Sumo Logic Access Key. Create these by navigating to Administration, then Security, then Access Keys. Select Create.
    • Sumo Logic Organization Id, which can be found under Administration and then Account.
  3. In AWS Account Alias, enter logarchive for your AWS account.
  4. For Sumo Logic AWS Observability Apps, select No.
  5. For Sumo Logic AWS CloudWatch Metrics and Inventory Source and Enable ALB Access logging, select None.
  6. For Create Sumo Logic ALB Logs Source, select No. For Sumo Logic AWS CloudTrail Source, select Yes.
  7. In Amazon S3 Bucket Name, enter the Amazon S3 bucket used by your AWS Control Tower log archive account. You can find the bucket name in the log archive account in this format: aws-controltower-logs-<accountid>-<region>.
  8. In Path Expression for existing CloudTrail logs, replace the default path expression with <sumologic-organization-id>/AWSLogs/*/CloudTrail/*/*.
  9. For Sumo Logic AWS Lambda CloudWatch Logs, select No. Keep other default values. To confirm creation of appropriate IAM resources and allow CAPABILITY_AUTO_EXPAND, select their respective checkboxes. Choose Create stack.

Step 3: Create a unified operational view in Sumo Logic

In Sumo Logic, configure a Field Extraction Rule (FER) to apply a tag on log files that are associated with the account alias that you have configured for each member account in Step 1.

  1. In a supported browser, log in to your Sumo Logic console as an administrator with the Manage Field Extractions role capability.
  2. Navigate to Manage Data. Select Logs, choose Field Extraction Rules, and then select Add Rule. Provide the following information:
    • In Rule Name, enter AWS Accounts
    • In Scope, enter _sourceCategory=aws/observability/cloudtrail/log.
    • In Parse Expression, enter the following parse expression. Replace the AWS account ID and account alias with the values you provided for each member account in Step 1. Append a new line of | if (recipientAccountId = "<aws_account_id>", "<account_alias>", account) as account for each additional member account. For example:
| json "recipientAccountId"
// Manually map each AWS account ID to the AWS account alias you set up earlier for that member account
| "" as account
| if (recipientAccountId = "<aws_account1_id>", "<account1_alias>", account) as account
| if (recipientAccountId = "<aws_account2_id>", "<account2_alias>", account) as account
| fields account

Refer to the following image.

Now you can start monitoring AWS services across your AWS Control Tower multi-account environment.

  1. While you are still in the Sumo Logic console, in the top panel select New. Then select Explore.
  2. Choose the account alias that you configured in Step 1. Expand the AWS Region name. You can now monitor AWS service usage across your AWS multi-account environment within a centralized dashboard.

Step 4: Create a unified security view in Sumo Logic

To create a unified security view within Sumo Logic:

  1. Log in to your Sumo Logic console as an administrator. Navigate to App Catalog and enter AWS CloudTrail in the search field.
  2. Select AWS CloudTrail, and then choose Add to Library.
  3. As the CloudTrail Log Source, select Source Category. For the Source Category value, enter aws/observability/cloudtrail/logs.
  4. Navigate to the folder where you installed the AWS CloudTrail app; the default folder is Personal.

You can now gain in-depth security insights such as geographical user distribution, security events, and resource utilization across your multi-account environment. The following screenshot shows an overview dashboard with a geographical map of global user usage. The right panes show a doughnut chart of created resources and a horizontal bar graph of deleted resources over time. Along the bottom, there is a bar chart of the top 10 users, a failed logins panel, and a doughnut chart of created and deleted network and security events.
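The following Python script is an added illustration, not part of the original post or of the Sumo Logic solution. It mirrors the Step 3 Field Extraction Rule (recipientAccountId mapped to an account alias, unmapped accounts left as "") over a constructed batch of CloudTrail records, and then computes the kind of per-account signals the Step 4 CloudTrail dashboards display: failed console logins and created versus deleted resources. The account IDs and alias names are made up; the event-name prefixes used to classify create/delete actions are a simplifying assumption, not the app's own logic.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (fake account IDs), carrying only the
# fields the Step 3 parse expression reads (recipientAccountId) and the Step 4
# panels summarize (console login outcome, resource create/delete event names).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"recipientAccountId": "111111111111", "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}}
{"recipientAccountId": "111111111111", "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}}
{"recipientAccountId": "222222222222", "eventName": "RunInstances", "responseElements": null}
{"recipientAccountId": "222222222222", "eventName": "DeleteSecurityGroup", "responseElements": null}
{"recipientAccountId": "333333333333", "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}}
""".strip().splitlines()]

# Account ID -> alias, the same mapping the Step 3 Field Extraction Rule hard-codes.
ACCOUNT_ALIASES = {"111111111111": "prod", "222222222222": "dev"}

def tag_account(event, aliases=ACCOUNT_ALIASES):
    """Mirror the FER: start from "" and overwrite it when recipientAccountId matches."""
    account = ""
    for account_id, alias in aliases.items():
        if event.get("recipientAccountId") == account_id:
            account = alias
    return account

def unmapped_accounts(events, aliases=ACCOUNT_ALIASES):
    """Account IDs that send logs but have no line in the rule: they get an empty
    account field, so they are invisible when you filter by alias in Explore."""
    return {e["recipientAccountId"] for e in events if tag_account(e, aliases) == ""}

def failed_logins_by_account(events):
    """Failed console logins per alias (raw ID if unmapped), as in the failed-logins panel."""
    return Counter(tag_account(e) or e["recipientAccountId"] for e in events
                   if e.get("eventName") == "ConsoleLogin"
                   and (e.get("responseElements") or {}).get("ConsoleLogin") == "Failure")

def resource_changes(events):
    """Created vs deleted resources per account, classified by event-name verb (assumption)."""
    changes = {"created": Counter(), "deleted": Counter()}
    for e in events:
        name, account = e.get("eventName", ""), tag_account(e) or e["recipientAccountId"]
        if name.startswith(("Create", "Run")):
            changes["created"][account] += 1
        elif name.startswith(("Delete", "Terminate")):
            changes["deleted"][account] += 1
    return changes

if __name__ == "__main__":
    print("accounts missing from the rule:", unmapped_accounts(SAMPLE_EVENTS))
    print("failed logins:", failed_logins_by_account(SAMPLE_EVENTS))
    print("resource changes:", resource_changes(SAMPLE_EVENTS))
```

Running it over real exported CloudTrail lines is a quick way to confirm every member account has an alias line in the rule before relying on the Explore view.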

Cleaning up

To avoid incurring future charges, you can remove the example resources by deleting the CloudFormation stacks created in Steps 1 and 2 from the CloudFormation console. Alternatively, you can run the following AWS Command Line Interface (AWS CLI) command:

aws cloudformation delete-stack --stack-name <stack_name>

Conclusion

In this blog post, I showed how to streamline monitoring across your AWS Control Tower multi-account environment with the Sumo Logic AWS Observability solution, available in AWS Marketplace. You can easily navigate across aggregated logs from all member accounts to identify and resolve any potential technical issues. This helps you minimize downtime and improve system availability. Details about this solution can be found in Solutions for AWS Control Tower in AWS Marketplace.

For the latest information on the Sumo Logic AWS Observability solution, see the Sumo Logic documentation. To procure the software, visit the product page in AWS Marketplace.

About the author

Cher Simon is a Senior Solutions Architect at AWS. Cher enjoys working with AWS customers in solving architectural, operational, and cost optimization challenges.