Sunday, August 14, 2022

Permission denied on S3 path: s3://aws-controltower-logs-xxxxxxxx.json.gz. This query ran against the "default" database, unless qualified by the query. | by Teri Radichel | Bugs That Bite | Aug, 2022


AWS Control Tower with CloudTrail Logs and Athena Not Working

I wrote once before about problems trying to use AWS Athena with AWS CloudTrail when you've set up your account with AWS Control Tower. This is my second attempt to get this working.

Here's the real problem. When you try to use Athena with CloudTrail it should work by default if you have access to view the logs anyway, or there should be some convenient UI functionality to make this work. Instead I'm getting errors with no clear resolution as to how to fix the problem in the documentation I'm finding. I'm making hacker-like attempts to solve the problem but so far I have not.

Basically, when I try to run a query using AWS Athena I get this error:

Permission denied on S3 path: s3://aws-controltower-logs-xxxxxxxx/xxxxxxxxx/AWSLogs/xxxxxxxxx/CloudTrail/us-east-1/2022/02/03/xxxxxxxxxx_CloudTrail_us-east-xxxxx.json.gz. This query ran against the "default" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: xxxxxxx

About the end of that error message: 1.) I don't want to pay for support where there is no documentation and there appears to be a bug here. 2.) I don't want to post private account information in forums.

Let's see if I can figure this out myself.

Why can't I access the S3 bucket? Is it because I'm using AWS Control Tower?

Back to the documentation in search of an answer. At first I looked at the information for Control Tower but then I landed here:

It looks like the CloudTrail bucket has restricted permissions by default. I don't recall whether, when I taught how to use Athena in my cloud security class before, I had to manually create permissions to allow Athena to access the bucket. I need to go back and look, since my brain has been on a million other things including an Azure deep dive class (because someone asked). But here's the thing:

Why can't the UI just tell me I don't have permission to access the S3 bucket, ask me if I want to add it, and step me through it if I'm an administrator of the account? Also, if I already have access to view the events in the UI, why can't I have read-only access to the CloudTrail bucket as part of those permissions?

Alright, enough wishful thinking. We need to get this working. Read the documentation.

By default, Amazon S3 buckets and objects are private. Only the resource owner (the AWS account that created the bucket) can access the bucket and the objects it contains.

If you're using AWS Control Tower, that would be the Control Tower administrator account that created this account and its CloudTrail configuration.

The resource owner can grant access permissions to other resources and users by writing an access policy.

So is this access policy a resource policy or an IAM policy? I presume it's a resource policy, because the user already has full permission to access S3.

Next the documentation points to a link to create an organizational trail on the command line. But here's the thing. This was all created with CloudFormation templates by Control Tower, so that command line information isn't helpful. It seems like somehow I have to edit the CloudFormation templates Control Tower uses to create this bucket.

Also, admittedly I only scanned the documentation, but I don't see anything about adding a user to allow S3 bucket access for Athena. Maybe we can find that somewhere else.

That search leads me back to the Athena documentation, which doesn't address this issue and points me back to the CloudTrail documentation.

Am I just overthinking this? What if I just update the S3 bucket policy? Of course that puts my whole Control Tower configuration out of whack and I'll probably get drift errors, but at least I can see if I can access the bucket:

AWS let me save the changes.

That's not a recommended approach, by the way. It's just that I can't find any documentation on how else to fix this and it's taking too long.

Back to CloudTrail and "Create Athena Table." Right here it should let you select your existing table, but it doesn't. I could go over to Athena and try to find my table, but I just click through the wizard.

It tells me a bucket exists and now I get a button to go to Athena:

Again with the permission error, but I probably had my S3 path wrong.

I'll copy the path out of this error message and paste it into my bucket policy.

Well, now that I'm actually looking at the bucket ARN, it's in another account. Now I have to figure out where that is. Back to the SSO dashboard. Ah, yes, of course. The Log Archive account. But that's where I was testing before. Let's look at that bucket policy.

Okay, now I remember: I manually set up a temporary CloudTrail log in the test account, which is why no CloudFormation existed for that S3 bucket. I found the correct bucket and the CloudFormation stack that deployed it in the Log Archive account.

So the question is, how can I edit the templates Control Tower used for deployment and redeploy just this bucket?

I found this page with the words "customize" and "Control Tower" in it.

It links to this template on GitHub:

Holy moley. All of that is deployed in one single template? That's the opposite of how I deploy anything with CloudFormation. It's like the monolithic architectures we tried to get away from with microservices. I just want to edit one bucket policy and I have to risk messing up that whole stack? And I don't want to figure out that whole stack right now, as that's nowhere near my goal.

When I deploy CloudFormation, as I've been doing in my latest blog series, I create simple templates for each resource so I can easily redeploy it. I can test and redeploy each part independently.

Well, I'm not going to risk redeploying all of Control Tower right now, if I can even do that. I'm reconsidering my use of Control Tower at this moment. Maybe there's a way to use the code but decouple it and deploy it myself. Not sure. Not the task at hand.

For now, let's see if I can edit the S3 bucket policy manually, because I'm not trying to write a series on Control Tower. I'm trying to write about batch jobs. And right now I just want to query the CloudTrail logs so I can show how to create a zero trust IAM policy.

Basically I'm going to see if I can insert my policy into the S3 bucket for lack of a better option. You probably can't do that in a well-governed organization, by the way.

Oh, of course. Access denied. That's good, actually. That's what Control Tower should do.

By the way, I already tried accessing Athena using the Power User in the Control Tower Log Archive account and that user didn't have access either.

At this point I think I have the following options:

  1. Spend a lifetime trying to figure out if and how I can customize the Control Tower CloudFormation to redeploy this bucket policy.
  2. Set up a second CloudTrail in my test account and pay double for CloudTrail logs.
  3. See if I can access the logs with administrator access in the Log Archive account.
  4. Try to query CloudTrail with something other than Athena.

Number three seems like the easiest even though it's not a good solution at all, for a number of reasons:

  • I have to switch back and forth from my test account to the Log Archive account to test my changes.
  • If this was a large organization you wouldn't want to grant people admin access to the Log Archive account so they can query CloudFormation logs with Athena.
  • In fact, you probably wouldn't want to grant the people writing policies access to the Log Archive account at all.

I've spent far too long on this already. This is a problem for another day. Let's see if giving myself admin access for now works.

And...it takes me like 20 tries to figure out how to add the permissions, as always, because AWS SSO is so confusing. The UI and the relationships between things are so disconnected, but I jumped around back and forth to see different things and figured it out.

Yes, I know, it would be easier and better to just automate creating SSO users; I just haven't had time yet, I don't have a large organization, and I'm just testing.

Refresh the SSO page and log in to the AWS Log Archive account as admin. Go to CloudTrail. Repeat the steps to create an AWS Athena table.

Now the thing is, querying this path is going to be a bit more complicated because it's not just a single account. It's the entire organization.
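As an added example that is not from this post or from Control Tower's own templates, here is the Athena DDL I would use to point one table at the organization-wide path whose shape appears in the error message above, using partition projection so a query only lists the account, region and days it names; the bucket name, organization ID, account IDs and role name are placeholders. The final query is the kind of read the post wants for drafting a least-privilege IAM policy from observed activity.

```sql
-- Added example (not from the post or Control Tower's own templates). Object layout
-- follows the error above: s3://<bucket>/<org-id>/AWSLogs/<account>/CloudTrail/<region>/yyyy/MM/dd/
-- Placeholders: aws-controltower-logs-EXAMPLE, o-EXAMPLE, 111111111111, 222222222222.
CREATE EXTERNAL TABLE IF NOT EXISTS cloudtrail_org (
  eventversion    STRING,
  useridentity    STRUCT<
                    type:STRING, principalid:STRING, arn:STRING, accountid:STRING,
                    invokedby:STRING, accesskeyid:STRING, username:STRING,
                    sessioncontext:STRUCT<
                      attributes:STRUCT<mfaauthenticated:STRING, creationdate:STRING>,
                      sessionissuer:STRUCT<type:STRING, principalid:STRING, arn:STRING,
                                           accountid:STRING, username:STRING>>>,
  eventtime       STRING,
  eventsource     STRING,
  eventname       STRING,
  awsregion       STRING,
  sourceipaddress STRING,
  errorcode       STRING
)
-- Partition columns mirror the path segments that vary per object.
PARTITIONED BY (account STRING, region STRING, dt STRING)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://aws-controltower-logs-EXAMPLE/o-EXAMPLE/AWSLogs/'
-- Partition projection: no MSCK REPAIR or crawler; only the prefixes named in WHERE are listed.
TBLPROPERTIES (
  'projection.enabled'          = 'true',
  'projection.account.type'     = 'enum',
  'projection.account.values'   = '111111111111,222222222222',
  'projection.region.type'      = 'enum',
  'projection.region.values'    = 'us-east-1,us-west-2',
  'projection.dt.type'          = 'date',
  'projection.dt.format'        = 'yyyy/MM/dd',
  'projection.dt.range'         = '2022/01/01,NOW',
  'projection.dt.interval'      = '1',
  'projection.dt.interval.unit' = 'DAYS',
  'storage.location.template'   = 's3://aws-controltower-logs-EXAMPLE/o-EXAMPLE/AWSLogs/${account}/CloudTrail/${region}/${dt}'
);

-- Which API calls did one role actually make in a week? Raw material for a
-- least-privilege IAM policy: allow what appears here, nothing more.
SELECT eventsource, eventname, count(*) AS calls
FROM cloudtrail_org
WHERE account = '111111111111' AND region = 'us-east-1'
  AND dt BETWEEN '2022/08/01' AND '2022/08/07'
  AND useridentity.sessioncontext.sessionissuer.arn = 'arn:aws:iam::111111111111:role/EXAMPLE-batch-role'
GROUP BY eventsource, eventname
ORDER BY calls DESC;
```

Partition projection only narrows what Athena lists; the principal running the query still needs s3:GetObject on that prefix, which is exactly the permission the error above is complaining about.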

And....I still can't access the CloudTrail bucket. I still get the permission error on the S3 bucket even though I'm an admin. Looking at the policy I don't see how the permissions will work with Athena, and even as an administrator I can't change them, probably because of a Service Control Policy (SCP) in Control Tower. That is good, except that I need to be able to change it to make this work, if that's the issue.

I think my next approach will be to write AWS CLI scripts to access CloudFormation, as this is taking way too much time.

It looks like I can query CloudTrail with CloudTrail Lake.

But of course there's a cost associated with that:

Compare that to Athena:

Looks like it depends on the amount of data. I have a low amount of data, so I think Lake will be cheaper for me. But now I have a question. Am I paying for Athena for all those queries that failed? I have to figure out how to delete all that now.

I know Athena and CloudTrail were on the AWS security exam at some point (based on reviews by others; I haven't taken it), but I wonder if organizations are actually using it if they use Control Tower.

Seems like this could all be a bit more intuitive.

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
