Logging and Permissions
Details on Log Groups and Console + Agent Permissions
Platform Services
While many AWS services are used (ECS Fargate, App Config, CloudWatch, CloudFormation, DynamoDB, SNS, SQS, IAM) to deliver the Antivirus for Amazon S3 solution, two are called out here: CloudWatch, which is used for logging, and IAM, which is used for permissions. These are the questions we most often get from customers:
How do I check the logs?
What are you doing behind the scenes (permissions wise)?
We wanted to make sure you had those bases covered with the information below.
CloudWatch Log Group Overview
Log groups for the Console
AgentConfig
Logs of changes to agent configuration performed through the console.
2020-08-19T23:01:08.246-06:00 2020-08-20 05:01:08.2466|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'ap-northeast-1': {"region":"ap-northeast-1","vpcId":"vpc-6902080e","subnets":[{"subnetId":"subnet-1673ac3d","availabilityZone":"ap-northeast-1d","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-bd66b2f5","availabilityZone":"ap-northeast-1a","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.322-06:00 2020-08-20 05:01:08.3225|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'eu-west-3': {"region":"eu-west-3","vpcId":"vpc-e9677880","subnets":[{"subnetId":"subnet-232b114a","availabilityZone":"eu-west-3a","cidrBlock":"172.31.0.0/20"},{"subnetId":"subnet-266a0c6b","availabilityZone":"eu-west-3c","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.409-06:00 2020-08-20 05:01:08.4092|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-1': {"region":"us-west-1","vpcId":"vpc-1c55a17a","subnets":[{"subnetId":"subnet-b8c563de","availabilityZone":"us-west-1b","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-3c59aa66","availabilityZone":"us-west-1a","cidrBlock":"172.31.0.0/20"}]}
2020-08-19T23:01:08.490-06:00 2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2': {"region":"us-west-2","vpcId":"vpc-2f007457","subnets":[{"subnetId":"subnet-f6f91abc","availabilityZone":"us-west-2a","cidrBlock":"172.31.32.0/20"},{"subnetId":"subnet-f0408688","availabilityZone":"us-west-2b","cidrBlock":"172.31.16.0/20"}]}
Buckets
Logs of changes to bucket protection status and any errors that may occur while trying to turn on/off buckets.
2020-08-13T10:31:12.309-06:00 2020-08-13 16:31:12.3094|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:39:55.290-06:00 2020-08-13 16:39:55.2901|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T10:47:56.726-06:00 2020-08-13 16:47:56.7262|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:59:48.397-06:00 2020-08-13 16:59:48.3969|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T11:36:53.512-06:00 2020-08-13 17:36:53.5125|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket'
2020-08-13T11:36:56.921-06:00 2020-08-13 17:36:56.9212|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket-2'
2020-08-13T12:26:51.700-06:00 2020-08-13 18:26:51.7006|INFO|Buckets|Turned on protection for bucket 'css-webinar-existing-files'
2020-08-13T12:27:18.104-06:00 2020-08-13 18:27:18.1044|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-17T15:53:25.588-06:00 2020-08-17 21:53:25.5884|INFO|Buckets|Turned off protection for bucket '100kb-bucket'
2020-08-17T15:53:25.755-06:00 2020-08-17 21:53:25.7552|INFO|Buckets|Turned off protection for bucket 'demo-destination-bucket'
EcsConfig
Logs of actions taken to enable or disable Agents in a region. This includes creation of clusters, task definitions, services, SNS topics, SQS queues, quarantine buckets, and autoscaling policies.
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Setting Large Queue threshold to '1' in ap-northeast-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Set Large Queue threshold to '1' in ap-northeast-1
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Setting Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:58.631-06:00 2020-08-21 19:19:58.6311|INFO|EcsConfig|Setting Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:19:58.908-06:00 2020-08-21 19:19:58.9080|INFO|EcsConfig|Set Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:20:09.553-06:00 2020-08-21 19:20:09.5536|INFO|EcsConfig|Setting Min and Max agents to '0' and '1' respectively in us-east-1
2020-08-21T13:20:09.826-06:00 2020-08-21 19:20:09.8262|INFO|EcsConfig|Set Min and Max agents to '0' and '1' respectively in us-east-1
RetroScan
Logs of when retro scanning starts and finishes per bucket as well as when queue entries are added.
System
Logs of general Console system information and errors and the return of the entitlement verification.
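Every line in the Console log groups above shares one layout: the CloudWatch ingestion timestamp, then the application's own UTC timestamp, log level, log group name and message, separated by pipes. The following parser is an added example written for this page; it is not part of the product or the vendor's documentation. It only assumes what the samples show, and the sample lines embedded in it are copied from the Buckets and AgentConfig entries above. Beyond parsing, it answers two questions a defender would ask of these logs: which buckets were most recently turned off (and so are currently unprotected), and which subnets the agents are configured to run in per region.

```python
"""Parse Antivirus for Amazon S3 console log lines and summarise them.

Added example, not the vendor's code. It assumes only the line layout the
page's samples show: `<ingest timestamp> <app timestamp>|LEVEL|group|message`.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Sample lines copied from the page's AgentConfig and Buckets log groups.
SAMPLE_LOG = """\
2020-08-19T23:01:08.246-06:00 2020-08-20 05:01:08.2466|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'ap-northeast-1': {"region":"ap-northeast-1","vpcId":"vpc-6902080e","subnets":[{"subnetId":"subnet-1673ac3d","availabilityZone":"ap-northeast-1d","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-bd66b2f5","availabilityZone":"ap-northeast-1a","cidrBlock":"172.31.32.0/20"}]}
2020-08-13T10:31:12.309-06:00 2020-08-13 16:31:12.3094|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:39:55.290-06:00 2020-08-13 16:39:55.2901|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T11:36:53.512-06:00 2020-08-13 17:36:53.5125|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket'
2020-08-13T12:27:18.104-06:00 2020-08-13 18:27:18.1044|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-17T15:53:25.588-06:00 2020-08-17 21:53:25.5884|INFO|Buckets|Turned off protection for bucket '100kb-bucket'
2020-08-17T15:53:25.755-06:00 2020-08-17 21:53:25.7552|INFO|Buckets|Turned off protection for bucket 'demo-destination-bucket'
"""

LINE_RE = re.compile(
    r"^(?P<ingested>\S+) "                                  # CloudWatch ingestion time (local offset)
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\|"  # application time (UTC)
    r"(?P<level>[A-Z]+)\|(?P<category>\w+)\|(?P<message>.*)$"
)
BUCKET_RE = re.compile(r"^Turned (?P<state>on|off) protection for bucket '(?P<bucket>[^']+)'$")
SUBNET_RE = re.compile(r"^Updated Configured Subnets for Agents in region '(?P<region>[^']+)': (?P<body>\{.*\})$")


@dataclass
class LogEvent:
    ingested: str
    ts: str
    level: str
    category: str
    message: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return LogEvent(**m.groupdict()) if m else None


def parse_log(text: str) -> List[LogEvent]:
    """Parse a block of log text, silently skipping lines that do not match."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def protection_changes(events: Iterable[LogEvent]) -> List[Tuple[str, str, str]]:
    """(app timestamp, bucket, 'on'|'off') for each Buckets entry that toggled protection."""
    changes = []
    for ev in events:
        if ev.category != "Buckets":
            continue
        m = BUCKET_RE.match(ev.message)
        if m:
            changes.append((ev.ts, m["bucket"], m["state"]))
    return changes


def unprotected_buckets(events: Iterable[LogEvent]) -> List[str]:
    """Buckets whose most recent protection change was 'off', sorted by name."""
    latest: Dict[str, str] = {}
    for _ts, bucket, state in sorted(protection_changes(events)):  # oldest first
        latest[bucket] = state
    return sorted(b for b, s in latest.items() if s == "off")


def configured_subnets(events: Iterable[LogEvent]) -> Dict[str, List[str]]:
    """region -> subnet IDs, from AgentConfig 'Updated Configured Subnets' entries."""
    result: Dict[str, List[str]] = {}
    for ev in events:
        if ev.category != "AgentConfig":
            continue
        m = SUBNET_RE.match(ev.message)
        if m:
            body = json.loads(m["body"])
            result[m["region"]] = [s["subnetId"] for s in body["subnets"]]
    return result


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed")
    for ts, bucket, state in protection_changes(evs):
        print(f"{ts}  protection {state:<3} {bucket}")
    print("currently unprotected:", unprotected_buckets(evs))
    print("agent subnets by region:", configured_subnets(evs))
```

The "last event wins" rule in unprotected_buckets is what makes the check useful on a real export: a bucket that was turned off and later turned back on drops out of the list, while a bucket whose only visible event is "off" stays in it. The same regexes can be pasted into a CloudWatch Logs metric filter or Logs Insights query to alert on "Turned off protection" as it happens.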
Log groups for the Agent
ScanConfig
Scan settings for the agent.
Settings include, but are not limited to:
Tags for the objects scanned
Actions taken on objects
Scan and skip lists
Bucket handling configuration
Classification Rules configuration for DLP
Note that the snippet below has been shortened for brevity.
ScanStatistics
Hourly statistics of an agent's activity for each bucket being monitored. These include the number of files scanned, the number of clean/infected/error files, and the total bytes scanned.
Log groups for ECS
As of version 6.06 we enable ECS logging by default. These logs will be shown in the following log groups.
Each of these log group names contains your seven-character application ID (noted below as AppID) between "ECS" and the type of ECS service the log group is for.
IAM Permissions Review
We have been able to simplify the management and delivery of the solution such that there are very few tasks the administrator is required to perform inside the AWS Console. As a result, the Console and EventAgent have a number of permissions assigned to them within their respective roles so that they can perform the required actions on your behalf. In all cases we followed a least-privilege model wherever possible; there are a few instances where a wildcard (*) is assigned because the action requires it. Below you will find a review of the two IAM Roles we create and assign to the Console and the scanning Agents.
Please review and Contact Us if you have any questions we can clear up for you.
The permission descriptions below follow the format:
Permissions Policies
Console Role
Console Role Customer Inline Policies
Console Role Customer Managed Policies
