Amazon Web Services (AWS), Logging Buckets
You might notice S3 buckets in your AWS account that can be used for logging. They have these names, one for each US region:
- uiuc-logs-(ACCOUNT_ID)-us-east-1 (N. Virginia)
- uiuc-logs-(ACCOUNT_ID)-us-east-2 (Ohio)
- uiuc-logs-(ACCOUNT_ID)-us-west-1 (N. California)
- uiuc-logs-(ACCOUNT_ID)-us-west-2 (Oregon)
These are provided for you to store your service logs in. You do not have to use them for logging, but you cannot delete or modify them.
Warning: if your account does not already have these buckets, do not create them! As we move accounts to the new management the buckets will be created, and if they already exist this will slow the process of migrating your account. Use different names for any logging buckets you create yourself.
Features of these logging buckets:
- Configured to securely store logs for AWS services.
- Retains logs for 90 days.
- Supports logging notifications via EventBridge.
- Can be updated as AWS recommendations change.
S3 Logging
Enabling Amazon S3 server access logging. The bucket policy and ACLs are already configured for you; you only need to enable server access logs.
- Under the bucket "Properties", "Server access logging", click the "Edit" button.
- Choose "Enable".
- For the "Target bucket", enter "s3://uiuc-logs-(ACCOUNT_ID)-(REGION)" where "(REGION)" is the same as the region of the bucket you're enabling logging for.
- We recommend also adding a prefix so it is easy to identify which bucket your logs came from. To match the scheme of other services, an example target with prefix is: s3://uiuc-logs-111111111111-us-east-2/AWSLogs/111111111111/s3/my-bucket-name/. Replace "111111111111" with your account ID and "my-bucket-name" with your bucket name.
- Click "Save changes" and you should see logs within 15 mins.
Application Load Balancer Logging
Enable access logs for your Application Load Balancer. The bucket policy is already configured for you; you only need to configure access logs.
- Under the load balancer "Attributes", click the "Edit" button.
- Under the "Monitoring" section, toggle "Access logs". This will show an "S3 URI" field.
- For the "S3 URI", enter "s3://uiuc-logs-(ACCOUNT_ID)-(REGION)" where "(REGION)" is the same as the region of the load balancer you're enabling logging for. You do not need to specify a prefix.
- Click "Save changes" and you should see logs within 15 mins.
Network Load Balancer Logging
Access logs for network load balancers only log TLS properties for TLS listeners. To log connections using the network load balancer you need to enable VPC Flow Logs.
VPC Flow Logs
Publish flow logs to Amazon S3. The bucket policy is already configured for you; you only need to create a flow log.
- You can create a flow log for a specific network interface (ENI), subnet, or the entire VPC. We recommend creating the flow log to capture traffic for the entire VPC, but if your use case is narrower you can reduce cost by creating the flow log on only specific resources.
- Find your VPC, select it, and under "Actions" click "Create flow log".
- Filter: we recommend selecting "All".
- Destination: Send to an Amazon S3 bucket.
- S3 bucket ARN: "arn:aws:s3:::uiuc-logs-(ACCOUNT_ID)-(REGION)", where "(REGION)" is the same as the region of the VPC, subnet, or ENI you're creating the flow log for. You do not need to specify a prefix.
- Log record format: AWS default format.
- The other setting defaults are fine.
- Click "Create flow log" and you should see logs within 15 mins.
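The S3 server access logging, Application Load Balancer and VPC Flow Logs steps above, done with the AWS CLI instead of the console, as an added example that is not part of this KB article. It assumes AWS CLI v2 with credentials for the account; the account ID 111111111111, the bucket name, the load balancer ARN and the VPC ID are constructed placeholders, and the helper function names (log_bucket, log_prefix and the enable_/create_ functions) are this example's own. The region check in log_bucket enforces the article's rule that the logging bucket must be in the same region as the resource.

```sh
#!/bin/sh
# Added example, not part of the UIUC KB article: configure the S3, ALB and VPC
# flow-log sources from the article with the AWS CLI instead of the console.
# Assumes AWS CLI v2 with credentials for the account. The account ID, bucket
# name, load balancer ARN and VPC id used below are constructed placeholders.
set -eu

# Set AWS=echo to print the commands instead of running them (dry run).
AWS=${AWS:-aws}

# The article lists a provided logging bucket in exactly these four regions.
LOG_REGIONS="us-east-1 us-east-2 us-west-1 us-west-2"

# Name of the provided bucket for an account in a region. Fails for any other
# region, so passing the resource's own region guarantees the region match the
# article requires and catches a typo before anything is reconfigured.
log_bucket() {
  account_id=$1; region=$2
  for r in $LOG_REGIONS; do
    if [ "$r" = "$region" ]; then
      printf 'uiuc-logs-%s-%s\n' "$account_id" "$region"
      return 0
    fi
  done
  echo "no provided logging bucket in region '$region'" >&2
  return 1
}

# Prefix following the article's AWSLogs/<account>/<service>/<resource>/ scheme.
log_prefix() {
  printf 'AWSLogs/%s/%s/%s/\n' "$1" "$2" "$3"
}

# S3 server access logging: regional target bucket plus a per-bucket prefix.
enable_s3_access_logging() {
  account_id=$1; region=$2; bucket=$3
  target=$(log_bucket "$account_id" "$region") || return 1
  prefix=$(log_prefix "$account_id" s3 "$bucket")
  $AWS s3api put-bucket-logging --bucket "$bucket" \
    --bucket-logging-status "{\"LoggingEnabled\":{\"TargetBucket\":\"$target\",\"TargetPrefix\":\"$prefix\"}}"
}

# ALB access logs: bucket only; the article says no prefix is needed.
enable_alb_access_logs() {
  account_id=$1; region=$2; lb_arn=$3
  target=$(log_bucket "$account_id" "$region") || return 1
  $AWS elbv2 modify-load-balancer-attributes --region "$region" \
    --load-balancer-arn "$lb_arn" \
    --attributes Key=access_logs.s3.enabled,Value=true Key=access_logs.s3.bucket,Value="$target"
}

# VPC flow log for the whole VPC: all traffic, default record format,
# S3 destination, no prefix (matching the article's recommended settings).
create_vpc_flow_log() {
  account_id=$1; region=$2; vpc_id=$3
  target=$(log_bucket "$account_id" "$region") || return 1
  $AWS ec2 create-flow-logs --region "$region" \
    --resource-type VPC --resource-ids "$vpc_id" --traffic-type ALL \
    --log-destination-type s3 --log-destination "arn:aws:s3:::$target"
}

# After ~15 minutes, confirm delivery: list what has landed under a service prefix.
list_delivered_logs() {
  account_id=$1; region=$2; service=$3; resource=$4
  target=$(log_bucket "$account_id" "$region") || return 1
  $AWS s3 ls "s3://$target/$(log_prefix "$account_id" "$service" "$resource")" --recursive
}

# Example invocation; run as "sh logging.sh apply" (all identifiers are constructed placeholders).
if [ "${1:-}" = "apply" ]; then
  enable_s3_access_logging 111111111111 us-east-2 my-bucket-name
  enable_alb_access_logs 111111111111 us-east-2 \
    "arn:aws:elasticloadbalancing:us-east-2:111111111111:loadbalancer/app/my-alb/0123456789abcdef"
  create_vpc_flow_log 111111111111 us-east-2 vpc-0123456789abcdef0
  list_delivered_logs 111111111111 us-east-2 s3 my-bucket-name
fi
```

Run with AWS=echo first to review the exact commands that would be issued; each function returns non-zero without calling the CLI if the region has no provided bucket. CloudFront and CloudTrail are not covered here: CloudFront logging through the CLI requires rewriting the whole distribution configuration, and a new CloudTrail has the cost implications described below.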
CloudFront Logging
Configuring and using standard logs (access logs). The first time you configure a distribution for logging Amazon will configure the bucket for you.
- Select your distribution and under "General", "Settings", click the "Edit" button.
- Under "Standard Logging" select "On" and the "S3 Bucket" and "Log Prefix" settings will appear.
- S3 Bucket: uiuc-logs-(ACCOUNT_ID)-(REGION). CloudFront is a global service and can use any of our buckets for logging. We recommend using the bucket in "us-east-2" or "us-east-1".
- Log Prefix: we recommend also adding a prefix so it is easy to identify which distribution your logs came from. To match the scheme of other services, an example prefix is "AWSLogs/111111111111/cloudfront/example.illinois.edu/". Replace "111111111111" with your account ID and "example.illinois.edu" with the custom domain for your distribution.
- Click "Save changes". It can take 15 mins for AWS to update all distributions, and another 15 mins for logs to arrive.
CloudTrail Logging
All accounts have a provided CloudTrail that logs API calls to a centrally managed bucket. If you want to access your own CloudTrail logs or need to collect data events using CloudTrail, then you can create a new CloudTrail. Warning: there are charges for additional CloudTrails, and the charges can be substantial when you are using Prisma Cloud on the account.
There are too many options in CloudTrail to cover in this KB article. When selecting the destination bucket, choose the one that corresponds to the region the CloudTrail is in. You do not need to specify a prefix.
If you have questions, please contact aws-support@illinois.edu.