In this lab we will walk through how to deploy an Elasticsearch cluster and configure the search index through
We will effectively be deploying the landing zone v2.3.1 centralized logging solution manually using StackSets. The AWS Centralized Logging solution used in landing zone is the same version that is available publicly here.
Unzip the landing zone centralized logging add-on zip file you downloaded as part of the prerequisites into a local directory on Linux or macOS.
unzip ~/Downloads/aws-centralized-logging-solution.zip -d ~/Downloads/aws-centralized-logging-solution
Windows users: use an appropriate method to extract the contents to a local directory.
Log in using the SSO account user created in the Deployment lab.
There are two methods to deploy the Centralized Logging.
We are going to use the aws-landing-zone-centralized-logging-primary.template to deploy a single stack instance in the cross-account audit account.
~/Downloads/aws-centralized-logging-solution/templates/core_accounts/aws-landing-zone-centralized-logging-primary.template
Use + addressing to enter your personal e-mail address, e.g. alias+ctclv2@amazon.com, for both the Elasticsearch Domain Admin email address and the Cognito Admin email address.
Name | Value |
---|---|
StackSet description | default |
OrgID | organization ID (o-zzzzzzz) |
DemoVPC | default |
ClusterSize | small |
DemoSubnet | default |
DomainAdminEmail | ALIAS+ctlab24@amazon.com |
CognitoAdminEmail | ALIAS+ctlab24@amazon.com |
DemoTemplate | No |
DOMAINNAME | Initialscentralizedlogging |

Name | Value |
---|---|
IAM admin role ARN | AWSControlTowerStackSetRole |
IAM execution role name | AWSControlTowerExecution |
Account number | cross-account audit account |
Specify regions | region with Control Tower installed |
Deployment options | 1, 1 |
Choose “I acknowledge that AWS CloudFormation might create IAM resources with custom names” and “I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND”.
Click Next
Select “Deploy stacks in accounts” and enter the account number of the cross-account audit account (found in the AWS Organizations console)
Select the primary region where you have Control Tower deployed
Click Next
For IAM Admin Role ARN, select the service role AWSControlTowerStackSetRole from the drop-down, and enter AWSControlTowerExecution for IAM Execution Role Name
Click Next
Acknowledge both IAM boxes
Click Submit
Wait for the stack instance to deploy (~15 min). If you want to watch the progress, you can use SSO to open the administration console in the cross-account audit account and watch the stack complete.
Navigate to the CloudFormation console in the cross-account audit account and copy all of the stack outputs to a temporary notebook.
Watch the inbox of the email address provided earlier for a temporary password and an SNS Subscription Notification. We will use the password in the next section; go ahead and subscribe to the SNS notification.
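The primary StackSet deployment above as an AWS CLI script, added here as an example and not part of the lab or of the solution's own code; it also asks CloudFormation which IAM capabilities the template actually requires before they are acknowledged, and polls the StackSet operation instead of watching the console. It assumes placeholder values for `MGMT_ACCOUNT_ID`, `AUDIT_ACCOUNT_ID`, `REGION`, `ORG_ID` and `ADMIN_EMAIL`, a StackSet name of our own choosing, that the parameter names in the table are the template's parameter IDs, and that "Deployment options 1, 1" means one concurrent account with a failure tolerance of one.

```shell
#!/bin/sh
# Added example, not part of the lab: the AWS CLI equivalent of the console steps above.
# Placeholders to replace: MGMT_ACCOUNT_ID, AUDIT_ACCOUNT_ID, REGION, ORG_ID, ADMIN_EMAIL.
set -e
TEMPLATE="$HOME/Downloads/aws-centralized-logging-solution/templates/core_accounts/aws-landing-zone-centralized-logging-primary.template"
STACKSET_NAME=clog-primary                    # our own name for the StackSet (assumption)
: "${MGMT_ACCOUNT_ID:=111111111111}"          # placeholder: Control Tower management account
: "${AUDIT_ACCOUNT_ID:=222222222222}"         # placeholder: cross-account audit account
: "${REGION:=us-east-1}"                      # placeholder: region where Control Tower is installed
: "${ORG_ID:=o-zzzzzzz}"                      # placeholder organization ID, as in the lab table
: "${ADMIN_EMAIL:=alias+ctlab24@example.com}" # placeholder: + addressing, as in the lab

# Admin role in the management account; CloudFormation assumes AWSControlTowerExecution in each target.
admin_role_arn() {
  echo "arn:aws:iam::${MGMT_ACCOUNT_ID}:role/service-role/AWSControlTowerStackSetRole"
}
# Parameters from the lab's table, one ParameterKey=...,ParameterValue=... per line. Rows marked
# "default" are omitted so the template default applies (IDs assumed to match the template).
primary_params() {
  printf 'ParameterKey=%s,ParameterValue=%s\n' \
    OrgID "$ORG_ID" \
    ClusterSize small \
    DomainAdminEmail "$ADMIN_EMAIL" \
    CognitoAdminEmail "$ADMIN_EMAIL" \
    DemoTemplate No \
    DOMAINNAME Initialscentralizedlogging
}
# Ask CloudFormation which IAM capabilities the template really needs before acknowledging them
# (switch to --template-url for templates larger than 51,200 bytes).
required_capabilities() {
  aws cloudformation validate-template --template-body "file://$TEMPLATE" --query Capabilities --output text
}
deploy_primary() {
  echo "Template requires capabilities: $(required_capabilities)"
  aws cloudformation create-stack-set --stack-set-name "$STACKSET_NAME" --region "$REGION" \
    --template-body "file://$TEMPLATE" --parameters $(primary_params) \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --administration-role-arn "$(admin_role_arn)" --execution-role-name AWSControlTowerExecution
  # "Deployment options 1, 1" read as max concurrent accounts = 1, failure tolerance = 1 (assumption).
  op=$(aws cloudformation create-stack-instances --stack-set-name "$STACKSET_NAME" --region "$REGION" \
    --accounts "$AUDIT_ACCOUNT_ID" --regions "$REGION" --query OperationId --output text \
    --operation-preferences MaxConcurrentCount=1,FailureToleranceCount=1)
  # Poll the operation (~15 min) instead of watching the console in the audit account.
  while :; do
    status=$(aws cloudformation describe-stack-set-operation --stack-set-name "$STACKSET_NAME" \
      --region "$REGION" --operation-id "$op" --query StackSetOperation.Status --output text)
    case "$status" in RUNNING|QUEUED) sleep 30 ;; *) echo "Operation $op: $status"; break ;; esac
  done
}
if [ "${RUN_DEPLOY:-0}" = 1 ]; then deploy_primary; fi
```

Nothing calls AWS unless the script is run with RUN_DEPLOY=1, so the helper functions can be sourced and inspected first; the spoke StackSet follows the same pattern with the spoke template and its own parameter table.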
We are going to use the aws-landing-zone-centralized-logging-spoke.template to create the StackSet for deploying the spokes to the accounts in our organization.
Most customers should consider deploying the spoke stack in all of their accounts, since they are already keeping the logs from those accounts in the archive log bucket. However, for this lab, we are going to deploy to one account in the interest of time.
~/Downloads/aws-centralized-logging-solution/templates/aws_baseline/aws-landing-zone-centralized-logging-spoke.template
Use the primary region you used for Control Tower as the CloudTrailRegion.
Name | Value |
---|---|
Elasticsearch Endpoint (ESDomain) | DomainEndpoint output value from the previous step |
Master Account Role | MasterRole output value from the previous step |
Cluster Size | small |
Sample Logs | No |
VPC CIDR for Sample Sources | default |
Subnet for Sample Web Server | default |
CloudTrailCloudWatchLogsGroupName | aws-controltower/CloudTrailLogs |
CloudTrailRegion | specify your region (e.g. us-east-1) |
IAM Admin Role ARN | AWSControlTowerStackSetRole |
IAM Execution Role Name | AWSControlTowerExecution |
Click Next
Select the audit account
Select the primary region you just entered as a parameter and click Add
Click Next
Acknowledge both IAM boxes
Click Create
Now wait (~1 min) until at least one of the stack instances is complete before moving on to the next step.
You have completed the lab. For more on how to use Kibana see Kibana How To.