Aws graylog pluging with multiple accounts

naggappan · June 29, 2018, 8:23am

Hi I used graylog aws plugin and able to make it work. Now when I wanted to use the same gray log server from multiple accounts I tried the following,

crate a s3 bucket with permission from different accounts and that works.
Now all cloud trial logs comes to the above account, But graylog aws plugin needs sns also so I created a SNS topic with below permissions still when I enable cloud trial it acceps cross account s3 bucket but not the SNS

{
“Version”:“2012-10-17”,
“Id”:“AWSAccountTopicAccess”,
“Statement” :[
{
“Sid”:“give-1234-publish”,
“Effect”:“Allow”,
“Principal” :{
“AWS”:“My-different-account-id-from-where-cloud-trial-send-logs”
},
“Action”:[“sns:Publish”],
“Resource”:“arn:aws:sns:us-east-1:actual-account-id-graylog-server-use-this-credentials:my-topic”
}
]
}

jan · June 29, 2018, 9:39am

something like that is currently not supported. You can open a feature request over at github:

naggappan · June 29, 2018, 10:00am

but in aws docs page it is saying cross account SNS is supported right?

So if this is not the case do you have any idea how can i get all logs to graylog from different account ?

tryone · June 29, 2018, 4:05pm

Hi, Try adding the account numbers in the basic tab,Only these AWS users, on the SNS Topic Policy, Allow these users to publish messages to this topic. Do this before specifying the SNS topic’s ARN in the Cloudtrail setup in the source account.

naggappan · July 2, 2018, 6:59am

Hi I deleted my SNS toppic in my master account and then creatd a new one, In basic tab gave 2 AWS account ID’s.
Then in other aws account deleted the existing cloud trial and created a new one with this ARS as “arn:aws:sns:us-east-1:XXXXXXXX:mycustomer” or only with “mycustomer” still it says to check SNS topic policy.
Does AWS really support cross account SNS for cloud trial ?

Steps tried for policy as here: https://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage_UseCases_Sns.html

tryone · July 2, 2018, 8:27am

This sort of centralized Logging in AWS works fine and is the suggested architecture put forward by AWS. Review the AWS documentation for
this at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-permissions-for-sns-notifications.html

system · July 16, 2018, 8:27am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use this fix #36 with graylog for multiple AWS accounts? Graylog Add-ons	3	1000	August 23, 2017
AWS Cross Account Cloudtrails Parsing Graylog Add-ons	1	844	June 6, 2017
Cloudtrail integration with Graylog Graylog Central (peer support)	4	1881	February 14, 2018
Split multiple events into separate logs Graylog Central (peer support)	4	1358	March 15, 2018
Integrate Oracle cloud Audit logs to Graylog Graylog Central (peer support)	2	876	May 13, 2020

Aws graylog pluging with multiple accounts

Related topics