Enable log forwarding

You can use either the Amazon Directory Service console or APIs to forward domain controller security event logs to Amazon CloudWatch Logs. This helps you to meet your security monitoring, audit, and log retention policy requirements by providing transparency of the security events in your directory.

CloudWatch Logs can also forward these events to other Amazon accounts, Amazon services, or third party applications. This makes it easier for you to centrally monitor and configure alerts to detect and respond proactively to unusual activities in near real time.

Once enabled, you can then use the CloudWatch Logs console to retrieve the data from the log group you specified when you enabled the service. This log group contains the security logs from your domain controllers.

For more information about log groups and how to read their data, see Working with log groups and log streams in the Amazon CloudWatch Logs User Guide.

Note

Log forwarding is a Regional feature of Amazon Managed Microsoft AD. If you are using Multi-Region replication, the following procedures must be applied separately in each Region. For more information, see Global vs Regional features.

To enable log forwarding

In the Amazon Directory Service console navigation pane, choose Directories.
Choose the directory ID of the Amazon Managed Microsoft AD directory that you want to share.
On the Directory details page, do one of the following:
- If you have multiple Regions showing under Multi-Region replication, select the Region where you want to enable log forwarding, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.
- If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.
In the Log forwarding section, choose Enable.
On the Enable log forwarding to CloudWatch dialog, choose either of the following options:
1. Select Create a new CloudWatch log group, under CloudWatch Log group name, specify a name that you can refer to in CloudWatch Logs.
2. Select Choose an existing CloudWatch log group, and under Existing CloudWatch log groups, select a log group from the menu.
Review the pricing information and link, and then choose Enable.

To disable log forwarding

In the Amazon Directory Service console navigation pane, choose Directories.
Choose the directory ID of the Amazon Managed Microsoft AD directory that you want to share.
On the Directory details page, do one of the following:
- If you have multiple Regions showing under Multi-Region replication, select the Region where you want to disable log forwarding, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.
- If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.
In the Log forwarding section, choose Disable.
Once you’ve read the information in the Disable log forwarding dialog, choose Disable.

Using the CLI to enable log forwarding

Before you can use the ds create-log-subscription command, you must first create an Amazon CloudWatch log group and then create an IAM resource policy that will grant the necessary permission to that group. To enable log forwarding using the CLI, complete all of the steps below.

Step 1: Create a log group in CloudWatch Logs

Create a log group that will be used to receive the security logs from your domain controllers. We recommend pre-pending the name with /aws/directoryservice/, but that is not required. For example:

EXAMPLE CLI COMMAND

aws logs create-log-group --log-group-name '/aws/directoryservice/d-9876543210'

EXAMPLE POWERSHELL COMMAND

New-CWLLogGroup -LogGroupName '/aws/directoryservice/d-9876543210'

For instructions on how to create a CloudWatch Logs group, see Create a log group in CloudWatch Logs in the Amazon CloudWatch Logs User Guide.

Step 2: Create a CloudWatch Logs resource policy in IAM

Create a CloudWatch Logs resource policy granting Amazon Directory Service rights to add logs into the new log group you created in Step 1. You can either specify the exact ARN to the log group to limit Amazon Directory Service’s access to other log groups or use a wild card to include all log groups. The following sample policy uses the wild card method to identify that all log groups that start with /aws/directoryservice/ for the Amazon account where your directory resides will be included.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ds.amazonaws.com"
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:YOUR_REGION:YOUR_ACCOUNT_NUMBER:log-group:/aws/directoryservice/*"
        }
    ]
}

You will need to save this policy to a text file (for example DSPolicy.json) on your local workstation as you will need to run it from the CLI. For example:

EXAMPLE CLI COMMAND

aws logs put-resource-policy --policy-name DSLogSubscription --policy-document file://DSPolicy.json

EXAMPLE POWERSHELL COMMAND

$PolicyDocument = Get-Content .\DSPolicy.json –Raw

Write-CWLResourcePolicy -PolicyName DSLogSubscription -PolicyDocument $PolicyDocument

Step 3: Create an Amazon Directory Service log subscription

In this final step, you can now proceed to enable log forwarding by creating the log subscription. For example:

EXAMPLE CLI COMMAND

aws ds create-log-subscription --directory-id 'd-9876543210' --log-group-name '/aws/directoryservice/d-9876543210'

EXAMPLE POWERSHELL COMMAND

New-DSLogSubscription -DirectoryId 'd-9876543210' -LogGroupName '/aws/directoryservice/d-9876543210'

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Review your directory logs

Monitor your domain controllers with performance metrics