Consuming AWS Service Logs

Logs for AWS services managed by Stax are routed to logging accounts. Learn more about how to access these logs.

Stax provisions S3 buckets for storing AWS service logs as part of the Organization Assurance process.

For each of these services a bucket is created in the logging account. Each S3 bucket has a corresponding SNS topic which allows for receiving notifications when files are created. Subscribe to SNS topics to integrate these logs with other systems.

Before you begin

  • Time to complete: Approximately 5 minutes
  • Ensure you have access to log in to your organization's logging account with permissions to read content in S3 buckets

Finding the S3 bucket and SNS Topic for a Service

Each S3 bucket and SNS topic resides in your logging account. If you cannot access the logging account, contact an administrator of your Stax tenancy.

Once logged in to the logging account, locate the S3 bucket and/or SNS topic. For uniqueness, each bucket and topic name includes the UUID (UUIDv4) that represents your organization identifier.

| AWS Service | S3 Bucket | SNS Topic |
|---|---|---|
| AWS Config Service | stax-config-<org_id> | stax-config-<org_id> |
| AWS SSM Session Manager | stax-session-manager-<org_id> | stax-session-manager-<org_id> |
| AWS CloudTrail | stax-cloudtrail-<org_id> | cloudtrail-<org_id> |

In each case above, the <org_id> placeholder is replaced by the UUID representing your Stax tenancy/AWS Organization within Stax.

The SNS topics for each service are encrypted using a KMS key with the same alias as the topic name.
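The following added example (not Stax's own code) shows how a subscriber could check that a delivery from one of these topics refers to the bucket the table pairs it with before fetching the new log objects. It assumes the topics carry standard S3 event notifications inside the SNS envelope and that the delivery has already been authenticated; the function names, organization ID, account ID, region and object key are constructed for illustration.

```python
import json
import uuid
from urllib.parse import unquote_plus

# Naming patterns from the table above: service -> (bucket, SNS topic).
PATTERNS = {
    "config": ("stax-config-{o}", "stax-config-{o}"),
    "session-manager": ("stax-session-manager-{o}", "stax-session-manager-{o}"),
    "cloudtrail": ("stax-cloudtrail-{o}", "cloudtrail-{o}"),  # topic lacks "stax-"
}

def expected_names(org_id):
    """Return {service: (bucket, topic)} for a canonical lowercase UUIDv4 org_id."""
    parsed = uuid.UUID(org_id)
    if parsed.version != 4 or str(parsed) != org_id:
        raise ValueError("org_id must be a canonical lowercase UUIDv4")
    return {s: (b.format(o=org_id), t.format(o=org_id)) for s, (b, t) in PATTERNS.items()}

def new_log_objects(sns_body, org_id):
    """Return (service, bucket, key) per created object in one SNS delivery.
    Raises ValueError when topic and bucket are not an expected pair."""
    envelope = json.loads(sns_body)
    if envelope.get("Type") != "Notification":
        return []  # e.g. SubscriptionConfirmation carries no S3 event
    topic = envelope["TopicArn"].rsplit(":", 1)[-1]
    by_topic = {t: (s, b) for s, (b, t) in expected_names(org_id).items()}
    if topic not in by_topic:
        raise ValueError(f"unexpected topic: {topic}")
    service, bucket = by_topic[topic]
    found = []
    for rec in json.loads(envelope["Message"]).get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        if rec["s3"]["bucket"]["name"] != bucket:
            raise ValueError("bucket does not match the topic's service")
        # S3 URL-encodes object keys in event notifications.
        found.append((service, bucket, unquote_plus(rec["s3"]["object"]["key"])))
    return found

# Constructed sample: org id, account id, region and key are made up.
ORG = "3f2b8c1e-5d4a-4e6b-9a7c-0123456789ab"
SAMPLE = json.dumps({
    "Type": "Notification",
    "TopicArn": f"arn:aws:sns:ap-southeast-2:111122223333:cloudtrail-{ORG}",
    "Message": json.dumps({"Records": [{
        "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": f"stax-cloudtrail-{ORG}"},
               "object": {"key": "AWSLogs/111122223333/CloudTrail/part%3D1/a.json.gz"}}}]}),
})
```

Calling `new_log_objects(SAMPLE, ORG)` returns one tuple for the CloudTrail bucket with the key URL-decoded; a delivery whose topic and bucket belong to different services raises `ValueError`.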

Stax also provisions buckets that store the S3 access logs for these service buckets. These access logs can be used to meet audit requirements. The access log buckets are as follows:

| AWS Service | S3 Bucket |
|---|---|
| AWS Config Service | stax-config-accesslog-<org_id> |
| AWS SSM Session Manager | stax-session-manager-accesslog-<org_id> |
| AWS CloudTrail | stax-cloudtrail-accesslog-<org_id> |
