Summary Prerequisites and limitations Architecture Tools Best practices Epics Troubleshooting Related resources

Set up centralized logging at enterprise scale by using Terraform

Aarti Rajput, Yashwant Patel, and Nishtha Yadav, Amazon Web Services

Summary

Centralized logging is vital for an organization's cloud infrastructure, because it provides visibility into its operations, security, and compliance. As your organization scales its AWS environment across multiple accounts, a structured log management strategy becomes fundamental for running security operations, meeting audit requirements, and achieving operational excellence.

This pattern provides a scalable, secure framework for centralizing logs from multiple AWS accounts and services, to enable enterprise-scale logging management across complex AWS deployments. The solution is automated by using Terraform, which is an infrastructure as code (IaC) tool from HashiCorp that ensures consistent and repeatable deployments, and minimizes manual configuration. By combining Amazon CloudWatch Logs, Amazon Data Firehose, and Amazon Simple Storage Service (Amazon S3), you can implement a robust log aggregation and analysis pipeline that delivers:

Centralized log management across your organization in AWS Organizations
Automated log collection with built-in security controls
Scalable log processing and durable storage
Simplified compliance reporting and audit trails
Real-time operational insights and monitoring

The solution collects logs from Amazon Elastic Kubernetes Service (Amazon EKS) containers, AWS Lambda functions, and Amazon Relational Database Service (Amazon RDS) database instances through CloudWatch Logs. It automatically forwards these logs to a dedicated logging account by using CloudWatch subscription filters. Firehose manages the high-throughput log streaming pipeline to Amazon S3 for long-term storage. Amazon Simple Queue Service (Amazon SQS) is configured to receive Amazon S3 event notifications upon object creation. This enables integration with analytics services, including:

Amazon OpenSearch Service for log search, visualization, and real-time analytics
Amazon Athena for SQL-based querying
Amazon EMR for large-scale processing
Lambda for custom transformation
Amazon QuickSight for dashboards

All data is encrypted by using AWS Key Management Service (AWS KMS), and the entire infrastructure is deployed by using Terraform for consistent configuration across environments.

This centralized logging approach enables organizations to improve their security posture, maintain compliance requirements, and optimize operational efficiency across their AWS infrastructure.

Prerequisites and limitations

Prerequisites

A landing zone for your organization that's built by using AWS Control Tower
Account Factory for Terraform (AFT), deployed and configured with required accounts
Terraform for provisioning the infrastructure
AWS Identity and Access Management (IAM) roles and policies for cross-account access

For instructions for setting up AWS Control Tower, AFT, and Application accounts, see the Epics section.

Required accounts

Your organization in AWS Organizations should include these accounts:

Application account – One or more source accounts where the AWS services (Amazon EKS, Lambda, and Amazon RDS) run and generate logs
Log Archive account – A dedicated account for centralized log storage and management

Product versions

AWS Control Tower version 3.1 or later
Terraform version 0.15.0 or later

Architecture

The following diagram illustrates an AWS centralized logging architecture that provides a scalable solution for collecting, processing, and storing logs from multiple Application accounts into a dedicated Log Archive account. This architecture efficiently handles logs from AWS services, including Amazon RDS, Amazon EKS, and Lambda, and routes them through a streamlined process to Regional S3 buckets in the Log Archive account.

The workflow includes five processes:

Log flow process
- The log flow process begins in the Application accounts, where AWS services generate various types of logs, such as general, error, audit, slow query logs from Amazon RDS, control plane logs from Amazon EKS, and function execution and error logs from Lambda.
- CloudWatch serves as the initial collection point. It gathers these logs at the log group level within each application account.
- In CloudWatch, subscription filters determine which logs should be forwarded to the central account. These filters give you granular control over log forwarding, so you can specify exact log patterns or complete log streams for centralization.
Cross-account log transfer
- Logs move to the Log Archive account. CloudWatch subscription filters facilitate the cross-account transfer and preserve Regional context.
- The architecture establishes multiple parallel streams to handle different log sources efficiently, to ensure optimal performance and scalability.
Log processing in the Log Archive account
- In the Log Archive account, Firehose processes the incoming log streams.
- Each Region maintains dedicated Firehose delivery streams that can transform, convert, or enrich logs as needed.
- These Firehose streams deliver the processed logs to S3 buckets in the Log Archive account, which is located in the same Region as the source Application accounts (Region A in the diagram) to maintain data sovereignty requirements.
Notifications and additional workflows
- When logs reach their destination S3 buckets, the architecture implements a notification system by using Amazon SQS.
- The Regional SQS queues enable asynchronous processing and can trigger additional workflows, analytics, or alerting systems based on the stored logs.
AWS KMS for security
The architecture incorporates AWS KMS for security. AWS KMS provides encryption keys for the S3 buckets. This ensures that all stored logs maintain encryption at rest while keeping the encryption Regional to satisfy data residency requirements.

Tools

AWS services

Amazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events. It provides a unified view of AWS resources, applications, and services that run on AWS and on-premises servers.
CloudWatch Logs subscription filters are expressions that match a pattern in incoming log events and deliver matching log events to the specified AWS resource for further processing or analysis.
AWS Control Tower Account Factory For Terraform (AFT) sets up a Terraform pipeline to help you provision and customize accounts in AWS Control Tower. AFT provides Terraform-based account provisioning while allowing you to govern your accounts with AWS Control Tower.
Amazon Data Firehose delivers real-time streaming data to destinations such as Amazon S3, Amazon Redshift, and Amazon OpenSearch Service. It automatically scales to match the throughput of your data and requires no ongoing administration.
Amazon Elastic Kubernetes Service (Amazon EKS) is a managed container orchestration service that makes it easy to deploy, manage, and scale containerized applications by using Kubernetes. It automatically manages the availability and scalability of the Kubernetes control plane nodes.
AWS Key Management Service (AWS KMS) creates and controls encryption keys for encrypting your data. AWS KMS integrates with other AWS services to help you protect the data you store with these services.
AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. It automatically scales your applications by running code in response to each trigger, and charges only for the compute time that you use.
Amazon Relational Database Service (Amazon RDS) is a managed relational database service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks.
Amazon Simple Queue Service (Amazon SQS) is a message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. It eliminates the complexity of managing and operating message-oriented middleware.
Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that offers scalability, data availability, security, and performance. It can store and retrieve any amount of data from anywhere on the web.

Other tools

Terraform is an infrastructure as code (IaC) tool from HashiCorp that helps you create and manage cloud and on-premises resources.

Code

The code for this pattern are available in the GitHub Centralized logging repository.

Best practices

Use multiple AWS accounts in a single organization in AWS Organizations. This practice enables centralized management and standardized logging across accounts.
Configure S3 buckets with versioning, lifecycle policies, and cross-Region replication. Implement encryption and access logging for security and compliance.
Implement common logging standards by using JSON format with standard timestamps and fields. Use a consistent prefix structure and correlation IDs for easy tracking and analysis.
Enable security controls with AWS KMS encryption and least privilege access. Maintain AWS CloudTrail monitoring and regular key rotation for enhanced security.
Set up CloudWatch metrics and alerts for delivery tracking. Monitor costs and performance with automated notifications.
Configure Amazon S3 retention policies to meet compliance requirements and enable Amazon S3 server access logging to track all requests made to your S3 buckets. Maintain documentation for S3 bucket policies and lifecycle rules. Conduct periodic reviews of access logs, bucket permissions, and storage configurations to help ensure compliance and security best practices.

Epics

Task	Description	Skills required
Set up an AWS Control Tower environment with AFT.	Deploy AWS Control Tower by following the instructions in the AWS Control Tower documentation. Deploy AFT by following the instructions in the AWS Control Tower documentation.	AWS administrator
Enable resource sharing for the organization.	Configure AWS Command Line Interface (AWS CLI) with management account credentials, which provide administrative permissions to manage AWS Control Tower. Run the following AWS CLI command in any AWS Region: `aws ram enable-sharing-with-aws-organization` This enables resource sharing within your organization in AWS Organizations across all Regions that support AWS Resource Access Manager (AWS RAM).	AWS administrator
Verify or provision Application accounts.	To provision new Application accounts for your use case, create them through AFT. For more information, see Provision a new account with AFT in the AWS Control Tower documentation.	AWS administrator

Task Description Skills required

Task	Description	Skills required
Copy `Application_account` folder contents into the `aft-account-customizations` repository.	Create a folder named `Application_account` in the root path of the `aft-account-customizations` repository. This repository is created automatically when you set up AFT (see the previous epic). Navigate to the root directory of the centralised-logging-at-enterprise-scale-using-terraform repository, copy the contents of the `aft/account` directory, and then paste them into the `Application_account` directory that you created in step 1 in the `aft-account-customizations` repository. From the root directory of the `centralised-logging-at-enterprise-scale-using-terraform` repository, copy the contents of the `Application_account` directory into the `Application_account/terraform` directory in the `aft-account-customizations` repository. In the `aft-account-customizations/Application_account/terraform.tfvars` file, confirm that all parameters are passed as arguments in the corresponding Terraform configuration files.	DevOps engineer
Review and edit the input parameters for setting up the Application account.	In this step, you set up the configuration file for creating resources in Application accounts, including CloudWatch log groups, CloudWatch subscription filters, IAM roles and policies, and configuration details for Amazon RDS, Amazon EKS, and Lambda functions. In your `aft-account-customizations` repository, in the `Application_account` folder, configure the input parameters in the `terraform.tfvars` file based on your organization's requirements: `environment`: The name of the environment (for example, `prod`, `dev`, `staging`) where the resources will be deployed. `account_name`: The name of the AWS account where the resources will be created. `log_archive_account_id`: The AWS account ID where logs will be archived. `admin_role_name`: The name of the administrative role that will be used for managing resources. `tags`: A map of key-value pairs that represent common tags to be applied to all resources. `rds_config`: An object that contains configuration details for Amazon RDS instances. `allowed_cidr_blocks`: A list of CIDR blocks that are allowed to access the resources. `destination_name:` A variable that is used to create the Amazon Resource Name (ARN) of the CloudWatch destination where logs will be streamed. `rds_parameters:` An object that contains Amazon RDS parameter group settings. `vpc_config`: An object that contains VPC configuration details. `eks_config`: An object that contains configuration details for Amazon EKS clusters. `lambda_config`: An object that contains configuration details for Lambda functions. `restrictive_cidr_range`: A list of restrictive CIDR ranges for security group rules. `target_account_id`: The AWS account ID of the target Log Archive account where resources will be deployed.	DevOps engineer

Copy Application_account folder contents into the aft-account-customizations repository.

Create a folder named Application_account in the root path of the aft-account-customizations repository. This repository is created automatically when you set up AFT (see the previous epic).
Navigate to the root directory of the centralised-logging-at-enterprise-scale-using-terraform repository, copy the contents of the aft/account directory, and then paste them into the Application_account directory that you created in step 1 in the aft-account-customizations repository.
From the root directory of the centralised-logging-at-enterprise-scale-using-terraform repository, copy the contents of the Application_account directory into the Application_account/terraform directory in the aft-account-customizations repository.
In the aft-account-customizations/Application_account/terraform.tfvars file, confirm that all parameters are passed as arguments in the corresponding Terraform configuration files.

DevOps engineer

Review and edit the input parameters for setting up the Application account.

In this step, you set up the configuration file for creating resources in Application accounts, including CloudWatch log groups, CloudWatch subscription filters, IAM roles and policies, and configuration details for Amazon RDS, Amazon EKS, and Lambda functions.

In your aft-account-customizations repository, in the Application_account folder, configure the input parameters in the terraform.tfvars file based on your organization's requirements:

environment: The name of the environment (for example, prod, dev, staging) where the resources will be deployed.
account_name: The name of the AWS account where the resources will be created.
log_archive_account_id: The AWS account ID where logs will be archived.
admin_role_name: The name of the administrative role that will be used for managing resources.
tags: A map of key-value pairs that represent common tags to be applied to all resources.
rds_config: An object that contains configuration details for Amazon RDS instances.
allowed_cidr_blocks: A list of CIDR blocks that are allowed to access the resources.
destination_name: A variable that is used to create the Amazon Resource Name (ARN) of the CloudWatch destination where logs will be streamed.
rds_parameters: An object that contains Amazon RDS parameter group settings.
vpc_config: An object that contains VPC configuration details.
eks_config: An object that contains configuration details for Amazon EKS clusters.
lambda_config: An object that contains configuration details for Lambda functions.
restrictive_cidr_range: A list of restrictive CIDR ranges for security group rules.
target_account_id: The AWS account ID of the target Log Archive account where resources will be deployed.

DevOps engineer

Task Description Skills required

Task	Description	Skills required
Copy `Log_archive_account` folder contents into the `aft-account-customizations` repository.	Create a folder named `Log_archive_account` in the root path of the `aft-account-customizations` repository, This repository is created automatically when you set up AFT. Navigate to the root directory of the `centralised-logging-at-enterprise-scale-using-terraform` repository, copy the contents of the `aft/account` directory, and then paste them into the `Log_archive_account` directory that you created in the previous step in the `aft-account-customizations` repository. From the root directory of the `centralised-logging-at-enterprise-scale-using-terraform` repository, copy the contents of the `Log_archive_account` directory into the `Log_archive_account/terraform` directory in the `aft-account-customizations` repository. In the `aft-account-customizations/Log_archive_account/terraform.tfvars` file, confirm that all parameters are passed as arguments in the corresponding Terraform configuration files.	DevOps engineer
Review and edit the input parameters for setting up the Log Archive account.	In this step, you set up the configuration file for creating resources in the Log Archive account, including Firehose delivery streams, S3 buckets, SQS queues, and IAM roles and policies. In the `Log_archive_account` folder of your `aft-account-customizations` repository, configure the input parameters in the `terraform.tfvars` file based on your organization's requirements: `environment`: The name of the environment (for example, `prod`, `dev`, `staging`) where the resources will be deployed. `destination_name`: A variable that is used to create the ARN of the CloudWatch destination where logs will be streamed. `source_account_ids`: A list of AWS account IDs that are allowed to put subscription filters on the log destination. You can input as many account IDs as you want to enable for centralized logging.	DevOps engineer

Copy Log_archive_account folder contents into the aft-account-customizations repository.

Create a folder named Log_archive_account in the root path of the aft-account-customizations repository, This repository is created automatically when you set up AFT.
Navigate to the root directory of the centralised-logging-at-enterprise-scale-using-terraform repository, copy the contents of the aft/account directory, and then paste them into the Log_archive_account directory that you created in the previous step in the aft-account-customizations repository.
From the root directory of the centralised-logging-at-enterprise-scale-using-terraform repository, copy the contents of the Log_archive_account directory into the Log_archive_account/terraform directory in the aft-account-customizations repository.
In the aft-account-customizations/Log_archive_account/terraform.tfvars file, confirm that all parameters are passed as arguments in the corresponding Terraform configuration files.

DevOps engineer

Review and edit the input parameters for setting up the Log Archive account.

In this step, you set up the configuration file for creating resources in the Log Archive account, including Firehose delivery streams, S3 buckets, SQS queues, and IAM roles and policies.

In the Log_archive_account folder of your aft-account-customizations repository, configure the input parameters in the terraform.tfvars file based on your organization's requirements:

environment: The name of the environment (for example, prod, dev, staging) where the resources will be deployed.
destination_name: A variable that is used to create the ARN of the CloudWatch destination where logs will be streamed.
source_account_ids: A list of AWS account IDs that are allowed to put subscription filters on the log destination. You can input as many account IDs as you want to enable for centralized logging.

DevOps engineer

Task Description Skills required

Task	Description	Skills required
Option 1 - Deploy the Terraform configuration files from AFT.	In AFT, the AFT pipeline is triggered after you push the code with the configuration changes to the GitHub `aft-account-customizations` repository. AFT automatically detects the changes and initiates the account customization process. After you make changes to your Terraform (`terraform.tfvars`) files, commit and push your changes to your `aft-account-customizations` repository: `$ git add * $ git commit -m "update message" $ git push origin main` Note If you're using a different branch (such as `dev`), replace `main` with your branch name.	DevOps engineer
Option 2 - Deploy the Terraform configuration file manually.	If you aren't using AFT or you want to deploy the solution manually, you can use the following Terraform commands from the `Application_account` and `Log_archive_account` folders: Clone the GitHub repository and configure the input parameters in the `terraform.tfvars` file. Run the following command: `$ terraform init` Preview changes: `$ terraform plan` This command evaluates the Terraform configuration to determine the desired state of the resources and compares it with the current state of your infrastructure. Apply changes: `$ terraform apply` Review the planned changes and type yes at the prompt to proceed with the application.	DevOps engineer

Option 1 - Deploy the Terraform configuration files from AFT.

In AFT, the AFT pipeline is triggered after you push the code with the configuration changes to the GitHub aft-account-customizations repository. AFT automatically detects the changes and initiates the account customization process.

After you make changes to your Terraform (terraform.tfvars) files, commit and push your changes to your aft-account-customizations repository:


$ git add *
$ git commit -m "update message"
$ git push origin main

Note

If you're using a different branch (such as dev), replace main with your branch name.

DevOps engineer

Option 2 - Deploy the Terraform configuration file manually.

If you aren't using AFT or you want to deploy the solution manually, you can use the following Terraform commands from the Application_account and Log_archive_account folders:

Clone the GitHub repository and configure the input parameters in the terraform.tfvars file.
Run the following command:
```
$ terraform init
```
Preview changes:
```
$ terraform plan
```
This command evaluates the Terraform configuration to determine the desired state of the resources and compares it with the current state of your infrastructure.
Apply changes:
```
$ terraform apply
```
Review the planned changes and type yes at the prompt to proceed with the application.

DevOps engineer

Task	Description	Skills required
Verify subscription filters.	To verify that the subscription filters forward logs correctly from the Application account log groups to the Log Archive account: In the Application account, open the CloudWatch console. In the left navigation pane, choose Log groups. Select each log group (`/aws/rds`, `/aws/eks`, `/aws/lambda`) and choose the Subscription filters tab. You should see active subscription filters that point to the destination ARN, based on the name that you specified in the Terraform configuration file. Choose any subscription filter to verify its configuration and status.	DevOps engineer
Verify Firehose streams.	To verify that the Firehose streams in the Log Archive account process application logs successfully: In the Log Archive account, open the Firehose console. In the left navigation pane, choose Firehose streams. Choose any Firehose streams and verify the following: The destination shows the correct S3 bucket. The Monitoring tab shows successful delivery metrics. The recent delivery timestamp is current.	DevOps engineer
Validate the centralized S3 buckets.	To verify that the centralized S3 buckets receive and organize logs properly: In the Log Archive account, open the Amazon S3 console. Select each central logging bucket. Navigate through the folder structure: AWSLogs/AccountID/Region/Service. You should see log files organized by timestamp (YYYY/MM/DD/HH). Choose any recent log file and verify its format and data integrity.	DevOps engineer
Validate SQS queues.	To verify that the SQS queues receive notifications for new log files: In the Log Archive account, open the Amazon SQS console. In the left navigation pane, choose Queues. Select each configured queue and choose Send and receive messages. You should see messages that contain S3 event notifications for new log files. Choose any message to verify that it contains the correct S3 object information.	DevOps engineer

Task	Description	Skills required
Option 1 - Decommission the Terraform configuration file from AFT.	When you remove the Terraform configuration files and push the changes, AFT automatically initiates the resource removal process. Navigate to the `aft-account-customizations` repository. Go to the `terraform` directory. Delete the following files: `modules` directory `iam.tf` `versions.tf` `variables.tf` `outputs.tf` `terraform.tfvars` Clear the contents of the `main.tf` file. Push your changes to the repository: `# Stage all changes $ git add * # Commit cleanup changes $ git commit -m "Remove AFT customizations" # Push to repository $ git push origin main` Note If you're using a different branch (such as `dev`), replace `main` with your branch name.	DevOps engineer
Option 2 – Clean up Terraform resources manually.	If you aren't using AFT or you want to clean up resources manually, use the following Terraform commands from the `Application_account` and `Log_archive_account` folders: Initialize the Terraform configuration: `$ terraform init` This command initializes Terraform and ensures access to the current state. Preview cleanup changes: `$ terraform destroy` This command evaluates which resources will be destroyed and compares the desired state with the current state of your infrastructure. Run cleanup. When you're prompted, type yes to confirm and run the destruction plan.	DevOps engineer

Troubleshooting

Issue	Solution
The CloudWatch Logs destination wasn't created or is inactive.	Validate the following: In the Log Archive account, verify that the destination policy includes: The correct source account principal. The correct action (`logs:PutSubscriptionFilter`). A valid destination ARN. Confirm that the Firehose stream exists and is active. Verify that the IAM role that's attached to the destination has permissions for Firehose.
The subscription filter failed or is stuck in pending status.	Check the following: In the Application account, verify that the IAM role has: Permissions to call `PutSubscriptionFilter`. A trust relationship with CloudWatch Logs. Confirm that the destination ARN is correct. Check CloudWatch Logs for specific error messages.
The Firehose delivery stream shows no incoming records.	Verify the following: Confirm that the Firehose IAM role has: Permissions to write to Amazon S3. Access to the AWS KMS key if encryption is enabled. Review CloudWatch metrics for: `IncomingRecords` `DeliveryToS3.Records` Verify buffer settings and delivery configurations.

Related resources

Terraform infrastructure setup (Terraform documentation)
Deploy AWS Control Tower Account Factory for Terraform (AFT) (AWS Control Tower documentation)
IAM tutorial: Delegate access across AWS accounts using IAM roles (IAMdocumentation)

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Set up a CI/CD pipeline with CodePipeline

Set up end-to-end encryption for applications on Amazon EKS