AWSDetonationLab
add option to choose between 1 s3 bucket for all logs or 1 s3 bucket per service
Currently the det lab creates 1 S3 bucket per service getting logged. This was the easiest way to do it in the beginning due to how we learned to create the logging pipeline. Since then I have had multiple requests to log all services to a single S3 bucket with a subdirectory for each service. This was due to a limitation in S3 for 100 buckets total. To solve this issue I think we should add an option to the config page for the user to select multiple or single S3 bucket for logs. The directory structure should look something like the below:
- rootDir - nameOfDetlab
  - childDirs - Guardduty|macie|cloudtrail|vpc|etc
    - logs - however they write out
  - childDirs - Guardduty|macie|cloudtrail|vpc|etc
I think adding that condition will make the code harder to maintain, since the buckets are configured in so many places that we would need to add lots of conditionals. I think having a single bucket for everything is more convenient.
I agree with you. After looking at some documentation, I think the most practical path forward would be to migrate our current deployment standard of 1 bucket per service to 1 bucket with all services as a subdirectory of that single bucket.