1 Answer
Hello.
I guess it depends on the use case, but in my case I manage metrics separately from the log archive account.
Log archive accounts contain logs that are important from a security and governance perspective, such as "AWS CloudTrail," which retrieves AWS operation history, and "AWS Config," which retrieves change history of AWS resources.
In order to prevent such logs from being viewed by general users, I manage metrics using a different account.
To prevent issues such as logs being deleted when incorrect permissions are granted to a user, we limit the number of users who can access the log archive account as much as possible.
https://docs.aws.amazon.com/controltower/latest/userguide/logging-and-monitoring.html