Transfer Family connectors should have CloudWatch logging enabled
Description
This control checks whether Amazon CloudWatch logging is enabled for an AWS Transfer Family connector. The control fails if CloudWatch logging isn't enabled for the connector. Amazon CloudWatch is a monitoring and observability service that provides visibility into your AWS resources, including AWS Transfer Family resources. For Transfer Family, CloudWatch provides consolidated auditing and logging for workflow progress and results. This includes several metrics that Transfer Family defines for workflows. You can configure Transfer Family to automatically log connector events in CloudWatch. To do this, you specify a logging role for the connector. For the logging role, you create an IAM role and a resource-based IAM policy that defines the permissions for the role.
Remediation
To enable CloudWatch logging for Transfer Family connectors, configure a logging role for each connector. The logging role must have permissions to write logs to CloudWatch.
Steps
- Open the AWS Transfer Family console.
- Select the connector that needs logging enabled.
- Go to the 'Logging' section in the connector settings.
- Create an IAM role with permissions to write logs to CloudWatch Logs.
- Attach the IAM role to the connector as the logging role.
- Configure the resource-based IAM policy for the logging role if needed.
- Save the connector configuration.
- Verify that connector events are being logged in CloudWatch.
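The steps above can be scripted for accounts with many connectors. The following is an added example, not AWS documentation code: it defines the IAM trust policy and a least-privilege permissions policy for the logging role (scoped to the /aws/transfer/ log groups Transfer Family writes to), evaluates each connector the way the control does (no LoggingRole means FAILED), and remediates failing connectors through the boto3 Transfer Family API (list_connectors, describe_connector, update_connector). The FakeTransferClient, connector IDs, account ID and role ARN are constructed placeholders so the script runs offline; against a real account you would pass boto3.client("transfer") instead.

```python
"""Audit Transfer Family connectors for a CloudWatch logging role and remediate.

Added example (not AWS's own code). The evaluation mirrors the control above:
a connector without a LoggingRole fails. Remediation uses the boto3 Transfer
Family API shapes; a constructed fake client stands in so this runs offline.
"""
import json

# Trust policy: allows the Transfer Family service to assume the logging role.
LOGGING_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "transfer.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: only the CloudWatch Logs actions the role needs, limited
# to the /aws/transfer/ log groups rather than logs:* on every resource.
LOGGING_ROLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:DescribeLogStreams",
            "logs:PutLogEvents",
        ],
        "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*",
    }],
}


def evaluate_connector(connector):
    """Return 'PASSED' if the connector has a logging role, else 'FAILED'.

    `connector` is the dict under the 'Connector' key of a DescribeConnector
    response. An empty or missing LoggingRole is what the control flags.
    """
    return "PASSED" if connector.get("LoggingRole") else "FAILED"


def audit_connectors(transfer):
    """Walk every connector in the region and return {connector_id: status}."""
    results = {}
    kwargs = {}
    while True:
        page = transfer.list_connectors(**kwargs)
        for summary in page.get("Connectors", []):
            cid = summary["ConnectorId"]
            desc = transfer.describe_connector(ConnectorId=cid)["Connector"]
            results[cid] = evaluate_connector(desc)
        if not page.get("NextToken"):
            return results
        kwargs = {"NextToken": page["NextToken"]}


def remediate(transfer, connector_id, logging_role_arn):
    """Attach the logging role to the connector, then re-check it (step 14)."""
    transfer.update_connector(ConnectorId=connector_id, LoggingRole=logging_role_arn)
    desc = transfer.describe_connector(ConnectorId=connector_id)["Connector"]
    return evaluate_connector(desc)


class FakeTransferClient:
    """Constructed stand-in for boto3.client('transfer') with the same call shapes."""

    def __init__(self, connectors):
        self._c = {c["ConnectorId"]: dict(c) for c in connectors}

    def list_connectors(self, **kwargs):
        # Single page; a real client may return NextToken for more pages.
        return {"Connectors": [{"ConnectorId": k} for k in self._c]}

    def describe_connector(self, ConnectorId):
        return {"Connector": dict(self._c[ConnectorId])}

    def update_connector(self, ConnectorId, **fields):
        self._c[ConnectorId].update(fields)
        return {"ConnectorId": ConnectorId}


# Constructed sample connectors; IDs, URLs and the account number are placeholders.
LOGGING_ROLE_ARN = "arn:aws:iam::123456789012:role/TransferLoggingRole"
SAMPLE_CONNECTORS = [
    {"ConnectorId": "c-1111111111111111a", "Url": "https://partner.example/as2",
     "LoggingRole": LOGGING_ROLE_ARN},
    {"ConnectorId": "c-2222222222222222b", "Url": "sftp://partner.example"},  # no role
]

if __name__ == "__main__":
    # Real account: import boto3; transfer = boto3.client("transfer")
    transfer = FakeTransferClient(SAMPLE_CONNECTORS)
    print(json.dumps(LOGGING_ROLE_PERMISSIONS_POLICY, indent=2))
    findings = audit_connectors(transfer)
    print("before:", findings)
    for cid, status in findings.items():
        if status == "FAILED":
            print(cid, "->", remediate(transfer, cid, LOGGING_ROLE_ARN))
```

The two policy documents map to steps 10 and 12: the trust policy is the role's assume-role policy, the permissions policy is attached inline or as a managed policy before the role ARN is passed as LoggingRole. Keeping the Resource scoped to /aws/transfer/* means a compromised or misconfigured connector cannot write into unrelated log groups.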