README
LogGuardian
Automated CloudWatch Log Groups Compliance Automation
Enterprise-grade automation for CloudWatch log group encryption, retention, and compliance monitoring
Quick Start
One-Click AWS Serverless Application Repository Deployment
Launch LogGuardian from AWS Serverless Application Repository
Manual Deployment (SAM)
# Clone the repository
git clone https://github.com/zsoftly/logguardian.git
cd logguardian
# Build and package Lambda
make build && make package
# Deploy using AWS SAM (recommended for marketplace)
make sam-deploy-dev
Complete Deployment Guide
Go Lambda Function
For developers wanting to build and customize the Lambda function:
# Build the Go Lambda function
make build && make package
# Run tests and security scans
make test && make security
Go Lambda Function Documentation
Implementation Status
Completed:
- Go 1.24 Lambda function with AWS SDK v2
- AWS Config event processing and compliance analysis
- Config rule evaluation batch processing for non-compliant resources
- KMS encryption and retention policy remediation
- Multi-region support with memory optimization
- Comprehensive test suite with mocked AWS services
- CI/CD pipeline with security scanning (GoSec, govulncheck)
- Structured logging with Go's slog package
- CloudFormation Templates: Complete deployment infrastructure with modular and single-file options
- Deployment Automation: Scripts and comprehensive deployment guide
Table of Contents
- Problem Statement
- Solution Overview
- Features
- Architecture
- Deployment Options
- Prerequisites
- Configuration
- Usage
- Cost Analysis
- Contributing
- License
Problem Statement
AWS customers struggle with maintaining CloudWatch log group compliance across their organization due to:
Operational Challenges
- Manual Compliance Management: Organizations must manually check hundreds or thousands of log groups for KMS encryption and retention policy compliance
- Scale Challenges: As organizations grow, manual compliance checking becomes impossible to maintain
- Operational Overhead: DevOps teams spend significant time on repetitive compliance tasks
Financial Impact
- Cost Inefficiency: Log groups without retention policies accumulate indefinitely, leading to unexpected storage costs
- Resource Waste: Teams over-provision monitoring resources due to inefficient compliance checking
Security & Compliance Risks
- Security Gaps: Unencrypted log groups fail compliance audits and security frameworks
- Compliance Violations: Inconsistent retention policies lead to regulatory compliance issues
- Audit Failures: Lack of systematic compliance tracking during security reviews
Solution Overview
LogGuardian transforms CloudWatch log group compliance from a manual, error-prone process into an automated, cost-effective, and reliable system that scales with organizational growth while maintaining security and compliance standards.
Key Differentiators
- Cost-Optimized: Uses AWS Config Rules instead of expensive continuous Lambda scanning
- Safe Automation: Shared responsibility model prevents application disruptions
- Enterprise-Ready: Built for multi-account, multi-region AWS environments
- Compliance-First: Designed specifically for audit and regulatory requirements
Features
Intelligent Compliance Discovery
- Utilizes AWS Config Rules to efficiently identify non-compliant CloudWatch log groups
- Pre-built compliance rules for encryption and retention requirements
- Configurable compliance standards (365 days retention minimum, customer-managed KMS keys)
- Multi-region compliance monitoring from centralized deployment
Safe Automated Remediation
- Automated application of retention policies to non-compliant log groups
- Safe KMS encryption with comprehensive validation and cross-region support
- Customer-managed keys with policy verification and accessibility checks
- Prerequisite validation to ensure service IAM roles have proper KMS permissions
- Rollback capabilities for failed remediation attempts
Shared Responsibility Model
- Customer maintains control over KMS key creation and IAM permission management
- Product assumes keys and permissions are pre-configured and tested
- Clear separation of customer vs. automation responsibilities
- Fail-fast approach when prerequisites are not met
Cost-Optimized Operations
- Event-driven remediation based on Config Rule evaluations
- Process only non-compliant resources (typically 5-10% of total log groups)
- Configurable schedule options (daily, weekly, monthly) based on organizational requirements
- Elimination of continuous resource scanning
Enterprise Governance
- Comprehensive compliance reporting and dashboards
- Audit trail of all remediation activities
- Integration with AWS Organizations for multi-account deployments
- Customizable notification and alerting for compliance changes
Flexible Deployment Options
- Single-region or multi-region deployment configurations
- Support for different compliance schedules per environment (prod vs. dev)
- Granular policy controls for different log group patterns
- Integration with existing CI/CD and infrastructure-as-code workflows
Architecture
High-Level Architecture
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   AWS Config    │    │   EventBridge   │    │   Remediation   │
│     Rules       │────│    Scheduler    │────│     Lambda      │
│                 │    │                 │    │                 │
│ • Encryption    │    │ Day N-1: Config │    │ Day N: Process  │
│ • Retention     │    │ Day N: Lambda   │    │ Non-Compliant   │
└─────────────────┘    └─────────────────┘    └─────────────────┘
         │                      │                      │
         │                      │                      │
         ▼                      ▼                      ▼
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│ CloudWatch Log  │    │   Compliance    │    │    Customer     │
│     Groups      │    │    Dashboard    │    │    KMS Keys     │
│                 │    │                 │    │                 │
│ • Target        │    │ • Reports       │    │ • Pre-created   │
│   Resources     │    │ • Metrics       │    │ • IAM Ready     │
└─────────────────┘    └─────────────────┘    └─────────────────┘
Process Flow
- Day N-1: AWS Config Rules evaluate all CloudWatch log groups for compliance
- Day N: EventBridge triggers Lambda function with non-compliant resource list
- Remediation: Lambda applies encryption and retention policies only to non-compliant resources
- Reporting: Compliance dashboard updates with remediation results
- Monitoring: Ongoing compliance monitoring and alerting
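The Day N decision step described above, as an added Go example that is not LogGuardian's own code: it plans remediation for one log group and fails fast when the customer-managed key cannot be used. The type names, action strings, key ARN and the rule that the key must sit in the log group's region are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// LogGroup holds the fields the decision needs (hypothetical type, not the project's).
type LogGroup struct {
	Name, Region, KMSKeyID string
	RetentionDays          int // 0 = no retention policy, logs never expire
}

// Policy is the target state: minimum retention and a customer-managed key ARN.
type Policy struct {
	MinRetentionDays int
	KMSKeyARN        string
}

// keyRegion extracts the region from arn:aws:kms:<region>:<account>:key/<id>.
func keyRegion(arn string) (string, error) {
	p := strings.Split(arn, ":")
	if len(p) != 6 || p[0] != "arn" || p[2] != "kms" || !strings.HasPrefix(p[5], "key/") {
		return "", fmt.Errorf("not a KMS key ARN: %q", arn)
	}
	return p[3], nil
}

// Plan lists the actions for one log group; a key prerequisite failure rejects the whole plan.
func Plan(g LogGroup, pol Policy) ([]string, error) {
	var actions []string
	if g.RetentionDays < pol.MinRetentionDays { // 0 (never expires) also lands here
		actions = append(actions, fmt.Sprintf("set-retention:%d", pol.MinRetentionDays))
	}
	if g.KMSKeyID == "" {
		region, err := keyRegion(pol.KMSKeyARN)
		if err != nil || region != g.Region {
			return nil, fmt.Errorf("KMS key not usable in %s (key region %q, err %v)", g.Region, region, err)
		}
		actions = append(actions, "associate-kms-key")
	}
	return actions, nil
}

func main() {
	// Constructed sample input: placeholder account ID and key ID.
	pol := Policy{MinRetentionDays: 365, KMSKeyARN: "arn:aws:kms:ca-central-1:111122223333:key/EXAMPLE-KEY-ID"}
	fmt.Println(Plan(LogGroup{Name: "/aws/lambda/app", Region: "ca-central-1", RetentionDays: 30}, pol))
}
```

A log group that already meets both requirements yields an empty plan, so only non-compliant resources produce work.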
Deployment Options
Option 1: AWS Serverless Application Repository (Recommended)
One-click deployment with AWS SAR
Benefits:
- One-click deployment
- Pre-configured best practices
- Public and free to use
- AWS-managed distribution
- Version controlled releases
Pricing: Free - Open source with no licensing fees
Option 2: Manual SAM Deployment
Direct SAM deployment from source
# 1. Clone repository
git clone https://github.com/zsoftly/logguardian.git
cd logguardian
# 2. Build and package
make build && make package
# 3. Deploy with SAM
sam deploy --guided --parameter-overrides \
  Environment=prod \
  CreateKMSKey=true \
  KMSKeyAlias=alias/logguardian-logs-prod \
  CreateConfigService=true \
  CreateConfigRules=true \
  CreateEventBridgeRules=true \
  DefaultRetentionDays=365
Option 3: Terraform Deployment
module "logguardian" {
  source = "github.com/zsoftly/logguardian//terraform"

  # Configuration
  retention_days = 365
  kms_key_alias  = "alias/cloudwatch-logs-compliance"
  schedule       = "weekly"

  # Multi-region support
  regions = ["ca-central-1", "ca-west-1"]

  # Notification settings
  notification_email = "compliance@yourcompany.com"
}
Documentation
- Local SAM Testing - Comprehensive local Lambda testing with 9+ test scenarios
- SAM vs CloudFormation - Why we chose SAM over CloudFormation
- AWS Marketplace SAM Deployment - Complete SAM deployment guide
- Go Lambda Function - Lambda function implementation details
- Config Rule Evaluation - Batch processing non-compliant resources
- KMS Encryption Validation - KMS key validation and cross-region support
- Development Guide - Development setup and guidelines
- Deployment Guide - Complete SAM deployment instructions
AWS SAM Architecture
LogGuardian uses AWS SAM (Serverless Application Model) for deployment and is distributed through AWS Serverless Application Repository (SAR):
SAR Distribution Benefits
- Public Availability: Anyone can deploy LogGuardian directly from AWS SAR
- Version Control: Each release is tracked and versioned in SAR
- AWS Integration: Native integration with AWS console and CLI
- No Account Dependencies: Users don't need access to our source account
- Trust & Security: AWS-managed distribution channel with built-in security scanning
SAM Template Structure
template.yaml                    # SAM template (AWS Marketplace standard)
├── Metadata                     # AWS Serverless Repository metadata
├── Parameters                   # Deployment configuration
├── Resources
│   ├── Lambda Function          # Go binary with provided.al2023 runtime
│   ├── KMS Key                  # Customer-managed encryption key
│   ├── Config Rules             # Compliance monitoring
│   ├── EventBridge Rules        # Scheduled execution
│   └── CloudWatch Dashboard     # Monitoring
└── Outputs                      # Deployment results
Why SAM vs Traditional CloudFormation?
SAM Benefits for AWS SAR Distribution:
- Built-in SAR Support: Native AWS Serverless Application Repository integration
- Simplified Lambda Packaging: Automatic Go binary handling with CodeUri
- Local Testing: sam local commands for development
- Template Validation: Enhanced SAM-specific validation
- Event Source Integration: Simplified EventBridge configuration
- Automatic IAM: Policy generation from function requirements
Traditional CloudFormation Limitations:
- Manual ZIP creation and S3 upload required
- No built-in local testing
- Manual SAR integration required
- More complex Lambda configuration
Contributing
We welcome contributions! Please see our Development Guide for details.
Quick Start
# Clone and setup
git clone https://github.com/zsoftly/logguardian.git
cd logguardian
# Install dependencies and run tests
make test
# See development guide for more details
Professional Services & Enterprise Support
Need help with enterprise-scale LogGuardian deployment? ZSoftly Technologies Inc provides comprehensive AWS consulting and implementation services.
ZSoftly Cloud Services
Professional Services Include:
- Enterprise Deployment Planning - Multi-account, multi-region architecture design
- Custom Implementation - Tailored compliance rules and integration with existing infrastructure
- Migration Services - Safe migration from manual processes to automated compliance
- Training & Knowledge Transfer - Team training on LogGuardian operation and maintenance
- Ongoing Support - 24/7 support for mission-critical deployments
Contact Information:
- Phone: +1 (343) 503-0513
- Email: info@zsoftly.com
- Address: 116 Albert Street, Suite 300, Ottawa, Ontario K1P 5G3
- Business Hours: Mon–Fri: 6 AM–10 PM EST
- Book Online Consultation
Why Choose ZSoftly for LogGuardian?
- Canadian AWS Experts - Deep expertise in AWS compliance and governance
- Enterprise Focus - Specialized in large-scale, regulated environments
- Security First - Compliance with Canadian and international security standards
- Proven Results - Successfully deployed across financial, healthcare, and government sectors
License
This project is licensed under the MIT License - see the LICENSE file for details.
Built with ❤️ by ZSoftly Technologies Inc | Professional AWS Services