Centralized Logging Pattern
Build a centralized log archive pipeline: an S3 archive bucket with lifecycle policies, a KMS-encrypted multi-region CloudTrail trail, a CloudWatch Logs subscription filter feeding a Kinesis Data Stream, and a Kinesis Data Firehose delivery stream with Hive-style partitioning.

Lab Overview
In a multi-account AWS organization the Log Archive account is the single destination for all audit and application logs. Every other account forwards its CloudTrail trails and CloudWatch Log Groups into this central account, which stores them durably in S3 with appropriate encryption, lifecycle management, and access controls.
In this lab you will:
- Create an S3 log archive bucket with versioning, SSE-S3, a permission policy accepting writes from CloudTrail and CloudWatch Logs, block-public-access, and a lifecycle rule transitioning objects to STANDARD_IA after 30 days
- Create a customer-managed KMS key whose policy grants CloudTrail encryption rights, then create a multi-region CloudTrail trail delivering to the archive bucket with SSE-KMS and log file validation enabled
- Create a CloudWatch Log Group, a Kinesis Data Stream, and a CloudWatch Logs subscription filter routing only ERROR-level log events to the stream
- Create an IAM role for Kinesis Data Firehose with S3 write and Kinesis read permissions, then create a Firehose delivery stream that reads from the Kinesis Data Stream, compresses with GZIP, and writes to the archive bucket with Hive-style date-partitioning
- Inject a test log event, trace it end-to-end through the pipeline, confirm the lifecycle policy is applied, and generate a pipeline summary report
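Tracing the test event (the last step above) means decoding what actually lands in the Kinesis stream: CloudWatch Logs delivers each subscription batch as a gzip-compressed JSON payload, shown base64-encoded by the CLI. The following Python is an added example, not part of the lab or AWS's own code; it builds a constructed payload (placeholder account id, log group and stream names), decodes it the way a verifier would, skips CONTROL_MESSAGE health checks, applies a term-match approximation of the lab's ERROR filter, and derives the Hive-style year=/month=/day=/hour= prefix. The prefix is computed from the event timestamp for determinism; in the real pipeline Firehose's !{timestamp:...} expressions use the record's approximate arrival time.

```python
import base64
import gzip
import json
from datetime import datetime, timezone

# Constructed sample of a CloudWatch Logs subscription batch as carried in a
# Kinesis record. Account id, log group, stream and filter names are placeholders.
SAMPLE_PAYLOAD = {
    "messageType": "DATA_MESSAGE",
    "owner": "111111111111",
    "logGroup": "/lab/app",
    "logStream": "web-1",
    "subscriptionFilters": ["errors-to-kinesis"],
    "logEvents": [
        {"id": "1", "timestamp": 1700000000000, "message": "ERROR db timeout"},
        {"id": "2", "timestamp": 1700003600000, "message": "INFO healthy"},
    ],
}


def encode_record(payload: dict) -> str:
    """Gzip and base64 a payload, as it appears in a get-records response."""
    return base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()


def decode_record(data_b64: str) -> dict:
    """Reverse of encode_record: base64-decode, gunzip, parse JSON."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))


def matches_filter(message: str, level: str = "ERROR") -> bool:
    """Approximate the subscription filter pattern 'ERROR': case-sensitive term match."""
    return level in message.split()


def hive_prefix(ts_ms: int) -> str:
    """Hive-style partition path derived from an event timestamp (UTC)."""
    dt = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
    return dt.strftime("year=%Y/month=%m/day=%d/hour=%H/")


def trace_record(data_b64: str) -> list:
    """Return the ERROR events a Kinesis record would forward, with their S3 prefix."""
    payload = decode_record(data_b64)
    if payload["messageType"] != "DATA_MESSAGE":  # CONTROL_MESSAGE is a health check
        return []
    return [
        {"logGroup": payload["logGroup"], "message": ev["message"],
         "s3_prefix": hive_prefix(ev["timestamp"])}
        for ev in payload["logEvents"] if matches_filter(ev["message"])
    ]
```

Feeding the data field from an actual `aws kinesis get-records` response to trace_record shows whether the injected ERROR event survived the subscription filter and which archive partition Firehose will write it under.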
Everything runs in a single TeKanAid-provisioned AWS lab account using confirmed-tier services (S3, KMS, CloudTrail, CloudWatch Logs, Kinesis Data Streams, Kinesis Data Firehose, IAM).
What You'll Learn
Create an S3 log archive bucket with versioning, SSE-S3 encryption, CloudTrail/CloudWatch Logs write policy, block-public-access, and a lifecycle rule transitioning to STANDARD_IA after 30 days
Create a customer-managed KMS key with a CloudTrail encryption policy and deploy a multi-region CloudTrail trail with SSE-KMS and log file validation
Create a CloudWatch Log Group with a Kinesis Data Stream subscription filter routing only ERROR-level log events
Create an IAM role for Kinesis Data Firehose and a Firehose delivery stream with GZIP compression and Hive-style S3 partitioning
Inject a test log event, trace it end-to-end through the pipeline, and verify lifecycle policies are applied
Prerequisites
aws-devops-cli-operations-baseline
basic-kms-and-cloudtrail-familiarity
basic-cloudwatch-logs-familiarity
Part of a Course
This lab is part of the AWS Certified DevOps Engineer - Professional (DOP-C02) course