Setting up CloudTrail

Setting up the CloudTrail bucket

Add the following target to the Makefile in the infrastructure git project (the organization ID and master account ID are looked up at deploy time and passed to the template as parameters):

CLOUDTRAIL_BUCKET_NAME  := fstehle-cloudtrail

###############################################################################################

.PHONY: log-archive-cloudtrail-bucket
log-archive-cloudtrail-bucket:
	aws cloudformation deploy \
		--no-fail-on-empty-changeset \
		--template-file log-archive/cloudtrail-bucket.yml \
		--stack-name cloudtrail-bucket \
		--parameter-overrides OrganizationId=$(shell aws organizations describe-organization --query 'Organization.Id' --output text) \
		                      MasterAccountId=$(shell aws organizations describe-organization --query 'Organization.MasterAccountId' --output text) \
		                      BucketName=$(CLOUDTRAIL_BUCKET_NAME) \
		--region $(AWS_REGION)

Create a new CloudFormation template at log-archive/cloudtrail-bucket.yml that defines the CloudTrail bucket, blocks all public access, enables default encryption and attaches the bucket policy CloudTrail needs to deliver logs:

---
AWSTemplateFormatVersion: 2010-09-09
Description: Cloudtrail bucket

Parameters:
  OrganizationId:
    Type: String
    AllowedPattern: '^o-[a-z0-9]{10}$'
    Description: ID of the AWS organization, e.g. o-exampleorgid
  MasterAccountId:
    Type: String
    AllowedPattern: '^[0-9]*$'
    Description: ID of the master AWS account
  BucketName:
    Type: String
    Description: Name of Bucket used for CloudTrail
Resources:
  TrailBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Ref BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  TrailBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # CloudTrail checks the bucket ACL before it writes anything
          - Sid: AWSCloudTrailAclCheck20150319
            Effect: Allow
            Principal:
              Service: 'cloudtrail.amazonaws.com'
            Action: 's3:GetBucketAcl'
            Resource: !Sub 'arn:aws:s3:::${TrailBucket}'
          # Log delivery for the log-archive account itself and for the master account
          - Sid: AWSCloudTrailWrite20150319
            Effect: Allow
            Principal:
              Service: 'cloudtrail.amazonaws.com'
            Action: 's3:PutObject'
            Resource:
              - !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*'
              - !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${MasterAccountId}/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': 'bucket-owner-full-control'
          # Log delivery for the organization trail; member account logs land under the organization ID
          - Sid: AWSCloudTrailOrganizationWrite20150319
            Effect: Allow
            Principal:
              Service: 'cloudtrail.amazonaws.com'
            Action: 's3:PutObject'
            Resource: !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${OrganizationId}/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': 'bucket-owner-full-control'

Create the CloudFormation stack by running the following command in the log-archive AWS account:

AWS_PROFILE=myorg-log-archive make log-archive-cloudtrail-bucket

Enabling CloudTrail on the AWS Organization

From the master account, enable trusted access for CloudTrail in the organization and then create the organization trail that delivers to the bucket created above:

AWS_PROFILE=myorg-master aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
AWS_PROFILE=myorg-master aws cloudtrail create-trail --name BaselineCloudTrail --s3-bucket-name myorg-test-cloudtrail --include-global-service-events --is-multi-region-trail --enable-log-file-validation --is-organization-trail --region eu-central-1
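As an added example (not code from the original post), the following Python script checks a trail against the baseline this page sets up: multi-region, organization trail, log file validation, global service events, the expected bucket, and whether logging is actually running. The two dicts are constructed samples shaped like the `describe-trails` and `get-trail-status` responses; `create-trail` creates the trail without starting it, so the sample status has IsLogging false and the check reports it.

```python
"""Baseline check for the organization trail (added example, not from the original page).

SAMPLE_TRAIL and SAMPLE_STATUS are CONSTRUCTED samples shaped like the responses of
`aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`. Live, you would
fetch them with boto3: client.describe_trails(...) and client.get_trail_status(Name=...).
"""

EXPECTED_BUCKET = "myorg-test-cloudtrail"  # bucket name used in the create-trail command

# Constructed sample: the trail as created by the create-trail command above.
SAMPLE_TRAIL = {
    "Name": "BaselineCloudTrail",
    "S3BucketName": "myorg-test-cloudtrail",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "IsOrganizationTrail": True,
    "HomeRegion": "eu-central-1",
}

# Constructed sample: create-trail does not start logging, start-logging has not been run.
SAMPLE_STATUS = {"IsLogging": False}


def check_trail(trail: dict, status: dict, expected_bucket: str) -> list[str]:
    """Return the list of baseline violations; an empty list means the trail is compliant."""
    findings = []
    required_true = {
        "IsMultiRegionTrail": "trail is not multi-region: activity in other regions is unlogged",
        "IsOrganizationTrail": "trail is not an organization trail: member accounts are unlogged",
        "LogFileValidationEnabled": "log file validation is off: tampering with delivered logs is undetectable",
        "IncludeGlobalServiceEvents": "global service events (IAM, STS, ...) are excluded",
    }
    for key, message in required_true.items():
        if not trail.get(key, False):
            findings.append(message)
    if trail.get("S3BucketName") != expected_bucket:
        findings.append(f"trail delivers to {trail.get('S3BucketName')!r}, expected {expected_bucket!r}")
    if not status.get("IsLogging", False):
        findings.append("trail exists but logging is stopped: run `aws cloudtrail start-logging`")
    if status.get("LatestDeliveryError"):
        findings.append(f"last S3 delivery failed: {status['LatestDeliveryError']}")
    return findings


if __name__ == "__main__":
    for finding in check_trail(SAMPLE_TRAIL, SAMPLE_STATUS, EXPECTED_BUCKET) or ["OK"]:
        print(finding)
```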