
AWS CloudTrail

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

To learn more about the service, see the AWS CloudTrail documentation.

Prerequisites

Permissions

  • Administrator role in AWS to configure CloudTrail accounts and services
  • "Organization Admin" role in MD.ECO

Prefixes offered by default

It is possible to use a prefix such as cloudtrail in a shared S3 bucket, but we recommend a dedicated S3 bucket for this service with no prefix, to stay consistent with the other S3 buckets.

The default prefix used by CloudTrail is:

AWSLogs/{{OrgID}}/CloudTrail/{{Region}}/

Or if Organization Trail is enabled:

AWSLogs/o-{{RootOrgID}}/{{OrgID}}/CloudTrail/{{Region}}/

Prerequisite Variables

  • {{S3CloudTrailAuditBucketName}}: Name of the bucket used to transfer logs to MD.ECO, to be created beforehand with the procedure Ingestion by S3 Bucket.

Configuration steps

Configuring S3 bucket security ("Audit" organization)

Add the following two statements to the destination S3 bucket policy:

{
  "Sid": "AWSCloudTrailAclCheck",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "s3:GetBucketAcl",
  "Resource": "arn:aws:s3:::{{S3CloudTrailAuditBucketName}}"
},
{
  "Sid": "AWSCloudTrailWrite",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "s3:PutObject",
  "Resource": [
    "arn:aws:s3:::{{S3CloudTrailAuditBucketName}}/*"
  ],
  "Condition": {
    "StringEquals": {
      "s3:x-amz-acl": "bucket-owner-full-control"
    }
  }
}

Configuring CloudTrail log recording in the S3 bucket ("Root" organization)

Enable all features

aws organizations enable-all-features

Enable trail for organization

Allow CloudTrail to act on the organization, then create a multi-region organization trail that delivers to the audit bucket:

aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
aws cloudtrail create-trail --name organization-trail --s3-bucket-name {{S3CloudTrailAuditBucketName}} --is-organization-trail --is-multi-region-trail
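The following added example (not part of the MD.ECO documentation or of the AWS tooling) checks the two pieces configured above, the bucket policy statements and the organization trail, against the JSON you would retrieve with aws s3api get-bucket-policy, aws cloudtrail describe-trails and aws cloudtrail get-trail-status. It reports what is missing rather than changing anything. The bucket name, policy and trail documents below are constructed sample data so the script runs offline; point the functions at real CLI output to verify a deployment.

```python
"""Offline verification of the CloudTrail -> S3 audit bucket setup (added example)."""
import json

CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"
REQUIRED_ACL = "bucket-owner-full-control"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_to_cloudtrail(statement, action, resource):
    """True if this statement allows the CloudTrail service principal `action` on `resource`."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return False
    if CLOUDTRAIL_PRINCIPAL not in _as_list(principal.get("Service")):
        return False
    if action not in _as_list(statement.get("Action")):
        return False
    return resource in _as_list(statement.get("Resource"))


def check_bucket_policy(policy, bucket_name):
    """Return a list of problems; [] means both required statements are present."""
    if isinstance(policy, str):  # raw output of get-bucket-policy --query Policy --output text
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement"))
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    problems = []

    # Statement 1: CloudTrail must be able to read the bucket ACL.
    if not any(_grants_to_cloudtrail(s, "s3:GetBucketAcl", bucket_arn) for s in statements):
        problems.append(f"no statement allows {CLOUDTRAIL_PRINCIPAL} s3:GetBucketAcl on {bucket_arn}")

    # Statement 2: CloudTrail must be able to write objects, and only with the
    # bucket-owner-full-control ACL so the audit account owns the delivered logs.
    writes = [s for s in statements if _grants_to_cloudtrail(s, "s3:PutObject", bucket_arn + "/*")]
    if not writes:
        problems.append(f"no statement allows {CLOUDTRAIL_PRINCIPAL} s3:PutObject on {bucket_arn}/*")
    elif not any(
        s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl") == REQUIRED_ACL
        for s in writes
    ):
        problems.append(f"s3:PutObject statement lacks Condition StringEquals s3:x-amz-acl = {REQUIRED_ACL}")
    return problems


def check_trail(describe_trails, trail_status, bucket_name):
    """Return a list of problems; [] means an org-wide, multi-region trail is logging to the bucket."""
    if isinstance(describe_trails, str):
        describe_trails = json.loads(describe_trails)
    if isinstance(trail_status, str):
        trail_status = json.loads(trail_status)
    trails = describe_trails.get("trailList", [])
    if not trails:
        return ["trail not found in describe-trails output"]
    trail = trails[0]
    problems = []
    if trail.get("S3BucketName") != bucket_name:
        problems.append(f"trail writes to bucket {trail.get('S3BucketName')!r}, expected {bucket_name!r}")
    if not trail.get("IsMultiRegionTrail"):
        problems.append("trail is not multi-region; events from other regions will not be captured")
    if not trail.get("IsOrganizationTrail"):
        problems.append("trail is not an organization trail; member accounts will not be covered")
    # create-trail from the CLI does not start delivery; start-logging must be run afterwards.
    if not trail_status.get("IsLogging"):
        problems.append("trail is not logging; run: aws cloudtrail start-logging --name <trail-name>")
    if trail_status.get("LatestDeliveryError"):
        problems.append(f"latest delivery to S3 failed: {trail_status['LatestDeliveryError']}")
    return problems


# Constructed sample documents (placeholder names, not real AWS output).
SAMPLE_BUCKET = "example-cloudtrail-audit-bucket"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
         "Action": "s3:GetBucketAcl",
         "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
         "Action": "s3:PutObject",
         "Resource": [f"arn:aws:s3:::{SAMPLE_BUCKET}/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL}}},
    ],
}
SAMPLE_DESCRIBE = {"trailList": [{"Name": "organization-trail", "S3BucketName": SAMPLE_BUCKET,
                                  "IsMultiRegionTrail": True, "IsOrganizationTrail": True}]}
SAMPLE_STATUS = {"IsLogging": False}  # the state right after create-trail, before start-logging

if __name__ == "__main__":
    findings = check_bucket_policy(SAMPLE_POLICY, SAMPLE_BUCKET) + check_trail(SAMPLE_DESCRIBE, SAMPLE_STATUS, SAMPLE_BUCKET)
    for problem in findings or ["setup looks complete"]:
        print(problem)
```

Run against the sample data the script reports a single finding, the trail not yet logging, which is the state a trail created from the CLI is left in until start-logging is run; an empty list from both functions means the bucket policy and trail match what this page configures.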

Notify Mondata with instance information

Include the following information:

  • {{S3CloudTrailAuditBucketName}}