AWS CloudTrail Cloudtrail
This page shows how to write Terraform and CloudFormation for a CloudTrail trail, and how to write them securely.
aws_cloudtrail (Terraform)
A CloudTrail trail can be configured in Terraform with the resource name aws_cloudtrail. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Fails the multi-region check: is_multi_region_trail is unset and global
# service events are excluded, so only one region's activity is recorded.
resource "aws_cloudtrail" "missing-multi-region" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "some-s3-bucket"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
}
# Passes all three checks: log file validation, a KMS key and multi-region.
# name and s3_bucket_name are required arguments that the original snippet
# omitted; the values below are placeholders added to make the block valid.
resource "aws_cloudtrail" "allowed" {
  name                       = "placeholder-trail-name"
  s3_bucket_name             = "placeholder-bucket-name"
  enable_log_file_validation = true
  is_multi_region_trail      = true
  cloud_watch_logs_group_arn = "arn:1234"
  kms_key_id                 = "arn:124"
}
# Same compliant configuration; the ARNs are test fixtures, not real ARNs.
# name and s3_bucket_name are placeholders added for the required arguments.
resource "aws_cloudtrail" "allowed" {
  name                       = "placeholder-trail-name"
  s3_bucket_name             = "placeholder-bucket-name"
  cloud_watch_logs_group_arn = "some-arn:*"
  kms_key_id                 = "arn:1234"
  enable_log_file_validation = true
  is_multi_region_trail      = true
}
resource "aws_cloudtrail" "object_logging_enabled" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "nwm-cloudtrail-logs"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
  event_selector {
    # The selector body is truncated on the source page. An empty block is
    # still valid: read_write_type defaults to "All" and management events
    # are included by default.
  }
}
Security Best Practices for aws_cloudtrail
There are 3 settings in aws_cloudtrail that should be taken care of for security reasons. The following sections give an overview and example code.
Ensure to enable CloudTrail log validation
Enable CloudTrail log file validation (enable_log_file_validation): it lets you detect whether a delivered log file was modified or deleted after CloudTrail wrote it.
Ensure to enable at rest encryption of CloudTrail
Enable encryption at rest for CloudTrail log files by setting kms_key_id to a KMS key.
Ensure to enable CloudTrail in All Regions
Log activity in all regions (is_multi_region_trail) regardless of where the main AWS resources are homed, so that actions taken in a region you do not normally use are still recorded.
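The three checks above are easy to automate. The following is an added example, not code from the original page or from any of the projects it cites: a small Python checker that evaluates a trail definition against log file validation, KMS encryption and multi-region logging. It accepts both a Terraform aws_cloudtrail block (parsed with a deliberately minimal `key = value` parser that ignores nested blocks) and an AWS::CloudTrail::Trail resource in a JSON CloudFormation template, and it normalises the string-typed booleans ("True") that CloudFormation templates often carry. The sample inputs, the placeholder KMS key ARN and the helper names are all constructed for this example.

```python
import json
import re

# Terraform argument -> CloudFormation property, taken from the two parameter
# lists on this page. Only the three settings being checked are mapped.
TF_TO_CFN = {
    "enable_log_file_validation": "EnableLogFileValidation",
    "kms_key_id": "KMSKeyId",
    "is_multi_region_trail": "IsMultiRegionTrail",
}


def as_bool(value) -> bool:
    """CloudFormation templates often carry booleans as strings ("True"); accept both forms."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def parse_tf_attributes(hcl: str) -> dict:
    """Collect top-level `key = value` arguments of a Terraform block (nested blocks are ignored)."""
    attrs = {}
    for m in re.finditer(r'^\s*([a-z0-9_]+)\s*=\s*(.+?)\s*$', hcl, re.MULTILINE):
        key, raw = m.group(1), m.group(2)
        attrs[key] = (raw == "true") if raw in ("true", "false") else raw.strip('"')
    return attrs


def check_trail(props: dict) -> list:
    """Evaluate trail properties (CloudFormation names) against the three best practices."""
    findings = []
    if not as_bool(props.get("EnableLogFileValidation", False)):
        findings.append("EnableLogFileValidation is not true: tampering with delivered logs is undetectable")
    if not props.get("KMSKeyId"):
        findings.append("KMSKeyId is unset: log files are not encrypted with a customer managed KMS key")
    if not as_bool(props.get("IsMultiRegionTrail", False)):
        findings.append("IsMultiRegionTrail is not true: activity in other regions is not recorded")
    return findings


def check_terraform(hcl: str) -> list:
    """Map Terraform argument names to CloudFormation names and run the same checks."""
    attrs = parse_tf_attributes(hcl)
    return check_trail({TF_TO_CFN[k]: v for k, v in attrs.items() if k in TF_TO_CFN})


def check_cloudformation(template_json: str, logical_id: str) -> list:
    """Run the checks on one AWS::CloudTrail::Trail resource of a JSON template."""
    resource = json.loads(template_json)["Resources"][logical_id]
    assert resource["Type"] == "AWS::CloudTrail::Trail"
    return check_trail(resource.get("Properties", {}))


# Constructed sample input mirroring the "missing-multi-region" snippet on this page.
WEAK_TF = '''
resource "aws_cloudtrail" "missing-multi-region" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "some-s3-bucket"
  include_global_service_events = false
}
'''

# Constructed hardened trail; the KMS key ARN is a placeholder, not a real key.
HARDENED_TF = '''
resource "aws_cloudtrail" "allowed" {
  name                       = "tf-trail-foobar"
  s3_bucket_name             = "some-s3-bucket"
  enable_log_file_validation = true
  is_multi_region_trail      = true
  kms_key_id                 = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
}
'''

# Constructed CloudFormation template with string-typed booleans, as in the
# JSON snippet further down this page. It is multi-region but lacks validation and a key.
CFN_TEMPLATE = json.dumps({
    "Resources": {
        "Trail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "IsLogging": "True",
                "IsMultiRegionTrail": "True",
                "S3BucketName": {"Ref": "S3BucketName"},
            },
        }
    }
})

if __name__ == "__main__":
    for label, findings in [("weak terraform", check_terraform(WEAK_TF)),
                            ("hardened terraform", check_terraform(HARDENED_TF)),
                            ("cloudformation", check_cloudformation(CFN_TEMPLATE, "Trail"))]:
        print(label, findings or "OK")
```

The checker treats an absent setting the same as a false one, which matches the provider defaults: neither enable_log_file_validation nor is_multi_region_trail is on unless set, and a trail without kms_key_id is delivered without a customer managed key. Running it prints three findings for the weak block, none for the hardened one, and two for the CloudFormation trail.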
Parameters
arn (optional, computed) - string
cloud_watch_logs_group_arn (optional) - string
cloud_watch_logs_role_arn (optional) - string
enable_log_file_validation (optional) - bool
enable_logging (optional) - bool
home_region (optional, computed) - string
id (optional, computed) - string
include_global_service_events (optional) - bool
is_multi_region_trail (optional) - bool
is_organization_trail (optional) - bool
kms_key_id (optional) - string
name (required) - string
s3_bucket_name (required) - string
s3_key_prefix (optional) - string
sns_topic_name (optional) - string
tags (optional) - map from string to string
event_selector (list block)
  include_management_events (optional) - bool
  read_write_type (optional) - string
  data_resource (list block)
insight_selector (list block)
  insight_type (required) - string
Explanation in Terraform Registry
Provides a CloudTrail resource. -> Tip: For a multi-region trail, this resource must be in the home region of the trail. -> Tip: For an organization trail, this resource must be in the master account of the organization.
AWS::CloudTrail::Trail (CloudFormation)
A CloudTrail trail can be configured in CloudFormation with the resource name AWS::CloudTrail::Trail. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
MyTrail1:
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: True
    IsMultiRegionTrail: False   # single-region trail
    S3BucketName: String        # type placeholder from the template skeleton
MyTrail1:
  Type: AWS::CloudTrail::Trail
  Properties:
    S3BucketName:
      Ref: S3Bucket
    IsLogging: false          # trail is defined but not recording
    IsMultiRegionTrail: true
  "ResourceType": "AWS::CloudTrail::Trail",
  "ResourceId": "S3-DataEvents"
},
"OrderingTimestamp": {
  "__class__": "datetime",
  "year": 2020,
"Type" : "AWS::CloudTrail::Trail",
"Condition" : "PrefixBucket",
"Properties" : {
  "IncludeGlobalServiceEvents" : "True",
  "IsLogging" : "True",
  "S3BucketName" : { "Ref" : "S3BucketName" }
}
Parameters
CloudWatchLogsLogGroupArn (optional) - String
CloudWatchLogsRoleArn (optional) - String
EnableLogFileValidation (optional) - Boolean
EventSelectors (optional) - List of EventSelector
IncludeGlobalServiceEvents (optional) - Boolean
IsLogging (required) - Boolean
IsMultiRegionTrail (optional) - Boolean
IsOrganizationTrail (optional) - Boolean
KMSKeyId (optional) - String
S3BucketName (required) - String
S3KeyPrefix (optional) - String
SnsTopicName (optional) - String
Tags (optional) - List of Tag
TrailName (optional) - String
InsightSelectors (optional) - List of InsightSelector
Explanation in CloudFormation Registry
Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket.
Frequently asked questions
What is AWS CloudTrail Cloudtrail?
AWS CloudTrail Cloudtrail is a resource for CloudTrail of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS CloudTrail Cloudtrail?
For Terraform, the storebot/pr_demo_flat, kanchwala-yusuf/aws-terraform and snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the sprathod369/iac-example, melscoop-test/check and bridgecrewio/checkov source code examples are useful. See the CloudFormation Example section for further details.