AWS CloudTrail Cloudtrail
This page shows how to write Terraform and CloudFormation definitions for a CloudTrail trail and how to configure them securely.
aws_cloudtrail (Terraform)
The Cloudtrail in CloudTrail can be configured in Terraform with the resource name aws_cloudtrail. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_cloudtrail" "missing-multi-region" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "some-s3-bucket"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
}

resource "aws_cloudtrail" "allowed" {
  # name and s3_bucket_name are required by the provider; the source fixture
  # omits them, so the values from the first example are reused here.
  name                       = "tf-trail-foobar"
  s3_bucket_name             = "some-s3-bucket"
  enable_log_file_validation = true
  is_multi_region_trail      = true
  cloud_watch_logs_group_arn = "arn:1234"
  kms_key_id                 = "arn:124"
}

resource "aws_cloudtrail" "allowed" {
  # required arguments added as above; the ARN values are fixture placeholders
  name                       = "tf-trail-foobar"
  s3_bucket_name             = "some-s3-bucket"
  cloud_watch_logs_group_arn = "some-arn:*"
  kms_key_id                 = "arn:1234"
  enable_log_file_validation = true
  is_multi_region_trail      = true
}

resource "aws_cloudtrail" "object_logging_enabled" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "nwm-cloudtrail-logs"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
  event_selector {
    # the body of the event selector is truncated in the source snippet
  }
}
Security Best Practices for aws_cloudtrail
There are 3 settings in aws_cloudtrail that should be taken care of for security reasons. The following sections give an overview and example code for each.
Ensure to enable CloudTrail log validation
Enable CloudTrail log file validation (enable_log_file_validation = true): it lets you detect whether delivered log files were modified or deleted after CloudTrail wrote them.
Ensure to enable at rest encryption of CloudTrail
Enable at-rest encryption of CloudTrail log files by specifying a KMS key (kms_key_id).
Ensure to enable CloudTrail in All Regions
Log activity in all regions (is_multi_region_trail = true), regardless of where the main AWS resources are homed.
Parameters
arn: optional, computed, string
cloud_watch_logs_group_arn: optional, string
cloud_watch_logs_role_arn: optional, string
enable_log_file_validation: optional, bool
enable_logging: optional, bool
home_region: optional, computed, string
id: optional, computed, string
include_global_service_events: optional, bool
is_multi_region_trail: optional, bool
is_organization_trail: optional, bool
kms_key_id: optional, string
name: required, string
s3_bucket_name: required, string
s3_key_prefix: optional, string
sns_topic_name: optional, string
tags: optional, map from string to string
event_selector: list block
    include_management_events: optional, bool
    read_write_type: optional, string
    data_resource: list block
insight_selector: list block
    insight_type: required, string
Explanation in Terraform Registry
Provides a CloudTrail resource.
Tip: For a multi-region trail, this resource must be in the home region of the trail.
Tip: For an organization trail, this resource must be in the master account of the organization.
AWS::CloudTrail::Trail (CloudFormation)
The Trail in CloudTrail can be configured in CloudFormation with the resource name AWS::CloudTrail::Trail. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
MyTrail1:
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: True
    IsMultiRegionTrail: False
    S3BucketName: String

MyTrail1:
  Type: AWS::CloudTrail::Trail
  Properties:
    S3BucketName:
      Ref: S3Bucket
    IsLogging: false
    IsMultiRegionTrail: true

"ResourceType": "AWS::CloudTrail::Trail",
"ResourceId": "S3-DataEvents"
},
"OrderingTimestamp": {
"__class__": "datetime",
"year": 2020,

"Type" : "AWS::CloudTrail::Trail",
"Condition" : "PrefixBucket",
"Properties" : {
"IncludeGlobalServiceEvents" : "True",
"IsLogging" : "True",
"S3BucketName" : { "Ref" : "S3BucketName" },
Parameters
CloudWatchLogsLogGroupArn: optional, String
CloudWatchLogsRoleArn: optional, String
EnableLogFileValidation: optional, Boolean
EventSelectors: optional, List of EventSelector
IncludeGlobalServiceEvents: optional, Boolean
IsLogging: required, Boolean
IsMultiRegionTrail: optional, Boolean
IsOrganizationTrail: optional, Boolean
KMSKeyId: optional, String
S3BucketName: required, String
S3KeyPrefix: optional, String
SnsTopicName: optional, String
Tags: optional, List of Tag
TrailName: optional, String
InsightSelectors: optional, List of InsightSelector
Explanation in CloudFormation Registry
Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket.
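The three settings from the Security Best Practices section (log file validation, a KMS key for at-rest encryption, multi-region logging) map one-to-one onto the CloudFormation properties listed above (EnableLogFileValidation, KMSKeyId, IsMultiRegionTrail). The following is an added example, not code from this page or from any of the repositories it links, that evaluates both kinds of definition against those three checks. It assumes Terraform resources arrive as already-parsed attribute dicts (no HCL parser is used) and CloudFormation templates as JSON text; the sample inputs are constructed from the page's snippets, and the logical ids TrailKey and HardenedTrail are placeholders.

```python
"""Check CloudTrail trail definitions for the three hardening settings."""
import json

# Attribute names differ between Terraform and CloudFormation; the checks do not.
TERRAFORM_KEYS = {
    "validation": "enable_log_file_validation",
    "kms": "kms_key_id",
    "multi_region": "is_multi_region_trail",
}
CLOUDFORMATION_KEYS = {
    "validation": "EnableLogFileValidation",
    "kms": "KMSKeyId",
    "multi_region": "IsMultiRegionTrail",
}
REMEDIATION = {
    "validation": "enable log file validation so tampering with delivered logs is detectable",
    "kms": "set a KMS key so trail logs are encrypted at rest with a key you control",
    "multi_region": "make the trail multi-region so activity in every region is logged",
}


def is_true(value):
    """CloudFormation templates may carry booleans as the strings "True"/"true"
    (as in the page's JSON snippet); Terraform uses real booleans."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def check_trail(props, keys):
    """Return the ids of the checks that fail for one trail definition."""
    failures = []
    if not is_true(props.get(keys["validation"])):
        failures.append("validation")
    # A missing key or empty string fails; an intrinsic such as {"Ref": ...} counts as set.
    if not props.get(keys["kms"]):
        failures.append("kms")
    if not is_true(props.get(keys["multi_region"])):
        failures.append("multi_region")
    return failures


def check_terraform(resources):
    """resources: {resource label: attribute dict} for aws_cloudtrail resources."""
    return {label: check_trail(attrs, TERRAFORM_KEYS) for label, attrs in resources.items()}


def check_cloudformation(template_json):
    """Scan every AWS::CloudTrail::Trail resource in a JSON CloudFormation template."""
    template = json.loads(template_json)
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::CloudTrail::Trail":
            results[logical_id] = check_trail(resource.get("Properties", {}), CLOUDFORMATION_KEYS)
    return results


def report(results):
    """Human-readable findings, one line per failed check, with its remediation."""
    lines = []
    for name, failures in results.items():
        if not failures:
            lines.append(f"{name}: OK")
        for check in failures:
            lines.append(f"{name}: FAIL {check}: {REMEDIATION[check]}")
    return lines


# Constructed sample input mirroring the page's Terraform snippets.
SAMPLE_TERRAFORM = {
    "missing-multi-region": {
        "name": "tf-trail-foobar",
        "s3_bucket_name": "some-s3-bucket",
        "include_global_service_events": False,
    },
    "allowed": {
        "enable_log_file_validation": True,
        "is_multi_region_trail": True,
        "cloud_watch_logs_group_arn": "arn:1234",
        "kms_key_id": "arn:124",
    },
}

# Constructed JSON template: a trail like the page's MyTrail1 and a hardened one
# (HardenedTrail and TrailKey are placeholder logical ids).
SAMPLE_CLOUDFORMATION = json.dumps({
    "Resources": {
        "MyTrail1": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {"IsLogging": True, "IsMultiRegionTrail": False, "S3BucketName": "String"},
        },
        "HardenedTrail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {
                "IsLogging": "True",
                "IsMultiRegionTrail": "True",
                "EnableLogFileValidation": "True",
                "KMSKeyId": {"Ref": "TrailKey"},
                "S3BucketName": {"Ref": "S3Bucket"},
            },
        },
        "S3Bucket": {"Type": "AWS::S3::Bucket"},
    }
})

if __name__ == "__main__":
    for line in report(check_terraform(SAMPLE_TERRAFORM)):
        print(line)
    for line in report(check_cloudformation(SAMPLE_CLOUDFORMATION)):
        print(line)
```

Run as a script it prints three FAIL lines for missing-multi-region and MyTrail1 and OK for the two hardened trails. The string-aware is_true matters in practice: a template that writes IsMultiRegionTrail: "false" would otherwise be treated as truthy and the check would pass silently.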
Frequently asked questions
What is AWS CloudTrail Cloudtrail?
AWS CloudTrail Cloudtrail is a resource of the CloudTrail service in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS CloudTrail Cloudtrail?
For Terraform, the storebot/pr_demo_flat, kanchwala-yusuf/aws-terraform and snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the sprathod369/iac-example, melscoop-test/check and bridgecrewio/checkov source code examples are useful. See the CloudFormation Example section for further details.