AWS CloudTrail Cloudtrail

This page shows how to write Terraform and CloudFormation for CloudTrail Cloudtrail and write them securely.

aws_cloudtrail (Terraform)

The Cloudtrail in CloudTrail can be configured in Terraform with the resource name aws_cloudtrail. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

cloudtrail.tf#L1
resource "aws_cloudtrail" "missing-multi-region" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "some-s3-bucket"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
}
aws_cloudtrail.tf#L5
resource "aws_cloudtrail" "missing-multi-region" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "some-s3-bucket"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
}
aws_cloudtrail_multiregion.tf#L1
resource "aws_cloudtrail" "allowed" {
  enable_log_file_validation = true
  is_multi_region_trail      = true
  cloud_watch_logs_group_arn = "arn:1234"
  kms_key_id                 = "arn:124"
}
aws_cloudtrail_to_cloudwatch.tf#L1
resource "aws_cloudtrail" "allowed" {
  cloud_watch_logs_group_arn = "some-arn:*"
  kms_key_id                 = "arn:1234"
  enable_log_file_validation = true
  is_multi_region_trail      = true
}
test.tf#L1
resource "aws_cloudtrail" "object_logging_enabled" {
  name                          = "tf-trail-foobar"
  s3_bucket_name                = "nwm-cloudtrail-logs"
  s3_key_prefix                 = "prefix"
  include_global_service_events = false
  event_selector {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_cloudtrail

There are 3 settings in aws_cloudtrail that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure to enable CloudTrail log validation

It is better to enable the CloudTrail log file validation allows us to detect invalid states of the logs.

risk-label

Ensure to enable at rest encryption of CloudTrail

It is better to enable at rest encryption of CloudTrail.

risk-label

Ensure to enable CloudTrail in All Regions

It is better to log activities in all regions regardless of where the main AWS resources are homed.

Review your AWS CloudTrail settings

You can check if the aws_cloudtrail setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Provides a CloudTrail resource. -> Tip: For a multi-region trail, this resource must be in the home region of the trail. -> Tip: For an organization trail, this resource must be in the master account of the organization.

AWS::CloudTrail::Trail (CloudFormation)

The Trail in CloudTrail can be configured in CloudFormation with the resource name AWS::CloudTrail::Trail. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

CloudtrailMultiRegion-FAILED.yaml#L4
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: True
      IsMultiRegionTrail: False
      S3BucketName: String
  MyTrail1:
CloudtrailMultiRegion-FAILED.yaml#L4
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: True
      IsMultiRegionTrail: False
      S3BucketName: String
  MyTrail1:
CloudtrailMultiRegion-FAILED.yaml#L4
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: True
      IsMultiRegionTrail: False
      S3BucketName: String
  MyTrail1:
positive1.yaml#L11
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      IsLogging: false
      IsMultiRegionTrail: true
positive1.yaml#L11
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      IsLogging: false
      IsMultiRegionTrail: true
config.GetComplianceDetailsByConfigRule_1.json#L9
                        "ResourceType": "AWS::CloudTrail::Trail",
                        "ResourceId": "S3-DataEvents"
                    },
                    "OrderingTimestamp": {
                        "__class__": "datetime",
                        "year": 2020,
config.GetComplianceDetailsByConfigRule_1.json#L9
                        "ResourceType": "AWS::CloudTrail::Trail",
                        "ResourceId": "S3-DataEvents"
                    },
                    "OrderingTimestamp": {
                        "__class__": "datetime",
                        "year": 2020,
config.GetComplianceDetailsByConfigRule_1.json#L9
                        "ResourceType": "AWS::CloudTrail::Trail",
                        "ResourceId": "S3-DataEvents"
                    },
                    "OrderingTimestamp": {
                        "__class__": "datetime",
                        "year": 2020,
cloudtrail-enable.json#L24
            "Type" : "AWS::CloudTrail::Trail",
            "Condition" : "PrefixBucket",
            "Properties" : {
                "IncludeGlobalServiceEvents" : "True",
                "IsLogging" : "True",
                "S3BucketName" : { "Ref" : "S3BucketName" },
528884874493_Config_us-east-1_ConfigHistory_AWS__CloudTrail__Trail_20170622T202436Z_20170622T202436Z_1.json#L1

Parameters

Explanation in CloudFormation Registry

Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket.

Frequently asked questions

What is AWS CloudTrail Cloudtrail?

AWS CloudTrail Cloudtrail is a resource for CloudTrail of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS CloudTrail Cloudtrail?

For Terraform, the storebot/pr_demo_flat, kanchwala-yusuf/aws-terraform and snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the bridgecrewio/checkov, melscoop-test/check and sprathod369/iac-example source code examples are useful. See the CloudFormation Example section for further details.