Overview

This configuration enables AWS CloudTrail in an AWS account, with optional settings such as log encryption, log file validation and log forwarding to CloudWatch Logs. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

The configuration templates also include the following options:

  • Create a new S3 Bucket (default) to store CloudTrail logs or enter the name of an existing S3 bucket.
  • Enable forwarding to a CloudWatch log group, and optionally create a new CloudWatch log group to store CloudTrail logs together with the IAM role required for this (or specify an existing CloudWatch log group and IAM role).

Configuration Templates

AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
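  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    # The bucket policy must be in place before CloudTrail can deliver to the bucket.
    DependsOn: S3BucketPolicy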
    Properties:
      TrailName: ManagementEventsTrail
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: All
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: S3BucketForCloudTrail
  S3BucketForCloudTrail:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: ''  # bucket name entered when customizing the template
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: S3BucketForCloudTrail
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource:
              'Fn::Sub': 'arn:aws:s3:::${S3BucketForCloudTrail}'
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource:
              'Fn::Sub': 'arn:aws:s3:::${S3BucketForCloudTrail}/AWSLogs/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
Parameters: {}
Metadata: {}
Conditions: {}
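
The following is an added example, not part of the original template or of AWS's own code: a small static check that reads a parsed CloudFormation template and reports which of the settings described above (log file validation, multi-region logging, KMS log encryption, CloudWatch Logs forwarding, the bucket-owner-full-control delivery condition) are missing. The function name and the sample dictionary are assumptions made for illustration; the property names are those of AWS::CloudTrail::Trail.

```python
# Added example (not from the original page): static checks on a parsed
# CloudFormation template for the CloudTrail settings described above.

def _as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_cloudtrail_template(template):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::CloudTrail::Trail":
            for key in ("IsLogging", "EnableLogFileValidation", "IsMultiRegionTrail"):
                if props.get(key) is not True:
                    findings.append(f"{name}: {key} is not true")
            if not props.get("KMSKeyId"):
                findings.append(f"{name}: KMSKeyId is not set (no KMS log encryption)")
            # Forwarding needs both the log group ARN and the IAM role ARN.
            cw = [bool(props.get(k)) for k in
                  ("CloudWatchLogsLogGroupArn", "CloudWatchLogsRoleArn")]
            if any(cw) and not all(cw):
                findings.append(f"{name}: CloudWatch log group and role must be set together")
            elif not any(cw):
                findings.append(f"{name}: CloudWatch Logs forwarding is not configured")
        elif res.get("Type") == "AWS::S3::BucketPolicy":
            statements = _as_list(props.get("PolicyDocument", {}).get("Statement", []))
            for stmt in statements:
                if stmt.get("Effect") != "Allow":
                    continue
                if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
                    continue
                acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                if acl != "bucket-owner-full-control":
                    findings.append(f"{name}: s3:PutObject allowed without the "
                                    "bucket-owner-full-control ACL condition")
    return findings

# Constructed sample mirroring the trail properties of the template on this page.
SAMPLE = {"Resources": {"CloudTrail": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {"TrailName": "ManagementEventsTrail", "IsLogging": True,
                   "EnableLogFileValidation": True, "IsMultiRegionTrail": True,
                   "IncludeGlobalServiceEvents": True}}}}

if __name__ == "__main__":
    for finding in audit_cloudtrail_template(SAMPLE):
        print(finding)
```

Run against the base template, the check reports the two optional settings the page lists but the template does not yet set: KMS encryption and CloudWatch Logs forwarding.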


Sources and Documentation

Configuration Source: AWS Documentation
