Upcoming Features

Overview

Configuration to enable AWS CloudTrail in an AWS account for logging Lambda Data Events. Data Events for AWS Lambda record function execution activity (the Invoke API)

Configuration templates also include the following:

  • Create a new S3 bucket (default) to store CloudTrail logs or enter the name of an existing S3 bucket.
  • Create a CloudWatch Log Group to store CloudTrail logs, and the IAM Role required for this (Or specify an existing CloudWatch log group and IAM role). 
  • Include Management Events (AWS services' control plane activity) in an AWS Account.
  • Include Data Events for Lambda and/or S3 to record data plane operations
  • Additional CloudTrail settings:
    • Log File Validation
    • Log Encryption with KMS

Configuration Templates

Items
3
Size
1.7 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    Properties:
      TrailName: GlobalLambdaDataEventsTrail
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - DataResources:
            - Type: 'AWS::Lambda::Function'
              Values:
                - 'arn:aws:lambda'
          ReadWriteType: All
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: S3BucketForCloudTrail
    DependsOn: S3BucketPolicy
  S3BucketForCloudTrail:
    Type: 'AWS::S3::Bucket'
    Properties: {}
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: S3BucketForCloudTrail
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource:
              'Fn::GetAtt':
                - S3BucketForCloudTrail
                - Arn
          - Sid: ' AWSConfigBucketDelivery'
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource:
              'Fn::Join':
                - ''
                - - 'Fn::GetAtt':
                      - S3BucketForCloudTrail
                      - Arn
                  - /AWSLogs/*
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

 
 
* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: