My Saved Presets
You must be logged in to view saved presets

Loading Library ...

S3 Data Event Logging with CloudTrail

Configuration to enable AWS CloudTrail in an AWS account for logging S3 Data Events. Data Events for Amazon S3 record object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations)

Configuration templates also include the following:

  • Create a new S3 bucket (default) to store CloudTrail logs or enter the name of an existing S3 bucket.
  • Create a CloudWatch Log Group to store CloudTrail logs, and the IAM Role required for this (Or specify an existing CloudWatch log group and IAM role). 
  • Include Management Events (AWS services' control plane activity) in an AWS Account.
  • Include Data Events for Lambda, DynamoDB, and/or S3 to record data plane operations
  • Additional CloudTrail settings:
    • Log File Validation
    • Log Encryption with KMS
  • Organization Trail: Creates this trail for the whole AWS Organization. When this option is enabled, the configuration should be deployed in the Orgaizations' management account
Items
3
Size
1.7 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    Properties:
      TrailName: GlobalS3DataEventsTrail
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - DataResources:
            - Type: 'AWS::S3::Object'
              Values:
                - 'arn:aws:s3:::'
          ReadWriteType: All
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: S3BucketForCloudTrailCloudTrail
    DependsOn: S3BucketPolicy
  S3BucketForCloudTrailCloudTrail:
    Type: 'AWS::S3::Bucket'
    Properties: {}
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: S3BucketForCloudTrailCloudTrail
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource:
              'Fn::GetAtt':
                - S3BucketForCloudTrailCloudTrail
                - Arn
          - Sid: ' AWSConfigBucketDelivery'
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource:
              'Fn::Join':
                - ''
                - - 'Fn::GetAtt':
                      - S3BucketForCloudTrailCloudTrail
                      - Arn
                  - /AWSLogs/*
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Trail Settings

 
 
 

S3 Bucket Settings

CloudWatch Settings

* Required field

© 2024 asecurecloud. All rights reserved.