Overview

Configuration to enable AWS CloudTrail including configuration to stream CloudTrail events to CloudWatch Logs. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

Configuration templates also incldues the following:

  • Create a new S3 bucket (default) to store CloudTrail logs or enter the name of an existing S3 bucket.
  • Create a CloudWatch Log Group to store CloudTrail logs, and the IAM Role required for this (Or specify an existing CloudWatch log group and IAM role). 

Configuration Templates

Items
5
Size
2.2 KB
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    Properties:
      TrailName: ManagementEventsTrail
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: All
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: S3BucketForCloudTrail
      CloudWatchLogsLogGroupArn:
        'Fn::GetAtt':
          - CloudWatchLogGroup
          - Arn
      CloudWatchLogsRoleArn:
        'Fn::GetAtt':
          - IamRoleForCwLogs
          - Arn
  S3BucketForCloudTrail:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: ''
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: ''
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource: 'arn:aws:s3:::'
          - Sid: ' AWSConfigBucketDelivery'
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource: 'arn:aws:s3:::/AWSLogs/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
  CloudWatchLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: CloudTrailLogs
  IamRoleForCwLogs:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: iamRoleCloudTrailToCloudWatchLogs
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: allow-access-to-cw-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Cf Template
* Required field

Sources and Documentation

Configuration Source: AWS Documentation

Additional Documentation: