Configuration to enable AWS CloudTrail including configuration to stream CloudTrail events to CloudWatch Logs. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

 
Tags
CloudWatch logs
Items
5
Size
2.2 KB
Missing Parameters
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudTrail:
    Type: 'AWS::CloudTrail::Trail'
    Properties:
      TrailName: ManagementEventsTrail
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: All
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: S3BucketForCloudTrail
      CloudWatchLogsLogGroupArn:
        'Fn::GetAtt':
          - CloudWatchLogGroup
          - Arn
      CloudWatchLogsRoleArn:
        'Fn::GetAtt':
          - IamRoleForCwLogs
          - Arn
  S3BucketForCloudTrail:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: ''
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: ''
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:GetBucketAcl'
            Resource: 'arn:aws:s3:::'
          - Sid: ' AWSConfigBucketDelivery'
            Effect: Allow
            Principal:
              Service:
                - cloudtrail.amazonaws.com
            Action: 's3:PutObject'
            Resource: 'arn:aws:s3:::/AWSLogs/*'
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
  CloudWatchLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: CloudTrailLogs
  IamRoleForCwLogs:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: iamRoleCloudTrailToCloudWatchLogs
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: allow-access-to-cw-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
Parameters: {}
Metadata: {}
Conditions: {}

Customize Cf Template
* Required field