Configuration to enable AWS CloudTrail, including the settings needed to stream CloudTrail events to CloudWatch Logs. CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, the AWS SDKs, command-line tools, and other AWS services; delivering those events to CloudWatch Logs is what makes near-real-time alerting on them possible.
The generated CloudFormation template is as follows:
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  CloudTrail:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      TrailName: "ManagementEventsTrail"
      IsLogging: true
      # Digest files let you verify that delivered log files were not modified or deleted.
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: "All"
      # Record activity in every region, plus global services such as IAM and STS.
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: "S3BucketForCloudTrailCloudTrail"
      # This property takes the log group's ARN, not its name, so the group is
      # declared as a resource below and referenced with Fn::GetAtt.
      CloudWatchLogsLogGroupArn:
        Fn::GetAtt:
          - "CloudWatchLogGroupForCloudTrail"
          - "Arn"
      CloudWatchLogsRoleArn:
        Fn::GetAtt:
          - "IamRoleForCwLogsCloudTrail"
          - "Arn"
    # The bucket policy must exist before CloudTrail validates the bucket.
    DependsOn: "S3BucketPolicy"
  CloudWatchLogGroupForCloudTrail:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "CloudTrailLogs"
  S3BucketForCloudTrailCloudTrail:
    Type: "AWS::S3::Bucket"
    Properties: {}
  S3BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: "S3BucketForCloudTrailCloudTrail"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailBucketPermissionsCheck"
            Effect: "Allow"
            Principal:
              Service:
                - "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource:
              Fn::GetAtt:
                - "S3BucketForCloudTrailCloudTrail"
                - "Arn"
          # Sid values may not contain spaces; the generated " AWSConfigBucketDelivery"
          # (a leftover from the AWS Config bucket policy) is renamed here.
          - Sid: "AWSCloudTrailWrite"
            Effect: "Allow"
            Principal:
              Service:
                - "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource:
              Fn::Join:
                - ""
                -
                  - Fn::GetAtt:
                      - "S3BucketForCloudTrailCloudTrail"
                      - "Arn"
                  - "/AWSLogs/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  IamRoleForCwLogsCloudTrail:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "allow-access-to-cw-logs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                # Scoped to the trail's own log group (its ARN ends in ":*", which
                # covers the log streams CloudTrail creates) instead of "*".
                Resource:
                  Fn::GetAtt:
                    - "CloudWatchLogGroupForCloudTrail"
                    - "Arn"
Parameters: {}
Metadata: {}
Conditions: {}
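The template above turns on a specific set of trail properties (logging enabled, multi-region, global service events, log file validation, CloudWatch Logs delivery, and an event selector covering all management events). The following audit script, added here as an example and not part of the page or its generator, checks a deployed trail against that same baseline. The input dicts mirror the shape of boto3's `describe_trails`, `get_trail_status` and `get_event_selectors` responses; the sample values, account id and ARNs are constructed, and the optional live fetch at the bottom assumes boto3 and AWS credentials are available.

```python
"""Audit a CloudTrail trail against the baseline the template above enables.

Added example; the sample data below is constructed and only mirrors the
shape of boto3's CloudTrail API responses.
"""

# Constructed sample shaped like describe_trails()["trailList"][0] for a
# trail that matches the template.
GOOD_TRAIL = {
    "Name": "ManagementEventsTrail",
    "S3BucketName": "example-cloudtrail-bucket",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": True,
    "HomeRegion": "us-east-1",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/ManagementEventsTrail",
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrailLogs:*",
    "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/IamRoleForCwLogsCloudTrail",
}
GOOD_STATUS = {"IsLogging": True}  # shape of get_trail_status()
GOOD_SELECTORS = [  # shape of get_event_selectors()["EventSelectors"]
    {"ReadWriteType": "All", "IncludeManagementEvents": True},
]

# Constructed sample of a trail that drifted from the baseline: stopped, single
# region, no digest validation, no CloudWatch Logs delivery, write-only events.
WEAK_TRAIL = {
    "Name": "LegacyTrail",
    "S3BucketName": "example-legacy-bucket",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": False,
    "HomeRegion": "us-east-1",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/LegacyTrail",
    "LogFileValidationEnabled": False,
}
WEAK_STATUS = {"IsLogging": False}
WEAK_SELECTORS = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]


def audit_trail(trail, status, selectors):
    """Return a list of finding strings; an empty list means the trail matches the baseline."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("IsLogging is false: the trail is not recording events")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("IsMultiRegionTrail is false: activity in other regions is not captured")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("IncludeGlobalServiceEvents is false: IAM, STS and other global events are missed")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("LogFileValidationEnabled is false: no digest files to detect log tampering")
    if not (trail.get("CloudWatchLogsLogGroupArn") and trail.get("CloudWatchLogsRoleArn")):
        findings.append("CloudWatch Logs delivery is not configured: no near-real-time alerting path")
    covers_all_management = any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All" for s in selectors
    )
    if not covers_all_management:
        findings.append("no event selector records all management events (ReadWriteType=All)")
    return findings


def audit_live_trail(trail_name, region_name="us-east-1"):
    """Fetch a real trail with boto3 and audit it. Assumes boto3 and credentials are present."""
    import boto3  # imported here so the offline samples above need no SDK

    client = boto3.client("cloudtrail", region_name=region_name)
    trail = client.describe_trails(trailNameList=[trail_name])["trailList"][0]
    status = client.get_trail_status(Name=trail_name)
    selectors = client.get_event_selectors(TrailName=trail_name).get("EventSelectors", [])
    return audit_trail(trail, status, selectors)


if __name__ == "__main__":
    for label, args in (("good", (GOOD_TRAIL, GOOD_STATUS, GOOD_SELECTORS)),
                        ("weak", (WEAK_TRAIL, WEAK_STATUS, WEAK_SELECTORS))):
        result = audit_trail(*args)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run against the constructed samples the trail that matches the template produces no findings and the drifted trail produces five; `audit_live_trail("ManagementEventsTrail")` applies the same checks to a trail in your account. Trails created without explicit event selectors return a default selector, so the management-events check also passes on a trail that never called `PutEventSelectors`.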