By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSIAM PoliciesAmazon ECRRDS Event Subscriptions

By Service Protected

Configuration Packages

Strategy Guides

Other

Logging & Monitoring Configurations

AWS CloudTrail with CloudWatch Logs Integration

Configuration to enable AWS CloudTrail including configuration to stream CloudTrail events to CloudWatch Logs. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services.

Configuration templates also include the following:

  • Create a new S3 bucket (default) to store CloudTrail logs or enter the name of an existing S3 bucket.
  • Create a CloudWatch Log Group to store CloudTrail logs, and the IAM Role required for this (Or specify an existing CloudWatch log group and IAM role). 
  • Include Data Events for Lambda and/or S3 to record data plane operations
  • Additional CloudTrail settings:
    • Log File Validation
    • Log Encryption with KMS
Items
5
Size
2.6 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  CloudTrail:
    Type: "AWS::CloudTrail::Trail"
    Properties:
      TrailName: "ManagementEventsTrail"
      IsLogging: true
      EnableLogFileValidation: true
      EventSelectors:
        - IncludeManagementEvents: true
          ReadWriteType: "All"
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      S3BucketName:
        Ref: "S3BucketForCloudTrailCloudTrail"
      CloudWatchLogsLogGroupArn:
        Fn::GetAtt:
          - "CloudWatchLogGroupCloudTrail"
          - "Arn"
      CloudWatchLogsRoleArn:
        Fn::GetAtt:
          - "IamRoleForCwLogsCloudTrail"
          - "Arn"
    DependsOn: "S3BucketPolicy"
  S3BucketForCloudTrailCloudTrail:
    Type: "AWS::S3::Bucket"
    Properties: {}
  S3BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: "S3BucketForCloudTrailCloudTrail"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AWSCloudTrailBucketPermissionsCheck"
            Effect: "Allow"
            Principal:
              Service:
                - "cloudtrail.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource:
              Fn::GetAtt:
                - "S3BucketForCloudTrailCloudTrail"
                - "Arn"
          - Sid: " AWSConfigBucketDelivery"
            Effect: "Allow"
            Principal:
              Service:
                - "cloudtrail.amazonaws.com"
            Action: "s3:PutObject"
            Resource:
              Fn::Join:
                - ""
                -
                  - Fn::GetAtt:
                      - "S3BucketForCloudTrailCloudTrail"
                      - "Arn"
                  - "/AWSLogs/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: "bucket-owner-full-control"
  CloudWatchLogGroupCloudTrail:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: "CloudTrailLogs"
  IamRoleForCwLogsCloudTrail:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              Service: "cloudtrail.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "allow-access-to-cw-logs"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "*"
Parameters: {}
Metadata: {}
Conditions: {}

Actions



Customize Template

Trail Settings

 
 
 

S3 Bucket Settings

CloudWatch Settings

* Required field