A collection of configuration templates for AWS CloudTrail as well as security controls for monitoring and protecting AWS CloudTrail configuration such as Config Rules, CloudWatch Alarms, EventBridge Rules, IAM policies, and more.

CloudTrail
CloudTrail Trail with S3 Bucket and CloudWatch Log Integration

This CloudFormation template creates an S3 bucket and configures it with a CloudTrail trail to capture management events. It also sets up a bucket policy to allow CloudTrail to write logs to the bucket.

Available as: CloudFormation, Terraform
Organizations CloudTrail Trail with S3 Bucket for Log Storage

This CloudFormation template creates an S3 bucket and configures it with a CloudTrail organizations trail to capture management events across all accounts in the organization. It also sets up a bucket policy to allow CloudTrail to write logs to the bucket.

Available as: CloudFormation, Terraform
CloudTrail Trail with S3 Bucket for Log Storage

This CloudFormation template creates an S3 bucket and configures it with a CloudTrail trail to capture management events. It also sets up a bucket policy to allow CloudTrail to write logs to the bucket.

Available as: CloudFormation, Terraform
CloudTrail for Logging Lambda Data Events

Creates a CloudTrail trail to log Lambda data events for all tables and store the logs in the specified S3 bucket.

Available as: CloudFormation, Terraform
CloudTrail for Logging DynamoDB Data Events

Creates a CloudTrail trail to log DynamoDB data events for all tables and store the logs in the specified S3 bucket.

Available as: CloudFormation, Terraform
CloudTrail for Logging S3 Data Events

Creates a CloudTrail trail to log global S3 data events and store the logs in the specified S3 bucket.

Available as: CloudFormation, Terraform
CloudTrail Event Data Store

This template creates a CloudTrail event data store that logs events in all regions. It enables multi-region support and event ingestion, and sets a retention period of 30 days. It also enables organization-wide event logging if the AWS partition is not 'aws-cn'. The event data store is not protected from termination and uses a specified KMS key for encryption. It includes tags for identification and advanced event selectors that filter events by event category.

Available as: CloudFormation, Terraform
CloudTrail Channel Definition

This template creates a CloudTrail channel for a CloudTrail Lake integration with an event source outside of AWS. The channel is created with the specified name, source, destinations, and tags. The channel ARN is returned as an output.

Available as: CloudFormation, Terraform
CloudTrail Resource Policy

This template creates a resource policy that allows a specific AWS account to call `PutAuditEvents` on a CloudTrail channel. The resource policy is attached to the CloudTrail channel specified by the resource ARN. The policy is defined using a JSON object.

Available as: CloudFormation, Terraform
Config Rule
CloudTrail Enabled Check

Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use.

Available as: CloudFormation, Terraform, AWS CLI
CloudTrail's S3 Bucket Access Logging Enabled Check

Evaluates whether access logging is enabled on the CloudTrail S3 bucket and that the bucket is not publicly accessible.

Available as: CloudFormation, Terraform, AWS CLI
CloudTrail Multi-Region Trail Enabled Check

A config rule that checks that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if the trails do not match the input parameters.

Available as: CloudFormation, Terraform, AWS CLI
CloudTrail to CloudWatch Logs Enabled Check

A config rule that checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty.

Available as: CloudFormation, Terraform, AWS CLI
CloudTrail Encryption Enabled Check

A config rule that checks whether AWS CloudTrail is configured to use server-side encryption (SSE) with an AWS Key Management Service (AWS KMS) customer master key (CMK). The rule is COMPLIANT if the KmsKeyId is defined.

Available as: CloudFormation, Terraform, AWS CLI
CloudTrail Log File Validation Enabled Check

A config rule that checks whether AWS CloudTrail creates a signed digest file with its logs. AWS recommends that log file validation be enabled on all trails. The rule is NON_COMPLIANT if validation is not enabled.

Available as: CloudFormation, Terraform, AWS CLI
CloudTrail Best Practices Configured

A config rule that checks that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following: records global service events, is a multi-region trail, has log file validation enabled, is encrypted with a KMS key, records both read and write events, records management events, and does not exclude any management events.

Available as: CloudFormation, Terraform, AWS CLI