Essential Guide to AWS Governance – Part 3: Enable CloudTrail on your AWS Accounts and deliver logs to a central S3 Bucket

This post is part of my AWS Governance series of blog posts.

In this blog post we want to achieve the following goals:

  • Enable CloudTrail on all our AWS Accounts
  • Deliver logs to a central S3 Bucket located in a different AWS Account (Security and Auditing AWS Account)

To achieve the above goal, we will take the following steps:

  1. Create an S3 Bucket in the Security and Auditing AWS Account (Account ID: 111111111111) and configure the Bucket policy for it
  2. Enable CloudTrail on a project AWS Account (Account ID: 222222222222) and configure it to deliver the logs to the S3 Bucket


Create an S3 Bucket in the Security and Auditing AWS Account and configure the Bucket policy for it

Log into your Security and Auditing AWS Account and create a new S3 Bucket. In this case we give it the name “exampleauditlogs”. Make sure you enable both Read and Write on it for the current Account (111111111111). Then modify the Bucket Policy as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck201232131",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::exampleauditlogs"
    },
    {
      "Sid": "AWSCloudTrailWrite201232131",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::exampleauditlogs/AWSLogs/111111111111/*",
        "arn:aws:s3:::exampleauditlogs/Project1/AWSLogs/222222222222/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
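The policy above does two things that matter for security: it lets the CloudTrail service write only under one AWSLogs path per account, and it requires the bucket-owner-full-control ACL so the audit account, not the project account, owns every delivered object. The following script is an added example (not code from the blog post) that generates that policy for any number of project accounts and checks a policy for the mistakes that weaken it: a missing ACL condition, a resource broader than one account's AWSLogs tree, or a principal other than the CloudTrail service. Account IDs, bucket name and prefix are the constructed values from the post.

```python
"""Generate and sanity-check the audit bucket policy for cross-account CloudTrail delivery.

Added example, not code from the blog post. It generalises the policy in the
post to any number of project accounts: each project delivers under its own
prefix, the audit account itself delivers under AWSLogs/<audit-account>/, and
every PutObject grant keeps the bucket-owner-full-control condition.
"""
import json
import re

# Constructed values matching the post: the audit account owns the bucket and
# one project account (log file prefix Project1) delivers into it.
AUDIT_ACCOUNT = "111111111111"
BUCKET = "exampleauditlogs"
PROJECTS = {"Project1": "222222222222"}  # log file prefix -> project account id
CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def build_bucket_policy(bucket, audit_account, projects):
    """Return the bucket policy (as a dict) CloudTrail needs for delivery."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources = [f"{bucket_arn}/AWSLogs/{audit_account}/*"]
    for prefix, account in sorted(projects.items()):
        resources.append(f"{bucket_arn}/{prefix}/AWSLogs/{account}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": resources,
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_policy_problems(policy, bucket):
    """Check a policy against the rules the post relies on; [] means it looks right."""
    problems = []
    # Only object paths scoped to a single account's AWSLogs tree are acceptable for PutObject.
    log_path = re.compile(rf"^arn:aws:s3:::{re.escape(bucket)}(?:/[^*]+)?/AWSLogs/\d{{12}}/\*$")
    sids = [s.get("Sid") for s in policy["Statement"]]
    if len(sids) != len(set(sids)):
        problems.append("duplicate Sid values")
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") != CLOUDTRAIL_PRINCIPAL:
            problems.append(f"{sid}: principal is not the CloudTrail service")
        for res in _as_list(stmt["Resource"]):
            if not res.startswith(f"arn:aws:s3:::{bucket}"):
                problems.append(f"{sid}: resource {res} is outside bucket {bucket}")
        if "s3:PutObject" in _as_list(stmt["Action"]):
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                problems.append(f"{sid}: PutObject allowed without bucket-owner-full-control")
            for res in _as_list(stmt["Resource"]):
                if not log_path.match(res):
                    problems.append(f"{sid}: PutObject on {res} is broader than one account's AWSLogs path")
    return problems


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, AUDIT_ACCOUNT, PROJECTS)
    print(json.dumps(policy, indent=2))  # paste this into the bucket policy editor
    print("problems:", find_policy_problems(policy, BUCKET))
```

Run it as a script to print a policy you can paste into the bucket policy editor; add a second entry to PROJECTS for each additional project account, and re-run find_policy_problems on any hand-edited policy before saving it.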

Enable CloudTrail on a project AWS Account and configure it to deliver the logs to the S3 Bucket

Log into the Project1 AWS Account (222222222222) and create a new trail with the following settings, delivering to the exampleauditlogs bucket with the log file prefix Project1, so that the objects land under the path the bucket policy above allows:


Save and create the CloudTrail and you are pretty much done. All your logs are now sent to the S3 Bucket in the Security and Auditing Account.

To see the logs, log back into your Security and Auditing AWS Account, open the S3 Bucket and browse to the log files:
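What you find in the bucket is a tree of gzip-compressed JSON objects, one per delivery, keyed by prefix, account, region and date, each carrying a "Records" list of API calls. The script below is an added example (not code from the blog post) showing how to read one such object, recover the account and region from its key, and flag the records a defender cares about most in a central audit bucket: calls that stop, delete or reconfigure a trail. The object key and the two records are constructed samples in the documented shape.

```python
"""Read CloudTrail log objects from the audit bucket layout and flag events that weaken logging.

Added example, not code from the blog post. CloudTrail delivers gzip-compressed
JSON objects under <prefix>/AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/
and each object carries a "Records" list. The key and records below are
constructed samples in that shape.
"""
import gzip
import io
import json
import re

# Key layout for the paths the bucket policy allows; the leading part is the
# trail's log file prefix (Project1 in the post) and is absent for the audit account itself.
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/[^/]+\.json\.gz$"
)

# CloudTrail API calls that stop, delete or reconfigure a trail. Seeing one of
# these in the central bucket is the signal the audit account should alert on.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample: one ordinary read call and one StopLogging call, as
# delivered by the Project1 trail of account 222222222222.
SAMPLE_KEY = ("Project1/AWSLogs/222222222222/CloudTrail/us-east-1/2015/03/19/"
              "222222222222_CloudTrail_us-east-1_20150319T1205Z_constructed.json.gz")
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.02", "eventTime": "2015-03-19T12:00:01Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:user/alice", "userName": "alice"},
     "recipientAccountId": "222222222222"},
    {"eventVersion": "1.02", "eventTime": "2015-03-19T12:03:42Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:user/bob", "userName": "bob"},
     "requestParameters": {"name": "Project1Trail"},
     "recipientAccountId": "222222222222"},
]}


def sample_log_bytes():
    """Gzip the constructed records the way CloudTrail stores them in S3."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


def parse_key(key):
    """Split an object key into prefix/account/region/date; raises on an unexpected layout."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail log key: {key}")
    return m.groupdict()


def load_records(gz_bytes):
    """Decompress one log object and return its Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]


def summarize(record):
    """Pick the fields a reviewer looks at first."""
    identity = record.get("userIdentity", {})
    return {
        "time": record["eventTime"],
        "account": record.get("recipientAccountId"),
        "region": record["awsRegion"],
        "event": f"{record['eventSource']}:{record['eventName']}",
        "actor": identity.get("arn", identity.get("type")),
        "source_ip": record.get("sourceIPAddress"),
    }


def find_logging_tampering(records):
    """Return summaries of the records that changed trail configuration."""
    return [summarize(r) for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in LOGGING_TAMPER_EVENTS]


if __name__ == "__main__":
    meta = parse_key(SAMPLE_KEY)
    print(f"object from account {meta['account']} ({meta['region']}), prefix {meta['prefix']}")
    for hit in find_logging_tampering(load_records(sample_log_bytes())):
        print("ALERT", hit)
```

In practice you would feed load_records the bytes of each object downloaded from the bucket; because the objects are owned by the audit account (the bucket-owner-full-control condition above), a project account cannot rewrite or delete the records that document its own StopLogging call.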


If you have read all the way through, you may also want to know how you can use Elasticsearch to interpret all this data.

Essential Guide to AWS Governance – Part 4: Send CloudTrail logs from AWS Accounts to a central Elasticsearch Instance and visualize them using Kibana
