AWS CloudTrail Centralized logging

AWS CloudTrail is an AWS service that allows you to implement operational and risk auditing, governance, and compliance for your AWS accounts. CloudTrail records actions made by users, roles, and AWS services as events. Events include activities performed in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

CloudTrail is activated in your AWS account when you create the account and does not require any manual configuration. When an action occurs in your AWS account, it is captured as a CloudTrail event.

Creating a dedicated audit account and collecting the CloudTrail logs of every account into it is a recommended best practice if you have several accounts.

  • Turn on CloudTrail in the account that will own the destination S3 bucket (111111111111 in this example). Do not turn on CloudTrail in any other account yet. Choose "Use existing bucket" if you already have an S3 bucket created.

Note: If you are configuring this for an AWS Organization, check "Enable for all accounts in organization". This automatically turns on CloudTrail in every member account of the organization, so skip step 3.

  • Choose the event type you want to log; I will be choosing management events. Also choose the API activity that you want to log.

  • Review and create the trail.

  • Go to S3; the new bucket should have been created.

  • Turn on CloudTrail in the other accounts you want (2222222222, 3333333333, and 4444444444 in this example). Configure CloudTrail in these accounts to use the same bucket belonging to the account that you specified in step 1 (111111111111 in this example).

  • Under the Permissions tab, update the bucket policy on the destination bucket to grant cross-account permissions to CloudTrail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::myBucketName",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": [
            "arn:aws:cloudtrail:region:111111111111:trail/TrailName",
            "arn:aws:cloudtrail:region:222222222222:trail/TrailName",
            "arn:aws:cloudtrail:region:333333333333:trail/TrailName",
            "arn:aws:cloudtrail:region:444444444444:trail/TrailName"
          ]
        }
      }
    },
    {
      "Sid": "AWSCloudTrailWrite20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::myBucketName/AWSLogs/111111111111/*",
        "arn:aws:s3:::myBucketName/AWSLogs/222222222222/*",
        "arn:aws:s3:::myBucketName/AWSLogs/333333333333/*",
        "arn:aws:s3:::myBucketName/AWSLogs/444444444444/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": [
            "arn:aws:cloudtrail:region:111111111111:trail/TrailName",
            "arn:aws:cloudtrail:region:222222222222:trail/TrailName",
            "arn:aws:cloudtrail:region:333333333333:trail/TrailName",
            "arn:aws:cloudtrail:region:444444444444:trail/TrailName"
          ],
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

The aws:SourceArn condition must list the trail ARN of every account that writes to the bucket, not only the bucket owner's trail: each member account's trail presents its own ARN when it delivers logs, so a condition that names only the 111111111111 trail rejects deliveries from the other accounts. The s3:x-amz-acl condition ensures the bucket owner keeps full control of objects written by the other accounts.
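As an added example that is not part of the original post, the following Python builds the same destination-bucket policy from a list of source accounts and checks offline which trails it would allow to deliver logs. The account IDs, trail names, region and object key are placeholders constructed for the example, and the checker mirrors only the Allow/StringEquals logic used by this policy; it is not a full IAM policy simulator.

```python
"""Added example (not code from the original post): generate the CloudTrail
destination-bucket policy for a set of source accounts and check, offline,
which trail ARNs it would let deliver. Account IDs, trail names, the region
and the object key are constructed placeholders (assumption)."""
import json


def trail_arn(region, account, name):
    return f"arn:aws:cloudtrail:{region}:{account}:trail/{name}"


def build_bucket_policy(bucket, region, trails):
    """trails: {account_id: trail_name} for EVERY account that writes, the
    destination account included. Each trail ARN is listed in aws:SourceArn;
    a policy naming only the owner's trail would refuse the member trails."""
    arns = [trail_arn(region, a, n) for a, n in sorted(trails.items())]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20131101",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": arns}},
            },
            {
                "Sid": "AWSCloudTrailWrite20131101",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in sorted(trails)],
                "Condition": {
                    "StringEquals": {
                        "aws:SourceArn": arns,
                        "s3:x-amz-acl": "bucket-owner-full-control",
                    }
                },
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _resource_matches(pattern, resource):
    # Only the trailing '*' used by these policies is supported.
    return resource.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == resource


def can_put(policy, bucket, key, source_arn, acl):
    """True if some Allow statement lets cloudtrail.amazonaws.com PutObject
    `key` with request context aws:SourceArn=source_arn, s3:x-amz-acl=acl."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    context = {"aws:SourceArn": source_arn, "s3:x-amz-acl": acl}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "s3:PutObject" not in _as_list(stmt["Action"]):
            continue
        if stmt.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) in _as_list(v) for k, v in wanted.items()):
            return True
    return False


def accounts_missing_source_arn(policy, bucket):
    """Accounts whose AWSLogs/<id>/ prefix is writable via Resource but whose
    account appears in no aws:SourceArn entry: their trails would be refused."""
    prefix = f"arn:aws:s3:::{bucket}/AWSLogs/"
    missing = set()
    for stmt in policy["Statement"]:
        if "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        allowed = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn", []))
        arn_accounts = {a.split(":")[4] for a in allowed}  # account is ARN field 5
        for r in _as_list(stmt["Resource"]):
            if r.startswith(prefix):
                acct = r[len(prefix):].split("/")[0]
                if acct not in arn_accounts:
                    missing.add(acct)
    return sorted(missing)


if __name__ == "__main__":
    # Constructed placeholder values laid out like the post's four accounts.
    TRAILS = {"111111111111": "TrailName", "222222222222": "TrailName",
              "333333333333": "TrailName", "444444444444": "TrailName"}
    policy = build_bucket_policy("myBucketName", "us-east-1", TRAILS)
    print(json.dumps(policy, indent=2))
    key = "AWSLogs/222222222222/CloudTrail/us-east-1/2024/01/01/222222222222_CloudTrail_us-east-1_20240101T0000Z_x.json.gz"
    print(can_put(policy, "myBucketName", key,
                  trail_arn("us-east-1", "222222222222", "TrailName"), "bucket-owner-full-control"))
    print(accounts_missing_source_arn(policy, "myBucketName"))
```

Run `accounts_missing_source_arn` against the policy you actually attached to the bucket (for example the output of `aws s3api get-bucket-policy`) before turning on CloudTrail in the member accounts: any account it reports has a log prefix but no matching trail ARN, which is exactly the mismatch that makes trail creation in that account fail with a bucket policy error.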
