How to do it...

  1. Create a new CloudFormation template file; we're going to define the following Resources:
    • An S3 bucket for our CloudTrail log files to be stored in
    • A policy for our S3 bucket that allows the CloudTrail service to write to our bucket
    • A CloudTrail trail
  2. Define an S3 bucket like so. We don't need to give it a name; we'll add the bucket name to the list of Outputs later:
      ExampleTrailBucket:
        Type: AWS::S3::Bucket
  3. Next, we need to define a policy for our bucket. This section is a little wordy, so you may prefer to get this from the code samples instead. This policy essentially allows CloudTrail to do two things to our bucket: s3:GetBucketAcl and s3:PutObject.
      ExampleBucketPolicy:
        Type: AWS::S3::BucketPolicy
        Properties:
          Bucket: !Ref ExampleTrailBucket
          PolicyDocument:
            Statement:
              - Sid: AWSCloudTrailAclCheck20150319
                Effect: Allow
                Principal:
                  Service: cloudtrail.amazonaws.com
                Action: s3:GetBucketAcl
                Resource: !Join
                  - ""
                  -
                    - "arn:aws:s3:::"
                    - !Ref ExampleTrailBucket
              - Sid: AWSCloudTrailWrite20150319
                Effect: Allow
                Principal:
                  Service: cloudtrail.amazonaws.com
                Action: s3:PutObject
                Resource: !Join
                  - ""
                  -
                    - "arn:aws:s3:::"
                    - !Ref ExampleTrailBucket
                    - "/AWSLogs/"
                    - !Ref AWS::AccountId
                    - "/*"
                Condition:
                  StringEquals:
                    s3:x-amz-acl: bucket-owner-full-control
  4. Now we can set up our trail.
One thing to note here is that we use DependsOn to make CloudFormation create this trail only after it has created the S3 bucket and the bucket policy. If you don't do this, you'll likely encounter an error when you create the stack, because CloudTrail won't yet be able to access the bucket.
  5. Add the Trail to your template like so:
      ExampleTrail:
        Type: AWS::CloudTrail::Trail
        Properties:
          EnableLogFileValidation: true
          IncludeGlobalServiceEvents: true
          IsLogging: true
          IsMultiRegionTrail: true
          S3BucketName: !Ref ExampleTrailBucket
        DependsOn:
          - ExampleTrailBucket
          - ExampleBucketPolicy
  6. Finally, we're going to output the name of the S3 bucket where our CloudTrail logs will be stored:
      Outputs:
        ExampleBucketName:
          Value: !Ref ExampleTrailBucket
          Description: Bucket where CloudTrail logs will be stored
  7. You can go ahead and create your CloudFormation stack using the following command:
      aws cloudformation create-stack \
        --template-body file://05-auditing-your-aws-account.yaml \
        --stack-name example-cloudtrail
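As an added example that is not from the book, the following Python lint checks the template assembled in the steps above before it is deployed. The template is restated in CloudFormation's JSON syntax so no YAML library is needed, and the bucket name and account ID that the Ref intrinsics resolve to are constructed stand-ins. It flags a trail with log file validation, multi-region or global-service events turned off, a missing DependsOn, and a bucket policy that does not grant CloudTrail exactly the GetBucketAcl and account-scoped PutObject rights from step 3.

```python
# Constructed: the recipe's three resources written in CloudFormation's JSON syntax.
CT = {"Service": "cloudtrail.amazonaws.com"}
TEMPLATE = {"Resources": {
    "ExampleTrailBucket": {"Type": "AWS::S3::Bucket"},
    "ExampleBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "ExampleTrailBucket"}, "PolicyDocument": {"Statement": [
            {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow", "Principal": CT, "Action": "s3:GetBucketAcl",
             "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "ExampleTrailBucket"}]]}},
            {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow", "Principal": CT, "Action": "s3:PutObject",
             "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "ExampleTrailBucket"},
                                            "/AWSLogs/", {"Ref": "AWS::AccountId"}, "/*"]]},
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}}},
    "ExampleTrail": {"Type": "AWS::CloudTrail::Trail",
        "DependsOn": ["ExampleTrailBucket", "ExampleBucketPolicy"],
        "Properties": {"EnableLogFileValidation": True, "IncludeGlobalServiceEvents": True,
                       "IsLogging": True, "IsMultiRegionTrail": True,
                       "S3BucketName": {"Ref": "ExampleTrailBucket"}}}}}
# Constructed stand-ins for Ref targets; a real stack substitutes the generated bucket name.
REFS = {"ExampleTrailBucket": "example-trail-bucket", "AWS::AccountId": "123456789012"}

def resolve(node):
    """Reduce Ref and Fn::Join intrinsics to plain strings so ARNs can be compared."""
    if isinstance(node, dict) and "Ref" in node:
        return REFS[node["Ref"]]
    if isinstance(node, dict) and "Fn::Join" in node:
        return node["Fn::Join"][0].join(resolve(p) for p in node["Fn::Join"][1])
    return node

def lint_template(template):
    """Return findings; an empty list means the trail and bucket policy match the recipe."""
    findings, res = [], template["Resources"]
    trail, props = res["ExampleTrail"], res["ExampleTrail"]["Properties"]
    for prop in ("EnableLogFileValidation", "IncludeGlobalServiceEvents", "IsLogging", "IsMultiRegionTrail"):
        if props.get(prop) is not True:
            findings.append(f"trail: {prop} is not true")
    for dep in ("ExampleTrailBucket", "ExampleBucketPolicy"):
        if dep not in trail.get("DependsOn", []):
            findings.append(f"trail: missing DependsOn {dep}")
    bucket_arn = "arn:aws:s3:::" + resolve(props["S3BucketName"])
    stmts = res["ExampleBucketPolicy"]["Properties"]["PolicyDocument"]["Statement"]
    allowed = {s["Action"]: s for s in stmts if s["Effect"] == "Allow" and s.get("Principal") == CT}
    acl = allowed.get("s3:GetBucketAcl")
    if not acl or resolve(acl["Resource"]) != bucket_arn:
        findings.append("policy: CloudTrail lacks s3:GetBucketAcl on the bucket ARN")
    put = allowed.get("s3:PutObject")
    if not put or resolve(put["Resource"]) != f"{bucket_arn}/AWSLogs/{REFS['AWS::AccountId']}/*":
        findings.append("policy: s3:PutObject is not scoped to AWSLogs/<account-id>/*")
    elif put.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
        findings.append("policy: s3:PutObject lacks the bucket-owner-full-control ACL condition")
    return findings
```

Running lint_template(TEMPLATE) on the recipe's template returns an empty list; flipping EnableLogFileValidation to false or dropping DependsOn produces a finding for each.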