How to do it…

Follow these steps to set up a new trail with CloudFormation. A trail is a single configuration for logging audit records using CloudTrail. Multiple trails can be configured:

  1. Create a new CloudFormation template file named 05-01-CloudTrail.yml; you're going to define the following resources:
    • An S3 bucket for our CloudTrail log files to be stored in
    • A policy for our S3 bucket that allows the CloudTrail service to write to our bucket
    • A CloudTrail trail

It's actually good practice to avoid giving names to your CloudFormation resources. Let CloudFormation name them for you; by doing this, you are guaranteed to avoid naming conflicts. Use output parameters and cross-stack references instead of copying and pasting hardcoded names.

  2. First, define an S3 bucket. We don't need to give it a name; we'll add the bucket name to the list of Outputs later:

    Resources:
      ExampleTrailBucket:
        Type: AWS::S3::Bucket

  3. Next, you need to define a policy for your bucket. This section is a little wordy, so you may prefer to get this from the code samples instead. This policy essentially allows CloudTrail to do two things to our bucket: s3:GetBucketAcl (to confirm it can read the bucket's ACL) and s3:PutObject (restricted to the AWSLogs/<account-id>/ prefix, and only when the object is written with the bucket-owner-full-control ACL):

      ExampleBucketPolicy:
        Type: AWS::S3::BucketPolicy
        Properties:
          Bucket: !Ref ExampleTrailBucket
          PolicyDocument:
            Statement:
              - Sid: AWSCloudTrailAclCheck20150319
                Effect: Allow
                Principal:
                  Service: cloudtrail.amazonaws.com
                Action: s3:GetBucketAcl
                Resource: !Join
                  - ""
                  -
                    - "arn:aws:s3:::"
                    - !Ref ExampleTrailBucket
              - Sid: AWSCloudTrailWrite20150319
                Effect: Allow
                Principal:
                  Service: cloudtrail.amazonaws.com
                Action: s3:PutObject
                Resource: !Join
                  - ""
                  -
                    - "arn:aws:s3:::"
                    - !Ref ExampleTrailBucket
                    - "/AWSLogs/"
                    - !Ref AWS::AccountId
                    - "/*"
                Condition:
                  StringEquals:
                    s3:x-amz-acl: bucket-owner-full-control

  4. Now, you can set up your trail. One thing to note here is that we use DependsOn to make CloudFormation create this trail only after it has created the S3 bucket and the bucket policy. If you don't do this, you'll likely encounter an error when you create the stack, because CloudTrail won't yet be able to access the bucket. Also, setting IsMultiRegionTrail to true is considered good practice, since a single trail then captures API activity in every region rather than only the region the stack is created in. Add the trail to your template:

      ExampleTrail:
        Type: AWS::CloudTrail::Trail
        Properties:
          EnableLogFileValidation: true
          IncludeGlobalServiceEvents: true
          IsLogging: true
          IsMultiRegionTrail: true
          S3BucketName: !Ref ExampleTrailBucket
        DependsOn:
          - ExampleTrailBucket
          - ExampleBucketPolicy

  5. Finally, you're going to output the name of the S3 bucket where your CloudTrail logs will be stored:

    Outputs:
      ExampleBucketName:
        Value: !Ref ExampleTrailBucket
        Description: Bucket where CloudTrail logs will be stored

  6. Create your CloudFormation stack using the following command:

    aws cloudformation create-stack \
      --template-body file://05-01-CloudTrail.yml \
      --stack-name example-cloudtrail
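The settings the recipe turns on (the four trail booleans, the DependsOn ordering, and the two narrowly scoped bucket-policy statements) are exactly the things that tend to get weakened by later edits, so it is worth checking them before every deploy. The following is an added example, not code from the book or from AWS: a small offline linter that walks the JSON form of the template above (written here with !Ref and !Join in their long Ref / Fn::Join form, which is how CloudFormation itself represents them) and reports any deviation. The placeholder strings BUCKET and ACCOUNT stand in for the generated bucket name and the account id, and weakened_template() is a constructed negative case.

```python
"""Offline check of the security-relevant settings in a CloudTrail CloudFormation template."""
import copy

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"

# Constructed JSON-form equivalent of the recipe's 05-01-CloudTrail.yml (assumption: the
# short-form !Ref / !Join tags expanded to Ref / Fn::Join, as CloudFormation does on load).
TEMPLATE = {"Resources": {
    "ExampleTrailBucket": {"Type": "AWS::S3::Bucket"},
    "ExampleBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "ExampleTrailBucket"},
        "PolicyDocument": {"Statement": [
            {"Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "s3:GetBucketAcl",
             "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "ExampleTrailBucket"}]]}},
            {"Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "s3:PutObject",
             "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "ExampleTrailBucket"},
                                            "/AWSLogs/", {"Ref": "AWS::AccountId"}, "/*"]]},
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}}},
    "ExampleTrail": {"Type": "AWS::CloudTrail::Trail",
                     "Properties": {"EnableLogFileValidation": True, "IncludeGlobalServiceEvents": True,
                                    "IsLogging": True, "IsMultiRegionTrail": True,
                                    "S3BucketName": {"Ref": "ExampleTrailBucket"}},
                     "DependsOn": ["ExampleTrailBucket", "ExampleBucketPolicy"]}}}


def resolve(value, refs):
    """Resolve Ref and Fn::Join (the only intrinsics the recipe uses) into a plain string."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Ref" in value:
        return refs[value["Ref"]]
    if isinstance(value, dict) and "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(resolve(p, refs) for p in parts)
    raise ValueError(f"unsupported value in Resource: {value!r}")


def check_template(template):
    """Return a list of findings; an empty list means every check passed."""
    res = template.get("Resources", {})
    trails = [k for k, r in res.items() if r.get("Type") == "AWS::CloudTrail::Trail"]
    if len(trails) != 1:
        return [f"expected exactly one AWS::CloudTrail::Trail, found {len(trails)}"]
    trail_id, trail = trails[0], res[trails[0]]
    props, findings = trail.get("Properties", {}), []
    # The four booleans the recipe sets: logging on, all regions, global events, digest files.
    for flag in ("IsLogging", "IsMultiRegionTrail", "IncludeGlobalServiceEvents", "EnableLogFileValidation"):
        if props.get(flag) is not True:
            findings.append(f"{trail_id}: {flag} should be true")
    bucket_ref = props.get("S3BucketName")
    bucket_id = bucket_ref.get("Ref") if isinstance(bucket_ref, dict) else None
    if res.get(bucket_id, {}).get("Type") != "AWS::S3::Bucket":
        return findings + [f"{trail_id}: S3BucketName must Ref an AWS::S3::Bucket in this template"]
    policies = [k for k, r in res.items() if r.get("Type") == "AWS::S3::BucketPolicy"
                and r.get("Properties", {}).get("Bucket") == {"Ref": bucket_id}]
    if not policies:
        return findings + [f"{bucket_id}: no AWS::S3::BucketPolicy is attached to it"]
    policy_id = policies[0]
    depends = trail.get("DependsOn", [])
    for needed in (bucket_id, policy_id):  # bucket and policy must exist before the trail
        if needed not in ([depends] if isinstance(depends, str) else depends):
            findings.append(f"{trail_id}: DependsOn must include {needed}")
    # Resolve ARNs with placeholders for the generated bucket name and the account id.
    refs = {bucket_id: "BUCKET", "AWS::AccountId": "ACCOUNT"}
    grants = {}  # action -> (resolved resource ARN, condition) granted to the CloudTrail service
    for stmt in res[policy_id]["Properties"]["PolicyDocument"].get("Statement", []):
        principal = stmt.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{policy_id}: statement {stmt.get('Sid')} allows any principal")
        elif stmt.get("Effect") == "Allow" and principal == {"Service": CLOUDTRAIL_SERVICE}:
            actions = stmt.get("Action", [])
            for action in ([actions] if isinstance(actions, str) else actions):
                grants[action] = (resolve(stmt.get("Resource", ""), refs), stmt.get("Condition", {}))
    acl = grants.get("s3:GetBucketAcl")
    if acl is None or acl[0] != "arn:aws:s3:::BUCKET":
        findings.append(f"{policy_id}: CloudTrail needs s3:GetBucketAcl on the bucket ARN")
    put = grants.get("s3:PutObject")
    if put is None or put[0] != "arn:aws:s3:::BUCKET/AWSLogs/ACCOUNT/*":
        findings.append(f"{policy_id}: s3:PutObject grant missing or not scoped to /AWSLogs/<account>/*")
    elif put[1].get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
        findings.append(f"{policy_id}: s3:PutObject grant lacks the bucket-owner-full-control ACL condition")
    return findings


def weakened_template():
    """Constructed negative case: multi-region turned off and the ACL condition dropped."""
    weak = copy.deepcopy(TEMPLATE)
    weak["Resources"]["ExampleTrail"]["Properties"]["IsMultiRegionTrail"] = False
    del weak["Resources"]["ExampleBucketPolicy"]["Properties"]["PolicyDocument"]["Statement"][1]["Condition"]
    return weak


if __name__ == "__main__":
    for template in (TEMPLATE, weakened_template()):
        print(check_template(template) or ["OK"])
```

Run it as is and the recipe's template reports OK while the weakened copy reports two findings. To use it on a real template, load the file with a YAML parser that understands the CloudFormation short-form tags (or convert the template to JSON with the AWS CLI first) and pass the resulting dictionary to check_template.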