AWS CloudTrail — Cross Account setup for collecting event logs using console and aws-cli commands
In this post, I will explain how to set up cross-account collection of AWS CloudTrail event logs.
Objective:
Consider that we have different AWS accounts (dev, test, staging, prod) in our org. For compliance and auditing of each account we need to collect the event logs and store them in a centralised account. The logs provide details of every activity in the account, whether it came through the AWS Management Console, the AWS SDKs or other AWS services (e.g., scheduled tasks that run through AWS ECS or AWS CloudWatch).
Use case:
Collect the CloudTrail logs from Account A (dev-account), Account B (test-account), Account C (staging-account) and Account D (prod-account) and store them in Account Z (compliance-archive-account). Maintain a separate AWS S3 bucket for each source account in Account Z for easy access and maintenance.
(Format of the bucket: “org.dev.account.cloudtrail.logs”)
Implementation:
1. Log in to Account A (dev-account). Every AWS account is associated with an Account ID (a 12-digit number). You can find the ID at the top right of the AWS Management Console, where your account details are shown. If you cannot find it there, go to AWS IAM, select any role and look at the ARN of that role; the 12-digit account ID is the part masked in the screenshot below.
2. Log in to Account Z (compliance-archive-account), go to AWS S3 and create a bucket ‘org.dev.account.cloudtrail.logs’. Navigate to the Permissions tab of the bucket and create a bucket policy that grants Account A access to write the logs.
"Resource": "arn:aws:s3:::org.dev.account.cloudtrail.logs/AWSLogs/XXXXXXXXXXXX/*"
XXXXXXXXXXXX -> the account ID retrieved from Step 1
3. Create a trail in Account A. This enables event logging and points the trail at the bucket created in Step 2.
We can do this in two ways: manually through the console, or scripted, so that it can be run as part of deploy jobs or from other services.
a. Creating Trail in scripted way using aws-cli commands
In the script, use the commands below to create the trail and configure which events it records.
aws cloudtrail create-trail --name log-archive-trail --s3-bucket-name $s3_bucket_name --region $TARGET_REGION
aws cloudtrail put-event-selectors --trail-name log-archive-trail --region $TARGET_REGION --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]'
The above commands create the trail, but logging is not yet started. To enable the trail, run:
aws cloudtrail start-logging --name log-archive-trail
After the script has run successfully, log in to Account A and select AWS CloudTrail from Services. The trail ‘log-archive-trail’ will be listed with status ‘Active’.
b. Creating the Trail through AWS Management Console
1. Log in to Account A and select AWS CloudTrail from Services
2. Click on Create Trail
3. Enter the trail name as log-archive-trail. To enable the trail for all regions in Account A, select ‘Yes’ for ‘Apply trail to all regions’; select ‘No’ to cover the current region only
4. If we also want the additional events for actions on AWS S3 buckets or Lambda functions, enable the option as shown below,
For S3,
For Lambda,
5. Provide the name of the S3 bucket created in Account Z (compliance-archive-account) in Step 2 for collecting the logs
The trail is now enabled, and the logs will be collected in Account Z (compliance-archive-account).
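Step 2 above shows only the Resource line of the bucket policy. As an added example (not from the original post), the Python helper below generates the complete bucket policy for Account Z: CloudTrail needs s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<account-id>/ with the bucket-owner-full-control ACL, and the aws:SourceArn condition (optional here, enabled when trail_name and region are given) limits delivery to the named trail in each source account. The account IDs in the demo are constructed placeholders.

```python
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def cloudtrail_bucket_policy(bucket, source_account_ids, trail_name=None, region=None):
    """Return the S3 bucket policy that lets CloudTrail in other accounts deliver logs.

    bucket             -- bucket in the archive account, e.g. org.dev.account.cloudtrail.logs
    source_account_ids -- 12-digit IDs of the accounts whose trails write into this bucket
    trail_name, region -- optional; when both are set, the write statement is further
                          restricted with aws:SourceArn to that trail in each source account
    """
    for acct in source_account_ids:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")

    # CloudTrail must write with bucket-owner-full-control so Account Z owns the objects.
    write_condition = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    if trail_name and region:
        write_condition["StringEquals"]["aws:SourceArn"] = [
            f"arn:aws:cloudtrail:{region}:{acct}:trail/{trail_name}" for acct in source_account_ids
        ]

    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # One prefix per source account, matching the Resource line in Step 2.
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*" for acct in source_account_ids],
                "Condition": write_condition,
            },
        ],
    }


if __name__ == "__main__":
    # Constructed placeholder account ID for Account A (dev-account).
    policy = cloudtrail_bucket_policy("org.dev.account.cloudtrail.logs", ["111111111111"],
                                      trail_name="log-archive-trail", region="us-east-1")
    print(json.dumps(policy, indent=2))
```

Save the output to a file and apply it in Account Z with `aws s3api put-bucket-policy --bucket org.dev.account.cloudtrail.logs --policy file://policy.json`.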