Skip to content

7.2

Jump to bottom
Paul Duvall edited this page Nov 14, 2019 · 33 revisions

7.2 Provision a CloudTrail log and view the JSON payload

Review and ensure that you have setup your development environment before going through the steps below.

Create a CloudTrail Log

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-7-cloudtrail.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  OperatorEmail:
    Description: Email address to notify when new logs are published.
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: AWSCloudTrailAclCheck
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:GetBucketAcl
          Resource:
            Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: S3Bucket
        - Sid: AWSCloudTrailWrite
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource:
            Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: S3Bucket
              - "/AWSLogs/"
              - Ref: AWS::AccountId
              - "/*"
          Condition:
            StringEquals:
              s3:x-amz-acl: bucket-owner-full-control
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
      - Endpoint:
          Ref: OperatorEmail
        Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
      - Ref: Topic
      PolicyDocument:
        Version: '2008-10-17'
        Statement:
        - Sid: AWSCloudTrailSNSPolicy
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Resource: "*"
          Action: SNS:Publish
  myTrail:
    DependsOn:
    - BucketPolicy
    - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
        - Topic
        - TopicName
      IsLogging: true
      IsMultiRegionTrail: false

From your AWS Cloud9 environment, run the following command:

aws cloudformation create-stack --stack-name ceoa-7-cloudtrail --template-body file:///home/ec2-user/environment/ceoa/ceoa-7-cloudtrail.yml --parameters ParameterKey=OperatorEmail,ParameterValue=YOUREMAILADDRESS@example.com --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Find your CloudTrail Log in S3

Search for use of KMS keys using Amazon Athena

Additional Resources

Clone this wiki locally