Public documentation for boltopspro/enable-aws-cloudtrail
NOTE: This repo contains only the documentation for the private BoltOps Pro repo code. Original file: https://github.com/boltopspro/enable-aws-cloudtrail/blob/master/README.md The docs are published so they are available for interested customers. For access to the source code, you must be a paying BoltOps Pro subscriber. If you are interested, you can contact us at contact@boltops.com or https://www.boltops.com

Enable AWS CloudTrail CloudFormation Blueprint


This blueprint can be used to enable CloudTrail in your AWS account.

  • Enables MultiRegion trail by default, so you don't have to enable CloudTrail individually in each region.
  • Creates a KMS key to encrypt the CloudTrail trail.
  • Creates an S3 bucket with the proper IAM permissions to store the CloudTrail logs.
  • Creates an S3 bucket to store the access logs.
  • Creates a CloudWatch Log Group to store the CloudTrail logs for easier searching and compliance.
  • Creates an SNS Topic you can subscribe to for notifications. You enable this with the NotificationEmail and PublishToTopic parameters.

Related Blueprints:

Usage

  1. Add blueprint to Gemfile
  2. Configure: configs/enable-aws-cloudtrail values
  3. Deploy

Add

Add the blueprint to your lono project's Gemfile.

gem "enable-aws-cloudtrail", git: "git@github.com:boltopspro/enable-aws-cloudtrail.git"

Configure

First, configure the configs/enable-aws-cloudtrail config files. You can use lono seed to generate starter values quickly.

LONO_ENV=development lono seed enable-aws-cloudtrail

For additional environments:

LONO_ENV=production  lono seed enable-aws-cloudtrail

The generated files in the configs/enable-aws-cloudtrail folder look something like this:

configs/enable-aws-cloudtrail/
├── params
│   ├── development.txt
│   └── production.txt
└── variables
    ├── development.rb
    └── production.rb

Here's an example params file.

configs/enable-aws-cloudtrail/params/development.txt:

# Parameter Group: Trail Configuration
# EnableLogFileValidation=true
# IncludeGlobalEvents=false
# MultiRegion=true

# Parameter Group: Delivery Notifications
# NotificationEmail=
# PublishToTopic=false

# Parameter Group: AWS::KMS::Alias
# AliasName=cloudtrail

# Parameter Group: AWS::Logs::LogGroup
# LogGroupName= # cloudtrail
# RetentionInDays= # 7

Deploy

Use the lono cfn deploy command to deploy. Example:

LONO_ENV=development lono cfn deploy enable-aws-cloudtrail
LONO_ENV=production  lono cfn deploy enable-aws-cloudtrail
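After deploying, it is worth confirming that the trail actually carries the settings the params file declares (MultiRegion, log file validation, KMS encryption, CloudWatch Log Group, logging switched on). The check below is an added example, not code from the blueprint or from lono; it runs on a constructed record shaped like the output of `aws cloudtrail describe-trails` plus the IsLogging field from `aws cloudtrail get-trail-status`, and the account ID and key ID in it are placeholders.

```python
"""Added post-deploy check (not part of the blueprint or lono): compare a trail
with the settings in a params file. TRAIL is a constructed sample shaped like
`aws cloudtrail describe-trails` output plus IsLogging from get-trail-status."""

PARAMS_TEXT = """\
# EnableLogFileValidation=true
# IncludeGlobalEvents=false
# MultiRegion=true
# PublishToTopic=false
# LogGroupName= # cloudtrail
"""

TRAIL = {  # constructed sample; account id and key id are placeholders
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "IncludeGlobalServiceEvents": False,
    "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/PLACEHOLDER-KEY-ID",
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:111122223333:log-group:cloudtrail:*",
    "IsLogging": True,
}

def parse_params(text):
    """Parse Key=Value lines; lono seeds defaults commented out, so a leading '#' is ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.split("#", 1)[0].strip()  # drop "# cloudtrail" hint
    return params

def check_trail(trail, params):
    """Return a list of findings; an empty list means the trail matches the params."""
    def want(key, default):
        return params.get(key, default) == "true"
    findings = []
    if trail.get("IsMultiRegionTrail") != want("MultiRegion", "true"):
        findings.append("MultiRegion does not match params")
    if trail.get("LogFileValidationEnabled") != want("EnableLogFileValidation", "true"):
        findings.append("EnableLogFileValidation does not match params")
    if trail.get("IncludeGlobalServiceEvents") != want("IncludeGlobalEvents", "false"):
        findings.append("IncludeGlobalEvents does not match params")
    if not trail.get("KmsKeyId"):
        findings.append("trail is not encrypted with a KMS key")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("no CloudWatch Log Group attached")
    if want("PublishToTopic", "false") and not trail.get("SnsTopicARN"):
        findings.append("PublishToTopic=true but trail has no SNS topic")
    if not trail.get("IsLogging"):
        findings.append("logging is turned OFF")
    return findings
```

To run it against a real account, replace TRAIL with the JSON from the two CLI calls named above; any finding means the deployed trail drifted from what the params file declares.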

MultiRegion

By default, a MultiRegion trail is created. This spares you from having to create a CloudTrail trail in each region.

S3 Bucket DeletionPolicy

By default, both S3 Buckets (Storage and AccessLogs) have a DeletionPolicy of Retain. This means that if you delete the stack, the S3 Buckets will remain. If you would like the buckets to be deleted as well, use the @deletion_policy variable. Example:

configs/enable-aws-cloudtrail/variables/development.rb:

@deletion_policy = "Delete"

Note, with a DeletionPolicy of Delete, the stack deletion will roll back if the S3 Buckets are not empty, because CloudFormation cannot delete a non-empty bucket. You must first:

  1. Turn off Logging on the CloudTrail configuration. You can do this in the CloudTrail Console. There's a Logging ON toggle switch in the upper-right hand corner.
  2. Empty the S3 Buckets. You can do this in the S3 Console. There's an Empty button in the upper-right hand corner.
  3. Then you can delete the CloudFormation stack cleanly.
