NOTE: This repo contains only the documentation for the private BoltsOps Pro repo code. Original file: https://github.com/boltopspro/enable-aws-cloudtrail/blob/master/README.md The docs are publish so they are available for interested customers. For access to the source code, you must be a paying BoltOps Pro subscriber. If are interested, you can contact us at email@example.com or https://www.boltops.com
Enable AWS CloudTrail CloudFormation Blueprint
This blueprint can be used to enable CloudTrail in your AWS account.
- Enables MultiRegion trail by default, so you don't have to enable CloudTrail individually in each region.
- Creates a KMS key to encrypt the CloudTrail trail.
- Creates an S3 bucket with the proper IAM permissions to store the CloudTrail logs.
- Creates an S3 bucket to store the access logs.
- Creates a CloudWatch Log Group to store the CloudTrail logs for easier searching and compliance.
- Creates an SNS Topic you can subscribe to for notification. You enable this with
- Add blueprint to Gemfile
- Configure: configs/enable-aws-cloudtrail values
Add the blueprint to your lono project's
gem "enable-aws-cloudtrail", git: "firstname.lastname@example.org:boltopspro/enable-aws-cloudtrail.git"
LONO_ENV=development lono seed enable-aws-cloudtrail
For additional environments:
LONO_ENV=production lono seed enable-aws-cloudtrail
The generated files in
config/enable-aws-cloudtrail folder look something like this:
configs/enable-aws-cloudtrail/ ├── params │ ├── development.txt │ └── production.txt └── variables ├── development.rb └── production.rb
Here's an example params file.
# Parameter Group: Trail Configuration # EnableLogFileValidation=true # IncludeGlobalEvents=false # MultiRegion=true # Parameter Group: Delivery Notifications # NotificationEmail= # PublishToTopic=false # Parameter Group: AWS::KMS::Alias # AliasName=cloudtrail # Parameter Group: AWS::Logs::LogGroup # LogGroupName= # cloudtrail # RetentionInDays= # 7
Use the lono cfn deploy command to deploy. Example:
LONO_ENV=development lono cfn deploy enable-aws-config LONO_ENV=production lono cfn deploy enable-aws-config
By default, a MultiRegion region trail is created. This spares you from having to create a CloudTrail trail in each region.
S3 Bucket DeletionPolicy
By default, both the S3 Buckets used for Storage and AccessLogs has a DeletionPolicy of
Retain. This means that if you delete the stacks, the S3 Buckets will remain. If you would like to have the buckets be deleted, use the
@deletion_policy variable. Example:
@deletion_policy = "Delete"
Note, with a DeletionPolicy of
Delete, the stack will rollback when you try to delete it because the S3 Buckets are not empty. You must first:
- Turn off Logging on the CloudTrail Configuration. You can do this on the CloudTrail Console. There's a Logging ON Toggle switch on the upper-right hand corner.
- Empty the S3 Buckets. You can this on the S3 Console. There's an Empty button on the upper-right hand corner.
- Then you can delete CloudFormation stack cleanly.