This is a terraform module that creates an Amazon Web Services (AWS) CloudTrail integration with Bridgecrew.
This stack is created with all the best practices and CIS benchmark requirements:
- A dedicated CMK is created, with rotation enabled.
- A CloudTrail trail is created, and it's logs are encrypted-at-rest using the dedicated CMK.
- The logs bucket has Versioning enabled and denies unsecure (non-HTTPS) connections.
The module supports connecting to an existing CloudTrail trail. This requires 3 inputs:
- Setting
create_cloudtrailto false. - Supplying the name of the bucket where the CloudTrail logs are being saved to, as
existing_bucket_name. - Supplying the ARN of the SNS used by the trail to notify of new logs, in
existing_sns_arn. This can be configured manually on the existing trail. - If a KMS key is associated with this CloudTrail, update the key policy to allow Bridgecrew to decrypt. For example:
{
"Sid" : "Enable Bridgecrew log decryption",
"Effect": "Allow",
"Principal": {
"AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.company_name}-bc-bridgecrewcwssarole"
},
"Action": [ "kms:Decrypt", "kms:ReEncryptFrom" ],
"Resource": "*",
"Condition": {
"StringEquals" : {
"kms:CallerAccount" : "${data.aws_caller_identity.current.account_id}" },
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn" : "arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"
}
}
},This module supports creating a CloudTrail trail in one account, and creating the rest of the infrastructure in a separate account. This may be optimal in cases where you want an organization trail from the organization master, but you want it to send logs to a bucket in a logs account.
- Set
create_cloudtrailto false. - Set
source_account_idto the account that will host the cloudtrail
- Set
existing_bucket_name,existing_kms_key_arn, andexisting_sns_arnto values output in the previous step - Set
create_bridgecrew_connectionto false
In both accounts, be sure to set the organization_id if this is an organization-wide trail.
Include module.cloudtrail.tf in your existing Terraform code, and/or see example/examplea as your guide:
module "cloudtrail" {
source = "bridgecrewio/bridgecrew-cloudtrail/aws"
version = "v1.5.4"
org_name = "<your org name>"
aws_profile = "<aws profile>"
api-token = var.api_token
}Set your api_token as an environmental variable not in your code:
export TF_VAR_api_token= "xxxxxx-xxxxx-xxxx-xxxxxx"
No requirements.
| Name | Version |
|---|---|
| aws | n/a |
| null | n/a |
| random | n/a |
| template | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_alias | The alias of the account the CF is deployed in. This will be prepended to all the resources in the stack. Default is {company_name}-bc | string |
"" |
no |
| api_token | This is your Bridgecrew platform Api token Set as and Environment variable TF_VAR_api_token | string |
n/a | yes |
| aws_profile | The profile that was used to deploy this module. If the default profile / default credentials are used, set this value to null. | string |
n/a | yes |
| bridgecrew_account_id | The Account number of Bridgecrew. Internal use only | string |
"890234264427" |
no |
| company_name | The name of the company the integration is for. Must be alphanumeric. | string |
n/a | yes |
| create_bridgecrew_connection | Indicate whether the SQS queue and IAM policies for Bridgecrew need to be set up. This may be false if you are connecting a cloudtrail in a new account to an existing bucket. | bool |
true |
no |
| create_cloudtrail | Indicate whether a new CloudTrail trail should be created. If not - existing_sns_arn and existing_bucket_name are required parameters. | bool |
true |
no |
| existing_bucket_name | When connecting to an existing CloudTrail trail, please supply the existing trail's bucket name (NOT ARN). | string |
null |
no |
| existing_sns_arn | When connecting to an existing CloudTrail trail, please supply the existing trail's SNS ARN. | string |
null |
no |
| log_file_expiration | n/a | number |
30 |
no |
| log_file_prefix | The prefix which will be given to all the log files saved to the bucket. | string |
"" |
no |
| logs_bucket_id | Bucket to place access logs from the cloudtrail bucket | string |
null |
no |
| organization_id | ID or the organization (for org-wide cloudtrails) | string |
"" |
no |
| security_account_id | When connecting to an existing CloudTrail trail, which puts its logs in a bucket which is in another account | string |
"" |
no |
| topic_name | The SNS topic name for Bridgecrew integration. Internal use only | string |
"handle-customer-actions" |
no |
| Name | Description |
|---|---|
| customer_name | The customer name as defined on Bridgecrew signup |
| deployment_region | The region that the customer ran this module |
| kms_key_id | The KMS key cloudtrail will use for encryption |
| role_arn | The cross-account access role ARN for Bridgecrew |
| s3_bucket_name | The s3 bucket name for cloudtrail. |
| s3_key_prefix | The s3 log prefix for cloudtrail, inside the bucket. |
| sns_topic_name | The sns topic cloudtrail will push to. |
| sqs_queue_arn | The SQS queue ARN to share with Bridgecrew for CloudTrail integration |
| sqs_queue_url | The SQS queue URL to share with Bridgecrew for CloudTrail integration |
| template_version | Bridgecrew.io template version. |
Check out these related projects.
Got a question?
File a GitHub issue.
Please use the issue tracker to report any bugs or file feature requests.
Copyright © 2020-2021 Bridgecrew
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.