aws-cloudtrail-ensure-cloudwatch-integration.md

File metadata and controls

62 lines (42 loc) · 2.27 KB

Pattern: Disabled AWS CloudWatch integration for CloudTrail

Issue: -

Description

CloudTrail records the AWS API calls made in an account. Each event captures the identity of the caller, the time of the call, the caller's source IP address, the request parameters, and the response elements returned by the AWS service.

CloudTrail delivers its log files to an Amazon S3 bucket, which gives durable storage for long-term retention and analysis. For near real-time analysis and alerting, the trail can additionally be configured to send events to CloudWatch Logs, where metric filters and alarms can act on them as they arrive. Without that integration, suspicious API activity is only visible once someone goes back and reads the S3 objects.

For a trail that is enabled in all Regions, CloudTrail sends the log files from every Region to a single CloudWatch Logs log group, so one set of filters covers the whole account.

Resolution: Set cloud_watch_logs_group_arn on the trail (together with cloud_watch_logs_role_arn, which AWS requires for delivery) so that events are sent to CloudWatch Logs.

Examples

The following example will fail the aws-cloudtrail-ensure-cloudwatch-integration check.

```terraform
resource "aws_cloudtrail" "bad_example" {
  name           = "bad-example"
  s3_bucket_name = data.aws_s3_bucket.trail-bucket.id

  # No cloud_watch_logs_group_arn: events only ever reach S3,
  # so nothing in CloudWatch Logs can alert on them.
  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}
```

The following example will pass the aws-cloudtrail-ensure-cloudwatch-integration check.

```terraform
resource "aws_cloudtrail" "good_example" {
  name                  = "good-example"
  s3_bucket_name        = data.aws_s3_bucket.trail-bucket.id
  is_multi_region_trail = true

  # CloudTrail requires the ":*" log-stream wildcard on the group ARN.
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example.arn}:*"
  # The check only inspects the group ARN, but AWS rejects a group ARN
  # without a role it can assume to write the streams. The role is assumed
  # to be defined elsewhere in the configuration.
  cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_to_cloudwatch.arn

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}

resource "aws_cloudwatch_log_group" "example" {
  name = "Example"
}
```
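The passing example above only shows the attribute the check looks for. The following is an added example, not part of this check's documentation or of the tfsec project, showing the complete wiring a trail needs before CloudWatch Logs delivery actually works: the log group, the IAM role CloudTrail assumes, a least-privilege policy scoped to that group's streams, and the trail referencing both. The trail and role names, the retention period, and the pre-existing S3 bucket (supplied through a variable and assumed to already carry a CloudTrail bucket policy) are assumptions for illustration; the log-stream resource ARN assumes AWS provider v4 or later, where the log group ARN no longer carries a trailing ":*".

```terraform
# Added example, not the check's own code. Names, retention and the
# existing S3 bucket are assumptions made for illustration.

variable "trail_bucket" {
  description = "Existing S3 bucket that already has a CloudTrail bucket policy (assumed)"
  type        = string
}

resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "/aws/cloudtrail/account-trail"
  retention_in_days = 365
}

# Trust policy: only the CloudTrail service may assume the delivery role.
data "aws_iam_policy_document" "cloudtrail_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "cloudtrail_to_cloudwatch" {
  name               = "cloudtrail-to-cloudwatch"
  assume_role_policy = data.aws_iam_policy_document.cloudtrail_assume.json
}

# Least privilege: CloudTrail only needs to create streams and put events,
# and only inside this one log group (provider v4+ ARN format assumed).
data "aws_iam_policy_document" "cloudtrail_logs" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.cloudtrail.arn}:log-stream:*"]
  }
}

resource "aws_iam_role_policy" "cloudtrail_to_cloudwatch" {
  name   = "cloudtrail-to-cloudwatch"
  role   = aws_iam_role.cloudtrail_to_cloudwatch.id
  policy = data.aws_iam_policy_document.cloudtrail_logs.json
}

resource "aws_cloudtrail" "account" {
  name                          = "account-trail"
  s3_bucket_name                = var.trail_bucket
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true

  # Both attributes are required for delivery; the check inspects only the
  # group ARN, which must end in ":*" for CloudTrail to accept it.
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_to_cloudwatch.arn

  event_selector {
    read_write_type           = "All"
    include_management_events = true
  }

  # Make sure the inline policy is attached before CloudTrail first tries
  # to assume the role, otherwise the initial delivery test fails.
  depends_on = [aws_iam_role_policy.cloudtrail_to_cloudwatch]
}
```

After apply, confirm delivery rather than trusting the plan: `aws cloudtrail get-trail-status --name account-trail` reports `LatestCloudWatchLogsDeliveryTime`, and any `LatestCloudWatchLogsDeliveryError` there almost always points at the role trust policy or the log-stream resource in the IAM policy.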

Further reading