AWS Logging System - Kahuna915/Capstone-Cloud-Integration GitHub Wiki

CloudTrail Solution

We will be using CloudTrail, and possibly other logging services such as Amazon Detective, as the logging system for our organization.

(Source Amazon.com)

Benefits of CloudTrail:

  • Always on: CloudTrail continuously records events and keeps a record of them for 90 days
  • CloudTrail can be configured to monitor multiple accounts from a single location, which helps when adding new accounts to an organization
  • Log files can be encrypted to ensure that they haven't been modified
  • Logs are stored in an Amazon S3 bucket

Goal and Tasks:

Since we are creating a new organization, we will need to set up CloudTrail for the whole organization and not just for a single user.

To do that, we need to make sure that the IAM user or role used to create the organization trail has the proper permissions. According to Amazon, “When you create an organization trail in the console, or when you enable CloudTrail as a trusted service in Organizations, this creates a service-linked role to perform logging tasks in your organization's member accounts.”

The service-linked role is named AWSServiceRoleForCloudTrail. Additionally, any account added to the organization is automatically covered by the organization trail, which means administrators can see its activity immediately.

You can use CloudTrail in three ways: the AWS CLI, the AWS Management Console, and the SDKs. We will be using both the AWS CLI and the AWS Management Console. I will add more information once I get my academy account set up. Stay tuned!
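As an added worked example (not code from this project or from Amazon), the steps above can be carried out with the AWS CLI in one script: enable CloudTrail as a trusted service so AWSServiceRoleForCloudTrail is created, attach the S3 bucket policy that an organization trail needs, create a multi-region organization trail, and turn on log file validation, which is the CloudTrail feature that actually lets you detect modified log files (encryption alone protects confidentiality, not integrity). The account ID, organization ID, bucket name, region and trail name are constructed placeholders; the script assumes AWS CLI v2 is configured with credentials in the management account, that the bucket already exists in that region, and that GNU date is available for the validation step.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code: set up an organization trail with the AWS CLI.
# All identifiers below are constructed placeholders; replace them before running.
set -eu

MGMT_ACCOUNT_ID="111122223333"      # placeholder management (payer) account ID
ORG_ID="o-exampleorgid"             # placeholder organization ID (real ones look like o-xxxxxxxxxx)
BUCKET="example-org-cloudtrail-logs" # placeholder bucket, assumed to already exist in REGION
REGION="us-east-1"
TRAIL_NAME="org-trail"
KMS_KEY_ID=""                       # optional existing KMS key ARN for SSE-KMS; empty keeps SSE-S3

# Bucket policy for an organization trail. CloudTrail delivers member-account logs under
# AWSLogs/<org-id>/, so PutObject must be allowed on both the management-account prefix and
# the organization prefix. The aws:SourceArn condition limits the grant to this one trail.
build_bucket_policy() {
  bucket="$1"; account="$2"; org="$3"; region="$4"; trail="$5"
  trail_arn="arn:aws:cloudtrail:${region}:${account}:trail/${trail}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": {"StringEquals": {"aws:SourceArn": "${trail_arn}"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::${bucket}/AWSLogs/${account}/*",
        "arn:aws:s3:::${bucket}/AWSLogs/${org}/*"
      ],
      "Condition": {"StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control",
        "aws:SourceArn": "${trail_arn}"
      }}
    }
  ]
}
EOF
}

# Argument list for create-trail, kept in one place so the security-relevant flags are
# reviewable: organization-wide, all regions, and digest-based log file validation.
build_create_trail_args() {
  trail="$1"; bucket="$2"; kms="$3"
  args="--name ${trail} --s3-bucket-name ${bucket} --is-organization-trail --is-multi-region-trail --enable-log-file-validation"
  if [ -n "$kms" ]; then
    args="${args} --kms-key-id ${kms}"
  fi
  printf '%s' "$args"
}

deploy() {
  # 1. Trust CloudTrail in Organizations; this creates the AWSServiceRoleForCloudTrail role.
  aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
  aws iam get-role --role-name AWSServiceRoleForCloudTrail --query 'Role.Arn' --output text

  # 2. Attach the bucket policy built above.
  aws s3api put-bucket-policy --bucket "$BUCKET" \
    --policy "$(build_bucket_policy "$BUCKET" "$MGMT_ACCOUNT_ID" "$ORG_ID" "$REGION" "$TRAIL_NAME")"

  # 3. Create the organization trail and start logging.
  # shellcheck disable=SC2046  # intentional word splitting of the argument list
  aws cloudtrail create-trail $(build_create_trail_args "$TRAIL_NAME" "$BUCKET" "$KMS_KEY_ID") --region "$REGION"
  aws cloudtrail start-logging --name "$TRAIL_NAME" --region "$REGION"

  # 4. Later: verify the digest chain so modified or deleted log files are detected.
  aws cloudtrail validate-logs --region "$REGION" \
    --trail-arn "arn:aws:cloudtrail:${REGION}:${MGMT_ACCOUNT_ID}:trail/${TRAIL_NAME}" \
    --start-time "$(date -u -d '1 day ago' +%Y-%m-%dT%H:%M:%SZ)"
}

# Only deploy when invoked as "deploy"; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Run it as `./org-trail.sh deploy` from the management account. The validation step is the one worth scheduling: `validate-logs` walks the digest files CloudTrail signs hourly, so it reports any log file whose hash no longer matches, which is the check that backs the "hasn't been modified" benefit listed above.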

Useful links:

  • https://aws.amazon.com/cloudtrail/features/
  • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html