CloudTrail Logs to a Single AWS s3 bucket from Multiple AWS accounts - isgaur/AWS-BigData-Solutions GitHub Wiki
Introduction
Scenario: Customer has a number of accounts with AWS, and wants to enable CloudTrail logging on all of them. However, they want all logs to be delivered to one S3 bucket and ensure all logs are encrypted with a KMS key. They want to restrict log access and KMS key access to their security team (aka a security role). Let us assume customer has four accounts - Account A, B, and C; we will designate Account A as the security account where the logs are to be stored.
Prerequisite Knowledge
If you create a S3 bucket and a KMS CMK via the CloudTrail console, CloudTrail adds the required CMK and bucket policy sections for you.
Context Via the Console:
Step 1: Create a CloudTrail trail via the CloudTrail Console in Account A
-
Sign in to the AWS Management Console, and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/. -
Choose the region where you want the trail to be created. -
Choose Trails in the left side menu. -
On the Create Trail page, for Trail name, type a name for your trail. -
For Apply trail to all regions, choose Yes to receive log files from all regions.By default, when you create a trail in a region in the CloudTrail console, the trail applies to all regions.
-
For Management events, for Read/Write events, choose if you want your trail to log All, Read-only, Write-only, or None, and then choose Save.By default, trails log All management events.
-
For Data events, type the S3 bucket name and prefix (optional) for which you want to log object-level operations. For each resource, specify whether you want to log Read-only, Write-only, or All events. By default, trails don't log data events.
Step 2: Create an S3 bucket via the CloudTrail Console
-
For Storage location, for Create a new S3 bucket, choose Yes to create a new bucket. -
For S3 bucket, type a name for the bucket you want to designate for log file storage. -
Choose Create.
Step 3: Enable Log Encryption and Create a KMS CMK via the CloudTrail Console
-
For Storage location, choose Advanced.
-
In the Log file prefix field, type a prefix for your Amazon S3 bucket.
-
For Encrypt log files, choose Yes to allow AWS KMS to encrypt your log files.
-
For Create a new KMS key, choose Yes to create a new key
-
If you chose Yes, in the KMS key field, type an alias.
-
For Enable log file validation, choose Yes to have log digests delivered to your S3 bucket.
You can use the digest files to verify that your log files did not change after CloudTrail delivered them.
-
For Send SNS notification for every log file delivery, choose Yes if you want to be notified each time a log is delivered to your bucket. If you choose yes, the Create a new SNS topic, and remember subscribe to the topic to be notified of log file delivery.
-
Choose Create.
Step 4: Update the bucket policy to grant cross-account permissions to CloudTrail
-
Sign in to the AWS Management Console of Account A and open the Amazon S3 console. -
Choose the bucket where CloudTrail delivers your log files and then choose Properties. -
Choose Permissions. -
Choose Bucket Policy > Edit.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::my-bucket" }, { "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }, { "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*", "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms",
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:region:account:key/key-id"
}
}
}
]
}
Step 5: Modify your KMS key policy to allow Cross Account Use of Key
{
"Version": "2012-10-17",
"Id": "Key policy for CloudTrail",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::aws-account-id-A:root",
"arn:aws:iam::aws-account-id-A:user/username",
"arn:aws:iam::aws-account-id-A:role/rolename"
]
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow CloudTrail to encrypt logs",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "kms:GenerateDataKey*",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": [
"arn:aws:cloudtrail:*:aws-account-id-A:trail/*",
"arn:aws:cloudtrail:*:aws-account-id-B:trail/*",
"arn:aws:cloudtrail:*:aws-account-id-C:trail/*"
]
}
}
},
{
"Sid": "Allow CloudTrail to describe key",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudtrail.amazonaws.com"
]
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Allow principals in the account to decrypt log files",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "aws-account-id-A"
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:aws-account-id-A:trail/*"
}
}
},
{
"Sid": "Enable cross account log decryption",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Decrypt",
"kms:ReEncryptFrom"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": [
"aws-account-id-B",
"aws-account-id-C"
]
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": [
"arn:aws:cloudtrail:*:aws-account-id-B:trail/*",
"arn:aws:cloudtrail:*:aws-account-id-C:trail/*"
]
}
}
}
]
}
Step 6: Turn on CloudTrail in the accounts B and C. Configure CloudTrail in these accounts to use the same bucket belonging to the account that you specified in step 2.
-
Sign into the AWS management console using account B credentials and open the AWS CloudTrail console. In the navigation bar, select the region where you want to turn on CloudTrail. -
Choose Get Started Now. -
On the following page, type a name for your trail in the Trail name box. -
For Create a new S3 bucket?, choose No. Use the text box to enter the name of the bucket you created previously for storing log files when you signed in using account A credentials. -
Choose Advanced. -
In the Log file prefix field, enter the same prefix you entered for storing log files when you turned on CloudTrail using account A credentials. -
(Optional) Choose Yes or No for SNS notification for every log file delivery?. If you chose Yes, type a name for your Amazon SNS topic in the SNS topic (new) field. -
Choose Turn On.
For the third-party accounts wanting to write encrypted logs to an S3 bucket in the "bucket and key" account, you need to select Yes for encryption and then specify the full ARN of the key in the "bucket and key" account. In about 15 minutes, CloudTrail starts publishing log files that show the AWS calls made in all the accounts since you completed the preceding step