Creating New User/Access Keys and Enabling CloudTrail for All Regions in an Account

The AWS Command Line Interface (CLI)

The examples on this page require use of the AWS Command Line Interface (CLI), a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts. The AWS CLI introduces a new set of simple file commands for efficient file transfers to and from Amazon S3. For more information on the CLI, please visit:

http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html

Creating New AWS User & Access Keys

Note: We strongly recommend you use Roles for Cross-Account Access instead of IAM access keys. IAM access keys require periodic rotation and can be shared or stolen. Roles for Cross-Account Access are a more secure way of granting programmatic access to your AWS accounts. Only use IAM access keys if you absolutely must.

The commands below create the IAM group, user and policy through the AWS CLI. To start, configure the CLI with the command below:

$ aws configure

After running the above command you will be prompted for an access key ID, a secret access key, a default region and an output format. IAM is a global service and does not depend on the region, so for the region prompt you can leave None or use us-west-2.

Example:

$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

Once the CLI is configured, use the following commands to add your group, user, and policy.

$ aws iam create-group --group-name CloudCheckrGroup
$ aws iam create-user --user-name CloudCheckrUser
$ aws iam add-user-to-group --user-name CloudCheckrUser --group-name CloudCheckrGroup
$ aws iam get-group --group-name CloudCheckrGroup
$ aws iam put-group-policy --group-name CloudCheckrGroup --policy-name CloudCheckrPolicy --policy-document https://s3.amazonaws.com/checkr3/CC_IAM_FullPolicy.json

The last command passes the policy document as a URL, which only works with AWS CLI versions that still fetch parameter values from http:// or https:// URLs (AWS CLI version 2 does not). If it does not work, download the file from https://s3.amazonaws.com/checkr3/CC_IAM_FullPolicy.json and use the line below, with a local file:// path, instead of the one above:

$ aws iam put-group-policy --group-name CloudCheckrGroup --policy-name CloudCheckrPolicy --policy-document file://C:\Temp\MyPolicyFile.json

If using the above line, make sure the path points to where you saved the file. After the group, user and policy exist, create an access key for the user with the following command. The secret access key is returned only in the response to this call and cannot be retrieved again, so store it securely and never commit it to source control:

$ aws iam create-access-key --user-name CloudCheckrUser
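As an added example (not part of the original CloudCheckr page), the script below runs the same group, user, policy and access-key steps in one go, but writes the key pair to a file readable only by the current user instead of printing it to the terminal, and adds a rotation helper for the periodic rotation the note above calls for. The AWS_CLI variable is an assumption of this example so the commands can be printed instead of executed (AWS_CLI=echo); the group, user and policy names are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Creates the CloudCheckr group, user,
# inline policy and access key, keeping the secret out of the terminal scrollback.
# AWS_CLI defaults to "aws"; set AWS_CLI=echo to print the commands instead of running them.
set -euo pipefail

AWS_CLI="${AWS_CLI:-aws}"

# Usage: create_cloudcheckr_access GROUP USER POLICY_FILE KEY_OUTPUT_FILE
# POLICY_FILE is the local copy of CC_IAM_FullPolicy.json.
create_cloudcheckr_access() {
  local group="$1" user="$2" policy_file="$3" key_file="$4"
  [ -f "$policy_file" ] || { echo "policy file not found: $policy_file" >&2; return 1; }
  "$AWS_CLI" iam create-group --group-name "$group"
  "$AWS_CLI" iam create-user --user-name "$user"
  "$AWS_CLI" iam add-user-to-group --user-name "$user" --group-name "$group"
  "$AWS_CLI" iam put-group-policy --group-name "$group" --policy-name CloudCheckrPolicy \
    --policy-document "file://$policy_file"
  # The secret is only ever returned by this call: write it to a 0600 file, not stdout.
  ( umask 077; "$AWS_CLI" iam create-access-key --user-name "$user" > "$key_file" )
  echo "access key written to $key_file"
}

# Usage: rotate_access_key USER OLD_KEY_ID KEY_OUTPUT_FILE
# Creates the replacement key first, so the application can switch over before the
# old key is deleted (IAM allows two active keys per user for exactly this purpose).
rotate_access_key() {
  local user="$1" old_key="$2" key_file="$3"
  ( umask 077; "$AWS_CLI" iam create-access-key --user-name "$user" > "$key_file" )
  "$AWS_CLI" iam delete-access-key --user-name "$user" --access-key-id "$old_key"
}
```

Run it as `create_cloudcheckr_access CloudCheckrGroup CloudCheckrUser ./CC_IAM_FullPolicy.json ./cloudcheckr-key.json` after `aws configure`; later, `rotate_access_key CloudCheckrUser AKIA... ./cloudcheckr-key.json` replaces the key once the application has been updated.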

For more information please visit http://docs.aws.amazon.com/cli/latest/userguide/installing.html


Enabling CloudTrail for All Regions in an account

The commands below enable CloudTrail in every region of an account. Each one creates a trail named “awscloudtrail” in its region, and all of the trails log into a single S3 bucket called “mycompany-cloudtrail”. create-subscription is a legacy helper in the AWS CLI that creates the trail and starts logging in one step; current CLI releases can instead create one multi-region trail with aws cloudtrail create-trail --is-multi-region-trail followed by aws cloudtrail start-logging. The region list below reflects the regions that existed when this page was written; aws ec2 describe-regions lists the ones currently available to your account.

Begin by inputting the following command in the CLI:

$ aws configure 

After running the above command you will be prompted for an access key, secret key, and region. After you have done this, run the following, one command per region. Note that only the first command uses --s3-new-bucket, which creates the bucket; every later command uses --s3-use-bucket to reuse it:


$ aws cloudtrail create-subscription --name=awscloudtrail --s3-new-bucket=mycompany-cloudtrail --region ap-northeast-1
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=mycompany-cloudtrail --region ap-southeast-1
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=mycompany-cloudtrail --region ap-southeast-2
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=mycompany-cloudtrail --region eu-central-1
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=mycompany-cloudtrail --region eu-west-1
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=mycompany-cloudtrail --region sa-east-1
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=mycompany-cloudtrail --region us-east-1
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=mycompany-cloudtrail --region us-west-1
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=mycompany-cloudtrail --region us-west-2 

The bucket name must be globally unique across S3 and lowercase. If you attempt to use a bucket name which is already in use, the --s3-new-bucket command will fail with an error. We have suggested the format mycompany-cloudtrail (e.g. cloudcheckr-cloudtrail), but this can be any valid bucket name you choose.
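As an added example (not part of the original CloudCheckr page), the script below performs the same per-region procedure in a loop: it enumerates the regions with aws ec2 describe-regions unless a list is given, uses --s3-new-bucket for the first region and --s3-use-bucket for the rest, rejects bucket names that S3 would refuse, and then checks with aws cloudtrail get-trail-status that logging is actually on in each region. The AWS_CLI and TRAIL_NAME variables are assumptions of this example (AWS_CLI=echo prints the commands instead of running them); the trail name and bucket name are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Enables a CloudTrail trail in every
# region, creating the bucket with the first region and reusing it afterwards.
# AWS_CLI defaults to "aws"; set AWS_CLI=echo to print the commands instead of running them.
set -euo pipefail

AWS_CLI="${AWS_CLI:-aws}"
TRAIL_NAME="${TRAIL_NAME:-awscloudtrail}"

# Usage: enable_cloudtrail_all_regions BUCKET [REGION...]
# With no regions given, the regions enabled for the account are enumerated.
enable_cloudtrail_all_regions() {
  local bucket="$1"; shift
  # S3 bucket names must be lowercase; catch "Cloudcheckr-cloudtrail" before S3 rejects it.
  case "$bucket" in
    ""|*[[:upper:]_]*) echo "bucket name must be non-empty and lowercase: '$bucket'" >&2; return 1 ;;
  esac
  local regions="$*"
  if [ -z "$regions" ]; then
    regions=$("$AWS_CLI" ec2 describe-regions --query 'Regions[].RegionName' --output text)
  fi
  local bucket_flag="--s3-new-bucket" region
  for region in $regions; do
    "$AWS_CLI" cloudtrail create-subscription --name "$TRAIL_NAME" \
      "$bucket_flag" "$bucket" --region "$region"
    bucket_flag="--s3-use-bucket"   # the bucket exists now; later regions must reuse it
  done
}

# Usage: verify_cloudtrail_logging REGION...
# Prints every region where the trail is not logging; returns 1 if there is any.
verify_cloudtrail_logging() {
  local region status rc=0
  for region in "$@"; do
    status=$("$AWS_CLI" cloudtrail get-trail-status --name "$TRAIL_NAME" \
               --region "$region" --query IsLogging --output text)
    if [ "$status" != "True" ]; then
      echo "logging is OFF in $region"
      rc=1
    fi
  done
  return $rc
}
```

After `aws configure`, `enable_cloudtrail_all_regions mycompany-cloudtrail` followed by `verify_cloudtrail_logging us-east-1 us-west-2 eu-west-1` (or the full region list) covers the steps above in one run; a non-zero exit from the verification is the signal that a region was missed.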

If you are attempting to do this in GovCloud or the China region, reconfigure the commands above to use the proper region below. These are separate partitions with their own credentials and their own S3 namespace, so a bucket from the commercial regions cannot be used there: create the bucket in that partition with --s3-new-bucket for the first trail and reuse it with --s3-use-bucket for any further regions in the same partition.

$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=cloudtrail --region us-gov-west-1
$ aws cloudtrail create-subscription --name=awscloudtrail --s3-use-bucket=cloudtrail --region cn-north-1

You may want to create a single S3 bucket to aggregate all your CloudTrail logs from multiple AWS accounts. To do that, you can use the script above, but you will have to set the parameter “--s3-use-bucket=cloudtrail” to the name of the aggregated S3 bucket you want to use. Since that bucket already exists in the account that owns it, every region in the other accounts uses --s3-use-bucket; none of them should use --s3-new-bucket.

After you configure an AWS account to write to the aggregated S3 bucket, you will need to update the bucket policy to allow CloudTrail to write into the appropriate prefixes in the bucket. Each account writing to the bucket needs its own entry in the policy, under the AWSLogs/<account-id>/ prefix that CloudTrail writes to.

Create your complete bucket policy as shown here. Save into a file such as BucketPolicy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20131101",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::903692715234:root",
          "arn:aws:iam::859597730677:root",
          "arn:aws:iam::814480443879:root",
          "arn:aws:iam::216624486486:root",
          "arn:aws:iam::086441151436:root",
          "arn:aws:iam::388731089494:root",
          "arn:aws:iam::284668455005:root",
          "arn:aws:iam::113285607260:root",
          "arn:aws:iam::035351147821:root"
        ]
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::myBucketName"
    },
    {
      "Sid": "AWSCloudTrailWrite20131101",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::903692715234:root",
          "arn:aws:iam::859597730677:root",
          "arn:aws:iam::814480443879:root",
          "arn:aws:iam::216624486486:root",
          "arn:aws:iam::086441151436:root",
          "arn:aws:iam::388731089494:root",
          "arn:aws:iam::284668455005:root",
          "arn:aws:iam::113285607260:root",
          "arn:aws:iam::035351147821:root"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::myBucketName/[optional]myLogFilePrefix/AWSLogs/111111111111/*",
        "arn:aws:s3:::myBucketName/[optional]myLogFilePrefix/AWSLogs/222222222222/*"
      ],
      "Condition": { 
        "StringEquals": { 
          "s3:x-amz-acl": "bucket-owner-full-control" 
        }
      }
    }
  ]
} 

The bucket name myBucketName, in the Resource of both statements, needs to be edited to reflect the correct bucket name, and [optional]myLogFilePrefix/ replaced with your log file prefix or removed if you do not use one.

The account IDs 111111111111 and 222222222222 in the PutObject resources will need to be changed to reflect each AWS account you are setting up to write to this S3 bucket, one entry per account. The account IDs listed as principals are CloudTrail's own legacy per-region service accounts and are not yours to change; current AWS guidance grants the same two actions to the service principal cloudtrail.amazonaws.com instead.

Once that is complete, you then need to apply the policy to the bucket. To accomplish that, you need to access the AWS account that owns the S3 bucket and run the commands below.

Enter the following command in the CLI:

$ aws configure

After running the above command you will be prompted for an access key, secret key, and region. This access key should be for the AWS account that owns the aggregated S3 bucket.

You then need to run the following command. In the command you need to point --bucket to your S3 bucket and --policy to the local copy of the policy file you created above.

$ aws s3api put-bucket-policy --bucket awscloudtrailaggregatedbucket --policy file://C:\BucketPolicy.json
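As an added example (not part of the original CloudCheckr page), the script below generates the aggregated-bucket policy for any number of writing accounts, with one PutObject resource per account under the AWSLogs/<account-id>/ prefix and the bucket-owner-full-control condition from the policy above, and applies it with aws s3api put-bucket-policy. It differs from the policy shown above in one respect: it grants the two actions to the service principal cloudtrail.amazonaws.com, which is the form AWS currently documents, rather than to the list of legacy CloudTrail account IDs. The AWS_CLI variable and the function names are assumptions of this example (AWS_CLI=echo prints the command instead of running it).

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Builds and applies the S3 bucket policy
# that lets CloudTrail in several accounts write into one aggregated bucket.
# AWS_CLI defaults to "aws"; set AWS_CLI=echo to print the command instead of running it.
set -euo pipefail

AWS_CLI="${AWS_CLI:-aws}"

# Usage: cloudtrail_bucket_policy BUCKET PREFIX ACCOUNT_ID...
# PREFIX is the optional log file prefix (pass "" for none). Prints the policy JSON.
cloudtrail_bucket_policy() {
  local bucket="$1" prefix="$2"; shift 2
  [ "$#" -ge 1 ] || { echo "need at least one writing account id" >&2; return 1; }
  local keypath="AWSLogs"
  if [ -n "$prefix" ]; then keypath="${prefix}/AWSLogs"; fi
  local resources="" acct
  for acct in "$@"; do
    # AWS account IDs are exactly 12 digits; a typo here silently denies that account.
    case "$acct" in
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) echo "invalid account id: $acct" >&2; return 1 ;;
    esac
    resources="${resources}${resources:+, }\"arn:aws:s3:::${bucket}/${keypath}/${acct}/*\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": [${resources}],
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
EOF
}

# Usage: apply_cloudtrail_bucket_policy BUCKET PREFIX ACCOUNT_ID...
# Run with credentials for the account that owns the bucket. --policy accepts inline JSON.
apply_cloudtrail_bucket_policy() {
  local bucket="$1" prefix="$2"; shift 2
  local policy
  policy=$(cloudtrail_bucket_policy "$bucket" "$prefix" "$@") || return 1
  "$AWS_CLI" s3api put-bucket-policy --bucket "$bucket" --policy "$policy"
}
```

For example, `apply_cloudtrail_bucket_policy awscloudtrailaggregatedbucket "" 111111111111 222222222222` applies a policy for two writing accounts with no prefix; rerun it with the full account list whenever an account is added, since put-bucket-policy replaces the whole policy.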