Creating an Aggregate S3 Bucket for CloudTrail

Introduction

AWS allows you to combine CloudTrail log files from multiple AWS regions and/or separate accounts into a single S3 bucket. Aggregating your log files in a single bucket simplifies storing and managing your trails, especially for AWS users who use Consolidated Billing. Using the CloudTrail reports within CloudCheckr’s Multi-Account View, you can also view this cross-account data to gain better insight into how and where people are interacting with your AWS accounts.


Procedure

To configure your AWS account to store the CloudTrail log files from multiple accounts into a single S3 bucket, follow these steps:


  1. Log in to your Amazon Web Services Management Console.
  2. Load the CloudTrail Dashboard.

  3. Load the region where you want to enable CloudTrail.
  4. If you have not enabled CloudTrail before, click Get Started.

    Note: If you already have CloudTrail enabled, skip to step 8.

  5. Select Yes or No to create a new S3 bucket.


    Note: If you select Yes, type the name for the S3 bucket.

    If you select No, select the destination bucket for the CloudTrail logs from the drop-down menu. You must also manually edit the S3 bucket policy to grant CloudTrail write permissions.

  6. Write down the name of the S3 bucket.

    Note: Click Advanced to configure additional options for CloudTrail, such as adding a prefix to the Trails, log validation, setting up SNS notifications, or creating a new SNS topic.

  7. Click Subscribe.

    CloudTrail is now configured for the selected region.

  8. To configure the S3 bucket to grant cross-account permissions to CloudTrail, load the S3 service.
  9. Locate the S3 bucket you designated earlier as the destination for the CloudTrail log files and click Properties.
  10. Select Permissions.
  11. Click the Edit bucket policy button.
  12. Modify the existing policy by adding a Resource line for each additional account whose log files you want delivered to this bucket. These lines go in the "Resource" list of the statement whose "Action" is "s3:PutObject":

    "Action": "s3:PutObject",
    "Resource": [
      "arn:aws:s3:::cloudtrail--logs/AWSLogs/awsaccountid1/*",
      "arn:aws:s3:::cloudtrail--logs/AWSLogs/awsaccountid2/*"
    ],

    Note: In the example, cloudtrail--logs is the name of the S3 bucket, and awsaccountid1 and awsaccountid2 stand for the AWS account IDs of the accounts whose logs you want delivered.

    Note: See Setting Bucket Policy for CloudTrail in the AWS documentation for further information.

  13. Save your updated policy.

    The bucket is now configured to accept CloudTrail logs from all accounts that you have added to the bucket permissions.

  14. For the remaining accounts and regions, enable CloudTrail and choose the same S3 bucket as the log file destination.

To Enable CloudTrail within Another Region in the Same Account:

  • Load the CloudTrail service.
  • Select a different region from the one you have already configured.
  • Follow the above procedure but choose the S3 bucket you configured earlier.

To Enable CloudTrail within a Different Account:

  • Choose to place the log files within an already-created bucket, selecting the bucket you configured earlier.
  • Follow the above procedure but choose the S3 bucket you configured earlier.
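As an added example (not CloudCheckr's or AWS's own code): a small Python helper that builds the two-statement bucket policy step 12 edits, appends further account IDs to it without duplicating entries, and audits an existing policy document for which accounts CloudTrail may write log files into. The bucket name and 12-digit account IDs used here are constructed placeholders.

```python
import json
import re

# Constructed example (not CloudCheckr code): build and audit the bucket
# policy that step 12 edits so CloudTrail can write cross-account logs.
CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}
LOG_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[^/]+)/AWSLogs/(?P<acct>\d{12})/\*$")

def build_policy(bucket, account_ids):
    """Policy letting CloudTrail deliver logs for each account in account_ids.
    CloudTrail reads the bucket ACL first, then writes under AWSLogs/<acct>/;
    the x-amz-acl condition makes the bucket owner own every delivered object."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": CLOUDTRAIL,
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": CLOUDTRAIL,
             "Action": "s3:PutObject",
             "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in account_ids],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }

def add_account(policy, bucket, account_id):
    """Step 12: add one account's log prefix to the PutObject statement (idempotent)."""
    arn = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"
    for stmt in policy["Statement"]:
        if stmt.get("Action") == "s3:PutObject" and stmt.get("Principal") == CLOUDTRAIL:
            res = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else list(stmt["Resource"])
            if arn not in res:
                res.append(arn)
            stmt["Resource"] = res
            return policy
    raise ValueError("no CloudTrail s3:PutObject statement to extend")

def writable_accounts(policy):
    """Audit helper: given a policy (dict or the JSON string get-bucket-policy
    returns), map each bucket to the account IDs CloudTrail may write logs for."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed = {}
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "s3:PutObject":
            continue
        res = stmt["Resource"]
        for arn in ([res] if isinstance(res, str) else res):
            m = LOG_ARN.match(arn)
            if m:
                allowed.setdefault(m["bucket"], set()).add(m["acct"])
    return allowed
```

Run writable_accounts over the policy you saved in step 13 to confirm that exactly the accounts you intended, and no others, can deliver logs to the bucket.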
