Creating an Aggregate S3 Bucket for CloudTrail

AWS allows you to combine CloudTrail log files from multiple AWS regions and/or separate accounts into a single S3 bucket. Aggregating your log files in a single bucket simplifies storing and managing your trails, especially for AWS users who use Consolidated Billing. Using the CloudTrail reports within CloudCheckr's Multi-Account View, you can also view this cross-account data to gain better insight into how and where people are interacting with your AWS accounts.

To configure your AWS account to store the CloudTrail log files from multiple accounts into a single S3 bucket, follow these steps:

1 – Log in to the AWS Console using the account where the CloudTrail log files will be stored.

2 – Select the CloudTrail service.

3 – Load the region where you want to enable CloudTrail.

4 – If you have not enabled CloudTrail before, click the Get Started button and go to the next step.

If you already have CloudTrail enabled, skip to step 10.

5 – Choose ‘Yes’ or ‘No’ for creating a new S3 bucket.

6 – If you chose ‘Yes’, enter the name for the S3 bucket. If you chose ‘No’, choose the destination bucket from the dropdown.

NOTE: If you select ‘No’, you must manually edit the S3 bucket policy to grant CloudTrail write permissions.

7 – Take note of the exact name of the S3 bucket you have designated as the destination bucket for your CloudTrail log files.

8 – OPTIONAL: You can click the Advanced link to configure additional options for CloudTrail, including adding a prefix to the trails, setting up SNS notifications, or enabling Global Services.

9 – When you are content with your selections, click Subscribe.

CloudTrail is now configured within this single region. Next, we have to configure the S3 bucket chosen in step 6 to grant cross-account permissions to CloudTrail.

10 – Load the S3 Service.

11 – Locate the destination bucket for the CloudTrail log files and click Properties.

12 – Select Permissions.

13 – Click the Edit bucket policy button.

14 – Modify the existing policy to add a line for each additional account whose log files you want delivered to this bucket.

You will need to add a line in the policy for each AWS account that will be delivering its CloudTrail log files to this bucket. These lines go in the "Resource" list of the statement whose "Action" is "s3:PutObject".

Example:

"Action": "s3:PutObject",
"Resource": [
  "arn:aws:s3:::cloudtrail--logs/AWSLogs/awsaccountid1/*",
  "arn:aws:s3:::cloudtrail--logs/AWSLogs/awsaccountid2/*"
],

NOTE: In the above example, "cloudtrail--logs" is the name of the S3 bucket, and "awsaccountidX" is the AWS account number.

See "Setting Bucket Policy for CloudTrail" in the AWS documentation for further information: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_accounts_bucket_policy.html

15 – Save your updated policy.

16 – Save your updates to the bucket permissions.

The bucket is now configured to accept CloudTrail logs from all accounts that you have added to the bucket permissions.
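As an added example (not CloudCheckr's or AWS's own code), the script below generates the full bucket policy from step 14 for a list of account IDs, and reports which account prefixes an existing policy lets CloudTrail write into, so a wildcard grant is caught before you save in step 15. It assumes the CloudTrail service principal (cloudtrail.amazonaws.com) and 12-digit account IDs; the GetBucketAcl statement and the bucket-owner-full-control condition are the standard CloudTrail delivery requirements.

```python
import json
import re
# Added example, not CloudCheckr's or AWS's own code: build the step 14 bucket policy
# for a list of account IDs, and report which accounts a policy lets CloudTrail write for.
CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}  # assumed service principal

def build_cloudtrail_bucket_policy(bucket, account_ids):
    """One PutObject resource line per account, plus the ACL check and owner-ACL condition."""
    resources = [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*" for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": resources,
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }

# Per-account log prefix; '*' in place of the 12-digit account ID is a wildcard grant.
_PREFIX_RE = re.compile(r"^arn:aws:s3:::[^/]+/AWSLogs/(\d{12}|\*)/\*$")

def accounts_allowed_to_write(policy):
    """Sorted account IDs an Allow s3:PutObject covers; '*' means any account can write."""
    granted = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "s3:PutObject" not in actions:
            continue
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for arn in res:
            match = _PREFIX_RE.match(arn)
            if match:
                granted.add(match.group(1))
    return sorted(granted)

if __name__ == "__main__":
    policy = build_cloudtrail_bucket_policy("cloudtrail--logs", ["111111111111", "222222222222"])  # constructed IDs
    print(json.dumps(policy, indent=2), accounts_allowed_to_write(policy))
```

Paste the printed JSON into the bucket policy editor from step 13; if accounts_allowed_to_write returns "*", the policy admits logs from any account that targets the bucket, not just the ones you listed.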

Next, you must go to the additional accounts and regions and enable CloudTrail, choosing that specific S3 bucket as the log file destination.

To enable CloudTrail within another region of this same account, load the CloudTrail service and select a different region from the one you have already configured. Follow the steps outlined above, but this time, during step 5, choose to place the log files within an already-created bucket, selecting the one we have already configured.

To enable CloudTrail within a different account, start at step 1 above, but this time, during step 5, choose to place the log files within an already-created bucket, selecting the one we have already configured.