CloudTrail

CloudTrail is a service that enables logging and monitoring of API calls made within an AWS account. It records and stores the API activity for various AWS services, such as EC2, S3, Lambda, and many others. The service provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.CloudTrail captures detailed information about each API call, including the identity of the caller, the time of the call, the source IP address of the caller, the request parameters, and the response elements returned by the AWS service. This information is stored in an Amazon S3 bucket, where it can be analyzed, processed, and delivered to other AWS services or third-party tools for further analysis or security and compliance purposes.Using CloudTrail, AWS users can gain insight into who is using their AWS account, what actions they are taking, and when they are taking them. This can help users to monitor their AWS resources, track changes made to their resources, troubleshoot issues, and meet compliance and security requirements.

Terraform Name

aws_cloudtrail

CloudTrail

attributes:

The following arguments are required:

name - (Required) Name of the trail.
s3_bucket_name - (Required) Name of the S3 bucket designated for publishing log files.

The following arguments are optional:

advanced_event_selector - (Optional) Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
cloud_watch_logs_group_arn - (Optional) Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
cloud_watch_logs_role_arn - (Optional) Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
enable_log_file_validation - (Optional) Whether log file integrity validation is enabled. Defaults to false.
enable_logging - (Optional) Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
event_selector - (Optional) Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
include_global_service_events - (Optional) Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
insight_selector - (Optional) Configuration block for identifying unusual operational activity. See details below.
is_multi_region_trail - (Optional) Whether the trail is created in the current region or in all regions. Defaults to false.
is_organization_trail - (Optional) Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
kms_key_id - (Optional) KMS key ARN to use to encrypt the logs delivered by CloudTrail.
s3_key_prefix - (Optional) S3 key prefix that follows the name of the bucket you have designated for log file delivery.
sns_topic_name - (Optional) Name of the Amazon SNS topic defined for notification of log file delivery.
tags - (Optional) Map of tags to assign to the trail. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

event_selector

data_resource - (Optional) Configuration block for data events. See details below.
exclude_management_event_sources (Optional) - A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set totrue to allow this.
include_management_events - (Optional) Whether to include management events for your trail. Defaults to true.
read_write_type - (Optional) Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.

data_resource

type - (Required) Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
values - (Required) List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.

insight_selector

insight_type - (Optional) Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.

Advanced Event Selector Arguments

field_selector (Required) - Specifies the selector statements in an advanced event selector. Fields documented below.
name (Optional) - Name of the advanced event selector.

Field Selector Arguments

field (Required) - Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.
ends_with (Optional) - A list of values that includes events that match the last few characters of the event record field specified as the value of field.
equals (Optional) - A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.
not_ends_with (Optional) - A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
not_equals (Optional) - A list of values that excludes events that match the exact value of the event record field specified as the value of field.
not_starts_with (Optional) - A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
starts_with (Optional) - A list of values that includes events that match the first few characters of the event record field specified as the value of field.

‍

Associating resources with a

CloudTrail

Resources do not "belong" to a

CloudTrail

Rather, one or more Security Groups are associated to a resource.

‍

Create

CloudTrail

via Terraform:

The following HCL enable CloudTrail to capture all compatible management events in region. For capturing events from services like IAM, include_global_service_events must be enabled.

Syntax:

data "aws_caller_identity" "current" {}

resource "aws_cloudtrail" "foobar" {
name = "tf-trail-foobar"
s3_bucket_name = aws_s3_bucket.foo.id
s3_key_prefix = "prefix"
include_global_service_events = false
}

resource "aws_s3_bucket" "foo" {
bucket = "tf-test-trail"
force_destroy = true
}

data "aws_iam_policy_document" "foo" {
statement {
sid = "AWSCloudTrailAclCheck"
effect = "Allow"

principals {
type = "Service"
identifiers = ["cloudtrail.amazonaws.com"]
}

actions = ["s3:GetBucketAcl"]
resources = [aws_s3_bucket.foo.arn]
}

statement {
sid = "AWSCloudTrailWrite"
effect = "Allow"

principals {
type = "Service"
identifiers = ["cloudtrail.amazonaws.com"]
}

actions = ["s3:PutObject"]
resources = ["${aws_s3_bucket.foo.arn}/prefix/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
}
}
resource "aws_s3_bucket_policy" "foo" {
bucket = aws_s3_bucket.foo.id
policy = data.aws_iam_policy_document.foo.json
}

Create

CloudTrail

via CLI:

Parameters:

create-trail
--name <value>
--s3-bucket-name <value>
[--s3-key-prefix <value>]
[--sns-topic-name <value>]
[--include-global-service-events | --no-include-global-service-events]
[--is-multi-region-trail | --no-is-multi-region-trail]
[--enable-log-file-validation | --no-enable-log-file-validation]
[--cloud-watch-logs-log-group-arn <value>]
[--cloud-watch-logs-role-arn <value>]
[--kms-key-id <value>]
[--is-organization-trail | --no-is-organization-trail]
[--tags-list <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]

Example:

aws cloudtrail create-trail --name Trail1 --s3-bucket-name my-bucket --is-multi-region-trail

Costs

AWS CloudTrail is a pay-as-you-go service, which means that you only pay for the events recorded in your account. The cost of CloudTrail is determined by the number of events recorded and the retention period of the logs.

CloudTrail

Terraform Name

event_selector

data_resource

insight_selector

Advanced Event Selector Arguments

Field Selector Arguments

Costs

Indirect Cost

MITRE ATT&CK for AWS: Understanding Tactics, Detection, and Mitigation

IAM best practices and troubleshooting tips for AWS EKS