Configure CloudTrail logging to CloudWatch Logs and S3. When used with CloudTrail Bucket module, this properly configures CloudTrail logging with a KMS CMK as required by CIS.
Logs can easily be centralized to a central security logging account by creating a bucket in a single account and referencing the bucket and KMS key.
module "cloudtrail-logging" {
source = "git::https://github.com/rhythmictech/terraform-cloudtrail-logging"
region = var.region
cloudtrail_bucket = module.cloudtrail-bucket.bucket_name
kms_key_id = module.cloudtrail-bucket.kms_key_id
}
| Name | Version |
|---|---|
| terraform | >= 0.12.20 |
| Name | Version |
|---|---|
| aws | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudtrail_bucket | Name of bucket for CloudTrail logs | string |
n/a | yes |
| kms_key_id | KMS key ARN to use for encrypting CloudTrail logs | string |
n/a | yes |
| region | Region that CloudWatch logging and the S3 bucket will live in | string |
n/a | yes |
| cloudtrail_name | Name for the CloudTrail | string |
"cloudtrail-all" |
no |
| iam_path | Path under which to put the IAM role. Should begin and end with a '/'. | string |
"/" |
no |
| lambda_functions | Lambda functions to log. Specify ["arn:aws:lambda"] for all, or [ ] for none. |
list |
[] |
no |
| log_group_name | Name for CloudTrail log group | string |
"cloudtrail2cwl" |
no |
| retention_in_days | How long should CloudTrail logs be retained in CloudWatch (does not affect S3 storage). Set to -1 for indefinite storage. | number |
7 |
no |
| s3_object_level_buckets | ARNs of buckets for which to enable object level logging. Specify ["arn:aws:s3:::"] for all, or [ ] for none. If listing ARNs, make sure to end each one with a /. |
list |
[] |
no |
| tags | Mapping of any extra tags you want added to resources | map(string) |
{} |
no |
| Name | Description |
|---|---|
| cloudwatch_loggroup_arn | The arn of the CloudWatch log group |
| cloudwatch_loggroup_name | The name of the CloudWatch log group |