Configure CloudTrail logging to CloudWatch Logs and S3. When used with the CloudTrail Bucket module, this properly configures CloudTrail logging with a KMS CMK as required by CIS.

Logs can easily be centralized to a central security logging account by creating a bucket in a single account and referencing that bucket and its KMS key from every other account.
```hcl
module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-cloudtrail-logging"
  region            = var.region
  cloudtrail_bucket = module.cloudtrail-bucket.bucket_name
  kms_key_id        = module.cloudtrail-bucket.kms_key_id
}
```
| Name | Version |
|---|---|
| terraform | >= 0.12.20 |

| Name | Version |
|---|---|
| aws | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudtrail_bucket | Name of bucket for CloudTrail logs | string | n/a | yes |
| kms_key_id | KMS key ARN to use for encrypting CloudTrail logs | string | n/a | yes |
| region | Region that CloudWatch logging and the S3 bucket will live in | string | n/a | yes |
| cloudtrail_name | Name for the CloudTrail | string | "cloudtrail-all" | no |
| iam_path | Path under which to put the IAM role. Should begin and end with a '/'. | string | "/" | no |
| lambda_functions | Lambda functions to log. Specify ["arn:aws:lambda"] for all, or [ ] for none. | list | [] | no |
| log_group_name | Name for CloudTrail log group | string | "cloudtrail2cwl" | no |
| retention_in_days | How long CloudTrail logs should be retained in CloudWatch (does not affect S3 storage). Set to -1 for indefinite storage. | number | 7 | no |
| s3_object_level_buckets | ARNs of buckets for which to enable object level logging. Specify ["arn:aws:s3:::"] for all, or [ ] for none. If listing ARNs, make sure to end each one with a '/'. | list | [] | no |
| tags | Mapping of any extra tags you want added to resources | map(string) | {} | no |
| Name | Description |
|---|---|
| cloudwatch_loggroup_arn | The ARN of the CloudWatch log group |
| cloudwatch_loggroup_name | The name of the CloudWatch log group |
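As an added example (not part of this module's own code), the centralized pattern described above from the workload account's side: the bucket name and key ARN owned by the security account are assumed to arrive as plain variables, the optional inputs are set explicitly instead of left at their defaults, and the `cloudwatch_loggroup_name` output feeds a CIS-style root-usage metric filter and alarm. The SNS topic, bucket ARN and region values are placeholders.

```hcl
# Constructed values shared by the central security logging account.
variable "central_trail_bucket" {
  type        = string
  description = "Name of the CloudTrail bucket owned by the security account"
}

variable "central_kms_key_arn" {
  type        = string
  description = "ARN of the CMK (in the security account) that encrypts trail logs"
}

module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-cloudtrail-logging"
  region            = "us-east-1" # placeholder region
  cloudtrail_bucket = var.central_trail_bucket
  kms_key_id        = var.central_kms_key_arn

  cloudtrail_name   = "cloudtrail-all"
  log_group_name    = "cloudtrail2cwl"
  retention_in_days = 90 # CloudWatch copy only; S3 retention is set on the bucket

  # Log every Lambda invocation and object-level events for one app bucket
  # (ARN must end with a trailing slash, per the module's input description).
  lambda_functions        = ["arn:aws:lambda"]
  s3_object_level_buckets = ["arn:aws:s3:::example-app-data/"] # placeholder bucket

  tags = { Owner = "security" }
}

# Detection built on the module's log group output: alert on root account use.
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "RootAccountUsage"
  log_group_name = module.cloudtrail-logging.cloudwatch_loggroup_name
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "RootAccountUsage"
  namespace           = "CISBenchmark"
  metric_name         = "RootAccountUsageCount"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  alarm_actions       = ["arn:aws:sns:us-east-1:000000000000:security-alerts"] # placeholder topic
}
```

Because the trail itself is encrypted with the security account's CMK, that key's policy must grant `kms:GenerateDataKey*` to CloudTrail for the workload account, or the trail will fail to write.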