
Audit | CloudTrail

Overview

AWS CloudTrail records the API calls and console actions made in your AWS accounts (who did what, from where, and when), giving you control over how those events are stored, analyzed, and acted upon.

Figure: CloudTrail Implementation Diagram (for reference only; the actual setup has a single trail in the Security account). Source: binbash Leverage diagrams, accessed July 6th 2022.

How do we implement it?

CloudTrail is configured to audit all AWS services across every account and every region of the organization. First, CloudTrail administration is delegated to the Security account (the delegation itself is registered from the organization's management account). Then a single multi-region, organizational trail is created in the Security account and configured to deliver events to an S3 bucket in that same account.

That way, every account in the organization (existing and future) and every region (currently enabled or enabled later) ships its events to that centralized trail.

CloudTrail's event history only keeps management events for 90 days, so the S3 bucket is where long-term retention is configured, with a retention period longer than 90 days.
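The three steps above (delegate administration, create the bucket with a longer retention and a least-privilege bucket policy, create the organization trail) as a Terraform example. This is an added illustration, not code from the Leverage codebase: it assumes a `management` aliased provider pointed at the organization's management account and a default provider pointed at the Security account, and the variable, trail and bucket names are made up for the example.

```hcl
# Added example (not the Leverage codebase's own code). Assumes provider
# "aws.management" = organization management account, and the default "aws"
# provider = the Security account, in region var.region.
variable "security_account_id" { type = string }
variable "org_id" { type = string }   # organization id, e.g. o-xxxxxxxxxx
variable "region" { type = string }   # home region of the default provider
variable "retention_days" {
  type    = number
  default = 365                       # longer than the 90-day event history
}

locals {
  trail_name  = "org-trail"
  bucket_name = "org-cloudtrail-${var.security_account_id}"
  # Built by hand so the bucket policy can reference the trail without a
  # resource cycle (the trail depends on the bucket policy, not vice versa).
  trail_arn = "arn:aws:cloudtrail:${var.region}:${var.security_account_id}:trail/${local.trail_name}"
}

# 1. From the management account: delegate CloudTrail administration to the
#    Security account. Trusted access for cloudtrail.amazonaws.com must already
#    be enabled on the organization.
resource "aws_organizations_delegated_administrator" "cloudtrail" {
  provider          = aws.management
  account_id        = var.security_account_id
  service_principal = "cloudtrail.amazonaws.com"
}

# 2. In the Security account: the bucket that receives every account's logs.
resource "aws_s3_bucket" "trail" {
  bucket = local.bucket_name
}

resource "aws_s3_bucket_public_access_block" "trail" {
  bucket                  = aws_s3_bucket.trail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Retention is controlled here, not in CloudTrail.
resource "aws_s3_bucket_lifecycle_configuration" "trail" {
  bucket = aws_s3_bucket.trail.id
  rule {
    id     = "expire-cloudtrail-logs"
    status = "Enabled"
    filter {}
    expiration {
      days = var.retention_days
    }
  }
}

# Only CloudTrail may write, only under AWSLogs/, only on behalf of this trail
# (aws:SourceArn), so a trail from a foreign account cannot deliver into it.
data "aws_iam_policy_document" "trail_bucket" {
  statement {
    sid       = "CloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
  statement {
    sid     = "CloudTrailWrite"
    actions = ["s3:PutObject"]
    # Organization trails write under the org id prefix; the trail owner's
    # own account prefix is also granted.
    resources = [
      "${aws_s3_bucket.trail.arn}/AWSLogs/${var.org_id}/*",
      "${aws_s3_bucket.trail.arn}/AWSLogs/${var.security_account_id}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [local.trail_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}

# 3. The single multi-region organization trail in the Security account.
resource "aws_cloudtrail" "org" {
  name                          = local.trail_name
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_multi_region_trail         = true
  is_organization_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true  # signed digests detect tampered log files

  depends_on = [
    aws_s3_bucket_policy.trail,
    aws_organizations_delegated_administrator.cloudtrail,
  ]
}
```

To confirm that member accounts actually inherit the trail, run `aws cloudtrail describe-trails --include-shadow-trails` with credentials for any member account: the organization trail should be listed with `IsOrganizationTrail` set to true, even though it cannot be modified from there. `enable_log_file_validation` matters for an audit trail: CloudTrail writes hourly digest files signed with a private key, and `aws cloudtrail validate-logs` can later prove whether any log file in the bucket was altered or deleted.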

Tip

The great thing about this setup is that whenever you create new accounts or enable new regions, you won't need to worry about performing additional configuration on CloudTrail.

leverage-tf IaC Terraform Codebase

Read more

AWS reference links

Consider the following AWS official links as reference: