Terraform for an AWS account which receives CloudTrail logs from other accounts.
The following example creates an S3 bucket named example and allows accounts 111111111111 and 222222222222 to write CloudTrail logs into that bucket:
$ terraform apply --var 'account_id_list=["111111111111", "222222222222"]' --var 'cloudtrail_s3_bucket_name="example"'
Accounts 111111111111 and 222222222222 can now configure CloudTrail to send logs to the example S3 bucket. The S3 key prefix configured in each trail should be set to that account's own ID; CloudTrail then appends its usual AWSLogs/<account-id>/ layout, so logs are delivered to s3:::example/111111111111/AWSLogs/111111111111/* and s3:::example/222222222222/AWSLogs/222222222222/* respectively. Setting the prefix to the account ID keeps each account's logs under a distinct, predictable path.
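The per-account path layout above is what a receiving bucket's policy should scope writes to: the CloudTrail service principal is allowed to put objects only under the prefix belonging to the account the trail lives in, so one source account cannot write into (or pose as) another account's log stream. The following is an added illustration of that scoping, not the module's own Terraform; the statement IDs, the use of aws:SourceAccount rather than a trail ARN, and the helper names (delivery_prefix, owning_account, cloudtrail_bucket_policy) are assumptions for the example.

```python
import json
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")


def delivery_prefix(account_id):
    """Key prefix CloudTrail uses when the trail's S3 prefix is the account ID.

    CloudTrail appends AWSLogs/<account-id>/ to whatever prefix the trail
    configures, so a prefix equal to the account ID yields
    <account-id>/AWSLogs/<account-id>/...
    """
    if not ACCOUNT_ID.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"{account_id}/AWSLogs/{account_id}/"


def owning_account(key):
    """Account a delivered key belongs to, or None when the key does not sit
    under a consistent <account>/AWSLogs/<account>/ prefix (a mismatch means
    something other than that account's trail wrote it)."""
    parts = key.split("/", 3)
    if len(parts) < 4 or parts[1] != "AWSLogs" or parts[0] != parts[2]:
        return None
    return parts[0] if ACCOUNT_ID.match(parts[0]) else None


def cloudtrail_bucket_policy(bucket_name, account_ids):
    """Bucket policy granting the CloudTrail service principal write access,
    scoped per source account to that account's own prefix.
    Hypothetical shape for illustration; the module's real policy is not on this page."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    statements = [
        {
            # CloudTrail reads the bucket ACL before it will deliver anything
            "Sid": "AWSCloudTrailAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": bucket_arn,
        }
    ]
    for acct in account_ids:
        statements.append(
            {
                "Sid": f"AWSCloudTrailWrite{acct}",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # only this account's prefix: a trail in account A cannot drop
                # objects into B's path
                "Resource": f"{bucket_arn}/{delivery_prefix(acct)}*",
                "Condition": {
                    "StringEquals": {
                        # the bucket owner keeps full control of delivered objects
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        # the delivering trail must belong to this account
                        "aws:SourceAccount": acct,
                    }
                },
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("example", ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))
```

owning_account is the check worth running over a listing of the bucket: any key whose leading prefix and AWSLogs account do not agree was not delivered the way this layout expects and deserves a look.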
If a trail is switched off and logs stop being delivered, the lambda-check-cloudtrail function sends a notification to an SNS topic.
This gives an opportunity to check with the relevant AWS account holder that they intended to switch off CloudTrail, for example because the account is being deleted.
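The detection the check function needs is a staleness test over the bucket: for every account expected to deliver, find the newest object under its CloudTrail prefix and alert when nothing has arrived within a window, or nothing has ever arrived. The block below is an added example of that logic, not the code of lambda-check-cloudtrail (which this page does not show); the two-hour window, the function names, the decision to ignore CloudTrail-Digest objects, and the sample listing are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumption: alert once an account has delivered nothing for this long.
# CloudTrail normally delivers a file within about 15 minutes of activity,
# so multi-hour silence from an account that used to log is the signal.
STALE_AFTER = timedelta(hours=2)


def latest_delivery(objects, account_ids):
    """Newest CloudTrail object timestamp per expected account.

    `objects` is an iterable of (key, last_modified) pairs as a bucket
    listing yields them. Keys outside <acct>/AWSLogs/<acct>/CloudTrail/
    (digest files, unrelated prefixes, unexpected accounts) are ignored.
    """
    latest = {acct: None for acct in account_ids}
    for key, last_modified in objects:
        acct = key.split("/", 1)[0]
        if acct in latest and key.startswith(f"{acct}/AWSLogs/{acct}/CloudTrail/"):
            if latest[acct] is None or last_modified > latest[acct]:
                latest[acct] = last_modified
    return latest


def stale_accounts(objects, account_ids, now, stale_after=STALE_AFTER):
    """Accounts with no delivery inside `stale_after`; never delivered counts too."""
    return sorted(
        acct
        for acct, ts in latest_delivery(objects, account_ids).items()
        if ts is None or now - ts > stale_after
    )


def notification(stale, bucket_name, now):
    """Body for the SNS message, or None when every account is still delivering."""
    if not stale:
        return None
    lines = [
        f"CloudTrail delivery to {bucket_name} has stopped for "
        f"{len(stale)} account(s) as of {now.isoformat()}:"
    ]
    lines += [
        f"  - {acct}: confirm with the account holder whether the trail was switched off on purpose"
        for acct in stale
    ]
    return "\n".join(lines)


# Constructed sample listing for the example (not real data)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    ("111111111111/AWSLogs/111111111111/CloudTrail/eu-west-1/2024/01/01/a.json.gz",
     NOW - timedelta(minutes=20)),                         # fresh
    ("111111111111/AWSLogs/111111111111/CloudTrail-Digest/eu-west-1/2024/01/01/d.json.gz",
     NOW - timedelta(minutes=5)),                          # digest, ignored
    ("222222222222/AWSLogs/222222222222/CloudTrail/eu-west-1/2024/01/01/b.json.gz",
     NOW - timedelta(hours=6)),                            # went quiet
    ("444444444444/AWSLogs/444444444444/CloudTrail/eu-west-1/2024/01/01/c.json.gz",
     NOW),                                                 # not an expected account
]
EXPECTED_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]  # 333... never delivered

if __name__ == "__main__":
    stale = stale_accounts(SAMPLE_LISTING, EXPECTED_ACCOUNTS, NOW)
    print(notification(stale, "example", NOW))
```

In a real Lambda the listing would come from a paginated ListObjectsV2 call per account prefix and the message would go to the SNS topic; the staleness window should be tuned per account, since a very quiet account can legitimately go longer between files than a busy one.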
Separate alarms are created for certain activity in the account. These are provided by the aws-security-alarms Terraform module:
- Root user activity
- Unexpected IP access (configurable)
- Unauthorized activity / failed authentication attempts
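The three alarm categories above correspond to conditions that can be checked directly on individual CloudTrail records: the root identity acting on its own, a source address outside an expected range, and API calls denied for lack of authorisation or console sign-ins that failed. The block below is an added example of those checks run over constructed records; it is not the aws-security-alarms module (which implements its alarms as CloudWatch resources, not shown on this page). The expected address range, the alarm names and the sample events are assumptions for the example.

```python
import ipaddress

# Assumption: the address ranges the account is normally used from
# (the page says this is configurable; TEST-NET-3 stands in here)
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def classify(event, expected_networks=EXPECTED_NETWORKS):
    """Return the alarm names a single CloudTrail record would raise."""
    alarms = []
    ident = event.get("userIdentity", {})

    # Root user activity: the root identity acting directly, not an AWS
    # service acting on the account's behalf (invokedBy) or a service event
    if (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent"):
        alarms.append("root_activity")

    # Unexpected IP: a source address outside the configured ranges.
    # Service principals appear as hostnames or "AWS Internal", not addresses.
    try:
        source = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        source = None
    if source is not None and not any(source in net for net in expected_networks):
        alarms.append("unexpected_ip")

    # Unauthorized activity / failed authentication: denied API calls
    # (AccessDenied, *UnauthorizedOperation) or a failed console sign-in
    error_code = event.get("errorCode", "")
    if (error_code.endswith("UnauthorizedOperation")
            or error_code.startswith("AccessDenied")
            or (event.get("eventName") == "ConsoleLogin"
                and event.get("errorMessage") == "Failed authentication")):
        alarms.append("unauthorized_or_failed_auth")
    return alarms


def alarming_events(events, expected_networks=EXPECTED_NETWORKS):
    """(eventID, alarms) for every record that raises at least one alarm."""
    out = []
    for ev in events:
        raised = classify(ev, expected_networks)
        if raised:
            out.append((ev["eventID"], raised))
    return out


# Constructed records trimmed to the fields the checks read (not real logs)
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e2", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventID": "e3", "eventName": "GetObject", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.20", "errorCode": "AccessDenied"},
    {"eventID": "e4", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication"},
    {"eventID": "e5", "eventName": "PutBucketPolicy", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"},
     "sourceIPAddress": "AWS Internal"},
]

if __name__ == "__main__":
    for event_id, raised in alarming_events(SAMPLE_EVENTS):
        print(event_id, ", ".join(raised))
```

The invokedBy exclusion matters in practice: AWS services performing actions on the account's behalf are recorded under the root identity with an invokedBy field, and alarming on those produces noise that buries a genuine root sign-in such as e1.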