Notes on enabling CloudTrail in all regions

The templates are based on this gist:
https://gist.github.com/ryo0301/1ccf39346934f03dc28b

Beforehand, create an S3 bucket to hold the CloudFormation templates and allow web access to it, so that CloudFormation can fetch the templates by URL.
Wherever [bucket-for-cloudformation-template] appears below, replace it with the name of the bucket created here.
Create the S3 bucket that stores the CloudTrail data

The following file is used as the base of the template.
SNS is not needed here, so OperatorEmail, Topic, TopicPolicy and SNSTopicName have been removed.

cf-audit-outputs.template
```json
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Parameters" : {
    "ExpirationInDays" : {
      "Description" : "Expiration of the CloudTrail logs in days",
      "Type" : "Number",
      "Default" : 365
    }
  },
  "Resources" : {
    "Bucket" : {
      "DeletionPolicy" : "Retain",
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "LifecycleConfiguration" : {
          "Rules" : [
            {
              "Status" : "Enabled",
              "ExpirationInDays" : {"Ref" : "ExpirationInDays"}
            }
          ]
        }
      }
    },
    "BucketPolicy" : {
      "Type" : "AWS::S3::BucketPolicy",
      "Properties" : {
        "Bucket" : {"Ref" : "Bucket"},
        "PolicyDocument" : {
          "Version" : "2012-10-17",
          "Statement" : [
            {
              "Sid" : "AWSCloudTrailAclCheck",
              "Effect" : "Allow",
              "Principal" : {
                "AWS" : [
                  "arn:aws:iam::903692715234:root",
                  "arn:aws:iam::859597730677:root",
                  "arn:aws:iam::814480443879:root",
                  "arn:aws:iam::216624486486:root",
                  "arn:aws:iam::086441151436:root",
                  "arn:aws:iam::388731089494:root",
                  "arn:aws:iam::284668455005:root",
                  "arn:aws:iam::113285607260:root",
                  "arn:aws:iam::035351147821:root"
                ]
              },
              "Action" : "s3:GetBucketAcl",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "Bucket"}]]}
            },
            {
              "Sid" : "AWSCloudTrailWrite",
              "Effect" : "Allow",
              "Principal" : {
                "AWS" : [
                  "arn:aws:iam::903692715234:root",
                  "arn:aws:iam::859597730677:root",
                  "arn:aws:iam::814480443879:root",
                  "arn:aws:iam::216624486486:root",
                  "arn:aws:iam::086441151436:root",
                  "arn:aws:iam::388731089494:root",
                  "arn:aws:iam::284668455005:root",
                  "arn:aws:iam::113285607260:root",
                  "arn:aws:iam::035351147821:root"
                ]
              },
              "Action" : "s3:PutObject",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "Bucket"}, "/AWSLogs/", {"Ref" : "AWS::AccountId"}, "/*"]]},
              "Condition" : {
                "StringEquals" : {
                  "s3:x-amz-acl" : "bucket-owner-full-control"
                }
              }
            }
          ]
        }
      }
    }
  },
  "Outputs" : {
    "S3BucketName" : {
      "Value" : {"Ref" : "Bucket"},
      "Description" : "Name of the newly created S3 bucket."
    }
  }
}
```
Upload the template and create the S3 bucket with CloudFormation

```shell
% aws s3 cp cf-audit-outputs.template s3://[bucket-for-cloudformation-template]/cf-audit-outputs.template
% aws cloudformation create-stack --stack-name audit-s3 --region ap-northeast-1 --template-url https://s3-ap-northeast-1.amazonaws.com/[bucket-for-cloudformation-template]/cf-audit-outputs.template
```
How to check the result

```shell
% aws cloudformation describe-stack-resources --stack-name audit-s3
```

Wherever [bucket-for-cloudtrail] appears below, replace it with the S3 bucket name shown by this command.
Configure CloudTrail

The following file is used as the base of the template:
https://gist.github.com/ryo0301/1ccf39346934f03dc28b#file-cf-audit-cloudtrail-template

```shell
% aws s3 cp cf-audit-cloudtrail.template s3://[bucket-for-cloudformation-template]/cf-audit-cloudtrail.template
```

Logs for global services (IAM, STS and the like) are stored in the Tokyo region only: IncludeGlobalServiceEvents is set to true for the Tokyo stack and not set for the other regions, so those events are not duplicated in every region's log.
Tokyo region

```shell
% aws cloudformation create-stack --stack-name audit-cloudtrail --region ap-northeast-1 --template-url https://s3-ap-northeast-1.amazonaws.com/[bucket-for-cloudformation-template]/cf-audit-cloudtrail.template --parameters ParameterKey=BucketName,ParameterValue=[bucket-for-cloudtrail],UsePreviousValue=true ParameterKey=IncludeGlobalServiceEvents,ParameterValue=true,UsePreviousValue=true
```
Regions other than Tokyo

```shell
% REGIONS=("ap-southeast-1" "ap-southeast-2" "eu-central-1" "eu-west-1" "sa-east-1" "us-east-1" "us-west-1" "us-west-2"); for region in ${REGIONS[@]}; do aws cloudformation create-stack --stack-name audit-cloudtrail --region $region --template-url https://s3-ap-northeast-1.amazonaws.com/[bucket-for-cloudformation-template]/cf-audit-cloudtrail.template --parameters ParameterKey=BucketName,ParameterValue=[bucket-for-cloudtrail],UsePreviousValue=true; done
```
How to check the result

```shell
% REGIONS=("ap-northeast-1" "ap-southeast-1" "ap-southeast-2" "eu-central-1" "eu-west-1" "sa-east-1" "us-east-1" "us-west-1" "us-west-2"); for region in ${REGIONS[@]}; do aws cloudformation describe-stack-resources --region ${region} --stack-name audit-cloudtrail; done
```
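Beyond checking that each stack exists, the end state worth verifying is that every region has a trail writing to the shared bucket and that global service events are recorded in exactly one region. The script below is an added example, not part of the original memo: it checks that from the `trailList` part of `aws cloudtrail describe-trails` output collected per region; the per-region data and bucket name embedded in it are constructed samples.

```python
"""Constructed example (not from the original memo): audit the per-region
CloudTrail end state from `aws cloudtrail describe-trails` output."""

REGIONS = ["ap-northeast-1", "ap-southeast-1", "ap-southeast-2", "eu-central-1",
           "eu-west-1", "sa-east-1", "us-east-1", "us-west-1", "us-west-2"]
TOKYO = "ap-northeast-1"  # the memo records global service events only here


def audit_trails(trails_by_region, expected_bucket, global_region=TOKYO):
    """Return a list of findings (an empty list means the setup matches the memo).

    trails_by_region maps region -> the `trailList` list from describe-trails.
    Checks: every region has a trail, every trail writes to expected_bucket,
    and exactly one region (global_region) has IncludeGlobalServiceEvents, so
    IAM/STS events land in the bucket once rather than once per region.
    """
    findings, global_regions = [], []
    for region in REGIONS:
        trails = trails_by_region.get(region) or []
        if not trails:
            findings.append(f"{region}: no trail configured")
            continue
        for t in trails:
            if t.get("S3BucketName") != expected_bucket:
                findings.append(f"{region}: {t.get('Name')} writes to "
                                f"{t.get('S3BucketName')!r}, expected {expected_bucket!r}")
            if t.get("IncludeGlobalServiceEvents"):
                global_regions.append(region)
    if global_regions != [global_region]:
        findings.append(f"global service events enabled in {global_regions}, "
                        f"expected only [{global_region!r}]")
    return findings


def sample(bucket="audit-s3-bucket-example"):
    """Constructed describe-trails data, shaped like the CLI's trailList entries,
    for the setup the memo's commands produce (bucket name is a placeholder)."""
    return {r: [{"Name": "audit-cloudtrail", "S3BucketName": bucket,
                 "HomeRegion": r, "IsMultiRegionTrail": False,
                 "IncludeGlobalServiceEvents": r == TOKYO}] for r in REGIONS}


if __name__ == "__main__":
    print(audit_trails(sample(), "audit-s3-bucket-example"))  # [] : all good
    bad = sample()
    del bad["eu-west-1"]                                       # one region skipped
    bad["us-east-1"][0]["IncludeGlobalServiceEvents"] = True   # duplicated global events
    for finding in audit_trails(bad, "audit-s3-bucket-example"):
        print("FINDING:", finding)
```

To use it against a real account, fill `trails_by_region` by running `aws cloudtrail describe-trails --region <region>` for each region and passing each result's `trailList`.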
That completes the setup.