
全リージョンのCloudTrailロギングを有効にするワンライナー


準備

  1. AWS CLIが使えるようにしておく
  2. 使用するbucketにあらかじめ以下のバケットポリシーを設定しておく（→ドキュメント）。このポリシーはCloudTrailのサービスアカウントに対して、バケットACLの参照（s3:GetBucketAcl）と AWSLogs/ 配下へのオブジェクト書き込み（s3:PutObject、bucket-owner-full-control ACL付き）のみを許可する内容です
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20131101",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::903692715234:root",
                    "arn:aws:iam::859597730677:root",
                    "arn:aws:iam::814480443879:root",
                    "arn:aws:iam::216624486486:root",
                    "arn:aws:iam::086441151436:root",
                    "arn:aws:iam::388731089494:root",
                    "arn:aws:iam::284668455005:root",
                    "arn:aws:iam::113285607260:root"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::j3tm0t0-audit"
        },
        {
            "Sid": "AWSCloudTrailWrite20131101",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::903692715234:root",
                    "arn:aws:iam::859597730677:root",
                    "arn:aws:iam::814480443879:root",
                    "arn:aws:iam::216624486486:root",
                    "arn:aws:iam::086441151436:root",
                    "arn:aws:iam::388731089494:root",
                    "arn:aws:iam::284668455005:root",
                    "arn:aws:iam::113285607260:root"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::j3tm0t0-audit/AWSLogs/*/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

実行

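# Create a trail named "Default" in every region that the account can see and
# start logging for each of them, delivering to a single S3 bucket.
#
# Prerequisites (see above): the AWS CLI is configured, and the bucket already
# carries the bucket policy that lets CloudTrail read the bucket ACL and write
# under AWSLogs/.
#
# Global service events (IAM, STS, ...) must be recorded by only ONE trail;
# if every regional trail includes them, each region receives a duplicate copy
# of the same event. The first region created below includes them, the rest
# are created with --no-include-global-service-events.
#
# Hardening worth considering (not enabled here): --enable-log-file-validation
# on create-trail produces tamper-evident digest files for the delivered logs.
bucket=j3tm0t0-audit
trail=Default
global_flag=--include-global-service-events

for region in $(aws ec2 describe-regions --output text --query 'Regions[*].RegionName'); do
    # create-trail fails (non-zero) if a trail of this name already exists in the
    # region; start-logging is still attempted so an existing trail gets enabled.
    aws cloudtrail create-trail --name "$trail" --s3-bucket-name "$bucket" "$global_flag" --region "$region"
    aws cloudtrail start-logging --name "$trail" --region "$region"
    # Only the first trail keeps global service events; see the note above.
    global_flag=--no-include-global-service-events
done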
{
    "IncludeGlobalServiceEvents": true,
    "Name": "Default",
    "S3BucketName": "j3tm0t0-audit"
}
{
    "IncludeGlobalServiceEvents": true,
    "Name": "Default",
    "S3BucketName": "j3tm0t0-audit"
}
{
    "IncludeGlobalServiceEvents": true,
    "Name": "Default",
    "S3BucketName": "j3tm0t0-audit"
}
{
    "IncludeGlobalServiceEvents": true,
    "Name": "Default",
    "S3BucketName": "j3tm0t0-audit"
}
{
    "IncludeGlobalServiceEvents": true,
    "Name": "Default",
    "S3BucketName": "j3tm0t0-audit"
}
{
    "IncludeGlobalServiceEvents": true,
    "Name": "Default",
    "S3BucketName": "j3tm0t0-audit"
}
{
    "IncludeGlobalServiceEvents": true,
    "Name": "Default",
    "S3BucketName": "j3tm0t0-audit"
}
{
    "IncludeGlobalServiceEvents": true,
    "Name": "Default",
    "S3BucketName": "j3tm0t0-audit"
}

追記

start-loggingするのを忘れてました...