#1. 概要
- CloudFormation で CloudTrail を設定する。
- 作成するリソース
- S3 Bucket + Bucket Policy
- IAM Role + Inline Policy
- CloudWatch Logs LogGroup
- CloudTrail
- 参考
https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/EnableAWSCloudtrail.yml
#2. 各リソースメモ
- S3 Bucket + Bucket Policy
- バケット名:cloudtrail-AWSアカウントID
- 補足(セキュリティ): テンプレートのバケット定義は `BucketName` のみで、暗号化・パブリックアクセスブロック・バージョニングが未設定。監査ログの保管先なので、最低限 `PublicAccessBlockConfiguration`(4項目すべて true)と `BucketEncryption`(SSE-S3 または SSE-KMS)を追加し、スタック削除でログごと消えないよう `DeletionPolicy: Retain` を付けることを推奨。
- 補足(バケットポリシー): `AWSCloudTrailWrite` の Resource が `/AWSLogs/<自アカウントID>/*` に限定されている点は良い。さらに AWS のガイドに従い、両ステートメントの `Condition` に `"aws:SourceArn": "arn:aws:cloudtrail:<リージョン>:<アカウントID>:trail/<証跡名>"` を加えると、他の証跡がこのバケットへ配信する(confused deputy)ことを防げる。Resource の ARN は文字列連結でバケット名を再構築しているが、`{ "Fn::GetAtt": [ "S3Bucket", "Arn" ] }` を使えばバケット名変更時の不整合を防げる。
- 参考
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
https://docs.aws.amazon.com/ja_jp/config/latest/developerguide/s3-bucket-policy.html (AWS Config 向けのバケットポリシー解説。CloudTrail 用は https://docs.aws.amazon.com/ja_jp/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html を参照)
- IAM Role + Inline Policy
- ロール名:cloudtrail
- インラインポリシー名:cloudtrail
- 補足: インラインポリシーは `logs:CreateLogStream` / `logs:PutLogEvents` のみを、ロググループ `CloudTrail` 配下のログストリーム `<アカウントID>_CloudTrail_<リージョン>*` に限定しており最小権限になっている。ただしリージョン部分がスタックをデプロイしたリージョン(`AWS::Region`)に固定されている。証跡は全リージョン対象なので、他リージョン由来のイベントがロググループに届いているか確認し、届かない場合はリージョン部分を `*` に広げる。
- 補足: 信頼ポリシー(AssumeRolePolicyDocument)はサービスプリンシパル `cloudtrail.amazonaws.com` に無条件で `sts:AssumeRole` を許可している。AWS の推奨に従い `Condition` に `aws:SourceArn`(この証跡の ARN)を付けて、意図した証跡以外から引き受けられないようにするとよい。また `RoleName` を固定値にしているため、同じテンプレートを同一アカウントに2回デプロイすると名前衝突で失敗する点に注意。
- 参考
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
https://docs.aws.amazon.com/ja_jp/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
- CloudWatch Logs LogGroup
- ロググループ名:CloudTrail
- 保持日数:7
- 補足: 7日はメトリクスフィルタ/アラーム用途としては十分だが、長期保管は S3 側が担う前提になる。S3 バケット側のライフサイクル(必要なら Object Lock)で保持期間を別途決めておくこと。ロググループを CMK で暗号化したい場合は `KmsKeyId` を指定する(テンプレートでは未指定)。
- 参考
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html
- CloudTrail
- 証跡名:AWSアカウントID
- 証跡情報を全てのリージョンに適用:はい
- 補足(セキュリティ): `EnableLogFileValidation` が未指定(デフォルト false)のため、ログファイルの整合性検証(ダイジェストファイルによる改ざん検知)が無効になっている。`"EnableLogFileValidation": true` を追加すべき(CIS AWS Foundations Benchmark の推奨項目)。`KMSKeyId` も未指定なので、S3 上のログは SSE-KMS ではなく既定の暗号化になる。監査ログを KMS CMK で暗号化する場合は `KMSKeyId` と CloudTrail を許可するキーポリシーが必要。
- 補足: `S3BucketName` は文字列連結でバケット名を再構築しているが、`{ "Ref": "S3Bucket" }` にすれば S3Bucket リソースへの依存が明示され、名前の不整合もなくなる(`DependsOn: S3BucketPolicy` はポリシー適用後に証跡を作るために引き続き必要)。
- 参考
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html
#3. JSONテンプレート
CloudTrail.json
注意: 下記テンプレートの Outputs セクションにある `{ "Ref" : S3Bucket }` などは値がダブルクォートで囲まれておらず、JSON として不正(スタック作成時にテンプレートの検証エラーになる)。`{ "Ref" : "S3Bucket" }`、`{ "Ref" : "IAMRole" }`、`{ "Ref" : "LogsLogGroup" }`、`{ "Ref" : "CloudTrailTrail" }` のように引用符を付けて使うこと。
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "CloudTrail",
"Resources" : {
"S3Bucket" : {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketName" : { "Fn::Join" : [ "", [ "cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] }
}
},
"S3BucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"Bucket" : { "Ref" : "S3Bucket"},
"PolicyDocument" : {
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "AWSCloudTrailAclCheck20150319",
"Effect" : "Allow",
"Principal" : { "Service" : "cloudtrail.amazonaws.com"},
"Action" : "s3:GetBucketAcl",
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] }
},
{
"Sid" : "AWSCloudTrailWrite20150319",
"Effect" : "Allow",
"Principal" : { "Service" : "cloudtrail.amazonaws.com" },
"Action" : "s3:PutObject",
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:s3:::cloudtrail-", { "Ref" : "AWS::AccountId" }, "/AWSLogs/", { "Ref" : "AWS::AccountId" }, "/*" ] ] },
"Condition" : { "StringEquals" : { "s3:x-amz-acl" : "bucket-owner-full-control" } }
}
]
}
}
},
"IAMRole" : {
"Type" : "AWS::IAM::Role",
"Properties" : {
"AssumeRolePolicyDocument" : {
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "",
"Effect" : "Allow",
"Principal" : {
"Service" : "cloudtrail.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
},
"Path" : "/",
"Policies" : [
{
"PolicyName" : "cloudtrail",
"PolicyDocument" : {
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "AWSCloudTrailCreateLogStream20141101",
"Effect" : "Allow",
"Action" : [ "logs:CreateLogStream" ],
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:logs:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":log-group:CloudTrail:log-stream:", { "Ref" : "AWS::AccountId" }, "_CloudTrail_", { "Ref" : "AWS::Region" }, "*" ] ] }
},
{
"Sid" : "AWSCloudTrailPutLogEvents20141101",
"Effect" : "Allow",
"Action" : [ "logs:PutLogEvents" ],
"Resource" : { "Fn::Join" : [ "", [ "arn:aws:logs:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":log-group:CloudTrail:log-stream:", { "Ref" : "AWS::AccountId" }, "_CloudTrail_", { "Ref" : "AWS::Region" }, "*" ] ] }
}
]
}
}
],
"RoleName": "cloudtrail"
}
},
"LogsLogGroup": {
"Type" : "AWS::Logs::LogGroup",
"Properties" : {
"LogGroupName" : "CloudTrail",
"RetentionInDays" : 7
}
},
"CloudTrailTrail" : {
"DependsOn" : "S3BucketPolicy",
"Type" : "AWS::CloudTrail::Trail",
"Properties" : {
"CloudWatchLogsLogGroupArn" : { "Fn::GetAtt" : [ "LogsLogGroup", "Arn" ] },
"CloudWatchLogsRoleArn" : { "Fn::GetAtt": [ "IAMRole", "Arn" ] },
"IncludeGlobalServiceEvents" : true,
"IsLogging" : true,
"IsMultiRegionTrail" : true,
"S3BucketName" : { "Fn::Join": [ "", [ "cloudtrail-", { "Ref" : "AWS::AccountId" } ] ] },
"TrailName" : { "Ref": "AWS::AccountId" }
}
}
},
"Outputs" : {
"S3Bucket" : {
"Description" : "S3 Bucket Name",
"Value" : { "Ref" : S3Bucket }
},
"IAMRole" : {
"Description" : "IAM Role Name",
"Value" : { "Ref" : IAMRole }
},
"LogsLogGroup" : {
"Description" : "Log Group Name",
"Value" : { "Ref" : LogsLogGroup }
},
"CloudTrailTrail" : {
"Description" : "Trail Name",
"Value" : { "Ref" : CloudTrailTrail }
}
}
}