Configures CloudTrail logging to CloudWatch Logs and S3. When used with the CloudTrail Bucket module, this configures CloudTrail logging with a KMS CMK, as required by CIS.
Logs can be centralized in a dedicated security logging account by creating the bucket in that single account and referencing its bucket name and KMS key from the other accounts.
```hcl
module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-cloudtrail-logging"
  region            = var.region
  cloudtrail_bucket = module.cloudtrail-bucket.bucket_name
  kms_key_id        = module.cloudtrail-bucket.kms_key_id
}
```
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudtrail_bucket | Name of the bucket for CloudTrail logs | string | n/a | yes |
| cloudtrail_name | Name for the CloudTrail | string | "cloudtrail-all" | no |
| kms_key_id | KMS key ARN to use for encrypting CloudTrail logs | string | n/a | yes |
| log_group_name | Name for the CloudTrail log group | string | "cloudtrail2cwl" | no |
| region | Region that CloudWatch logging and the S3 bucket will live in | string | n/a | yes |
| retention_in_days | How long CloudTrail logs should be retained in CloudWatch, in days (does not affect S3 storage). Set to -1 for indefinite retention. | number | "7" | no |
| Name | Description |
|---|---|
| cloudwatch_loggroup_arn | The ARN of the CloudWatch log group |
| cloudwatch_loggroup_name | The name of the CloudWatch log group |
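The centralized pattern described above, as an added example that is not part of the module's README: a workload account sends its trail to a bucket and CMK owned by the security logging account, then uses the module's log group output to drive a metric filter. The bucket name, KMS key ARN and region are constructed placeholders, and the CMK's key policy and bucket policy are assumed to already admit CloudTrail from the workload account.

```hcl
# Added example, not the module's own code. Values marked "placeholder" are
# constructed; the central bucket and CMK are assumed to exist in the security
# logging account with key and bucket policies that admit this account's trail.

variable "central_cloudtrail_bucket" {
  description = "S3 bucket owned by the security logging account (placeholder name)"
  type        = string
  default     = "org-cloudtrail-central-logs"
}

variable "central_kms_key_arn" {
  description = "CMK owned by the security logging account (placeholder ARN)"
  type        = string
  default     = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
}

module "cloudtrail-logging" {
  source = "git::https://github.com/rhythmictech/terraform-cloudtrail-logging"

  region            = "us-east-1" # placeholder; must match the central bucket's region
  cloudtrail_bucket = var.central_cloudtrail_bucket
  kms_key_id        = var.central_kms_key_arn

  # The CloudWatch copy is kept for a year; the S3 copy in the central
  # account follows that bucket's own lifecycle rules, not this setting.
  retention_in_days = 365
}

# The log group output lets the workload account alert on its own trail while
# the durable copy stays in the security account. The pattern is the CIS
# benchmark filter for unauthorized API calls.
resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
  name           = "UnauthorizedAPICalls"
  log_group_name = module.cloudtrail-logging.cloudwatch_loggroup_name
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"

  metric_transformation {
    name      = "UnauthorizedAPICalls"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}
```

An aws_cloudwatch_metric_alarm on CloudTrailMetrics/UnauthorizedAPICalls, wired to an SNS topic, completes the control; it is omitted here to keep the example focused on the module's inputs and outputs.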