How To Create CloudTrail In AWS Organization
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to create a regional trail and a multi-region trail with global service events in AWS CloudTrail.
https://cloudaffaire.com/how-to-create-a-new-trail-in-aws-cloudtrail/
In today’s blog post, we will discuss how to create a CloudTrail trail for an AWS Organization. If you have created an organization in AWS Organizations, you can also create a trail that logs all events for all AWS accounts in that organization. This is referred to as an organization trail. An organization trail is created in the management account (or a delegated administrator account) with trusted access for CloudTrail enabled; it is visible in every member account, but member accounts cannot modify, stop or delete it, which is what makes it useful as a tamper-resistant audit record. Organization trails can apply to all AWS Regions or to one Region.
How To Create CloudTrail In AWS Organization:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
- An AWS Organization with multiple member accounts. You can use the link below to create your first AWS Organization.
https://cloudaffaire.com/how-to-manage-aws-organization-using-api/
Step 1: Check if CloudTrail is enabled as a trusted service in your organization

```bash
## Get all the trusted services currently enabled in your organization
aws organizations list-aws-service-access-for-organization \
  --profile management
```
Step 2: Enable CloudTrail as a trusted service in your AWS organization (if not enabled already)

```bash
## If CloudTrail is not enabled already
## Enable a trusted service (CloudTrail)
aws organizations enable-aws-service-access \
  --service-principal cloudtrail.amazonaws.com \
  --profile management

## Get all the trusted services currently enabled in your organization
aws organizations list-aws-service-access-for-organization \
  --profile management
```
Step 3: Create an S3 bucket in your organization management account with the required bucket policy.

```bash
## Create an S3 bucket to store CloudTrail logs (in the organization management account)
aws s3api create-bucket \
  --bucket s3-for-org-cloudtrail-logs \
  --region ap-south-1 \
  --create-bucket-configuration LocationConstraint=ap-south-1 \
  --profile management

## Create a bucket policy definition file
cat <<'EOF'> bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-for-org-cloudtrail-logs"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-for-org-cloudtrail-logs/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
EOF

## Attach the bucket policy so the CloudTrail service can write to the bucket
aws s3api put-bucket-policy \
  --bucket s3-for-org-cloudtrail-logs \
  --policy file://bucket_policy.json \
  --profile management
```

Note that this policy is the minimum CloudTrail needs: it allows the CloudTrail service principal to write anywhere in the bucket and does not say which trail the writes must come from, so a trail in any other AWS account that points at this bucket name could deliver objects into it. For a bucket that is meant to be the organization's audit record, restrict the `Resource` to the prefixes the organization trail actually writes and add an `aws:SourceArn` condition naming the trail.
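The hardened variant of the bucket policy, as an added example that is not part of the original post: a shell function renders the policy from the bucket name, management account ID, organization ID, home Region and trail name (all assumed values here), scoping `s3:PutObject` to the two prefixes an organization trail writes and pinning both statements to the trail's ARN with `aws:SourceArn`; a second function applies it with the AWS CLI and turns on S3 Block Public Access for the log bucket.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Names, IDs and the profile are assumptions.
set -eu

# render_org_trail_policy BUCKET MGMT_ACCOUNT_ID ORG_ID REGION TRAIL_NAME
# Prints a bucket policy that, compared with the one in Step 3:
#   - limits PutObject to AWSLogs/<management-account-id>/* and AWSLogs/<org-id>/*,
#     the two prefixes an organization trail delivers to
#   - pins the ACL check and the write to this trail's ARN via aws:SourceArn, so a
#     trail in some other account cannot push objects into this bucket
#   - denies any access over plain HTTP
render_org_trail_policy() {
  local bucket=$1 account=$2 org=$3 region=$4 trail=$5
  local trail_arn="arn:aws:cloudtrail:${region}:${account}:trail/${trail}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": {"StringEquals": {"aws:SourceArn": "${trail_arn}"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::${bucket}/AWSLogs/${account}/*",
        "arn:aws:s3:::${bucket}/AWSLogs/${org}/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "${trail_arn}"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${bucket}",
        "arn:aws:s3:::${bucket}/*"
      ],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
EOF
}

# apply_org_trail_policy BUCKET MGMT_ACCOUNT_ID ORG_ID REGION TRAIL_NAME PROFILE
# Renders the policy to a temp file, applies it, and blocks public access on the
# bucket. Needs credentials and network access, so it is not exercised offline.
apply_org_trail_policy() {
  local bucket=$1 profile=$6 tmp
  tmp=$(mktemp)
  render_org_trail_policy "$1" "$2" "$3" "$4" "$5" > "$tmp"
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$tmp" --profile "$profile"
  aws s3api put-public-access-block --bucket "$bucket" --profile "$profile" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  rm -f "$tmp"
}

# Render only (assumed values), so the policy can be reviewed before it is applied:
# render_org_trail_policy s3-for-org-cloudtrail-logs 111111111111 o-exampleorgid ap-south-1 OrgTrail
```

The trail ARN uses the trail's home Region, which for the trail created in Step 4 is `ap-south-1`. Apply the policy before `create-trail`, because CloudTrail performs the `GetBucketAcl` check and a test write when the trail is created.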
Step 4: Create an organization trail using the AWS CLI

```bash
## Create a new organization trail (run from the management account)
aws cloudtrail create-trail \
  --name OrgTrail \
  --s3-bucket-name s3-for-org-cloudtrail-logs \
  --include-global-service-events \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --is-organization-trail \
  --profile management \
  --region ap-south-1

## Get trail details
aws cloudtrail describe-trails \
  --profile management \
  --region ap-south-1

## Get trail status
aws cloudtrail get-trail-status \
  --name OrgTrail \
  --profile management \
  --region ap-south-1
```
Observe that although we have created the trail at the organization level, logging has not started yet (`IsLogging` is `false` in the trail status). Next, we will enable logging for the trail.
Step 5: Enable logging for your organization trail.

```bash
## Start logging for the trail
aws cloudtrail start-logging \
  --name OrgTrail \
  --profile management \
  --region ap-south-1

## Get trail status
aws cloudtrail get-trail-status \
  --name OrgTrail \
  --profile management \
  --region ap-south-1

## Get the directory structure of your organization CloudTrail logs
aws s3api list-objects \
  --bucket s3-for-org-cloudtrail-logs \
  --prefix "AWSLogs/" \
  --profile management \
  --region ap-south-1
```
Observe that for an organization trail, CloudTrail stores each account's logs under a prefix that includes the organization ID, one sub-prefix per account:

<your_s3_bucket>/AWSLogs/<your_organization_id>/<management|member_account_id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/

With log file validation enabled, the digest files for each account are delivered alongside under the `CloudTrail-Digest/` sub-prefix.
Step 6: View your organization CloudTrail logs

```bash
## Get the management and member account IDs and the organization ID
ORGANIZATION_ACCOUNT_ID=$(aws sts get-caller-identity --profile management | jq -r .Account)
MEMBER1_ACCOUNT_ID=$(aws sts get-caller-identity --profile member1 | jq -r .Account)
MEMBER2_ACCOUNT_ID=$(aws sts get-caller-identity --profile member2 | jq -r .Account)
ORG_ID=$(aws organizations describe-organization --profile management | jq -r .Organization.Id)
echo $ORGANIZATION_ACCOUNT_ID $MEMBER1_ACCOUNT_ID $MEMBER2_ACCOUNT_ID $ORG_ID

## Get CloudTrail logs for the management account
aws s3api list-objects \
  --bucket s3-for-org-cloudtrail-logs \
  --prefix "AWSLogs/$ORG_ID/$ORGANIZATION_ACCOUNT_ID/" \
  --profile management \
  --region ap-south-1

## Get CloudTrail logs for the member1 account
aws s3api list-objects \
  --bucket s3-for-org-cloudtrail-logs \
  --prefix "AWSLogs/$ORG_ID/$MEMBER1_ACCOUNT_ID/" \
  --profile management \
  --region ap-south-1

## Get CloudTrail logs for the member2 account
aws s3api list-objects \
  --bucket s3-for-org-cloudtrail-logs \
  --prefix "AWSLogs/$ORG_ID/$MEMBER2_ACCOUNT_ID/" \
  --profile management \
  --region ap-south-1

## CloudTrail typically delivers logs within an average of about 15
## minutes of an API call. This time is not guaranteed.
```
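Listing the prefixes by hand, as above, does not scale past a few accounts, and the question a practitioner actually wants answered is the inverse one: which accounts in the organization have delivered nothing to the bucket? The following is an added example, not from the original post, that derives the set of accounts with delivered logs from the object keys and reports the accounts from a given list that are absent. The `fetch_*` helpers wrap the AWS CLI and need credentials; the checks themselves work on plain text, so they are shown running on constructed sample keys (the organization ID and account IDs are made up).

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Org ID, account IDs and profile are assumptions.
set -eu

# accounts_with_logs ORG_ID   (object keys on stdin, one per line)
# Prints the unique account IDs that appear as AWSLogs/<ORG_ID>/<account>/...
accounts_with_logs() {
  awk -F/ -v org="$1" '$1 == "AWSLogs" && $2 == org && $3 != "" { print $3 }' | sort -u
}

# missing_accounts ORG_ID ACCOUNT_ID...   (object keys on stdin)
# Prints each ID from the argument list that has no object under the org prefix.
missing_accounts() {
  local org seen id
  org=$1
  shift
  seen=$(accounts_with_logs "$org")
  for id in "$@"; do
    if ! printf '%s\n' "$seen" | grep -qx -- "$id"; then
      echo "$id"
    fi
  done
}

# fetch_log_keys BUCKET ORG_ID PROFILE
# All object keys under AWSLogs/<ORG_ID>/ (the CLI paginates list-objects-v2 for us).
fetch_log_keys() {
  aws s3api list-objects-v2 --bucket "$1" --prefix "AWSLogs/$2/" \
    --query 'Contents[].Key' --output text --profile "$3" | tr '\t' '\n'
}

# fetch_org_accounts PROFILE
# Every ACTIVE account ID in the organization, as seen from the management account.
fetch_org_accounts() {
  aws organizations list-accounts --profile "$1" \
    --query "Accounts[?Status=='ACTIVE'].Id" --output text
}

# Live run (assumed names; not exercised offline):
#   fetch_log_keys s3-for-org-cloudtrail-logs o-exampleorgid management \
#     | missing_accounts o-exampleorgid $(fetch_org_accounts management)

# Constructed sample keys (not real data): two accounts have delivered log and
# digest files; a third account, 333333333333, has delivered nothing.
SAMPLE_KEYS='AWSLogs/o-exampleorgid/111111111111/CloudTrail/ap-south-1/2023/01/01/111111111111_CloudTrail_ap-south-1_20230101T0000Z_a.json.gz
AWSLogs/o-exampleorgid/222222222222/CloudTrail/ap-south-1/2023/01/01/222222222222_CloudTrail_ap-south-1_20230101T0000Z_b.json.gz
AWSLogs/o-exampleorgid/222222222222/CloudTrail-Digest/ap-south-1/2023/01/01/222222222222_CloudTrail-Digest_ap-south-1_20230101T000000Z.json.gz'

# Prints 333333333333, the account with no delivered objects.
printf '%s\n' "$SAMPLE_KEYS" \
  | missing_accounts o-exampleorgid 111111111111 222222222222 333333333333
```

An account that never shows up here is worth investigating rather than ignoring: the most common causes are a freshly invited account that has not yet produced events, and an account whose logs are being blocked by a service control policy or by the bucket policy, both of which would silently leave a gap in the organization's audit record. Since member accounts cannot stop the organization trail, a gap for an established account is a signal, not noise.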
We have successfully created a trail in our organization and enabled CloudTrail logging for all the member accounts in the organization. Next, we will delete all the resources created in this blog.
Step 7: Clean-up

```bash
## Stop logging for your trail
aws cloudtrail stop-logging \
  --name OrgTrail \
  --profile management \
  --region ap-south-1

## Get trail status
aws cloudtrail get-trail-status \
  --name OrgTrail \
  --profile management \
  --region ap-south-1

## Delete the trail
aws cloudtrail delete-trail \
  --name OrgTrail \
  --profile management \
  --region ap-south-1

## Disable the trusted service (CloudTrail) in the organization
aws organizations disable-aws-service-access \
  --service-principal cloudtrail.amazonaws.com \
  --profile management

## Delete the S3 bucket together with its objects (the CloudTrail logs)
aws s3 rb \
  s3://s3-for-org-cloudtrail-logs --force \
  --profile management
```

Keep the order above: delete the organization trail before disabling trusted access for CloudTrail, and only then remove the bucket. `aws s3 rb --force` permanently deletes every delivered log file, which is fine for a lab but is exactly what a real audit bucket should be protected against, so in production the log bucket and its objects stay.
Hope you have enjoyed this article. To know more about AWS CloudTrail, please refer to the official documentation below:
https://docs.aws.amazon.com/cloudtrail/index.html