AWS Centralise CloudTrail Logs of Multiple Accounts, Multiple Regions | Governance & Compliance

  • When you have multiple AWS accounts, it is good security practice to direct all CloudTrail logs to a single central account.
  • In the central account, create an S3 bucket to hold the logs.
  • Put a bucket policy in place that allows CloudTrail, on behalf of each of the other accounts, to add objects to the central S3 bucket.
  • This is the procedure for using a central CloudTrail S3 bucket for multiple AWS accounts.

Step 1) Let’s assume that your central account is called Centralised Account for logs.

First create a bucket that will hold all of the CloudTrail log files.
Click on AWS Services -> select -> S3

Step 2) Go to the bucket and add a bucket policy

Open your bucket -> click on Permissions -> Edit Bucket Policy -> copy and paste the policy below, replacing BucketName, FirstAccountId and SecondAccountId with your own bucket name and account IDs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::BucketName"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::BucketName/DemoAccount1/AWSLogs/FirstAccountId/*",
                "arn:aws:s3:::BucketName/DemoAccount2/AWSLogs/SecondAccountId/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

About the bucket policy:

1. The first statement allows CloudTrail to read the bucket ACL.
2. The second statement allows CloudTrail to add objects to the centralised bucket, but only under the path belonging to each listed account ID, and only when the object is written with the bucket-owner-full-control ACL.
3. You have to create the folders (DemoAccount2 and AWSLogs) in your bucket, because access has been granted to those particular folders only.

Step 3) Now log into the other (First/Second) account.

Modify the CloudTrail log storage location by:

  • Selecting Use existing S3 bucket
  • Selecting the trail log bucket name (the central bucket created in Step 1)

Now go to the centralised security bucket; you will see the log files of the other account.
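The following is an added example, not code from the original post. It generates the Step 2 bucket policy for any number of source accounts (the general form of the two-account policy above), then checks it the way a reviewer would before deploying: that every CloudTrail write is conditioned on bucket-owner-full-control, that each write path is limited to one account's AWSLogs folder, and that the object key a trail from Step 3 actually produces is allowed by the policy. The bucket name and account IDs are constructed sample values, and the trail prefix names (DemoAccount1, DemoAccount2) are taken from the policy on this page.

```python
import fnmatch
import json
import re

# Constructed sample values for this example (not real accounts): substitute
# your own central bucket name and the 12-digit IDs of the source accounts.
CENTRAL_BUCKET = "central-cloudtrail-logs-example"
SOURCE_ACCOUNTS = {  # trail prefix used in the source account -> its account ID
    "DemoAccount1": "111111111111",
    "DemoAccount2": "222222222222",
}
ACL_CONDITION = "bucket-owner-full-control"


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def build_bucket_policy(bucket, accounts):
    """Generate the Step 2 bucket policy for any number of source accounts.

    CloudTrail writes objects under <prefix>/AWSLogs/<account-id>/..., so each
    PutObject resource is scoped to one account's path, and the write is only
    allowed when the object is handed to the bucket owner via the ACL.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20150319",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [
                    f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account_id}/*"
                    for prefix, account_id in accounts.items()
                ],
                "Condition": {"StringEquals": {"s3:x-amz-acl": ACL_CONDITION}},
            },
        ],
    }


def expected_log_key(prefix, account_id, region):
    """Object key a trail configured with `prefix` writes (date/file name illustrative)."""
    return f"{prefix}/AWSLogs/{account_id}/CloudTrail/{region}/2024/01/01/example.json.gz"


def put_allowed(policy, bucket, key, acl=ACL_CONDITION):
    """Simplified check: does an Allow statement let CloudTrail put `key` with `acl`?

    Only the CloudTrail service principal, s3:PutObject and shell-style
    resource wildcards are evaluated, which covers this policy; it is not a
    general IAM evaluator (no Deny handling, no other condition keys).
    """
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        if stmt.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            continue
        if not any(fnmatch.fnmatchcase(arn, pat) for pat in _as_list(stmt.get("Resource"))):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if required is None or required == acl:
            return True
    return False


# A write resource is acceptable only if it ends in AWSLogs/<12-digit account>/*
SCOPED_RESOURCE = re.compile(r"arn:aws:s3:::[^/]+/(?:[^/]+/)*AWSLogs/\d{12}/\*")


def policy_issues(policy):
    """Problems to fix before deploying: missing ACL condition or over-broad write path."""
    issues = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != ACL_CONDITION:
            issues.append(f"{sid}: PutObject is not conditioned on s3:x-amz-acl={ACL_CONDITION}")
        for res in _as_list(stmt.get("Resource")):
            if not SCOPED_RESOURCE.fullmatch(res):
                issues.append(f"{sid}: resource {res} is not limited to one account's AWSLogs path")
    return issues


if __name__ == "__main__":
    policy = build_bucket_policy(CENTRAL_BUCKET, SOURCE_ACCOUNTS)
    print(json.dumps(policy, indent=4))
    print("issues:", policy_issues(policy) or "none")
    key = expected_log_key("DemoAccount1", SOURCE_ACCOUNTS["DemoAccount1"], "us-east-1")
    print("trail with prefix DemoAccount1 can write:", put_allowed(policy, CENTRAL_BUCKET, key))
```

Running the script prints the generated policy ready to paste into the bucket's permissions. The `put_allowed` check makes the Step 3 dependency visible: the trail in each source account must be configured with the same prefix (DemoAccount1, DemoAccount2) that appears in the policy, otherwise CloudTrail's writes land outside the allowed path and are refused.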

By following the tutorial above, we have centralised the CloudTrail logs of multiple accounts.

Please drop a comment if you face any issue at any point; I will try to help ASAP.

2 Comments

  • I think other web site proprietors should take this site as a model, very clean and excellent user friendly style and design, let alone the content. You are an expert in this topic! Caryl Cullan Vashtee

  • This information is worth everyone’s attention. Where can I find
    out more?