AWS Security using organization CloudTrail

Kubernetes Advocate
AVM Consulting Blog
5 min read · Jun 8, 2022

The Organization CloudTrail solution creates an Organization CloudTrail in the Organization Management Account. The trail is encrypted with a Customer Managed KMS Key that lives in the Audit Account, and its logs are delivered to an S3 bucket in the Log Archive Account. An Organization CloudTrail logs events for every AWS account in the AWS Organization, including accounts added later.

When you create an organization trail, a trail with the name you give it is created in every AWS account that belongs to your organization. Users with CloudTrail permissions in member accounts can see this trail when they open the AWS CloudTrail console from their own account, or when they run AWS CLI commands such as describe-trails. However, users in member accounts do not have sufficient permissions to delete the organization trail, turn logging on or off, change which event types are logged, or otherwise alter the organization trail in any way.

The solution default configuration deploys an Organization CloudTrail enabling only data events to avoid duplicating the existing AWS Control Tower CloudTrail, which has the management events enabled.

Deployed Resource Details

1.0 Organization Management Account

1.1 AWS CloudFormation

  • All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or a CloudFormation Stack within a specific account.
  • The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
  • For parameter details, review the AWS CloudFormation templates.

1.2 AWS Lambda Function

  • The Lambda Function contains logic for configuring the AWS Organization CloudTrail within the management account.

1.3 Lambda Execution IAM Role

  • The AWS Lambda Function Role allows the AWS Lambda service to assume the role and perform actions defined in the attached IAM policies.

1.4 Lambda CloudWatch Log Group

  • All AWS Lambda Function logs are sent to the CloudWatch Log Group /aws/lambda/<LambdaFunctionName> to help with debugging and traceability of the actions performed.
  • By default the AWS Lambda Function creates the CloudWatch Log Group with a 14-day retention, encrypted with a CloudWatch Logs service-managed encryption key.

1.5 Organization CloudTrail

  • AWS CloudTrail for all AWS Organization accounts
  • Member accounts are added automatically and cannot modify the trail
  • Data events can be disabled via the parameters
  • CloudWatch Logs can be disabled via the parameters

1.6 Organization CloudTrail CloudWatch Log Group Role

  • IAM role used to send CloudTrail logs to the CloudWatch log group

1.7 Organization CloudTrail CloudWatch Log Group

  • Contains the CloudTrail logs with a Retention (400 days)

2.0 Audit Account

The example solutions use Audit Account instead of Security Tooling Account to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the Audit Account SSM parameter is populated from the SecurityAccountId parameter within the AWSControlTowerBP-BASELINE-CONFIG stacks.

2.1 AWS CloudFormation

  • See 1.1 AWS CloudFormation

2.2 Organization CloudTrail KMS Key

  • Customer managed KMS key for the AWS Organizations CloudTrail logs and S3 server-side encryption

2.3 CloudTrail KMS Key Secret

  • AWS Secrets Manager secret containing the customer-managed KMS key ARN

3.0 Security Log Archive Account

3.1 AWS CloudFormation

  • See 1.1 AWS CloudFormation

3.2 Organization CloudTrail S3 Bucket

  • S3 bucket where the Organization CloudTrail logs are sent for all accounts in the AWS Organization

3.3 CloudTrail S3 Bucket Secret

  • AWS Secrets Manager secret containing the CloudTrail S3 bucket name

Implementation Instructions

Prerequisites

  1. Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
  2. Verify that the SRA Prerequisites Solution has been deployed.

Solution Deployment

  1. Choose a Deployment Method:
  • AWS CloudFormation
  • Customizations for AWS Control Tower
  2. To enforce object encryption within the S3 bucket using the KMS key, add the following S3 bucket policy statements to the bucket created by the solution (e.g. sra-org-trail-logs-<account_id>-<aws_region>). The sra-cloudtrail-org-bucket.yaml template has these statements commented out; they can be enabled after the CloudTrail has been created.

    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::sra-org-trail-logs-<log_archive_account_id>-<region>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyWrongKMSKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::sra-org-trail-logs-<log_archive_account_id>-<region>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "<bucket_encryption_key_arn>"
        }
      }
    }
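To see why these two Deny statements are both needed, the following added example (not code from this post or from the AWS SRA templates) builds them for a hypothetical bucket and key ARN and evaluates the SSE request headers of a PutObject call against them the way IAM evaluates StringNotEquals: a condition key that is absent from the request makes a negated operator evaluate to true, so an upload with no encryption header at all is denied rather than slipping through. Principal and Resource are wildcards for the whole bucket and are not modelled; only the condition logic is.

```python
"""Evaluate the CloudTrail bucket's encryption Deny statements offline.

Added example, not code from the blog post or the AWS SRA project.
Bucket name and key ARN are hypothetical.
"""
import json

BUCKET = "sra-org-trail-logs-222222222222-us-east-1"  # hypothetical Log Archive bucket
KEY_ARN = ("arn:aws:kms:us-east-1:333333333333:key/"
           "11111111-2222-3333-4444-555555555555")    # hypothetical Audit account key

# Request headers S3 exposes to the bucket policy as condition keys.
HEADER_TO_CONDITION_KEY = {
    "x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
    "x-amz-server-side-encryption-aws-kms-key-id":
        "s3:x-amz-server-side-encryption-aws-kms-key-id",
}


def encryption_statements(bucket, key_arn):
    """The two Deny statements from the post, for a given bucket and key ARN."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return [
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKMSKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
    ]


def bucket_policy_json(bucket, key_arn):
    """Serialise the statements as a policy document fragment ready to merge."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": encryption_statements(bucket, key_arn)}, indent=2)


def string_not_equals(context, expected):
    """IAM semantics: a key missing from the request context makes a negated
    operator match, so the Deny applies. Multiple keys are ANDed."""
    return all(context.get(key) != value for key, value in expected.items())


def evaluate_put_object(statements, headers):
    """Return the Sid of the first Deny that matches the request headers,
    or None if the upload is not blocked by these statements."""
    context = {HEADER_TO_CONDITION_KEY[h]: v
               for h, v in headers.items() if h in HEADER_TO_CONDITION_KEY}
    for statement in statements:
        if statement["Effect"] != "Deny" or statement["Action"] != "s3:PutObject":
            continue
        (operator, expected), = statement["Condition"].items()
        if operator == "StringNotEquals" and string_not_equals(context, expected):
            return statement["Sid"]
    return None


if __name__ == "__main__":
    statements = encryption_statements(BUCKET, KEY_ARN)
    cases = {
        "no SSE header": {},
        "SSE-S3": {"x-amz-server-side-encryption": "AES256"},
        "SSE-KMS, other key": {"x-amz-server-side-encryption": "aws:kms",
                               "x-amz-server-side-encryption-aws-kms-key-id":
                                   "arn:aws:kms:us-east-1:444444444444:key/other"},
        "SSE-KMS, trail key": {"x-amz-server-side-encryption": "aws:kms",
                               "x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN},
    }
    for label, headers in cases.items():
        print(f"{label:>20}: {evaluate_put_object(statements, headers) or 'allowed'}")
```

CloudTrail delivers log files with both headers set to the trail's KMS key, so a trail configured with the Audit account key passes; anything else writing to the bucket without SSE-KMS and that exact key ARN is refused. Note that the key ARN in the condition must be the full ARN of the key the trail uses, not an alias, and that bucket default encryption does not satisfy these statements because the condition keys reflect the request headers, not the bucket setting.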

AWS CloudFormation

In the management account (home region), launch an AWS CloudFormation Stack using one of the options below:

  • Option 1: (Recommended) Use the sra-cloudtrail-org-main-ssm.yaml template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.

    aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main-ssm.yaml --stack-name sra-cloudtrail-org-main-ssm --capabilities CAPABILITY_NAMED_IAM

  • Option 2: Use the sra-cloudtrail-org-main.yaml template. Input is required for the CloudFormation parameters where no default is set.

    aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-main.yaml --stack-name sra-cloudtrail-org-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAuditAccountId=<AUDIT_ACCOUNT_ID> pLogArchiveAccountId=<LOG_ARCHIVE_ACCOUNT_ID> pOrganizationId=<ORGANIZATION_ID> pSRAStagingS3BucketName=<SRA_STAGING_S3_BUCKET_NAME>

Verify Solution Deployment

  1. Log into the management account and navigate to the CloudTrail page
  2. Select Trails and select the sra-cloudtrail-org trail
  3. Verify that the configuration matches the design: the trail is an organization trail and multi-region, logging is on, log file validation is enabled, the S3 bucket is the one in the Log Archive account, the KMS key is the Audit account's customer managed key, and the event selectors record data events only (unless you changed the parameters), so management events are not duplicated from the Control Tower trail
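Clicking through the console is fine once, but the same checks are worth scripting so they can be re-run after every change. The following is an added example, not code from this post or from the AWS SRA project. It takes the dictionaries returned by `aws cloudtrail get-trail --name sra-cloudtrail-org` (the "Trail" object), `aws cloudtrail get-trail-status` and `aws cloudtrail get-event-selectors` (the "EventSelectors" list, so it assumes basic rather than advanced event selectors), run in the management account, and reports every deviation from the setup described above. The sample responses, account IDs and ARNs embedded below are constructed for the example.

```python
"""Offline configuration checks for the SRA Organization CloudTrail.

Added example, not code from the blog post or the AWS SRA project.
The account IDs, ARNs and API responses below are constructed samples.
"""

LOG_ARCHIVE_ACCOUNT_ID = "222222222222"   # hypothetical
AUDIT_ACCOUNT_ID = "333333333333"         # hypothetical

# Constructed sample of what get-trail / get-trail-status / get-event-selectors return
# for a correctly deployed trail.
TRAIL_OK = {
    "Name": "sra-cloudtrail-org",
    "S3BucketName": f"sra-org-trail-logs-{LOG_ARCHIVE_ACCOUNT_ID}-us-east-1",
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": f"arn:aws:kms:us-east-1:{AUDIT_ACCOUNT_ID}:key/"
                "11111111-2222-3333-4444-555555555555",
    "CloudWatchLogsLogGroupArn":
        "arn:aws:logs:us-east-1:111111111111:log-group:sra-cloudtrail-org-logs:*",
}
STATUS_OK = {"IsLogging": True}
SELECTORS_OK = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": False,   # Control Tower's trail already records these
    "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]},
        {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},
    ],
}]

# Constructed sample of a drifted trail: org flag off, no KMS key, logging stopped,
# management events on and no data events, as a member of a drift-detection test.
TRAIL_BAD = dict(TRAIL_OK, IsOrganizationTrail=False, KmsKeyId="")
STATUS_BAD = {"IsLogging": False}
SELECTORS_BAD = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                  "DataResources": []}]


def audit_org_trail(trail, status, selectors, log_archive_account_id, audit_account_id):
    """Return a list of findings; an empty list means the trail matches the design."""
    findings = []
    if not trail.get("IsOrganizationTrail"):
        findings.append("not an organization trail: member accounts are not covered")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: API activity in other regions is not recorded")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled: no digest files to prove log integrity")

    kms_key = trail.get("KmsKeyId", "")
    if not kms_key:
        findings.append("no KMS key: logs are not encrypted with the Audit account's CMK")
    elif not kms_key.startswith("arn:") or kms_key.split(":")[4] != audit_account_id:
        # get-trail returns the key as a full ARN; the fifth field is the owning account.
        findings.append(f"KMS key not owned by the Audit account {audit_account_id}: {kms_key}")

    bucket = trail.get("S3BucketName", "")
    if not bucket.startswith(f"sra-org-trail-logs-{log_archive_account_id}-"):
        # Name-based heuristic following the solution's bucket naming convention.
        findings.append(f"S3 bucket {bucket!r} is not the solution's Log Archive bucket")

    # The API default for IncludeManagementEvents is True, hence the .get default.
    if any(sel.get("IncludeManagementEvents", True) for sel in selectors):
        findings.append("management events enabled: duplicates the Control Tower CloudTrail")
    if not any(sel.get("DataResources") for sel in selectors):
        findings.append("no data event selectors: this trail records nothing")
    return findings


if __name__ == "__main__":
    for label, args in (("good", (TRAIL_OK, STATUS_OK, SELECTORS_OK)),
                        ("bad", (TRAIL_BAD, STATUS_BAD, SELECTORS_BAD))):
        findings = audit_org_trail(*args, LOG_ARCHIVE_ACCOUNT_ID, AUDIT_ACCOUNT_ID)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

To run it against a live deployment, replace the constructed dictionaries with the output of the three CLI calls named above (for example via `json.load` on their saved output) and pass the real Audit and Log Archive account IDs. If the trail was created with advanced event selectors, get-event-selectors returns an AdvancedEventSelectors list instead and the selector checks need adapting.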

Solution Delete Instructions

  1. In the management account (home region), delete the AWS CloudFormation Stack (sra-cloudtrail-org-main-ssm or sra-cloudtrail-org-main) created above.
  2. In the management account (home region), delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed.
  3. In the log archive account (home region), delete the S3 bucket (e.g. sra-org-trail-logs-<account_id>-<aws_region>) created by the solution.

Vineet Sharma, Founder and CEO of Kubernetes Advocate. Tech author, cloud-native architect, and startup advisor. https://in.linkedin.com/in/vineet-sharma-0164