INTERSTELLAR TECH BLOG

How to aggregate CloudTrail logs from multiple accounts into an auditing account without Organization

Hi, I’m Agata.

Sorry for the long title.
This time I’d like to talk about AWS CloudTrail.

CloudTrail is an auditing mechanism in AWS that is designed to record activities on AWS. If you have multiple accounts, it is recommended as a best practice to create an audit account and aggregate CloudTrail logs into that account.
Under normal circumstances, it is very easy to set up CloudTrail by setting up an Organization, placing multiple accounts under the Organization, and setting up CloudTrail from the Organization’s administrative account.

However, I will try to set it up without depending on Organization.
Therefore, the target readers are only those who have multiple AWS accounts but are not managing them with Organizations (because, for whatever reason, they cannot).

The specific settings are based on the following AWS help.

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

However, the documentation for each task was scattered and tedious to read, and some of the content was outdated, so I summarized it below.

0. Prerequisite

As in the AWS help above, we will assume that you have the following AWS accounts. (The help shows four accounts, but except for the audit account, the rest are the same and redundant, so I’ll just use the following two)

  • 111111111111 : Audit account to aggregate CloudTrail logs
  • 222222222222 : Account to output CloudTrail logs

1. Creating a trail

Enable CloudTrail on the AWS account for auditing and create a trail.
You can use existing S3 buckets, KMS keys, etc., but we will create all new ones.

  1. Open “CloudTrail” in the Management Console.
  2. Select “Trails” from the menu on the left, and click the “Create Trail” button.
  3. In “Choose trail attributes”, configure the following settings. (Other than these, the default settings are fine.)
    • Trail name : Any
    • Storage location : Select Create new S3 bucket
    • Trail log bucket and folder : Any
    • Customer managed AWS KMS key : Select New
    • AWS KMS alias : Any
  4. Click Next
  5. Leave “Choose log events” as default and click Next
  6. After reviewing the contents in “Review and create”, click “Create trail” to create the trail.

2. Configure S3 bucket policy

Set up the S3 bucket of the AWS account for auditing so that it can receive log files from multiple accounts.

  1. Open “S3” in the Management Console.
  2. From the list of Buckets, click on the S3 bucket you created in step 1.
  3. Click “Permissions” from the tab at the top
  4. Click on “Edit” in the “Bucket policy”, and edit the JSON below, replacing the bucket name, log file prefix, region, trail name and account IDs with your own (the original post highlights these values in red).
    • If you created the S3 bucket on the CloudTrail creation screen, the statement with “Sid”: “AWSCloudTrailWrite…” will already be present.
    • Copy this statement and add the same settings for 222222222222.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AWSCloudTrailAclCheck20150319",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": "s3:GetBucketAcl",
			"Resource": "arn:aws:s3:::myBucketName"
		},
		{
			"Sid": "AWSCloudTrailWrite-111111111111",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::myBucketName/optionalLogFilePrefix/AWSLogs/111111111111/*",
			"Condition": {
				"StringEquals": {
					"s3:x-amz-acl": "bucket-owner-full-control",
					"AWS:SourceArn": "arn:aws:cloudtrail:region:111111111111:trail/trailName"
				}
			}
		},
		{
			"Sid": "AWSCloudTrailWrite-interstellar-test",
			"Effect": "Allow",
			"Principal": {
				"Service": "cloudtrail.amazonaws.com"
			},
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::myBucketName/optionalLogFilePrefix/AWSLogs/222222222222/*",
			"Condition": {
				"StringEquals": {
					"s3:x-amz-acl": "bucket-owner-full-control",
					"AWS:SourceArn": "arn:aws:cloudtrail:region:222222222222:trail/trailName"
				}
			}
		}
	]
}
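The policy above is one instance of a general pattern: one GetBucketAcl statement plus one PutObject statement per account, each scoped to that account’s AWSLogs/ prefix and tied by AWS:SourceArn to a trail in the same account. The following Python is an added example, not code from the original post or from AWS: it generates that policy for any number of source accounts and then checks an existing policy the way I would before trusting it, namely that every PutObject grant requires the bucket-owner-full-control ACL and that the account in the Resource path matches the account in AWS:SourceArn (a mismatch means a trail in one account could write into another account’s folder). Bucket name, prefix, region, trail name and the 333333333333 account are placeholders I made up.

```python
import json

# Constructed placeholders (not values from the post): the audit account
# from the post plus two hypothetical source accounts.
AUDIT_ACCOUNT = "111111111111"
SOURCE_ACCOUNTS = ["222222222222", "333333333333"]


def write_statement(bucket, prefix, region, trail_name, account):
    """One PutObject statement scoped to a single account's log path.

    The Resource restricts the writable key prefix to that account's
    AWSLogs folder, and AWS:SourceArn ties the grant to the named trail in
    that same account, so a trail elsewhere cannot reuse it."""
    key_prefix = f"{prefix}/" if prefix else ""
    return {
        "Sid": f"AWSCloudTrailWrite-{account}",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account}/*",
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "AWS:SourceArn": f"arn:aws:cloudtrail:{region}:{account}:trail/{trail_name}",
            }
        },
    }


def build_bucket_policy(bucket, prefix, region, trail_name, audit_account, source_accounts):
    """Bucket policy with the ACL check plus one write grant per account."""
    statements = [{
        "Sid": "AWSCloudTrailAclCheck20150319",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:GetBucketAcl",
        "Resource": f"arn:aws:s3:::{bucket}",
    }]
    for account in [audit_account, *source_accounts]:
        statements.append(write_statement(bucket, prefix, region, trail_name, account))
    return {"Version": "2012-10-17", "Statement": statements}


def accounts_allowed_to_write(policy):
    """Return (accounts with a correctly scoped write grant, Sids of grants
    that are mis-scoped).

    A grant counts only if it requires the bucket-owner-full-control ACL
    and its AWS:SourceArn names a trail in the same account as the
    AWSLogs/<account>/ path in the Resource."""
    ok, mismatched = set(), []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") != "Allow" or "s3:PutObject" not in actions:
            continue
        if st.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        parts = st["Resource"].split("/AWSLogs/")
        if len(parts) != 2:
            continue
        resource_account = parts[1].split("/")[0]
        source_arn = cond.get("AWS:SourceArn", "")
        # arn:aws:cloudtrail:<region>:<account>:trail/<name> -> field 4 is the account
        source_account = source_arn.split(":")[4] if source_arn.count(":") >= 5 else ""
        if (cond.get("s3:x-amz-acl") == "bucket-owner-full-control"
                and source_account == resource_account):
            ok.add(resource_account)
        else:
            mismatched.append(st.get("Sid"))
    return ok, mismatched


if __name__ == "__main__":
    policy = build_bucket_policy("myBucketName", "optionalLogFilePrefix",
                                 "ap-northeast-1", "trailName",
                                 AUDIT_ACCOUNT, SOURCE_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print(accounts_allowed_to_write(policy))
```

Running the script prints the generated policy (ready to paste into the bucket policy editor) and the set of accounts it lets write; feeding the checker a policy exported from an existing bucket is a quick way to answer “which accounts can currently push logs here?” when a trail in a new account fails to deliver.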

3. Configure KMS key policy

Edit the key policy of the KMS key you created so that it can be accessed by other accounts.

  1. Open “Key Management Service” in the Management Console.
  2. Click the KMS key you created from the list of KMS keys.
  3. Click on “Edit” in the “Key policy” and edit the JSON as shown below.
{
    "Version": "2012-10-17",
    "Id": "Key policy created by CloudTrail",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": [
                        "arn:aws:cloudtrail:region:111111111111:trail/trailName",
                        "arn:aws:cloudtrail:region:222222222222:trail/trailName"
                    ]
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": [
                        "arn:aws:cloudtrail:*:111111111111:trail/*",
                        "arn:aws:cloudtrail:*:222222222222:trail/*"
                    ]
                }
            }
        },
        {
            "Sid": "Allow CloudTrail to describe key",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:DescribeKey",
            "Resource": "*"
        },
        {
            "Sid": "Allow principals in the account to decrypt log files",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "111111111111"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            }
        },
        {
            "Sid": "Allow alias creation during setup",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "kms:CreateAlias",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "111111111111",
                    "kms:ViaService": "ec2.ap-northeast-1.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Enable cross account log decryption",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:ReEncryptFrom"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "111111111111"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
                }
            }
        }
    ]
}
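Two things in the key policy are worth checking mechanically rather than by eye: that the CloudTrail encrypt statement names each account in both of its conditions (AWS:SourceArn and the encryption-context pattern; one without the other and that account’s trail cannot encrypt), and that the Decrypt grants with the wide-open “AWS”: “*” principal are always narrowed by kms:CallerAccount. The Python below is an added example, not code from the original post or from AWS; it runs those checks over a trimmed copy of the policy above (placeholder region and trail name) and also reports statements that are duplicates of one another. Note that the last two statements of the policy above are identical apart from their Sid, so the second one grants nothing extra; the duplicate check surfaces exactly that.

```python
import json

# Constructed, trimmed-down copy of the key policy shown in the post
# (placeholder region/trail name; only the statements the checks look at).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"AWS:SourceArn": [
                    "arn:aws:cloudtrail:region:111111111111:trail/trailName",
                    "arn:aws:cloudtrail:region:222222222222:trail/trailName",
                ]},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": [
                    "arn:aws:cloudtrail:*:111111111111:trail/*",
                    "arn:aws:cloudtrail:*:222222222222:trail/*",
                ]},
            },
        },
        {
            "Sid": "Allow principals in the account to decrypt log files",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:CallerAccount": "111111111111"},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                               "arn:aws:cloudtrail:*:111111111111:trail/*"},
            },
        },
        {
            "Sid": "Enable cross account log decryption",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"kms:CallerAccount": "111111111111"},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                               "arn:aws:cloudtrail:*:111111111111:trail/*"},
            },
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _account(arn):
    # arn:aws:cloudtrail:<region>:<account>:trail/<name> -> field 4
    return arn.split(":")[4]


def accounts_allowed_to_encrypt(policy):
    """(accounts named in BOTH conditions of the CloudTrail encrypt
    statement, accounts named in only one of them)."""
    allowed, partial = set(), set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal", {}).get("Service") != "cloudtrail.amazonaws.com":
            continue
        if not any(a.startswith("kms:GenerateDataKey") for a in _as_list(st["Action"])):
            continue
        cond = st.get("Condition", {})
        src = {_account(a) for a in _as_list(cond.get("StringEquals", {}).get("AWS:SourceArn", []))}
        ctx = {_account(a) for a in _as_list(
            cond.get("StringLike", {}).get("kms:EncryptionContext:aws:cloudtrail:arn", []))}
        allowed |= src & ctx
        partial |= src ^ ctx
    return allowed, partial


def accounts_allowed_to_decrypt(policy):
    """(caller accounts granted kms:Decrypt under a kms:CallerAccount
    condition, Sids of Decrypt grants with no such condition).
    Wildcard actions such as kms:* are not expanded here."""
    scoped, unscoped = set(), []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "kms:Decrypt" not in _as_list(st["Action"]):
            continue
        callers = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("kms:CallerAccount", []))
        if callers:
            scoped |= set(callers)
        else:
            unscoped.append(st.get("Sid"))
    return scoped, unscoped


def duplicate_statements(policy):
    """Pairs of Sids whose statements are identical apart from the Sid."""
    seen, dups = {}, []
    for st in policy["Statement"]:
        body = json.dumps({k: v for k, v in st.items() if k != "Sid"}, sort_keys=True)
        if body in seen:
            dups.append((seen[body], st.get("Sid")))
        else:
            seen[body] = st.get("Sid")
    return dups


if __name__ == "__main__":
    print("encrypt:", accounts_allowed_to_encrypt(KEY_POLICY))
    print("decrypt:", accounts_allowed_to_decrypt(KEY_POLICY))
    print("duplicates:", duplicate_statements(KEY_POLICY))
```

Replace KEY_POLICY with the output of `aws kms get-key-policy` for your own key and the same three calls tell you which accounts can actually encrypt and decrypt with it; an account that shows up under “partial” is the usual cause of a trail in the second account being created successfully but never delivering logs.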

4. Enable CloudTrail for additional accounts

Create a trail in account 222222222222 as in step 1, but configure it as follows.

  • For “Storage location”, select Use existing S3 bucket.
  • For “Trail log bucket name”, specify the S3 bucket name you created in step 1.
  • For “Customer managed AWS KMS key”, select existing.
  • For “AWS KMS alias”, enter the key ARN, alias ARN, or key ID of the KMS key created in step 1.

This completes the configuration.

After a while, the CloudTrail logs will start to be recorded in the S3 bucket you created.
If it does not log properly, check the S3 bucket’s policy.