Getting Started with Cross-Account CloudTrail Logging
Jun 17, 2024Introduction
Cross-account CloudTrail logging is an effective way to centralize and secure your AWS account logs by storing them in a separate AWS account. This ensures that the logs are isolated from the source account, enhancing security and manageability. In this post, we'll cover two approaches to set up cross-account CloudTrail logging: using AWS Organizations and without using AWS Organizations.
What You Need
To get started, you need two AWS accounts:
- Log Account: Where logs will be stored.
- Logger Account: Where logs will be sent from.
Approach 1: Using AWS Organizations
AWS Organizations allows you to manage multiple AWS accounts centrally. By enabling CloudTrail across accounts, you can simplify the setup process.
Steps:
- Enable AWS Organizations: Ensure your accounts are part of an AWS Organization.
- Create a Trail in the Management Account:
- Navigate to CloudTrail in the AWS Management Console.
- Create a new trail and select "Enable for all accounts in my organization."
- Check Trails in Member Accounts: AWS automatically creates a trail in all member accounts. There’s no need to modify the bucket policy.
Benefits:
- Simplifies setup by automatically creating trails in member accounts.
- Centralizes log management.
- No need to manually update bucket policies.
Considerations:
- Additional charges may apply if member accounts already have trails (only the first trail within a region is free).
Approach 2: Without Using AWS Organizations
This approach involves manually setting up cross-account logging without the automation provided by AWS Organizations.
Steps:
-
Configure the Log Account:
- Create a CloudTrail trail.
- Set up an S3 bucket to store the logs.
-
Modify the Bucket Policy:
- Update the S3 bucket policy to allow the CloudTrail service and specific IAM roles from both accounts to write logs.
Example bucket policy snippet:
-
Configure the Logger Account:
- Create a CloudTrail trail.
- Specify the S3 bucket from the log account as the storage location.
- Verify the Logs:
- Log in to the log account.
- Check that the logs from the logger account are being correctly stored in the specified S3 bucket.
Benefits:
- Full control over the setup process.
- Enhanced security by isolating logs in a different account.
Considerations:
- Requires manual configuration and policy updates.
- Slightly more complex setup compared to using AWS Organizations.
Conclusion
Cross-account CloudTrail logging is a powerful way to enhance the security and manageability of your AWS logs. Whether you choose to use AWS Organizations for a simplified setup or manually configure the logging, both approaches offer robust solutions for centralizing your log storage. By following these steps, you can ensure your logs are secure and easily accessible for auditing and monitoring purposes.
Stay connected with news and updates!
Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.
We hate SPAM. We will never sell your information, for any reason.