aws-deployment-framework
Move CloudTrail Creation into Custom Resource
When setting up ADF, the CloudTrail creation process should be automated via a custom resource that checks for an existing cross-region trail; if it exists, continue, else create it. There should be no need to manually create a trail for the moveAccount event to trigger the ADF bootstrap step function.
This also opens up the chicken-and-egg question here in that we want to send those CloudTrail logs to a logging account (ideally) and that we should actually either create the logging account as a first step in the complete ADF setup and have that bootstrap first, or retroactively update the CloudTrail that is created in the master account initially to point to the logging account after the logging account and logging bucket have been created and bootstrapped with its Bucket/ES cluster etc.
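As an added illustration of the "check for an existing multi-region trail, else create it" custom resource described above (example code, not ADF's own implementation): the CloudTrail client is passed in so the decision logic can be exercised with a fake client, Delete deliberately retains the trail rather than removing it, and the trail name "adf-org-trail" and the property names TrailName/BucketName are assumptions.

```python
"""Idempotent 'ensure a multi-region CloudTrail exists' logic for a
CloudFormation custom resource. Added example; not code from ADF.
Assumptions: resource properties TrailName (optional) and BucketName,
and a default trail name of 'adf-org-trail'."""
import json
import urllib.request

DEFAULT_TRAIL_NAME = "adf-org-trail"  # hypothetical default, not an ADF name


def find_multi_region_trail(cloudtrail):
    """Return the first multi-region trail visible from this account, or None.
    includeShadowTrails=True also lists trails whose home region is elsewhere,
    which is what makes a cross-region check from us-east-1 meaningful."""
    resp = cloudtrail.describe_trails(includeShadowTrails=True)
    for trail in resp.get("trailList", []):
        if trail.get("IsMultiRegionTrail"):
            return trail
    return None


def ensure_multi_region_trail(cloudtrail, name, bucket):
    """Reuse an existing multi-region trail; otherwise create one with log file
    validation and start logging. Data values are strings so CloudFormation
    can surface them via Fn::GetAtt."""
    existing = find_multi_region_trail(cloudtrail)
    if existing is not None:
        return {"TrailARN": existing["TrailARN"], "Created": "false"}
    created = cloudtrail.create_trail(
        Name=name,
        S3BucketName=bucket,
        IsMultiRegionTrail=True,
        EnableLogFileValidation=True,
    )
    cloudtrail.start_logging(Name=created["TrailARN"])  # Name accepts name or ARN
    return {"TrailARN": created["TrailARN"], "Created": "true"}


def handle_request(request_type, props, cloudtrail):
    """Side-effect-free core of the handler: Create/Update ensure the trail exists,
    Delete leaves it in place so stack removal never destroys audit logging."""
    if request_type == "Delete":
        return {"Status": "SUCCESS", "Data": {"Retained": "true"}}
    name = props.get("TrailName", DEFAULT_TRAIL_NAME)
    data = ensure_multi_region_trail(cloudtrail, name, props["BucketName"])
    return {"Status": "SUCCESS", "Data": data}


def send_response(event, result):
    """PUT the outcome to the pre-signed URL CloudFormation passes in the event."""
    body = json.dumps({
        "Status": result["Status"],
        "Reason": "See the custom resource Lambda logs for details",
        "PhysicalResourceId": result["Data"].get("TrailARN")
        or event.get("PhysicalResourceId", "retained-trail"),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": result["Data"],
    }).encode()
    req = urllib.request.Request(
        event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""}
    )
    urllib.request.urlopen(req)


def lambda_handler(event, context):
    """Lambda entry point. boto3 is imported lazily so the logic above can be
    exercised without the SDK installed."""
    import boto3

    cloudtrail = boto3.client("cloudtrail")
    result = handle_request(
        event["RequestType"], event.get("ResourceProperties", {}), cloudtrail
    )
    send_response(event, result)
    return result
```

Because Delete is a no-op, switching the framework off later leaves the trail (and whatever else consumes its logs) untouched; a user who really wants it gone removes it explicitly.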
I think it is a good idea to be prescriptive about creating a logging account and the bucket, however it's important that the bucket can then be either changed or customized after the fact. For example there may be a need to change encryption keys, or modify lifecycle policies.
Of course there should also be an option to provide an existing S3 bucket.
In both cases, the bucket URI could be stored as an SSM param in the deployment account so that other services deployed down the track such as Config can leverage the existing bucket, if desired.
I would expect a logging bucket to have at least:
- Encryption with a KMS key
- Lifecycle policy
- Object Lock enabled
- Public Access Block enabled
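To make the four bucket requirements above (plus the SSM parameter idea) concrete, here is an added example, not ADF's own code: a constructed CloudFormation template as a Python dict that meets them, and a small audit function that reports which requirements any AWS::S3::Bucket in a template fails. The KMS key reference, parameter name /adf/logging_bucket and retention periods are assumptions.

```python
"""Audit AWS::S3::Bucket resources in a CloudFormation template (as a dict) for
the logging-bucket baseline: KMS encryption, a lifecycle policy, Object Lock
and Public Access Block. Added example; not code from ADF."""
import json


def _encryption_ok(props):
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    return any(
        r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == "aws:kms"
        for r in rules
    )


def _lifecycle_ok(props):
    rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
    return any(r.get("Status") == "Enabled" for r in rules)


def _object_lock_ok(props):
    # Object Lock needs versioning; both flags must be set for the lock to apply.
    cfg = props.get("ObjectLockConfiguration", {})
    versioned = props.get("VersioningConfiguration", {}).get("Status") == "Enabled"
    return (
        props.get("ObjectLockEnabled") is True
        and cfg.get("ObjectLockEnabled") == "Enabled"
        and versioned
    )


def _public_block_ok(props):
    pab = props.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in keys)


CHECKS = {
    "kms-encryption": _encryption_ok,
    "lifecycle-policy": _lifecycle_ok,
    "object-lock": _object_lock_ok,
    "public-access-block": _public_block_ok,
}


def audit_logging_buckets(template):
    """Return {logical_id: [names of failed checks]} for every S3 bucket."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        findings[logical_id] = [name for name, check in CHECKS.items() if not check(props)]
    return findings


# Constructed sample template that satisfies the baseline. LoggingKey is a
# placeholder for a KMS key resource or parameter; retention values are assumed.
BASELINE_TEMPLATE = {
    "Resources": {
        "LoggingBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
                    "ServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "aws:kms",
                        "KMSMasterKeyID": {"Ref": "LoggingKey"},
                    }
                }]},
                "LifecycleConfiguration": {"Rules": [{
                    "Id": "archive-then-expire",
                    "Status": "Enabled",
                    "Transitions": [{"StorageClass": "GLACIER", "TransitionInDays": 90}],
                    "ExpirationInDays": 400,
                }]},
                "VersioningConfiguration": {"Status": "Enabled"},
                "ObjectLockEnabled": True,
                "ObjectLockConfiguration": {
                    "ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}},
                },
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        # Publish the bucket URI so later services (e.g. Config) can find it.
        "LoggingBucketUri": {
            "Type": "AWS::SSM::Parameter",
            "Properties": {
                "Name": "/adf/logging_bucket",
                "Type": "String",
                "Value": {"Fn::Sub": "s3://${LoggingBucket}"},
            },
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(audit_logging_buckets(BASELINE_TEMPLATE), indent=2))
```

Running the audit against the sample reports no findings for LoggingBucket; pointing it at a template with an AES256-only bucket and no Public Access Block lists exactly those gaps, which is the kind of check worth running before accepting a user-supplied existing bucket.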
Managing CloudTrail outside of ADF might be the preferred option for most users.
- If they're using Control Tower or Landing Zone it will already manage it for them
- Tying CloudTrail to a deployment tool might lead to deleting the Trail if they decide to stop using this framework. By that time chances are that they are using those logs for other things too.
- The ADF will create the trail in the us-east-1 region. Compliance requirements might make that not an option for everyone.
Creating it with the ADF is still a better getting started experience, but in my opinion the docs should recommend managing it separately.
I would have thought that the AWS Organisation was where CloudTrail should be managed from now on. Not Control Tower, not Landing Zone, not ADF. It is baked into the Org as a feature now. https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-ct.html
It is, AWS Organizations and setting up an Organization Trail is the way to go. Closing this issue as this is out of scope for ADF.