🌙

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Working With Multiple CloudTrail Accounts

integrations cloud cloudtrail aws amazon


The following gives example methods for setting permissions for multi-account AWS CloudTrail log collection.

Updating S3 Bucket Policy

The AWS CloudTrail collection s3 bucket policy should be updated similar to the following example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::myBucketName"
    },
    {
      "Sid": "AWSCloudTrailWrite20131101",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/111111111111/*",
        "arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/222222222222/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Adding kmsDecrypt permission To Lambda For Encrypted Logs

For encrypted Logs in multiple accounts, logs in each account are encrypted using a Customer Managed Key. So for each of those keys we grant permission to the Lambda execution role:

"Sid": "Grant CloudTrail log decrypt permissions",
"Effect": "Allow",
"Principal": {
  "AWS": [
    "arn:aws:iam::<account number where RedCloak lambda is deployed>:role/<redcloak-cloudtrail-LambdaIamRole as generated by Cloudformation>"
  ]
}

On the Lambda role itself, we also need to add the kms:Decrypt permission for each of the source account keys:

{
  "Version": "2012-10-17",
  "Statement": [
    {
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt",
      ],
    "Resource": [
      "arn:aws:kms:eu-west-1:<source account 1>:key/<customer managed key id>",
      "arn:aws:kms:eu-west-1:<source account 2>:key/<customer managed key id>"
      ]
    }
  ]
}

Note that the following snippet should be removed from the CloudTrail s3 bucket policy (use the sample policy in the prior method as a reference).

"Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
}

 

On this page: