Working With Multiple CloudTrail Accounts
integrations cloud cloudtrail aws amazon
The following sections give example methods for granting the permissions needed to collect AWS CloudTrail logs from multiple AWS accounts into a single S3 bucket.
Updating S3 Bucket Policy
The CloudTrail collection S3 bucket policy should be updated so that the CloudTrail service can write each source account's logs to that account's own AWSLogs/<account ID>/ path, similar to the following example (replace myBucketName, the optional myLogFilePrefix and the account IDs with your own values):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20131101",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::myBucketName"
},
{
"Sid": "AWSCloudTrailWrite20131101",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/111111111111/*",
"arn:aws:s3:::myBucketName/[optional] myLogFilePrefix/AWSLogs/222222222222/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
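As an added example (not code from the original page or from the product it describes), the script below builds the bucket policy above for any number of source accounts and audits an existing bucket policy for accounts that CloudTrail could not write to, which is the check to run when onboarding a new account. The bucket name, log file prefix and 12-digit account IDs are constructed sample values; the `acl_condition` flag exists so the same builder can emit the variant without the `s3:x-amz-acl` condition that the encrypted-log note later on this page asks for.

```python
"""Build and audit a multi-account CloudTrail bucket policy (added example)."""
import fnmatch
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def build_bucket_policy(bucket, account_ids, prefix=None, acl_condition=True):
    """Return the bucket policy (as a dict) that lets CloudTrail in each listed
    account write to s3://<bucket>/[<prefix>/]AWSLogs/<account>/.
    acl_condition=False omits the s3:x-amz-acl condition (the encrypted-log
    variant described later on this page)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_root = f"{bucket_arn}/{prefix.strip('/')}" if prefix else bucket_arn
    write = {
        "Sid": "AWSCloudTrailWrite20131101",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL_SERVICE},
        "Action": "s3:PutObject",
        # One resource per account, so a new account needs an explicit entry.
        "Resource": [f"{key_root}/AWSLogs/{acct}/*" for acct in sorted(set(account_ids))],
    }
    if acl_condition:
        write["Condition"] = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20131101",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            write,
        ],
    }


def accounts_without_write(policy, bucket, account_ids, prefix=None):
    """Return the account IDs whose CloudTrail could not write to the bucket
    under `policy`: no Allow statement for cloudtrail.amazonaws.com grants
    s3:PutObject on a resource pattern matching that account's log object path.
    Run it against the live bucket policy when onboarding a source account; a
    prefix mismatch between the trail and the policy shows up here too."""
    key_root = f"arn:aws:s3:::{bucket}/{prefix.strip('/')}" if prefix else f"arn:aws:s3:::{bucket}"
    writable = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if CLOUDTRAIL_SERVICE not in _as_list(principal.get("Service", [])):
            continue
        # Action names are case-insensitive and may carry wildcards (s3:*, s3:Put*).
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("s3:putobject", a) for a in actions):
            continue
        patterns = _as_list(stmt.get("Resource", []))
        for acct in account_ids:
            # Shape of a real CloudTrail object key; IAM resource wildcards (* and ?)
            # behave like fnmatch globs, and ARNs contain no other glob characters.
            sample = f"{key_root}/AWSLogs/{acct}/CloudTrail/eu-west-1/2024/01/01/{acct}_CloudTrail.json.gz"
            if any(fnmatch.fnmatchcase(sample, p) for p in patterns):
                writable.add(acct)
    return sorted(set(account_ids) - writable)


if __name__ == "__main__":
    # Constructed sample values.
    policy = build_bucket_policy("myBucketName", ["111111111111", "222222222222"], "myLogFilePrefix")
    print(json.dumps(policy, indent=2))
    print("not yet writable:", accounts_without_write(
        policy, "myBucketName", ["111111111111", "222222222222", "333333333333"], "myLogFilePrefix"))
```

Feed `accounts_without_write` the output of `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) together with the prefix configured on the trails; an empty list means every listed account already has a matching PutObject grant.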
Adding kms:Decrypt Permission to the Lambda Role for Encrypted Logs
When the logs are encrypted, each source account encrypts its logs with its own customer managed KMS key. Two grants are needed for each of those keys: the key's own key policy must allow the Lambda execution role to use the key, and the role's IAM policy must allow kms:Decrypt on the key. For the first, add a statement similar to the following to the key policy in each source account (in a key policy, a Resource of "*" refers to the key the policy is attached to):
{
"Sid": "Grant CloudTrail log decrypt permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account number where RedCloak lambda is deployed>:role/<redcloak-cloudtrail-LambdaIamRole as generated by Cloudformation>"
]
},
"Action": "kms:Decrypt",
"Resource": "*"
}
On the Lambda execution role itself, attach an IAM policy that allows kms:Decrypt on each source account's key. Use the full key ARN for each key; the region in each ARN is the region in which that key was created:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:eu-west-1:<source account 1>:key/<customer managed key id>",
"arn:aws:kms:eu-west-1:<source account 2>:key/<customer managed key id>"
]
}
]
}
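As an added example (not code from the original page or from the product), the script below generates both halves of the cross-account KMS grant described in this section, the key policy statement for each source account's key and the IAM policy for the Lambda execution role, and cross-checks a role policy for source accounts whose key is not yet listed. It rejects anything that is not a full key ARN, since an alias ARN or a wildcard in the role policy is a common reason a Lambda still cannot decrypt, or is granted far more than it needs. The role name suffix, account IDs, key IDs and region are constructed sample values.

```python
"""Generate and cross-check cross-account KMS decrypt grants (added example)."""
import json
import re

# Full key ARN only: region, 12-digit owning account and a key ID (not an alias).
KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def is_key_arn(arn):
    return KEY_ARN_RE.match(arn) is not None


def lambda_role_arn(lambda_account, role_name):
    """ARN of the Lambda execution role in the account where the Lambda is deployed."""
    return f"arn:aws:iam::{lambda_account}:role/{role_name}"


def key_policy_statement(lambda_role_arns):
    """Statement to append to the key policy of EACH source account's customer
    managed key. In a key policy, Resource "*" means the key the policy is
    attached to, so no key ARN is needed here."""
    return {
        "Sid": "Grant CloudTrail log decrypt permissions",
        "Effect": "Allow",
        "Principal": {"AWS": sorted(set(lambda_role_arns))},
        "Action": "kms:Decrypt",
        "Resource": "*",
    }


def lambda_role_kms_policy(key_arns):
    """IAM policy document for the Lambda execution role: kms:Decrypt on each
    source key. Only full key ARNs are accepted; an alias ARN does not authorize
    cryptographic operations in an IAM policy, and a wildcard would widen the
    grant to every key the role is otherwise allowed to touch."""
    rejected = [arn for arn in key_arns if not is_key_arn(arn)]
    if rejected:
        raise ValueError(f"not a full KMS key ARN: {rejected}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CloudTrailLogDecrypt",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": sorted(set(key_arns)),
        }],
    }


def accounts_missing_from_role_policy(role_policy, source_accounts):
    """Source account IDs that own no key ARN granted kms:Decrypt in the role
    policy. Cross-account KMS needs both the key policy and the role policy;
    this checks the role-policy half when a new source account is onboarded."""
    covered = set()
    for stmt in role_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"kms:decrypt", "kms:*"}:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            match = KEY_ARN_RE.match(res)
            if match:
                covered.add(match.group("account"))
    return sorted(set(source_accounts) - covered)


if __name__ == "__main__":
    # Constructed sample values: Lambda account, two source accounts and their keys.
    role = lambda_role_arn("999999999999", "redcloak-cloudtrail-LambdaIamRole-ABC123")
    keys = [
        "arn:aws:kms:eu-west-1:111111111111:key/11111111-1111-1111-1111-111111111111",
        "arn:aws:kms:eu-west-1:222222222222:key/22222222-2222-2222-2222-222222222222",
    ]
    print("add to each source key policy:", json.dumps(key_policy_statement([role]), indent=2))
    role_policy = lambda_role_kms_policy(keys)
    print("attach to the Lambda role:", json.dumps(role_policy, indent=2))
    print("source accounts with no key in the role policy:",
          accounts_missing_from_role_policy(role_policy, ["111111111111", "222222222222", "333333333333"]))
```

The role-policy check only proves one half of the grant; a source account whose key policy was never updated will still fail at decrypt time with an AccessDenied from KMS, so keep the key policy statement under version control alongside the account list.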
Note that for encrypted logs the following Condition block should be removed from the AWSCloudTrailWrite20131101 statement of the CloudTrail S3 bucket policy (use the sample policy in the previous section as a reference):
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}