“Challenges faced to find the solution of how to do centralized logging for multi accounts and multi regions using cloudtrail”. I have found the way by assigning permission on s3 and role for cloudwatch in trail. Also enable the option of multi-region trail and apply trail to my organization. Centralized logging makes monitoring very easy to access the logs of multi accounts in one place. In terms of cost and security perspective, it is a cheap service and also can be secured using KMS.
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console and AWS SDKs and APIs.
CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. For an ongoing record of activity and events in your AWS account, create a trail. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.
In this post, you will get to know how to do centralized logging for Multi Accounts and Multi Regions using cloudtrail. Here I have used two AWS accounts for having centralized logging, a s3 bucket in Master account and IAM role for cloudtrail logs to cloudwatch with required permissions.
You’ll need two AWS Accounts one as a master account and another as a sub-account. You’ll need the AWS Organization to invite another sub-account to join the organization.
You’ll need an Amazon Simple Storage Service for this post. Getting started with Amazon Simple Storage Service provides instructions on how to create a bucket in simple storage service. For this blog, I assume that I have created a s3 bucket and have two accounts in organization.
The blog post consists of the following phases:
- Create Trail in CloudTrail Console with required parameters. Also Set of permission on S3 bucket and Set IAM role with policy on Cloudwatch Logs for Trail
- Output logs in S3 bucket for master account and sub-account and also log streams of CloudTrail in Cloudwatch Log Groups
Phase 1: Create Trail in CloudTrail Console with required parameters. Also Set of permission on S3 bucket and Set IAM role with policy on Cloudwatch Logs for Trail
- Open the CloudTrail console, create a trail named as trail-logs. Change the trail log location, choosing the existing s3 bucket. Enable the log file validation and kms encryption as per requirement.
- Checkout the folder created in the bucket after choosing the log location named AWSLogs. And be able to see the folder inside it named with the master account number. In the permission tab of the bucket, add the permission policy of the sub-account.
- Create a role named CloudTrail-logs-Cloudwatch with permission required to have logs in cloudwatch log group for cloudtrail. And enable the cloudwatch logs in the cloudtrail console of the new trail created. Also enabled to use the same trail of organization for all sub-accounts.
Phase 2: Output logs in S3 bucket for master account and sub-account and also log streams of CloudTrail in Cloudwatch Log Groups
Delete AWS CloudTrail, IAM, S3 bucket, Cloudwatch Log Groups.
I review the pricing and estimated cost of this example.
Cost of CloudTrail →
$0.000001 per data event recorded for AWS CloudTrail APS3-DataEventsRecorded = 5.000 Events = $0.000005
$0.0 per free event recorded for AWS CloudTrail APS3-FreeEventsRecorded = 622.000 Events = $0.0
Total = ($0.000005+$0.0) = $0.000005
Cost of Cloudwatch = $0.0
Cost of Data Transfer = $0.0
Cost of Simple Storage Service = $0.04
Total Cost = $(0.000005+0.0+0.0+0.04) = $0.040005
In this post, I showed “how to do centralized logging for Multi Accounts and Multi Regions using cloudtrail”.
For more details on AWS CloudTrail, Checkout Get started AWS CloudTrail, open the AWS CloudTrail console. To learn more, read the AWS CloudTrail documentation.
Thanks for reading!
Connect with me: Linkedin