Create and manage a bucket suitable for encrypted CloudTrail logging. Supports inbound logging from multiple accounts through the `allowed_account_ids` var.
To create a bucket in this account that can be logged to from acct 12345678 and the current account:

```hcl
module "s3logging-bucket" {
  source  = "rhythmictech/s3logging-bucket/aws"
  version = "v4.0.1"
}

# in acct 23456789
module "cloudtrail-bucket" {
  source = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket"
  # the variable is list(string); quoting the IDs also preserves any leading zeros
  allowed_account_ids = ["12345678", "123456781", "123456782", "123456783"]
  logging_bucket      = module.s3logging-bucket.s3logging_bucket_name
  region              = var.region
}

module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging"
  cloudtrail_bucket = module.cloudtrail-bucket.s3_bucket_name
  kms_key_id        = module.cloudtrail-bucket.kms_key_id
  region            = var.region
}
```
Then in acct 12345678 and the other child accounts you can log back to the bucket like this:

```hcl
# in acct 12345678
module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging"
  cloudtrail_bucket = "23456789-us-east-1-cloudtrail"
  kms_key_id        = "arn:aws:kms:us-east-1:23456789:key/a53f476a-e691-4d19-9003-202e6fb9c5b4"
  region            = var.region
}
```
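The bucket policy behind `allowed_account_ids` is the security-relevant part of this setup: CloudTrail's service principal is the same in every AWS account, so what keeps an arbitrary account from delivering into the central bucket is that `s3:PutObject` is granted only under each listed account's own `AWSLogs/<account-id>/` prefix. The snippet below is an added illustration of that policy shape for the accounts in the example above; it is not the module's own code, and the bucket name and data source name are assumptions.

```hcl
# Added example, not the module's own policy. Shows how a central CloudTrail bucket
# can accept delivery from several accounts while scoping each one to its prefix.
locals {
  central_bucket      = "23456789-us-east-1-cloudtrail" # bucket name from the example above
  allowed_account_ids = ["12345678", "123456781", "123456782", "123456783"]
}

data "aws_iam_policy_document" "cloudtrail_bucket_example" { # name is an assumption
  # CloudTrail reads the bucket ACL before it will deliver any log file
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${local.central_bucket}"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  # One write statement per allowed account, limited to AWSLogs/<account-id>/.
  # CloudTrail always writes under the trail owner's account ID, so an account
  # that is not in the list has no prefix it is permitted to write to.
  dynamic "statement" {
    for_each = toset(local.allowed_account_ids)
    content {
      sid       = "AWSCloudTrailWrite${statement.value}"
      effect    = "Allow"
      actions   = ["s3:PutObject"]
      resources = ["arn:aws:s3:::${local.central_bucket}/AWSLogs/${statement.value}/*"]
      principals {
        type        = "Service"
        identifiers = ["cloudtrail.amazonaws.com"]
      }
      # CloudTrail must hand object ownership to the bucket owner; without this
      # ACL the central account could not read logs written by child accounts
      condition {
        test     = "StringEquals"
        variable = "s3:x-amz-acl"
        values   = ["bucket-owner-full-control"]
      }
    }
  }
}
```

Tightening further with an `aws:SourceArn` condition on each trail ARN is possible but requires knowing the trail names in every child account up front.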
In this diagram Central Account is 12345678 from the example and Account A is 12345678. Accounts B, C, and D would be other child accounts (123456781, 123456782, 123456783).
```mermaid
graph TD
  subgraph Central Account
    S3((S3 Bucket))
  end
  subgraph Account A
    A[CloudTrail] --> S3
  end
  subgraph Account B
    B[CloudTrail] --> S3
  end
  subgraph Account C
    C[CloudTrail] --> S3
  end
  subgraph Account D
    D[CloudTrail] --> S3
  end
```
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.3 |
| aws | >= 5 |

Providers:

| Name | Version |
|---|---|
| aws | 4.48.0 |

Modules:

No modules.
Resources:

| Name | Type |
|---|---|
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_lifecycle_configuration.this | resource |
| aws_s3_bucket_logging.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.this | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.key | data source |
| aws_iam_policy_document.key_empty | data source |
| aws_iam_policy_document.key_merged_policy | data source |
| aws_iam_policy_document.key_roles | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_account_ids | Optional list of AWS account IDs that are permitted to write to the bucket | list(string) | [] | no |
| bucket_name | Name of the S3 bucket to create. Defaults to {account_id}-{region}-cloudtrail. | string | null | no |
| lifecycle_rules | Lifecycle rules to apply to the bucket | list(object( | [ | no |
| logging_bucket | S3 bucket with suitable access for logging requests to the CloudTrail bucket | string | n/a | yes |
| region | Region to create the KMS key in | string | n/a | yes |
| roles_allowed_kms_decrypt | Optional list of roles that have access to KMS decrypt and are permitted to decrypt logs | list(string) | [] | no |
| tags | Mapping of any extra tags you want added to resources | map(string) | {} | no |
| versioning_enabled | Whether or not to use versioning on the bucket. This can be useful for audit purposes since objects in a logging bucket should not be updated. | bool | true | no |
Outputs:

| Name | Description |
|---|---|
| kms_key_id | KMS key used by CloudTrail |
| s3_bucket_arn | The ARN of the bucket |
| s3_bucket_name | The name of the bucket |