AWS CloudTrail
AWS CloudTrail logs all AWS API activity within your AWS Organization. It provides an audit trail for all user activity within the AWS Console, AWS SDKs, and AWS CLI. Stax automatically configures and centralizes all Management events across your AWS Organization.
As part of Stax Assurance, an AWS CloudTrail Trail named stax-assurance-cloudtrail is created in your AWS Organization's management account. This Trail is configured to apply to all AWS accounts in your AWS Organization. Additionally, all Management events are written to a CloudWatch Log Group named cloudtrail within the management account.
Within your Organization's logging foundation account Stax creates a number of resources. The S3 bucket stax-cloudtrail-<org-uuid> is the central store of all CloudTrail Management events. There is an additional SNS topic named cloudtrail-<org-uuid> which triggers a notification each time a new file is written to the S3 bucket.
Stax only creates and manages the stax-assurance-cloudtrail Trail, which only captures Management events.
Capturing CloudTrail Data events
There are a number of useful CloudTrail Data events that you may want to capture. By default, Stax does not capture these, as they are extremely configurable and can attract significant additional cost at scale. Fortunately, the same resources that were created to support the stax-assurance-cloudtrail Trail can be utilized for additional CloudTrail Trails that capture Data events.
To capture these additional events using Stax's managed infrastructure, perform the following steps:
1. Log in to the AWS Console of your Management AWS Account with an Admin role using the Stax Console
2. Search for the CloudTrail service and select the existing stax-assurance-cloudtrail
3. Note the existing Trail log bucket name and Customer managed AWS KMS key values
4. Return to the CloudTrail landing page and select Create trail
5. Enter a Trail name, optionally select Enable for all accounts in my organization
6. For Storage location select Use existing S3 bucket and input the value from Step 3, it should look like stax-cloudtrail-<org-uuid>
7. Enter a Prefix to differentiate this Trail from the Management events
8. For Customer managed AWS KMS key select Existing and input the value from Step 3, it should look like arn:aws:kms:{ControlPlaneRegion}:{LoggingAwsAccountId}:key/{UUID}
9. Ensure Log file SSE-KMS encryption is enabled, optionally configure CloudWatch Logs if required
10. For events ensure you uncheck Management events. The first Management events trail, configured by stax-assurance-cloudtrail, is free; however all others attract additional, in many cases significant, costs
11. Select your Data events
12. Click Create trail. If you receive a warning about We can not fetch current bucket access policy for bucket, this is expected, as the AWS Service itself is permitted to perform these actions, not your user role
13. Confirm that your Data events are being logged to the CloudTrail S3 Bucket in the logging AWS Account
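The two settings most likely to go wrong in the steps above are leaving Management events enabled on the new Trail (Step 10) and not verifying that Data events actually arrive (Step 13). As an added example, not Stax's own code, the following Python runs both checks offline against constructed sample data shaped like `aws cloudtrail get-event-selectors` output and a CloudTrail log file's "Records" array; the trail names other than stax-assurance-cloudtrail and all record values are assumptions.

```python
"""Offline checks for the Data-events trail set up above (added example, not Stax code).
build_data_event_selectors() produces the selector steps 10-11 describe, in the shape
`aws cloudtrail put-event-selectors --event-selectors` accepts; audit_event_selectors()
flags trails other than stax-assurance-cloudtrail that still include Management events
(the cost pitfall in step 10); summarise_records() counts Data vs Management records in
a delivered log file (the check in step 13). All sample values below are constructed."""
from collections import Counter
ASSURANCE_TRAIL = "stax-assurance-cloudtrail"  # the one Management-events trail Stax manages

def build_data_event_selectors(data_resources, read_write_type="All"):
    """Basic event selector that logs only the given Data resources."""
    return [{
        "ReadWriteType": read_write_type,
        "IncludeManagementEvents": False,  # Management events stay with the assurance trail
        "DataResources": data_resources,
    }]

def audit_event_selectors(trail_selectors):
    """trail_selectors maps trail name -> EventSelectors list (get-event-selectors shape).
    Returns the trails that would log Management events a second time."""
    offenders = []
    for name, selectors in trail_selectors.items():
        if name == ASSURANCE_TRAIL:
            continue
        # The API defaults IncludeManagementEvents to true when the key is omitted.
        if any(sel.get("IncludeManagementEvents", True) for sel in selectors):
            offenders.append(name)
    return offenders

def summarise_records(records):
    """Count the "Records" array of a CloudTrail log file by eventCategory."""
    return dict(Counter(rec.get("eventCategory", "Unknown") for rec in records))

# Constructed sample data standing in for API output and a delivered log file.
SAMPLE_SELECTORS = {
    ASSURANCE_TRAIL: [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}],
    "s3-data-events": build_data_event_selectors(
        [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]),
    "lambda-trail-misconfigured": [{"ReadWriteType": "All",  # IncludeManagementEvents omitted
        "DataResources": [{"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]}]}],
}
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventCategory": "Data"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventCategory": "Data"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "eventCategory": "Management"},
]

if __name__ == "__main__":
    print("trails duplicating Management events:", audit_event_selectors(SAMPLE_SELECTORS))
    print("records by category:", summarise_records(SAMPLE_RECORDS))
```

To run the same checks against a real Organization, feed audit_event_selectors() the EventSelectors from `aws cloudtrail get-event-selectors --trail-name <name>` for each Trail, and summarise_records() the decompressed JSON of a log file fetched from the stax-cloudtrail-<org-uuid> bucket under your chosen Prefix.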