时间戳

首页 > 解决方案 > 使用 cloudformation 模板的 cloudtrail 日志

amazon-cloudformation - 使用 cloudformation 模板的 cloudtrail 日志

问题描述

在 cloud-trail 中,我可以选择 CloudWatch Logs 部分下的现有日志组 CloudTrail/DefaultLogGroup。是否可以使用 cloudformation 模板完成此步骤?

在此处输入图像描述

标签: amazon-cloudformationamazon-cloudtrail

解决方案

假设您也在使用 CloudFormation 创建日志组:

LogGroup: # A new log group
  Type: AWS::Logs::LogGroup
  Properties:
    RetentionInDays: 365 # optional

CloudTrailLogsRole: # A role for your trail
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Principal:
          Service: cloudtrail.amazonaws.com
      Version: '2012-10-17'

CloudTrailLogsPolicy: # The policy for your role
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
      - Action:
        - logs:PutLogEvents
        - logs:CreateLogStream
        Effect: Allow
        Resource:
          Fn::GetAtt:
          - LogGroup
          - Arn
      Version: '2012-10-17'
    PolicyName: DefaultPolicy
    Roles:
    - Ref: CloudTrailLogsRole

CloudTrail: # The trail
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: true
    CloudWatchLogsLogGroupArn:
      Fn::GetAtt:
      - LogGroup
      - Arn
    CloudWatchLogsRoleArn:
      Fn::GetAtt:
      - CloudTrailLogsRole
      - Arn
  DependsOn:
  - CloudTrailLogsPolicy
  - CloudTrailLogsRole

如果使用现有的日志组:

CloudTrailLogsRole: # A role for your trail
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Principal:
          Service: cloudtrail.amazonaws.com
      Version: '2012-10-17'

CloudTrailLogsPolicy: # The policy for your role
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
      - Action:
        - logs:PutLogEvents
        - logs:CreateLogStream
        Effect: Allow
        Resource: <your existing log group arn here>
      Version: '2012-10-17'
    PolicyName: DefaultPolicy
    Roles:
    - Ref: CloudTrailLogsRole

CloudTrail: # The trail
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: true
    CloudWatchLogsLogGroupArn: <your existing log group arn here>
    CloudWatchLogsRoleArn:
      Fn::GetAtt:
      - CloudTrailLogsRole
      - Arn
  DependsOn:
  - CloudTrailLogsPolicy
  - CloudTrailLogsRole

推荐阅读