https://github.com/rhythmictech/terraform-aws-cloudtrail-logging
Configure CloudTrail logging to CloudWatch Logs and S3
- Host: GitHub
- URL: https://github.com/rhythmictech/terraform-aws-cloudtrail-logging
- Owner: rhythmictech
- License: mit
- Created: 2019-06-02T17:54:57.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2022-03-08T14:12:02.000Z (almost 4 years ago)
- Last Synced: 2025-04-26T03:44:02.674Z (10 months ago)
- Topics: aws, cloudtrail, logging, terraform, terraform-module, terraform-modules
- Language: HCL
- Homepage: https://registry.terraform.io/modules/rhythmictech/logging/cloudtrail
- Size: 30.3 KB
- Stars: 8
- Watchers: 1
- Forks: 6
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# terraform-aws-cloudtrail-logging
CI workflows (run on every push to master):
[tflint](https://github.com/rhythmictech/terraform-aws-cloudtrail-logging/actions?query=workflow%3Atflint+event%3Apush+branch%3Amaster) |
[tfsec](https://github.com/rhythmictech/terraform-aws-cloudtrail-logging/actions?query=workflow%3Atfsec+event%3Apush+branch%3Amaster) |
[yamllint](https://github.com/rhythmictech/terraform-aws-cloudtrail-logging/actions?query=workflow%3Ayamllint+event%3Apush+branch%3Amaster) |
[misspell](https://github.com/rhythmictech/terraform-aws-cloudtrail-logging/actions?query=workflow%3Amisspell+event%3Apush+branch%3Amaster) |
[pre-commit-check](https://github.com/rhythmictech/terraform-aws-cloudtrail-logging/actions?query=workflow%3Apre-commit-check+event%3Apush+branch%3Amaster)

Configure CloudTrail logging to CloudWatch Logs and S3. When used with the [CloudTrail Bucket module](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket), this configures CloudTrail log delivery encrypted with a KMS CMK, as the CIS AWS Foundations Benchmark requires.
Logs can be centralized in a dedicated security logging account by creating the bucket and key there once and passing the bucket name and key ARN to this module from every other account. For that to work, the bucket policy and the KMS key policy in the logging account must allow CloudTrail from each source account to write log files and encrypt with the key.
## Usage
```hcl
module "cloudtrail-logging" {
  source = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging"

  region            = var.region
  cloudtrail_bucket = module.cloudtrail-bucket.bucket_name
  kms_key_id        = module.cloudtrail-bucket.kms_key_id
}
```
## Requirements
| Name | Version |
|------|---------|
| terraform | >= 0.12.20 |
## Providers
| Name | Version |
|------|---------|
| aws | n/a |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cloudtrail\_bucket | Name of bucket for CloudTrail logs | `string` | n/a | yes |
| kms\_key\_id | KMS key ARN to use for encrypting CloudTrail logs | `string` | n/a | yes |
| region | Region that CloudWatch logging and the S3 bucket will live in | `string` | n/a | yes |
| cloudtrail\_name | Name for the CloudTrail | `string` | `"cloudtrail-all"` | no |
| iam\_path | Path under which to put the IAM role. Should begin and end with a '/'. | `string` | `"/"` | no |
| lambda\_functions | Lambda functions to log. Specify `["arn:aws:lambda"]` for all, or `[ ]` for none. | `list` | `[]` | no |
| log\_group\_name | Name for CloudTrail log group | `string` | `"cloudtrail2cwl"` | no |
| retention\_in\_days | How long should CloudTrail logs be retained in CloudWatch (does not affect S3 storage). Set to -1 for indefinite storage. | `number` | `7` | no |
| s3\_object\_level\_buckets | ARNs of buckets for which to enable object level logging. Specify `["arn:aws:s3:::"]` for all, or `[ ]` for none. If listing ARNs, make sure to end each one with a `/`. | `list` | `[]` | no |
| tags | Mapping of any extra tags you want added to resources | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| cloudwatch\_loggroup\_arn | The arn of the CloudWatch log group |
| cloudwatch\_loggroup\_name | The name of the CloudWatch log group |
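A fuller example, added here and not taken from the module's README, of the centralized layout the description above calls for: a workload account ships its trail to a bucket and key owned by a separate security logging account, uses the optional data-event inputs from the table above, and wires the CIS root-account-usage metric filter and alarm to the log group exposed by the `cloudwatch_loggroup_name` output. Everything not on this page is an assumption: the S3 backend bucket and key names, the `cloudtrail_bucket_name` and `cloudtrail_kms_key_arn` output names in the security account's state, the `example-secrets-bucket` name, the `CISBenchmark` metric namespace, and that the bucket and key policies in the logging account already admit this account.

```hcl
# Added example, not part of the rhythmictech module. Run from a root module in
# the workload (source) account, with credentials for that account.
#
# Assumptions (not stated in the module README):
#   - the security account stores the bucket module's state in S3 and exports
#     `cloudtrail_bucket_name` and `cloudtrail_kms_key_arn` as outputs;
#   - the bucket policy and KMS key policy in that account already allow
#     CloudTrail from this account to write and encrypt;
#   - backend bucket, state key and the sensitive bucket name are placeholders.

terraform {
  required_version = ">= 0.12.20"
}

variable "region" {
  type    = string
  default = "us-east-1"
}

provider "aws" {
  region = var.region
}

# Read the bucket name and key ARN from the security account's state rather
# than hard-coding them (assumed backend layout).
data "terraform_remote_state" "security" {
  backend = "s3"
  config = {
    bucket = "example-security-tfstate"            # assumed
    key    = "cloudtrail-bucket/terraform.tfstate" # assumed
    region = var.region
  }
}

module "cloudtrail-logging" {
  # Pin to a release tag with "?ref=<tag>" before production use.
  source = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging"

  region            = var.region
  cloudtrail_bucket = data.terraform_remote_state.security.outputs.cloudtrail_bucket_name
  kms_key_id        = data.terraform_remote_state.security.outputs.cloudtrail_kms_key_arn

  # A year in CloudWatch for alarming; the S3 copy in the logging account is
  # the long-term record (this input does not affect S3, per the inputs table).
  retention_in_days = 365

  # Data events: every Lambda invocation, plus object-level events on one
  # sensitive bucket. Per the inputs table, each bucket ARN must end with "/".
  lambda_functions        = ["arn:aws:lambda"]
  s3_object_level_buckets = ["arn:aws:s3:::example-secrets-bucket/"] # assumed bucket

  tags = {
    owner = "security"
  }
}

# CIS AWS Foundations Benchmark root-account-usage control (4.3 in v1.4,
# 3.3 in v1.2): metric filter on the module's log group plus an alarm.
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "RootAccountUsage"
  log_group_name = module.cloudtrail-logging.cloudwatch_loggroup_name
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "CISBenchmark" # assumed namespace
    value     = "1"
  }
}

resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts"
}

resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "CIS-RootAccountUsage"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  metric_name         = aws_cloudwatch_log_metric_filter.root_usage.metric_transformation[0].name
  namespace           = "CISBenchmark"
  period              = 300
  statistic           = "Sum"
  threshold           = 1
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}
```

The alarm only fires if events actually reach CloudWatch Logs, so after `terraform apply` confirm delivery with `aws cloudtrail get-trail-status --name cloudtrail-all` (the default `cloudtrail_name`) and check that `LatestCloudWatchLogsDeliveryTime` advances; a stale value usually means the IAM role the module creates under `iam_path` cannot write to the log group, or the log group name was changed after the trail was created.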
## Related Projects
* [CloudTrail Bucket module](https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket)