
In CloudTrail, I can select the existing log group CloudTrail/DefaultLogGroup under the CloudWatch Logs section. Is it possible to complete this step using a CloudFormation template?


shantanuo

1 Answer


Assuming you are creating the log group with CloudFormation as well:

```yaml
LogGroup: # A new log group
  Type: AWS::Logs::LogGroup
  Properties:
    RetentionInDays: 365 # optional

CloudTrailLogsRole: # A role for your trail; only the CloudTrail service can assume it
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Principal:
          Service: cloudtrail.amazonaws.com
      Version: '2012-10-17'

CloudTrailLogsPolicy: # The policy for your role: write access to this log group only
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
      - Action:
        - logs:PutLogEvents
        - logs:CreateLogStream
        Effect: Allow
        Resource:
          Fn::GetAtt:
          - LogGroup
          - Arn
      Version: '2012-10-17'
    PolicyName: DefaultPolicy
    Roles:
    - Ref: CloudTrailLogsRole

CloudTrail: # The trail
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: true
    S3BucketName: <your trail bucket name here> # required by AWS::CloudTrail::Trail; the bucket policy must allow CloudTrail to write
    CloudWatchLogsLogGroupArn:
      Fn::GetAtt:
      - LogGroup
      - Arn
    CloudWatchLogsRoleArn:
      Fn::GetAtt:
      - CloudTrailLogsRole
      - Arn
  DependsOn: # the policy must be attached before CloudTrail validates the role, or creation fails
  - CloudTrailLogsPolicy
  - CloudTrailLogsRole
```

If using an existing log group:

```yaml
CloudTrailLogsRole: # A role for your trail; only the CloudTrail service can assume it
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Principal:
          Service: cloudtrail.amazonaws.com
      Version: '2012-10-17'

CloudTrailLogsPolicy: # The policy for your role: write access to the existing log group only
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
      - Action:
        - logs:PutLogEvents
        - logs:CreateLogStream
        Effect: Allow
        Resource: <your existing log group arn here>
      Version: '2012-10-17'
    PolicyName: DefaultPolicy
    Roles:
    - Ref: CloudTrailLogsRole

CloudTrail: # The trail
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: true
    S3BucketName: <your trail bucket name here> # required by AWS::CloudTrail::Trail; the bucket policy must allow CloudTrail to write
    CloudWatchLogsLogGroupArn: <your existing log group arn here>
    CloudWatchLogsRoleArn:
      Fn::GetAtt:
      - CloudTrailLogsRole
      - Arn
  DependsOn: # the policy must be attached before CloudTrail validates the role, or creation fails
  - CloudTrailLogsPolicy
  - CloudTrailLogsRole
```

jogold
  • Thanks for the answer. I am using a template that I found here: https://datameetgeobk.s3.amazonaws.com/cftemplates/audit_trail.yaml Is it possible to modify that template? – shantanuo Oct 23 '19 at 14:14
  • You will need to add the `LogGroup`, `CloudTrailLogsRole` and `CloudTrailLogsPolicy` resources to your template and then update the `Trail` resource: add the two `DependsOn` and add the `CloudWatchLogsLogGroupArn` and `CloudWatchLogsRoleArn` properties as described above. – jogold Oct 23 '19 at 14:22
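As an added check (example code, not part of the answer above), the following Python function verifies the wiring the answer describes before a deploy: the trail's `CloudWatchLogsRoleArn` points at a role that `cloudtrail.amazonaws.com` may assume, the inline policy attached to that role grants `logs:CreateLogStream` and `logs:PutLogEvents`, and the trail declares `DependsOn` on that policy. It takes the template's `Resources` mapping as a plain dict (for instance from `yaml.safe_load`; the long-form `Fn::GetAtt` used in the answer parses as ordinary mappings), and `SAMPLE` is constructed here from the answer's first snippet.

```python
def _getatt(value):
    """Logical id referenced by a long-form Fn::GetAtt, else None."""
    return value["Fn::GetAtt"][0] if isinstance(value, dict) and "Fn::GetAtt" in value else None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def check_trail_logging(resources):
    """Return findings for each AWS::CloudTrail::Trail; an empty list means the wiring is consistent."""
    findings = []
    for name, trail in resources.items():
        if trail.get("Type") != "AWS::CloudTrail::Trail":
            continue
        props = trail.get("Properties", {})
        role_id = _getatt(props.get("CloudWatchLogsRoleArn"))
        role = resources.get(role_id, {})
        if not props.get("CloudWatchLogsLogGroupArn") or role.get("Type") != "AWS::IAM::Role":
            findings.append(f"{name}: not wired to both a log group ARN and an IAM role in this template")
            continue
        # CloudTrail must be able to assume the role, and the inline policies attached to it must grant writes.
        trust = role["Properties"]["AssumeRolePolicyDocument"]["Statement"]
        if not any(s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
                   and s.get("Principal", {}).get("Service") == "cloudtrail.amazonaws.com" for s in trust):
            findings.append(f"{role_id}: trust policy does not let cloudtrail.amazonaws.com assume the role")
        granted, attached = set(), []
        for pol_id, pol in resources.items():
            if pol.get("Type") == "AWS::IAM::Policy" and {"Ref": role_id} in pol["Properties"].get("Roles", []):
                attached.append(pol_id)
                for s in pol["Properties"]["PolicyDocument"]["Statement"]:
                    if s.get("Effect") == "Allow":
                        granted |= set(_as_list(s.get("Action")))
        missing = {"logs:CreateLogStream", "logs:PutLogEvents"} - granted
        if missing:
            findings.append(f"{role_id}: attached policies lack {sorted(missing)}")
        # Without DependsOn the trail may be created before its policy exists and CloudTrail rejects the role.
        no_dep = [p for p in attached if p not in _as_list(trail.get("DependsOn", []))]
        if no_dep:
            findings.append(f"{name}: add DependsOn on {no_dep}")
    return findings

LOG_GROUP_ARN = {"Fn::GetAtt": ["LogGroup", "Arn"]}
SAMPLE = {  # constructed from the answer's "new log group" snippet; the trail's S3 bucket is out of scope here
    "LogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {"RetentionInDays": 365}},
    "CloudTrailLogsRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "cloudtrail.amazonaws.com"}}]}}},
    "CloudTrailLogsPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "DefaultPolicy",
        "Roles": [{"Ref": "CloudTrailLogsRole"}], "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream"], "Resource": LOG_GROUP_ARN}]}}},
    "CloudTrail": {"Type": "AWS::CloudTrail::Trail", "DependsOn": ["CloudTrailLogsPolicy", "CloudTrailLogsRole"], "Properties": {
        "IsLogging": True, "CloudWatchLogsLogGroupArn": LOG_GROUP_ARN, "CloudWatchLogsRoleArn": {"Fn::GetAtt": ["CloudTrailLogsRole", "Arn"]}}}}
```

Running `check_trail_logging(SAMPLE)` returns an empty list; dropping the trail's `DependsOn`, changing the trust principal, or removing `logs:PutLogEvents` from the policy each produces one finding naming the resource to fix.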