Articles in this section

See more

How-to: Setup AWS to Send CloudTrail From Multiple AWS Accounts Into a Single Account

Avatar
Nadav Lavy (Greenberg)
  • Updated
Follow

Objective

The post will guide you on how to setup your AWS environment to be ready to work with the SkyFormation for AWS MT cloud connector.

In order to monitor CloudTrail from multiple AWS accounts, AWS instructs the user to forward the trails from the various accounts into a single account’s S3 Bucket, and to also setup a SQS queue that is notified when new objects are added to that bucket.
See AWS’s guides [1] [2] for what we’re attempting to acheive.

In this guide we will implement this architecture within AWS, including the creation of the collecting bucket, the sqs queue, the various accounts’ trails, all with air-tight permissions/policies,
and finally we will create an AWS IAM User with permissions to orchestrate this setup, again, with air-tight policy.

Preperation

Collect all the account numbers that will be sending CloudTrail events.
Account # can be found at My Account under Account Settings -> Account ID, as a 12 digit number, i.e. 111111111111

AWS Services Setup

In the account the will have the trails sent to it (e.g. Account A)
1. Create a S3 bucket. Keep its ARN aside. A bucket’s ARN can be found at its properties.
2. Create a SQS Queue (Both Standard and FIFO types are OK). Make sure the Queue is in the same region as the bucket. Keep its URL and ARN aside.
3. Set a policy for the SQS Queue to only allow the S3 bucket to send events to it
In SQS, select our queue -> Permissions, click “Edit Policy Document (Advanced)” and paste the following policy - modify accordingly:

 { 

        "Version": "2012-10-17", 
        "Id": "queue ARN/SQSDefaultPolicy", 
        "Statement": [ 
            { 
            "Effect": "Allow", 
            "Principal": { 
                "AWS": "*" 
            }, 
            "Action": ["SQS:SendMessage"], 
            "Resource": "queue ARN", 
            "Condition": { 
                "ArnLike": { 
                "aws:SourceArn": "bucket ARN" 
                } 
            } 
            } 
        ] 
  }
  1. Configure the S3 Bucket to notify the SQS Queue when files are added to it
    In S3, select our bucket -> Properties (Tab) -> Events -> “+ Add notification”, set a meaningful name (i.e. “Notify SQS new Files”), check “ObjectCreate (All)”, under “Send to” select “SQS Queue”, Select our queue and save.

  2. Set a policy for the S3 Bucket to only allow the accounts that are destined to send CloudTrail events to this bucket to add objects to it
    In S3, select our bucket -> Permissions -> Bucket Policy and paste the following policy - modify accordingly; add a row with the account ID for each source account:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
        "Effect": "Allow",
        "Principal": {
            "Service": "cloudtrail.amazonaws.com"
        },
        "Action": "s3:GetBucketAcl",
        "Resource": "Bucket ARN"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "Bucket ARN/[optional] myLogFilePrefix/AWSLogs/Account ID 1/*",
                "Bucket ARN/[optional] myLogFilePrefix/AWSLogs/Account ID 2/*"
            ],
            "Condition": { 
                "StringEquals": { 
                "s3:x-amz-acl": "bucket-owner-full-control" 
                }
            }
        }
    ]
}

  3. Configure a CloudTrail for each account to send its events to our bucket in Account A

    1. Login to desired account
    2. In CloudTrail, create a new trail (or re-configure an existing one)
    3. Under “Storage location” check “No” in “Create new bucket” and set the bucket name (not ARN) of Account A

  4. Create a user with access to Read, List & Delete SQS messages, and read Objects from the S3 bucket
    In Account A, In IAM -> Users

    1. Click “Add User”, give it a meaningful name, i.e. “skyformation-integration”, check “Programmatic access” only, and click thru to complete wizard without adding permissions - Keep the Access Key and Secret aside
    2. Select the user, user Permissions Tab click “Add inline policy” (at bottom right of the permissions box)
    3. Check “Custom policy” and “Select”
    4. Name the policy accordingly, i.e. “SQS and S3 for SkyFormation”, and paste the following policy - modify accordingly
      { 
"Version": "2012-10-17", 
"Statement": [ 
    { 
    "Action": [ 
        "sqs:DeleteMessage", 
        "sqs:DeleteMessageBatch", 
        "sqs:ReceiveMessage" 
    ], 
    "Effect": "Allow", 
    "Resource": "Queue ARN" 
    }, 
    { 
    "Action": [ 
        "s3:GetObject" 
    ], 
    "Effect": "Allow", 
    "Resource": "Bucket ARN/*" 
    } 
  ] 
}
    5. Click validate policy & Apply policy

  5. Done!

    Whats Next

     

    You can now proceed with on-boarding a MultiTenant AWS connector in SkyFormation

Related articles

Comments

0 comments

Please sign in to leave a comment.