This is a terraform module that creates an Amazon Web Services (AWS) CloudTrail integration with Bridgecrew.
This stack is created with all the best practices and CIS benchmark requirements:
- A dedicated CMK is created, with rotation enabled.
- A CloudTrail trail is created, and it's logs are encrypted-at-rest using the dedicated CMK.
- The logs bucket has Versioning enabled and denies unsecure (non-HTTPS) connections.
The module supports connecting to an existing CloudTrail trail. This requires 3 inputs:
- Setting
create_cloudtrailto false. - Supplying the name of the bucket where the CloudTrail logs are being saved to, as
existing_bucket_name. - Supplying the ARN of the SNS used by the trail to notify of new logs, in
existing_sns_arn. This can be configured manually on the existing trail.
This module supports creating a CloudTrail trail in one account, and creating the rest of the infrastructure in a seperate account. This may be optimal in cases where you want an organization trail from the organization master, but you want it to send logs to a bucket in a logs account.
- Set
create_cloudtrailto false. - Set
source_account_idto the account that will host the cloudtrail
- Set
existing_bucket_name,existing_kms_key_arn, andexisting_sns_arnto values output in the previous step - Set
create_bridgecrew_connectionto false
In both accounts, be sure to set the organization_id if this is an organization-wide trail.
WIP
| Name | Required? | Type | Default Value | Example Value | Description |
|---|---|---|---|---|---|
| company_name | YES | String | testcustomer | The name of the customer. Must be alphanumeric. | |
| account_alias | NO | String | prod | The alias of the account the CF is deployed in. This will be prepended to all the resources in the stack. Default is {company_name}-bc | |
| create_cloudtrail | NO | Boolean | true | false | Indicate whether a new CloudTrail trail should be created. |
| create_bridgecrew_connection | NO | Boolean | true | false | Indicate whether an SNS queue and role for Bridgecrew should be created in this account. |
| log_file_prefix | NO | String | cloudtrail | The prefix which will be given to all the log files saved to the bucket. | |
| existing_sns_arn | NO | String | arn:aws:sns:us-east-1:090772183824:test-bc-bridgecrewcws | When connecting to an existing SNS topic, please supply the trail's SNS ARN. | |
| existing_bucket_name | NO | String | test-bc-bridgecrewcws | When connecting to an existing CloudTrail bucket, please supply the bucket name (NOT ARN). | |
| existing_kms_key_arn | NO | String | arn:aws:kms:us-east-1:090772183824:key/c79ebdc6-bb68-4e83-805f-be5304c10f1e | When using an existing KMS Key (to be accessed by Bridgecrew), specify the existing KMS key ARN. | |
| security_account_id | NO | String | "" | 12345678900 | When connecting to a centralized CloudTrail bucket setup, please supply the ID of the AWS account that hosts the CloudTrail log bucket. We must be deployed in that central logging account beforehand for the integration to work correctly. |
| source_account_id | NO | String | 090772183824 | When cloudtrail in another account is connecting to buckets and sns topics in this account, specify the account ID of that account. | |
| organization_id | NO | String | o-sv720a91a0 | When creating an organization-wide cloudtrail from the organization master. | |
| logs_bucket_id | NO | String | cloudtrail-logs-bucket | Bucket to place access logs from the cloudtrail bucket (defaults to no logs) | |
| logs_file_expiration | NO | Number | 30 | 90 | How long to keep Cloudtrail logs in the bucket. |
| debug_policy | NO | Bool | true | false | Whether to give Bridgecrew read-only debugging access. |
| Name | Example Value | Description |
|---|---|---|
| stack_id | arn:aws:cloudformation:us-east-1:090772183824:stack/test-bridgecrew/daeed550-fa25-11e9-b98a-0e23fbf2c85e | The identifier of the stack that was created |