Review and update your configurations to enable AMS Accelerate to use your CloudTrail trail - AMS Accelerate User Guide

Review and update your configurations to enable AMS Accelerate to use your CloudTrail trail

AMS Accelerate relies on AWS CloudTrail logging in order to manage audits and compliance for all resources in your account. During onboarding, you choose whether Accelerate deploys a CloudTrail trail in your primary AWS Region or uses events generated by your existing CloudTrail account or Organization trail. If your account does not have a trail configured, then Accelerate will deploy a managed CloudTrail trail during onboarding.

Important

CloudTrail log management configuration is only required when you choose to integrate AMS Accelerate with your CloudTrail account or Organization trail.

Review your CloudTrail trail configurations, Amazon S3 bucket policy, and AWS KMS key policy for your CloudTrail events delivery destination with your Cloud Architect (CA)

Before Accelerate can use your CloudTrail trail, you must work with your Cloud Architect (CA) to review and update your configurations to meet Accelerate requirements. If you choose to integrate Accelerate with your CloudTrail Organization trail, then your CA works with you to update your CloudTrail events delivery destination Amazon S3 bucket and AWS KMS key policies to enable cross-account queries from your Accelerate account. Your Amazon S3 bucket can be in an account that's managed by Accelerate, or an account that you manage. During onboarding, Accelerate validates that queries can be made to your CloudTrail Organization trail events delivery destination, and pauses the onboarding if the queries fail. You work with your CA to correct these configurations so that onboarding can resume.

Review and update your CloudTrail account or Organization trail configurations

The following configurations are required to integrate Accelerate CloudTrail log management your CloudTrail account or Organization trail resources:

  • Your CloudTrail trail is configured to log events from all AWS Regions.

  • Your CloudTrail trail has global service events enabled.

  • Your CloudTrail account or Organization trail logs all management events, including read and write events, and AWS KMS and Amazon RDS Data API event logging is enabled.

  • Your CloudTrail trail has log file integrity validation enabled.

  • The Amazon S3 bucket your CloudTrail trail delivers events to encrypts events using either SSE-S3 or SSE-KMS encryption.

  • The Amazon S3 bucket your CloudTrail trail delivers event to has server access logging enabled.

  • The Amazon S3 bucket your CloudTrail trail delivers event to has a lifecycle configuration that retains your CloudTrail trail data for at least 18 months.

  • The Amazon S3 bucket your CloudTrail trail delivers event to has Object Ownership set to Bucket owner enforced.

  • The Amazon S3 bucket your CloudTrail trail delivers event to is accessible by Accelerate.

Review and update the Amazon S3 bucket policy for your CloudTrail events delivery destination

During onboarding, you work with your Cloud Architect (CA) to add Amazon S3 bucket policy statements to your CloudTrail events delivery destination. To enable your users to query changes in your CloudTrail events delivery destination Amazon S3 bucket from your Accelerate account, you can deploy a uniformly named IAM role in each account in your Organization that Accelerate manages, and add it to the aws:PrincipalArn list in all Amazon S3 bucket policy statements. With this configuration, your users can query and analyze your account's CloudTrail Organization trail events in Accelerate using Athena. For more information about how to update an Amazon S3 bucket policy, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide.

Important

Updating your Amazon S3 bucket policy is required only when Accelerate integrates with a CloudTrail trail that delivers events to a centralized S3 bucket. Accelerate doesn't support integrating with a CloudTrail trail that delivers to a centralized bucket but doesn't have the accounts under an AWS Organization.

Note

Before updating your Amazon S3 bucket policy, replace red fields with applicable values:

  • YOUR-S3-BUCKET-NAME with the name of the Amazon S3 bucket that contains the trail events from your accounts.

  • YOUR-ORGANIZATION-ID with the ID of the AWS Organization that your accounts are a member of.

  • YOUR-OPTIONAL-S3-LOG-DELIVERY-PREFIX with your CloudTrail trail's Amazon S3 bucket delivery prefix. For example, my-bucket-prefix, that you might have set when you created your CloudTrail trail.

    If you haven't configured a Amazon S3 bucket delivery prefix for your trail, then remove "YOUR-OPTIONAL-S3-LOG-DELIVERY-PREFIX" and the proceeding forward slash (/) from the following Amazon S3 bucket policy statements.

The following three Amazon S3 bucket policy statements grant Accelerate access to retrieve the configurations of and run AWS Athena queries to analyze the CloudTrail events in your events delivery destination Amazon S3 bucket from your Accelerate account.

{ "Sid": "DONOTDELETE-AMS-ALLOWBUCKETCONFIGAUDIT", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration", "s3:GetLifecycleConfiguration", "s3:GetEncryptionConfiguration" ], "Resource": "arn:aws:s3:::YOUR-S3-BUCKET-NAME", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "YOUR-ORGANIZATION-ID" }, "ArnLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/ams-access-*" ] } } }, { "Sid": "DONOTDELETE-AMS-ALLOWLISTBUCKET", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::YOUR-S3-BUCKET-NAME", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" }, "StringLike": { "s3:prefix": "YOUR-OPTIONAL-S3-LOG-DELIVERY-PREFIX/AWSLogs/*" }, "StringEquals": { "aws:PrincipalOrgID": "YOUR-ORGANIZATION-ID" }, "ArnLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/ams-access-*" ] } } }, { "Sid": "DONOTDELETE-AMS-ALLOWGETOBJECT", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::YOUR-S3-BUCKET-NAME/YOUR-OPTIONAL-S3-LOG-DELIVERY-PREFIX/AWSLogs/*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" }, "StringEquals": { "aws:PrincipalOrgID": "YOUR-ORGANIZATION-ID" }, "ArnLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/ams-access-*" ] } } }

Review and update the AWS KMS key policy for your CloudTrail events delivery destination

During onboarding, you work with your Cloud Architect (CA) to update the AWS KMS key policy used to encrypt the CloudTrail trail events delivered to your Amazon S3 bucket. Make sure that you append the reference AWS KMS key policy statements to your existing AWS KMS key. This configures Accelerate to integrate with your existing CloudTrail trail event delivery destination Amazon S3 bucket and decrypt events. To enable your users to query changes in your CloudTrail events delivery destination Amazon S3 bucket from your Accelerate account, you can deploy a uniformly named IAM Role in each account in your Organization that Accelerate is managing, and add it to the "aws:PrincipalArn" list. With this configuration, your users can query events.

There are different AWS KMS key policy update scenarios to consider. You might only have a AWS KMS key configured to your CloudTrail trail to encrypt all events, and not have a AWS KMS key that encrypts objects in your Amazon S3 bucket. Or, you might have one AWS KMS key that encrypts events delivered by CloudTrail, and another AWS KMS key that encrypts all objects stored in your Amazon S3 bucket. When you have two AWS KMS keys, you update the AWS KMS key policy for each key to grant Accelerate access to your CloudTrail events. Make sure that you amend the reference AWS KMS key policy statement to your existing AWS KMS key policy before you update the policy. For more information about how to update a AWS KMS key policy, see Changing a key policy in the AWS Key Management Service User Guide.

Important

You're required to update your AWS KMS key policy only when Accelerate integrates with a CloudTrail trail with log file SSE-KMS encryption enabled.

Note

Before you apply this AWS KMS key policy statement to the AWS KMS key used to encrypt your AWS CloudTrail events delivered to your Amazon S3 bucket, replace the following red fields with applicable values:

  • YOUR-ORGANIZATION-ID with the ID of the AWS Organization your accounts are a member of.

This AWS KMS key policy statement grants Accelerate access to decrypt and query trail events delivered to Amazon S3 bucket from each account in your Organization with access restricted to Athena, used by Accelerate to query and analyze CloudTrail events..

{ "Sid": "DONOTDELETE-AMS-ALLOWTRAILOBJECTDECRYPTION", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" }, "StringEquals": { "aws:PrincipalOrgID": "YOUR-ORGANIZATION-ID" }, "ArnLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:role/ams-access-*" ] } } }