Creating a CloudTrail Trail - AWS SDK for Ruby

Creating a CloudTrail Trail

This example uses the create_trail method to create a CloudTrail trail in the us-west-2 region. It requires two inputs: the name of the trail and the name of the bucket in which CloudTrail stores information. If the bucket does not have the proper policy, include the -p flag to attach the correct policy to the bucket.


Create the file create_trail.rb. Add the following statements to use the CloudTrail, STS, and S3 gems of the AWS SDK for Ruby.

```ruby
=begin
###############################################################################

Prerequisites:

- You must have an AWS account. For more information, see "How do I create
  and activate a new Amazon Web Services account" on the AWS Premium Support
  website.
- This code uses default AWS access credentials. For more information, see
  "Configuring the AWS SDK for Ruby" in the AWS SDK for Ruby Developer Guide.

Running the code:

To run this code, use RSpec. For example:

rspec aws-ruby-sdk-cloudtrail-example-create-trail.rb -f d

Additional information:

- As an AWS best practice, grant this code least privilege, or only the
  permissions required to perform a task. For more information, see
  "Grant Least Privilege," in the AWS Identity and Access Management User Guide.
- This code has not been tested in all AWS Regions. Some AWS services are
  available only in specific Regions. For more information, see the
  "AWS Regional Table" on the AWS website.
- Running this code outside of the included RSpec tests might result in
  charges to your AWS account.

###############################################################################
=end

require 'aws-sdk-cloudtrail'
require 'aws-sdk-s3'
require 'aws-sdk-sts'
require 'json' # Serializes the bucket policy hash for put_bucket_policy.

# Creates a trail in AWS CloudTrail.
class CreateTrailExample
  # Initialize an instance of CreateTrailExample, creating clients for AWS STS,
  # AWS CloudTrail, and Amazon S3 (unless already provided
  # during initialization).
  #
  # (The following comments express documentation about this function in YARD
  # format by using @ symbols.)
  #
  # @param [Hash] opts ({}) A hash of API clients for S3, STS, and CloudTrail.
  # @option [Aws::S3::Client] :s3_client (Aws::S3::Client)
  # @option [Aws::STS::Client] :sts_client (Aws::STS::Client)
  # @option [Aws::CloudTrail::Client] :cloudtrail_client
  #   (Aws::CloudTrail::Client)
  def initialize(opts = {})
    # This S3 API client is used for :put_bucket_policy.
    @s3 = opts[:s3_client] || Aws::S3::Client.new
    # This STS API client is used to get the account ID.
    @sts = opts[:sts_client] || Aws::STS::Client.new
    # This CloudTrail API client is used to create the CloudTrail resource.
    @cloudtrail = opts[:cloudtrail_client] || Aws::CloudTrail::Client.new
  end
```

Create a function to add a policy to the bucket that gives CloudTrail permission to save data to the bucket.

Get the names of the trail and bucket, and whether to attach the policy to the bucket. If either the trail name or bucket name is missing, display an error message and exit.

```ruby
  # Creates the specified trail in CloudTrail.
  # Prerequisites:
  # An existing S3 bucket with the name specified in bucket_name.
  #
  # @param trail_name [String] The name of the trail to create.
  # @param bucket_name [String] The bucket name to associate with the trail.
  # @param add_bucket_policy [Boolean] (false) Set to true to add a policy
  #   to the bucket if one does not already exist.
  def create_trail(trail_name, bucket_name, add_bucket_policy = false)
    if add_bucket_policy
      account_id = @sts.get_caller_identity.account
      @s3.put_bucket_policy(
        bucket: bucket_name,
        policy: define_policy(bucket_name, account_id)
      )
    end
    @cloudtrail.create_trail(
      name: trail_name,
      s3_bucket_name: bucket_name
    )
  rescue StandardError => e
    puts "Error in 'create_trail': #{e} (#{e.class})"
  end

  private
```

If the -p flag was specified, call add_policy to attach the policy to the bucket.

```ruby
  # Defines an S3 bucket policy that is compatible with CloudTrail.
  # Used internally by create_trail.
  # Prerequisites:
  # An existing S3 bucket with the name specified in bucket_name.
  #
  # @param bucket_name [String] The bucket that CloudTrail delivers logs to.
  # @param account_id [String] The AWS account ID; the write grant is scoped
  #   to this account's AWSLogs prefix in the bucket.
  # @return [String] The policy document serialized as JSON.
  def define_policy(bucket_name, account_id)
    {
      'Version' => '2012-10-17',
      'Statement' => [
        {
          # CloudTrail checks the bucket ACL before it delivers logs.
          'Sid' => 'AWSCloudTrailAclCheck20150319',
          'Effect' => 'Allow',
          'Principal' => { 'Service' => 'cloudtrail.amazonaws.com' },
          'Action' => 's3:GetBucketAcl',
          'Resource' => "arn:aws:s3:::#{bucket_name}"
        },
        {
          # Standard CloudTrail write grant: PutObject only under this
          # account's AWSLogs prefix, and only with bucket-owner-full-control
          # so the bucket owner retains control of the delivered log objects.
          'Sid' => 'AWSCloudTrailWrite20150319',
          'Effect' => 'Allow',
          'Principal' => { 'Service' => 'cloudtrail.amazonaws.com' },
          'Action' => 's3:PutObject',
          'Resource' => "arn:aws:s3:::#{bucket_name}/AWSLogs/#{account_id}/*",
          'Condition' => {
            'StringEquals' => { 's3:x-amz-acl' => 'bucket-owner-full-control' }
          }
        }
      ]
    }.to_json
  end
end
```

Create the CloudTrail client and call create_trail to create the trail. If any errors occur, print the error and quit; otherwise, print a success message.
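The introduction says to pass -p only when the bucket does not already have the proper policy, and define_policy shows what "proper" looks like. The following added example (not from the AWS SDK for Ruby documentation or its sample repository) is a plain-Ruby check you can run against a bucket policy you already fetched, before deciding whether to attach a new one. It verifies the two grants CloudTrail needs, that the write grant is scoped to the account's AWSLogs prefix with the bucket-owner-full-control condition, and that no statement lets a wildcard principal write objects into the log bucket. The bucket name, account ID and both policy documents are constructed sample values; the function names are the example's own.

```ruby
require 'json'

# Constructed sample: a policy with both CloudTrail grants, scoped and
# conditioned the way define_policy produces them.
GOOD_POLICY = <<~POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow",
        "Principal": { "Service": "cloudtrail.amazonaws.com" },
        "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-bucket" },
      { "Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow",
        "Principal": { "Service": "cloudtrail.amazonaws.com" },
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/111122223333/*",
        "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }
    ]
  }
POLICY

# Constructed sample: a wildcard principal may PutObject anywhere in the
# bucket and CloudTrail itself has no grant. Log integrity cannot be trusted.
BAD_POLICY = <<~POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-trail-bucket/*" }
    ]
  }
POLICY

# Normalizes "Statement" to an array (a single statement may be a bare hash).
def statements(policy_json)
  stmts = JSON.parse(policy_json)['Statement']
  stmts.is_a?(Hash) ? [stmts] : Array(stmts)
end

# Allow statements granting +action+ on the bucket or any path beneath it.
# Exact action strings only; wildcard actions such as s3:* are not expanded.
def grants_for(policy_json, bucket_arn, action)
  statements(policy_json).select do |st|
    next false unless st['Effect'] == 'Allow'
    Array(st['Action']).include?(action) &&
      Array(st['Resource']).any? { |r| r == bucket_arn || r.start_with?("#{bucket_arn}/") }
  end
end

def cloudtrail_principal?(st)
  principal = st['Principal']
  principal.is_a?(Hash) && Array(principal['Service']).include?('cloudtrail.amazonaws.com')
end

def wildcard_principal?(st)
  principal = st['Principal']
  principal == '*' || (principal.is_a?(Hash) && Array(principal['AWS']).include?('*'))
end

def owner_control_condition?(st)
  (st.dig('Condition', 'StringEquals') || {})['s3:x-amz-acl'] == 'bucket-owner-full-control'
end

# Audits a bucket policy for CloudTrail delivery. Findings:
#   :acl_check     CloudTrail may call s3:GetBucketAcl on the bucket
#   :write         CloudTrail may s3:PutObject under this account's AWSLogs prefix
#   :owner_control every CloudTrail write grant requires bucket-owner-full-control
#   :public_write  some statement lets a wildcard principal PutObject into the bucket
def audit_cloudtrail_policy(policy_json, bucket_name, account_id)
  bucket_arn = "arn:aws:s3:::#{bucket_name}"
  log_prefix = "#{bucket_arn}/AWSLogs/#{account_id}/"
  acl = grants_for(policy_json, bucket_arn, 's3:GetBucketAcl').select { |st| cloudtrail_principal?(st) }
  writes = grants_for(policy_json, bucket_arn, 's3:PutObject')
  ct_writes = writes.select do |st|
    cloudtrail_principal?(st) && Array(st['Resource']).any? { |r| r.start_with?(log_prefix) }
  end
  {
    acl_check: !acl.empty?,
    write: !ct_writes.empty?,
    owner_control: !ct_writes.empty? && ct_writes.all? { |st| owner_control_condition?(st) },
    public_write: writes.any? { |st| wildcard_principal?(st) }
  }
end

# True when the bucket already has a sufficient, non-public CloudTrail policy,
# i.e. when create_trail can be called without the add_bucket_policy flag.
def ready_for_cloudtrail?(policy_json, bucket_name, account_id)
  f = audit_cloudtrail_policy(policy_json, bucket_name, account_id)
  f[:acl_check] && f[:write] && f[:owner_control] && !f[:public_write]
end

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_POLICY, 'bad' => BAD_POLICY }.each do |label, policy|
    puts "#{label}: #{audit_cloudtrail_policy(policy, 'example-trail-bucket', '111122223333')}"
  end
end
```

A policy that is correct for a different account ID fails the :write finding, because the AWSLogs prefix in the Resource is part of what makes the grant safe; the audit is deliberately strict about that path rather than accepting any PutObject grant to CloudTrail.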

See the complete example on GitHub.