Configures CloudTrail logging to CloudWatch Logs and S3. When used with the CloudTrail Bucket module, this configures CloudTrail logging with a KMS CMK, as required by the CIS benchmark.

Logs can easily be centralized into a security logging account by creating the bucket in that single account and referencing its bucket name and KMS key from every other account.
```hcl
module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-cloudtrail-logging"
  region            = var.region
  cloudtrail_bucket = module.cloudtrail-bucket.bucket_name
  kms_key_id        = module.cloudtrail-bucket.kms_key_id
}
```
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudtrail_bucket | Name of bucket for CloudTrail logs | string | n/a | yes |
| cloudtrail_name | Name for the CloudTrail | string | "cloudtrail-all" | no |
| kms_key_id | KMS key ARN to use for encrypting CloudTrail logs | string | n/a | yes |
| log_group_name | Name for CloudTrail log group | string | "cloudtrail2cwl" | no |
| region | Region that CloudWatch logging and the S3 bucket will live in | string | n/a | yes |
| retention_in_days | How long CloudTrail logs should be retained in CloudWatch (does not affect S3 storage). Set to -1 for indefinite storage. | number | "7" | no |
| Name | Description |
|---|---|
| cloudwatch_loggroup_arn | The ARN of the CloudWatch log group |
| cloudwatch_loggroup_name | The name of the CloudWatch log group |
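The following is an added example, not code from this module's README, showing the centralized pattern described above together with a use of the module's outputs: a workload account reads the bucket name and KMS key ARN from the security account's Terraform state instead of creating its own bucket, then attaches a CIS-style metric filter and alarm to the log group the module creates. The `terraform_remote_state` data source and `aws_cloudwatch_log_metric_filter` / `aws_cloudwatch_metric_alarm` resources are standard Terraform/AWS provider resources; the backend bucket name, state key, the remote outputs `cloudtrail_bucket_name` and `cloudtrail_kms_key_arn`, and the SNS topic ARN are assumptions for illustration only.

```hcl
# Added example (not part of the module's README).
# Assumption: the security account's state lives in an S3 backend and exposes
# outputs named cloudtrail_bucket_name and cloudtrail_kms_key_arn.
data "terraform_remote_state" "security" {
  backend = "s3"
  config = {
    bucket = "example-security-tfstate"            # placeholder
    key    = "cloudtrail-bucket/terraform.tfstate" # placeholder
    region = var.region
  }
}

# Workload account: ship CloudTrail to the central bucket and KMS key.
module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-cloudtrail-logging"
  region            = var.region
  cloudtrail_bucket = data.terraform_remote_state.security.outputs.cloudtrail_bucket_name
  kms_key_id        = data.terraform_remote_state.security.outputs.cloudtrail_kms_key_arn
  cloudtrail_name   = "cloudtrail-all"
  log_group_name    = "cloudtrail2cwl"
  retention_in_days = 90 # CloudWatch retention only; S3 keeps the long-term copy
}

# Use the module's output to add a detection on root account usage.
# The filter pattern is the one the CIS AWS Foundations Benchmark prescribes
# for this control.
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "RootAccountUsage"
  log_group_name = module.cloudtrail-logging.cloudwatch_loggroup_name
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "cis-root-account-usage"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  metric_name         = aws_cloudwatch_log_metric_filter.root_usage.metric_transformation[0].name
  namespace           = "CISBenchmark"
  period              = 300
  statistic           = "Sum"
  threshold           = 1
  alarm_actions       = ["arn:aws:sns:us-east-1:123456789012:security-alerts"] # placeholder
}

output "cloudtrail_log_group_arn" {
  value = module.cloudtrail-logging.cloudwatch_loggroup_arn
}
```

The cross-account setup only works if the bucket policy and KMS key policy in the security account grant `cloudtrail.amazonaws.com` permission to write and encrypt for each source account; those grants are the bucket module's responsibility, and a trail whose delivery fails because of a missing grant shows up as a failed `PutObject` in the trail's delivery status rather than as a Terraform error, so verify delivery after the first apply.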