Skip to content

Latest commit

 

History

History

cloudtrail-baseline

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.tf
main.tf
 
 
migrations.tf
migrations.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

cloudtrail-baseline

Enable CloudTrail in all regions and deliver events to CloudWatch Logs. CloudTrail logs are encrypted using AWS Key Management Service.

Requirements

Name Version
terraform >= 1.1.4
aws >= 4.3

Providers

Name Version
aws >= 4.3

Inputs

Name Description Type Required
aws_account_id The AWS Account ID number of the account. string yes
region The AWS region in which CloudTrail is set up. string yes
s3_bucket_name The name of the S3 bucket which will store configuration snapshots. string yes
cloudtrail_depends_on External resources which should be set up before CloudTrail. list(any) no
cloudtrail_name The name of the trail. string no
cloudtrail_sns_topic_enabled Specifies whether the trail is delivered to a SNS topic. bool no
cloudtrail_sns_topic_name The SNS topic linked to the CloudTrail string no
cloudwatch_logs_enabled Specifies whether the trail is delivered to CloudWatch Logs. bool no
cloudwatch_logs_group_name The name of CloudWatch Logs group to which CloudTrail events are delivered. string no
cloudwatch_logs_retention_in_days Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. number no
dynamodb_event_logging_tables The list of DynamoDB table ARNs on which to enable event logging. list(string) no
iam_role_name The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. string no
iam_role_policy_name The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. string no
is_organization_trail Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. bool no
key_deletion_window_in_days Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. number no
lambda_invocation_logging_lambdas The list of lambda ARNs on which to enable invocation logging. list(string) no
permissions_boundary_arn The permissions boundary ARN for all IAM Roles, provisioned by this module string no
s3_key_prefix The prefix for the specified S3 bucket. string no
s3_object_level_logging_buckets The list of S3 bucket ARNs on which to enable object-level logging. list(string) no
tags Specifies object tags key and value. This applies to all resources created by this module. map(string) no

Outputs

Name Description
cloudtrail The trail for recording events in all regions.
cloudtrail_sns_topic The sns topic linked to the cloudtrail.
kms_key The KMS key used for encrypting CloudTrail events.
log_delivery_iam_role The IAM role used for delivering CloudTrail events to CloudWatch Logs.
log_group The CloudWatch Logs log group which stores CloudTrail events.