Skip to content
/ terraform-aws-cloudtrail-baseline Public

CloudTrail 설정하고 이벤트를 CloudWatch Logs 로 전송

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

VntgCorp/terraform-aws-cloudtrail-baseline

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 
main.tf
main.tf
 
 
migrations.tf
migrations.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

코드 변경사항

기본 소스 : https://github.com/nozaq/terraform-aws-secure-baseline/tree/main/modules/cloudtrail-baseline

위 소소를 이용하여 만들었으며 일부 변경사항 있음

cloudtrail-baseline

Enable CloudTrail in all regions and deliver events to CloudWatch Logs. CloudTrail logs are encrypted using AWS Key Management Service.

Requirements

Name Version
terraform >= 1.1.4
aws >= 4.2.0

Providers

Name Version
aws 4.9.0

Modules

No modules.

Resources

Name Type
aws_cloudtrail.global resource
aws_cloudwatch_log_group.cloudtrail_events resource
aws_iam_role.cloudwatch_delivery resource
aws_iam_role_policy.cloudwatch_delivery_policy resource
aws_kms_alias.cloudtrail resource
aws_kms_key.cloudtrail resource
aws_sns_topic.cloudtrail_sns_topic resource
aws_sns_topic_policy.local_account_cloudtrail resource
aws_iam_policy_document.cloudtrail_key_policy data source
aws_iam_policy_document.cloudtrail_sns_policy data source
aws_iam_policy_document.cloudwatch_delivery_assume_policy data source
aws_iam_policy_document.cloudwatch_delivery_policy data source

Inputs

Name Description Type Default Required
aws_account_id The AWS Account ID number of the account. string n/a yes
cloudtrail_depends_on External resources which should be set up before CloudTrail. list(any) [] no
cloudtrail_name The name of the trail. string "cloudtrail-multi-region" no
cloudtrail_sns_topic_enabled Specifies whether the trail is delivered to a SNS topic. bool false no
cloudtrail_sns_topic_name The SNS topic linked to the CloudTrail string "cloudtrail-multi-region-sns-topic" no
cloudwatch_logs_enabled Specifies whether the trail is delivered to CloudWatch Logs. bool true no
cloudwatch_logs_group_name The name of CloudWatch Logs group to which CloudTrail events are delivered. string "cloudtrail-multi-region" no
cloudwatch_logs_retention_in_days Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. number 365 no
dynamodb_event_logging_tables The list of DynamoDB table ARNs on which to enable event logging. list(string) 
[
  "arn:aws:dynamodb"
]
 no
event_selector Specifies an event selector for enabling data event logging. 
list(object({
    include_management_events = bool
    read_write_type           = string

    data_resource = list(object({
      type   = string
      values = list(string)
    }))
  }))
 [] no
iam_role_name The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. string "CloudTrail-CloudWatch-Delivery-Role" no
iam_role_policy_name The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. string "CloudTrail-CloudWatch-Delivery-Policy" no
is_organization_trail Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. bool false no
key_deletion_window_in_days Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. number 10 no
kms_alias KMS alias string "alias/cloudtrail-logs" no
lambda_invocation_logging_lambdas The list of lambda ARNs on which to enable invocation logging. list(string) 
[
  "arn:aws:lambda"
]
 no
region The AWS region in which CloudTrail is set up. string n/a yes
s3_bucket_name The name of the S3 bucket which will store configuration snapshots. string n/a yes
s3_key_prefix The prefix for the specified S3 bucket. string "" no
s3_object_level_logging_buckets The list of S3 bucket ARNs on which to enable object-level logging. list(string) 
[
  "arn:aws:s3:::"
]
 no
tags Specifies object tags key and value. This applies to all resources created by this module. map(string) {} no

Outputs

Name Description
cloudtrail The trail for recording events in all regions.
cloudtrail_sns_topic The sns topic linked to the cloudtrail.
kms_key The KMS key used for encrypting CloudTrail events.
log_delivery_iam_role The IAM role used for delivering CloudTrail events to CloudWatch Logs.
log_group The CloudWatch Logs log group which stores CloudTrail events.

About

CloudTrail 설정하고 이벤트를 CloudWatch Logs 로 전송

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages