Configures CloudTrail logging to CloudWatch Logs and S3. When used together with the CloudTrail Bucket module, this configures CloudTrail logging with a KMS CMK, as required by CIS.
Logs can be centralized in a dedicated security logging account by creating the bucket in that single account and referencing its bucket and KMS key from every other account.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| | Region that CloudWatch logging and the S3 bucket will live in | string | n/a | yes |
| cloudtrail_name | Name for the CloudTrail | string | `"cloudtrail-all"` | no |
| iam_path | Path under which to put the IAM role. Should begin and end with a `/`. | string | `"/"` | no |
| lambda_functions | Lambda functions to log. Specify `["arn:aws:lambda"]` for all, or `[]` for none. | list | `[]` | no |
| log_group_name | Name for the CloudTrail log group | string | `"cloudtrail2cwl"` | no |
| retention_in_days | How long CloudTrail logs should be retained in CloudWatch, in days (does not affect S3 storage). Set to `-1` for indefinite retention. | number | `7` | no |
| s3_object_level_buckets | ARNs of buckets for which to enable object-level logging. Specify `["arn:aws:s3:::"]` for all, or `[]` for none. If listing ARNs, make sure each one ends with a `/`. | list | `[]` | no |
| tags | Mapping of any extra tags you want added to resources | | | |
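The two list inputs above have formatting rules that are easy to get wrong (the "all" sentinels, and the trailing `/` on each bucket ARN). The following preflight check, an added example and not part of the module itself, validates values for `lambda_functions` and `s3_object_level_buckets` before they are fed to Terraform; it assumes the standard `aws` partition and treats a sentinel mixed with explicit ARNs as an error, which is an assumption rather than a rule stated by the module.

```python
# Preflight validation for the CloudTrail module's list inputs.
# Rules taken from the inputs table: ["arn:aws:lambda"] / ["arn:aws:s3:::"]
# mean "all", [] means "none", and every explicit bucket ARN must end with "/".
LAMBDA_ALL = "arn:aws:lambda"
S3_ALL = "arn:aws:s3:::"


def check_lambda_functions(values):
    """Return a list of problems with a lambda_functions value; [] means OK."""
    if values == [LAMBDA_ALL]:
        return []  # "all functions" sentinel
    problems = []
    for v in values:
        if v == LAMBDA_ALL:
            # Assumption: the sentinel only makes sense on its own.
            problems.append(f"{v!r}: the 'all functions' sentinel must be the only entry")
        elif not v.startswith("arn:aws:lambda:"):
            # Assumes the standard 'aws' partition, not aws-us-gov / aws-cn.
            problems.append(f"{v!r}: not a Lambda function ARN")
    return problems


def check_s3_object_level_buckets(values):
    """Return a list of problems with an s3_object_level_buckets value; [] means OK."""
    if values == [S3_ALL]:
        return []  # "all buckets" sentinel
    problems = []
    for v in values:
        if v == S3_ALL:
            problems.append(f"{v!r}: the 'all buckets' sentinel must be the only entry")
        elif not v.startswith(S3_ALL):
            problems.append(f"{v!r}: not an S3 bucket ARN")
        elif not v.endswith("/"):
            # The module requires the trailing slash on every listed bucket ARN.
            problems.append(f"{v!r}: bucket ARN must end with '/'")
    return problems


def check_inputs(lambda_functions, s3_object_level_buckets):
    """Validate both inputs at once; returns {input_name: [problems]} for failures only."""
    report = {
        "lambda_functions": check_lambda_functions(lambda_functions),
        "s3_object_level_buckets": check_s3_object_level_buckets(s3_object_level_buckets),
    }
    return {name: probs for name, probs in report.items() if probs}


if __name__ == "__main__":
    # Constructed sample: one bucket ARN is missing its trailing slash.
    print(check_inputs([LAMBDA_ALL], ["arn:aws:s3:::example-bucket"]))
```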