- cloudtrail.tf
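# KMS key shared by the CloudTrail CloudWatch log group and the trail's S3 log
# files. The two service principals are limited to the actions AWS documents
# for each integration (instead of "kms:*") and are bound to this account
# through the encryption-context keys that CloudWatch Logs and CloudTrail set
# on every request, so a trail or log group in another account cannot use the
# key through the service principal.
resource "aws_kms_key" "cloudwatch" {
  description             = "KMS key for CloudWatch Logs encryption"
  deletion_window_in_days = 10
  enable_key_rotation     = true

  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        # Key administration stays with IAM principals of the owning account.
        "Sid" : "Allow Account Administration of the KMS Key",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${data.aws_caller_identity.current_user.account_id}:root"
        },
        "Action" : "kms:*",
        "Resource" : "*"
      },
      {
        # CloudWatch Logs needs only data-key and describe operations; the
        # ArnLike condition restricts them to log groups of this account in
        # the region the service principal belongs to.
        "Sid" : "Allow CloudWatch Logs",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "logs.ap-northeast-1.amazonaws.com"
        },
        "Action" : [
          "kms:Encrypt*",
          "kms:Decrypt*",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:Describe*"
        ],
        "Resource" : "*",
        "Condition" : {
          "ArnLike" : {
            "kms:EncryptionContext:aws:logs:arn" : "arn:aws:logs:ap-northeast-1:${data.aws_caller_identity.current_user.account_id}:log-group:*"
          }
        }
      },
      {
        # CloudTrail encrypts each log file with a data key; limit the grant
        # to trails owned by this account via the aws:cloudtrail:arn context.
        "Sid" : "Allow CloudTrail",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "cloudtrail.amazonaws.com"
        },
        "Action" : "kms:GenerateDataKey*",
        "Resource" : "*",
        "Condition" : {
          "StringLike" : {
            "kms:EncryptionContext:aws:cloudtrail:arn" : "arn:aws:cloudtrail:*:${data.aws_caller_identity.current_user.account_id}:trail/*"
          }
        }
      },
      {
        # CloudTrail validates the key when the trail is created or updated.
        "Sid" : "Allow CloudTrail Describe Key",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "cloudtrail.amazonaws.com"
        },
        "Action" : "kms:DescribeKey",
        "Resource" : "*"
      },
      {
        # Cross-account consumer of the encrypted log files (read only).
        # NOTE(review): assumes local.hoge_account_id is the account that
        # reads the logs from the S3 bucket — confirm against the bucket policy.
        "Sid" : "AllowAccount-hoge-Decrypt",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${local.hoge_account_id}:root"
        },
        "Action" : [
          "kms:Decrypt"
        ],
        "Resource" : "*"
      }
    ]
  })
}

resource "aws_kms_alias" "cloudwatch" {
  name          = "alias/cloudwatch-kms-${var.environment}"
  target_key_id = aws_kms_key.cloudwatch.key_id
}

# Log group that receives a copy of the trail events for near-real-time
# alerting. Referencing the key ARN makes Terraform create the key (and its
# policy) before the group, which CloudWatch Logs requires.
resource "aws_cloudwatch_log_group" "cloudtrail" {
  name              = "/aws/cloudtrail/hoge-cloudtrail-${var.environment}"
  # The S3 bucket is the long-term store; 7 days here only covers alerting.
  # Raise this if detections or investigations query CloudWatch Logs directly.
  retention_in_days = 7
  kms_key_id        = aws_kms_key.cloudwatch.arn
}

# Role CloudTrail assumes to deliver events to the log group. The trust policy
# carries aws:SourceArn so only this account's trail can assume it
# (confused-deputy protection); the ARN is built as a string rather than read
# from aws_cloudtrail.cloudtrail to avoid a dependency cycle with the trail.
# NOTE(review): assumes the trail's home region is ap-northeast-1, as the
# other hard-coded regions in this file imply — confirm.
resource "aws_iam_role" "cloudtrail_cloudwatch" {
  name = "cloudtrail-cloudwatch-logs-role-${var.environment}"

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [{
      "Effect" : "Allow",
      "Principal" : {
        "Service" : "cloudtrail.amazonaws.com"
      },
      "Action" : "sts:AssumeRole",
      "Condition" : {
        "StringEquals" : {
          "aws:SourceArn" : "arn:aws:cloudtrail:ap-northeast-1:${data.aws_caller_identity.current_user.account_id}:trail/hoge-cloudtrail-${var.environment}"
        }
      }
    }]
  })
}

# Write-only permissions on the log streams CloudTrail creates inside the
# log group ("<account-id>_CloudTrail_<region>*" is the stream name pattern
# CloudTrail uses), and nothing else.
resource "aws_iam_role_policy" "cloudtrail_cloudwatch" {
  role = aws_iam_role.cloudtrail_cloudwatch.id

  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource" : [
          "arn:aws:logs:ap-northeast-1:${data.aws_caller_identity.current_user.account_id}:log-group:${aws_cloudwatch_log_group.cloudtrail.name}:log-stream:${data.aws_caller_identity.current_user.account_id}_CloudTrail_ap-northeast-1*"
        ]
      }
    ]
  })
}

# Multi-region trail with KMS-encrypted, integrity-validated log files in S3
# and a CloudWatch Logs copy for detection.
resource "aws_cloudtrail" "cloudtrail" {
  depends_on = [aws_cloudwatch_log_group.cloudtrail]

  name                          = "hoge-cloudtrail-${var.environment}"
  # The bucket lives in another account; its bucket policy must allow this
  # account's trail to write under AWSLogs/<this-account-id>/.
  s3_bucket_name                = "hoge-cloudtrail"
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_logging                = true
  kms_key_id                    = aws_kms_key.cloudwatch.arn
  # Digest files let tampering with delivered log files be detected.
  enable_log_file_validation    = true

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    # Object-level data events for the trail's own log prefix, so reads and
    # deletions of audit logs are themselves recorded. Note that the trail's
    # own PutObject deliveries to this prefix are recorded too, which adds
    # volume; scope the prefix down if that becomes noisy.
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::hoge-cloudtrail/AWSLogs/${data.aws_caller_identity.current_user.account_id}/"]
    }
  }

  # CloudTrail requires the ":*" suffix on the log group ARN.
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_cloudwatch.arn
}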
- s3_cloudtrails.tf (cross account)
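# (omitted: the earlier resources of this file are not shown in the listing)

# Bucket policy for the cross-account CloudTrail log bucket. Every ARN is
# derived from the bucket resource so the three statements cannot disagree
# about the bucket name, and the CloudTrail service-principal statements
# carry aws:SourceAccount so that only a trail in the expected account can
# use them (confused-deputy protection). The writing account is taken from
# the AWSLogs/<account-id>/ prefix CloudTrail delivers under.
resource "aws_s3_bucket_policy" "cloudtrail_reports_policy" {
  bucket = aws_s3_bucket.cloudtrail_hoge.id

  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        # CloudTrail checks the bucket ACL before delivering.
        "Sid" : "AWSCloudTrailAclCheck20150319",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "cloudtrail.amazonaws.com"
        },
        "Action" : "s3:GetBucketAcl",
        "Resource" : aws_s3_bucket.cloudtrail_hoge.arn,
        "Condition" : {
          "StringEquals" : {
            "aws:SourceAccount" : tostring(local.hoge_account_id)
          }
        }
      },
      {
        # Delivery is limited to the trail owner's AWSLogs prefix and requires
        # bucket-owner-full-control so this account keeps control of the objects.
        "Sid" : "AWSCloudTrailWrite20150319",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "cloudtrail.amazonaws.com"
        },
        "Action" : "s3:PutObject",
        "Resource" : [
          "${aws_s3_bucket.cloudtrail_hoge.arn}/AWSLogs/${local.hoge_account_id}/*"
        ],
        "Condition" : {
          "StringEquals" : {
            "s3:x-amz-acl"      : "bucket-owner-full-control",
            "aws:SourceAccount" : tostring(local.hoge_account_id)
          }
        }
      },
      {
        # Cross-account access for consumers of the logs.
        # NOTE(review): s3:PutObject on the whole bucket lets the other
        # account add or overwrite audit-log objects; if that account only
        # reads the logs, drop s3:PutObject here. Kept as-is pending confirmation.
        "Sid" : "AllowAccountFullAccess",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : [
            "arn:aws:iam::${local.hoge_account_id}:root",
          ]
        },
        "Action" : [
          "s3:GetObject",
          "s3:PutObject",
          "s3:ListBucket",
          "s3:GetBucketLocation"
        ],
        "Resource" : [
          aws_s3_bucket.cloudtrail_hoge.arn,
          "${aws_s3_bucket.cloudtrail_hoge.arn}/*"
        ]
      }
    ]
  })
}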
1989年生まれのFindy/SRE。ホスティングから大規模なアドテクなどのインフラエンジニアとして携わる。現在はサービスの信頼性向上、DevOps、可用性、レイテンシ、パフォーマンス、モニタリング、オブザーバビリティ、緊急対応、AWSでのインフラ構築、Docker開発環境の提供、IaC、新技術の検証、リファクタリング、セキュリティ強化、分析基盤の運用などを担当している。個人事業主では数社サーバー保守とベンチャー企業のSREインフラコンサルティングやMENTA/TechBullで未経験者にインフラのコーチング/コミュニティマネージャーとして立ち上げと運営をしている。また、過去「脆弱性スキャナVuls」のOSS活動もしており、自称エバンジェリスト/技術広報/テクニカルサポート/コントリビュータでもある。