01 Run create-log-group command (OSX/Linux/UNIX) to create the CloudWatch Logs log group that the Amazon CloudTrail service will use as the delivery endpoint for its log events (the create-log-group command does not produce an output):
aws logs create-log-group \
  --region us-east-1 \
  --log-group-name cc-project5-trail-log-group
02 Run describe-log-groups command (OSX/Linux/UNIX) to return the Amazon Resource Name (ARN) of the CloudWatch Logs log group created at the previous step:
aws logs describe-log-groups \
  --region us-east-1 \
  --log-group-name-prefix cc-project5-trail-log-group \
  --query 'logGroups[*].arn'
03 The command output should return the requested log group ARN (note the trailing :* that CloudWatch Logs appends to log group ARNs; CloudTrail expects this form in step no. 9):
[
"arn:aws:logs:us-east-1:123456789012:log-group:cc-project5-trail-log-group:*"
]
04 Define the trust relationship policy for the required IAM role. Paste the following policy document to a JSON file named cc-iam-role-trust-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
05 Run create-role command (OSX/Linux/UNIX) to create the IAM role that Amazon CloudTrail will assume in order to send CloudTrail events to your new CloudWatch Logs log group, using the trust relationship policy defined at the previous step:
aws iam create-role \
  --role-name cc-project5-trail-iam-role \
  --assume-role-policy-document file://cc-iam-role-trust-policy.json
06 The command output should return the metadata available for the new IAM role (including the role ARN):
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
}
}
]
},
"RoleId": "AAAABBBBCCCCDDDDEEEE",
"CreateDate": "2021-07-14T10:20:00Z",
"RoleName": "cc-project5-trail-iam-role",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:role/cc-project5-trail-iam-role"
}
}
07 Create the required IAM role policy. This IAM policy grants only the permissions needed to create a log stream within your new CloudWatch Logs log group and to deliver CloudTrail events to that log stream; the Resource elements are scoped to the stream name pattern that CloudTrail uses (<aws-account-id>_CloudTrail_<aws-region>) rather than to every stream in the log group. Replace the placeholders <aws-region>, <aws-account-id> and <log-group-name> with your own configuration details and save the following document to a JSON file named cc-cloudtrail-iam-role-policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailCreateLogStream",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream"
],
"Resource": [
"arn:aws:logs:<aws-region>:<aws-account-id>:log-group:<log-group-name>:log-stream:<aws-account-id>_CloudTrail_<aws-region>*"
]
},
{
"Sid": "AWSCloudTrailPutLogEvents",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:<aws-region>:<aws-account-id>:log-group:<log-group-name>:log-stream:<aws-account-id>_CloudTrail_<aws-region>*"
]
}
]
}
08 Run put-role-policy command (OSX/Linux/UNIX) to attach the policy document defined at the previous step (i.e. cc-cloudtrail-iam-role-policy.json) to your new IAM role as an inline policy:
aws iam put-role-policy \
  --role-name cc-project5-trail-iam-role \
  --policy-name cc-project5-trail-iam-policy \
  --policy-document file://cc-cloudtrail-iam-role-policy.json
09 Run update-trail command (OSX/Linux/UNIX) to enable the CloudTrail – CloudWatch Logs integration for the selected trail. Use the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, and specify the ARN of the log group to which log events will be delivered (step no. 3) together with the ARN of the IAM role that Amazon CloudTrail will assume to send events to that log group (step no. 6):
aws cloudtrail update-trail \
  --region us-east-1 \
  --name cc-project5-api-trail \
  --cloud-watch-logs-log-group-arn "arn:aws:logs:us-east-1:123456789012:log-group:cc-project5-trail-log-group:*" \
  --cloud-watch-logs-role-arn "arn:aws:iam::123456789012:role/cc-project5-trail-iam-role"
10 The command output should return the metadata available for the reconfigured trail. Confirm that both CloudWatchLogsRoleArn and CloudWatchLogsLogGroupArn are now populated:
{
"IncludeGlobalServiceEvents": true,
"IsOrganizationTrail": false,
"Name": "cc-project5-api-trail",
"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-api-trail",
"LogFileValidationEnabled": false,
"IsMultiRegionTrail": true,
"S3BucketName": "cc-project5-cloudtrail-logs",
"CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/cc-project5-trail-iam-role",
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cc-project5-trail-log-group:*"
}
11 Repeat steps no. 1 – 10 for each other Amazon CloudTrail trail in your AWS cloud account that you want to reconfigure.
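The following script is an added example that performs steps no. 1 – 10 above from a set of variables instead of by hand; it is not part of the original remediation page. The variable defaults (region, account ID, log group, role, policy and trail names) are hypothetical and simply match the values used in the steps above. The AWS CLI calls only run when the script is invoked with the argument apply; the helper functions that build the ARNs and the policy documents, and the post-check that inspects the update-trail output, are pure and can be exercised without AWS credentials. The short pause before update-trail is a practitioner's precaution: IAM is eventually consistent and CloudTrail validates the role when the trail is updated, so an immediately-used new role can be rejected.

```shell
#!/bin/sh
# Added example (not from the original page): automates steps 01-10.
# Hypothetical defaults, chosen to match the values in the steps above.
REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
LOG_GROUP="${LOG_GROUP:-cc-project5-trail-log-group}"
ROLE_NAME="${ROLE_NAME:-cc-project5-trail-iam-role}"
POLICY_NAME="${POLICY_NAME:-cc-project5-trail-iam-policy}"
TRAIL_NAME="${TRAIL_NAME:-cc-project5-api-trail}"

# Log group ARN in the form CloudTrail expects (trailing ":*").
# Args: region account_id log_group_name
log_group_arn() {
  printf 'arn:aws:logs:%s:%s:log-group:%s:*\n' "$1" "$2" "$3"
}

# Resource pattern for the streams CloudTrail writes in this account/region,
# i.e. <account>_CloudTrail_<region>*, instead of a bare "*" over all streams.
# Args: region account_id log_group_name
log_stream_arn_pattern() {
  printf 'arn:aws:logs:%s:%s:log-group:%s:log-stream:%s_CloudTrail_%s*\n' \
    "$1" "$2" "$3" "$2" "$1"
}

# Trust policy: only the CloudTrail service principal may assume the role.
render_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions policy: CreateLogStream and PutLogEvents on that stream pattern only.
# Args: region account_id log_group_name
render_role_policy() {
  stream_arn=$(log_stream_arn_pattern "$1" "$2" "$3")
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailCreateLogStream",
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream"],
      "Resource": ["$stream_arn"]
    },
    {
      "Sid": "AWSCloudTrailPutLogEvents",
      "Effect": "Allow",
      "Action": ["logs:PutLogEvents"],
      "Resource": ["$stream_arn"]
    }
  ]
}
EOF
}

# Post-check on the JSON printed by update-trail (read from stdin): succeed
# only when both the log group ARN and the role ARN are populated.
trail_has_cw_logs_integration() {
  json=$(cat)
  printf '%s' "$json" | grep -Fq '"CloudWatchLogsLogGroupArn": "arn:aws:logs:' || return 1
  printf '%s' "$json" | grep -Fq '"CloudWatchLogsRoleArn": "arn:aws:iam::' || return 1
  return 0
}

if [ "${1:-}" = "apply" ]; then
  set -e
  aws logs create-log-group --region "$REGION" --log-group-name "$LOG_GROUP"
  render_trust_policy > cc-iam-role-trust-policy.json
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://cc-iam-role-trust-policy.json
  render_role_policy "$REGION" "$ACCOUNT_ID" "$LOG_GROUP" > cc-cloudtrail-iam-role-policy.json
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" \
    --policy-document file://cc-cloudtrail-iam-role-policy.json
  sleep 10   # IAM is eventually consistent; CloudTrail may reject a brand-new role
  out=$(aws cloudtrail update-trail --region "$REGION" --name "$TRAIL_NAME" \
    --cloud-watch-logs-log-group-arn "$(log_group_arn "$REGION" "$ACCOUNT_ID" "$LOG_GROUP")" \
    --cloud-watch-logs-role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}")
  printf '%s\n' "$out" | trail_has_cw_logs_integration \
    || { echo "CloudWatch Logs integration not set on $TRAIL_NAME" >&2; exit 1; }
  echo "trail $TRAIL_NAME now delivers events to log group $LOG_GROUP"
fi
```

Run it once per trail by overriding TRAIL_NAME (and, for trails in other regions, REGION and LOG_GROUP); the log group and role steps are idempotent only in the sense that the CLI reports the existing resource, so comment them out when reusing one role across several trails.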