cloudtrail log using cloudformation template

In CloudTrail, I can select the existing log group CloudTrail/DefaultLogGroup under the CloudWatch Logs section. Can this step be done with a CloudFormation template?

Assuming you also create the log group with CloudFormation:

LogGroup: # A new log group
  Type: AWS::Logs::LogGroup
  Properties:
    RetentionInDays: 365 # optional

CloudTrailLogsRole: # A role for your trail
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Principal:
          Service: cloudtrail.amazonaws.com
      Version: '2012-10-17'

CloudTrailLogsPolicy: # The policy for your role
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
      - Action:
        - logs:PutLogEvents
        - logs:CreateLogStream
        Effect: Allow
        Resource:
          Fn::GetAtt:
          - LogGroup
          - Arn
      Version: '2012-10-17'
    PolicyName: DefaultPolicy
    Roles:
    - Ref: CloudTrailLogsRole

CloudTrail: # The trail
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: true
    S3BucketName: <your trail bucket name here> # required for every trail
    CloudWatchLogsLogGroupArn:
      Fn::GetAtt:
      - LogGroup
      - Arn
    CloudWatchLogsRoleArn:
      Fn::GetAtt:
      - CloudTrailLogsRole
      - Arn
  DependsOn:
  - CloudTrailLogsPolicy
  - CloudTrailLogsRole

If you use an existing log group:

CloudTrailLogsRole: # A role for your trail
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Principal:
          Service: cloudtrail.amazonaws.com
      Version: '2012-10-17'

CloudTrailLogsPolicy: # The policy for your role
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
      - Action:
        - logs:PutLogEvents
        - logs:CreateLogStream
        Effect: Allow
        Resource: <your existing log group arn here> # e.g. arn:aws:logs:<region>:<account-id>:log-group:CloudTrail/DefaultLogGroup:*
      Version: '2012-10-17'
    PolicyName: DefaultPolicy
    Roles:
    - Ref: CloudTrailLogsRole

CloudTrail: # The trail
  Type: AWS::CloudTrail::Trail
  Properties:
    IsLogging: true
    S3BucketName: <your trail bucket name here> # required for every trail
    CloudWatchLogsLogGroupArn: <your existing log group arn here>
    CloudWatchLogsRoleArn:
      Fn::GetAtt:
      - CloudTrailLogsRole
      - Arn
  DependsOn:
  - CloudTrailLogsPolicy
  - CloudTrailLogsRole
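The two templates above wire three things together: a role that only the CloudTrail service may assume, a policy that grants that role just `logs:PutLogEvents` and `logs:CreateLogStream` on the one log group, and a trail that references both. The following is an added example, not code from the answer or from AWS: an offline check, in plain Python with no third-party modules, that walks a parsed template (the dict shape `yaml.safe_load` or `json.load` would produce) and flags the mistakes that most often creep in when this snippet is copied, such as a trust policy that names the wrong service, a `logs:*` / `Resource: '*'` policy, a missing `DependsOn`, or a trail without the required `S3BucketName`. The `build_template` helper, the bucket name `example-trail-bucket` and the "bad" variant are constructed for the demonstration.

```python
"""Offline lint for the CloudTrail -> CloudWatch Logs wiring in a CloudFormation
template. Added example; it inspects the parsed template as a Python dict and
does not call AWS. Long-form intrinsics ({"Ref": ...}, {"Fn::GetAtt": [...]})
are expected, which is what the answer's YAML parses to.
"""

REQUIRED_ACTIONS = {"logs:PutLogEvents", "logs:CreateLogStream"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _ref_target(value):
    """Logical id that a Ref / Fn::GetAtt points at, or None for a literal."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            return _as_list(value["Fn::GetAtt"])[0]
    return None


def lint_trail_logging(template):
    """Return a list of findings; an empty list means the wiring looks right."""
    findings = []
    res = template.get("Resources", {})
    trails = {k: v for k, v in res.items() if v.get("Type") == "AWS::CloudTrail::Trail"}
    if not trails:
        return ["no AWS::CloudTrail::Trail resource in template"]
    for tid, trail in trails.items():
        props = trail.get("Properties", {})
        if props.get("IsLogging") is not True:
            findings.append(f"{tid}: IsLogging is not true")
        if "S3BucketName" not in props:
            findings.append(f"{tid}: S3BucketName is required for a trail")
        lg = props.get("CloudWatchLogsLogGroupArn")
        role_id = _ref_target(props.get("CloudWatchLogsRoleArn"))
        if lg is None or role_id is None:
            findings.append(f"{tid}: CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn must both be set")
            continue
        role = res.get(role_id, {})
        if role.get("Type") != "AWS::IAM::Role":
            findings.append(f"{tid}: CloudWatchLogsRoleArn does not reference an AWS::IAM::Role")
            continue
        # 1. Trust policy: exactly one principal, the CloudTrail service.
        principals = set()
        for s in role["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
            if s.get("Effect") == "Allow":
                p = s.get("Principal")
                principals.add(p.get("Service") if isinstance(p, dict) else p)
        if principals != {"cloudtrail.amazonaws.com"}:
            findings.append(f"{role_id}: trust policy principals {sorted(map(str, principals))} "
                            "should be exactly cloudtrail.amazonaws.com")
        # 2. Permissions: AWS::IAM::Policy resources attached to the role (the answer's
        #    pattern) plus any inline Policies on the role itself.
        stmts = []
        for pid, p in res.items():
            if p.get("Type") == "AWS::IAM::Policy" and any(
                    _ref_target(r) == role_id for r in _as_list(p["Properties"].get("Roles", []))):
                stmts += _as_list(p["Properties"]["PolicyDocument"]["Statement"])
                if pid not in _as_list(trail.get("DependsOn", [])):
                    findings.append(f"{tid}: add DependsOn {pid} so the trail is created after its permissions")
        for pol in role["Properties"].get("Policies", []):
            stmts += _as_list(pol["PolicyDocument"]["Statement"])
        granted = set()
        for s in stmts:
            if s.get("Effect") != "Allow":
                continue
            actions = set(_as_list(s.get("Action", [])))
            resources = _as_list(s.get("Resource", []))
            if any(a.endswith("*") for a in actions) or "*" in resources:
                findings.append(f"{role_id}: overly broad statement (actions={sorted(actions)}, "
                                f"resources={resources}); scope it to the trail's log group")
            # Only count actions that are scoped to the log group the trail writes to.
            if any(r == lg for r in resources):
                granted |= actions
        missing = REQUIRED_ACTIONS - granted
        if missing:
            findings.append(f"{role_id}: missing {sorted(missing)} on the trail's log group")
    return findings


def build_template(trust_service, actions, resource):
    """Constructed template in the answer's shape; the arguments vary the parts that matter."""
    return {"Resources": {
        "LogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {"RetentionInDays": 365}},
        "CloudTrailLogsRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": trust_service}}]}}},
        "CloudTrailLogsPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyName": "DefaultPolicy", "Roles": [{"Ref": "CloudTrailLogsRole"}],
            "PolicyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}]}}},
        "CloudTrail": {"Type": "AWS::CloudTrail::Trail",
                       "DependsOn": ["CloudTrailLogsPolicy", "CloudTrailLogsRole"],
                       "Properties": {"IsLogging": True, "S3BucketName": "example-trail-bucket",  # constructed
                                      "CloudWatchLogsLogGroupArn": {"Fn::GetAtt": ["LogGroup", "Arn"]},
                                      "CloudWatchLogsRoleArn": {"Fn::GetAtt": ["CloudTrailLogsRole", "Arn"]}}}}}


# The answer's wiring, and a copy-paste gone wrong (wrong trusted service, wildcard grant).
GOOD = build_template("cloudtrail.amazonaws.com", sorted(REQUIRED_ACTIONS), {"Fn::GetAtt": ["LogGroup", "Arn"]})
BAD = build_template("ec2.amazonaws.com", "logs:*", "*")

if __name__ == "__main__":
    for name, t in (("good", GOOD), ("bad", BAD)):
        print(name, lint_trail_logging(t) or "ok")
```

The check compares the policy's `Resource` with the trail's `CloudWatchLogsLogGroupArn` structurally, so it works both for the `Fn::GetAtt` form and for a literal ARN string pasted into both places; if you write the ARN in one place and a `GetAtt` in the other, it will report the required actions as missing, which is the point at which to make the two consistent.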