{CloudTrail}AWS Command Line Interface による組織の証跡の作成

https://docs.aws.amazon.com/ja_jp/awscloudtrail/latest/userguide/creating-trail-organization.html

-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

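# Install AWS CLI v2 from the official bundle. The bundle is fetched over
# HTTPS, but nothing here checked what was downloaded before it was run under
# sudo. AWS publishes a detached signature next to the bundle (.zip.sig), so
# fetch it and verify before unpacking; -f makes curl fail on an HTTP error
# instead of saving an error page as awscliv2.zip.
curl -f "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl -f "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.zip.sig"

# The AWS CLI signing public key is published in the AWS CLI installation
# documentation; save it to a local file and point this variable at it
# (AWS_CLI_PUBLIC_KEY_FILE is a placeholder name used by this runbook).
# Do not continue past gpg --verify unless it reports a good signature.
gpg --import "${AWS_CLI_PUBLIC_KEY_FILE:?set to the path of the AWS CLI public key file}"
gpg --verify awscliv2.zip.sig awscliv2.zip

unzip awscliv2.zip
sudo ./aws/install

aws --version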

-- 1.2 jqインストール
# jq is used in step 7 to pretty-print the downloaded CloudTrail records.
sudo yum -y install jq

 

-- 2. S3 バケットを作成する


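# Create the log bucket (bucket123 is a placeholder; bucket names are global,
# so pick a unique one). CloudTrail logs are audit data, so explicitly block
# all public access and read the setting back: the bucket policy added in
# step 3 only grants cloudtrail.amazonaws.com, but without this block a later
# public ACL or policy statement would still be accepted.
aws s3 mb s3://bucket123

aws s3api put-public-access-block \
--bucket bucket123 \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

aws s3api get-public-access-block \
--bucket bucket123

aws s3 ls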


-- 3. バケットポリシーの追加

# Write the bucket policy shown below to s3_policy.json. Before applying it,
# replace the placeholders with the real values: 999999999999 (the account that
# owns the trail), o-1111111111 (organization ID), trail01 (trail name) and
# ap-northeast-1 (the trail's home region). The aws:SourceArn condition must
# match the trail that is created in step 5 exactly, or delivery is refused.
vim s3_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket123"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket123/AWSLogs/999999999999/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:ap-northeast-1:999999999999:trail/trail01"
                }
            }
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket123/AWSLogs/o-1111111111/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:ap-northeast-1:999999999999:trail/trail01"
                }
            }
        }
    ]
}


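# Validate the policy document before applying it (jq was installed in
# step 1.2); a syntax error would otherwise surface only as a MalformedPolicy
# error from S3.
# NOTE(review): both s3:PutObject statements in s3_policy.json carry the same
# Sid (AWSCloudTrailWrite20150319). Giving the organization-path statement its
# own Sid makes the two distinguishable when the policy is audited.
jq empty s3_policy.json

aws s3api put-bucket-policy \
--bucket bucket123 \
--policy file://s3_policy.json

# Read the policy back. The Policy field comes back as an escaped JSON string,
# so extract it and pretty-print it for review.
aws s3api get-bucket-policy \
--bucket bucket123 \
--query Policy --output text | jq .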

-- 4. AWS Organizations で信頼済みサービスとして CloudTrail を有効にする

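# Organization trails require the organization to be in "all features" mode.
# Check the current feature set first instead of calling enable-all-features
# unconditionally: it is an organization-wide change (it presumably starts a
# handshake that invited member accounts have to approve), so only run it when
# the organization is still on consolidated billing only.
feature_set=$(aws organizations describe-organization \
--query 'Organization.FeatureSet' --output text)
if [[ "$feature_set" != "ALL" ]]; then
  aws organizations enable-all-features
fi

# Show which services already have trusted access before granting another one.
aws organizations list-aws-service-access-for-organization

# Register CloudTrail as a trusted service so a trail in this account can
# collect events from every member account.
aws organizations \
enable-aws-service-access \
--service-principal cloudtrail.amazonaws.com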

 

-- 5. 証跡の作成

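# Create the organization trail. The bucket policy's aws:SourceArn condition
# names ap-northeast-1 as the trail's home region, so pin --region here: if the
# CLI default region differed, the SourceArn check would not match and
# create-trail is expected to reject the bucket policy. Run this from the
# account named in that trail ARN (999999999999 in the policy).
# --enable-log-file-validation makes CloudTrail deliver signed digest files so
# later modification or deletion of delivered logs can be detected
# (see validate-logs in step 7).
# Optional hardening not used here: --kms-key-id for SSE-KMS encryption of the
# log objects (requires a matching KMS key policy).
aws cloudtrail create-trail  \
--region ap-northeast-1 \
--name trail01  \
--s3-bucket-name bucket123  \
--include-global-service-events  \
--is-multi-region-trail  \
--enable-log-file-validation  \
--is-organization-trail


aws cloudtrail list-trails
aws cloudtrail describe-trails
# Same region as create-trail so the lookup hits the trail's home region.
aws cloudtrail get-trail \
--region ap-northeast-1 \
--name trail01


aws cloudtrail get-event-selectors \
--region ap-northeast-1 \
--trail-name trail01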

 


-- 6. ログ記録の開始
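# A newly created trail is not logging until start-logging is called; check
# the status before and after.
aws cloudtrail get-trail-status \
--name trail01

aws cloudtrail start-logging \
--name trail01

# Confirm logging actually started: start-logging itself does not report the
# resulting state, so IsLogging is the positive signal to look for (True).
aws cloudtrail get-trail-status \
--name trail01 \
--query IsLogging --output text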


-- 7. 動作確認


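# List delivered objects. In this run the organization trail wrote under
# AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/.
aws s3 ls s3://bucket123 --recursive

# Stream a log object to stdout, decompress it and pretty-print it. The object
# names below are from one particular run (xxxxxxxxxxxxxxxx stands for the
# unique suffix); take real names from the listing above. The filter "." is
# given explicitly rather than relying on jq's behaviour when no program is
# supplied.
aws s3 cp s3://bucket123/AWSLogs/o-1111111111/888888888888/CloudTrail/ap-northeast-1/2022/03/21/888888888888_CloudTrail_ap-northeast-1_20220321T1235Z_xxxxxxxxxxxxxxxx.json.gz - |zcat |jq .

aws s3 cp s3://bucket123/AWSLogs/o-1111111111/999999999999/CloudTrail/ap-northeast-1/2022/03/21/999999999999_CloudTrail_ap-northeast-1_20220321T1240Z_xxxxxxxxxxxxxxxx.json.gz - |zcat |jq .

# Because the trail was created with --enable-log-file-validation, delivered
# logs can be checked against CloudTrail's signed digest files. Digests are
# delivered on an hourly cadence, so run this some time after logging started.
# Any file reported as not valid means a delivered log was modified or removed.
aws cloudtrail validate-logs \
--trail-arn arn:aws:cloudtrail:ap-northeast-1:999999999999:trail/trail01 \
--start-time 2022-03-21T00:00:00Z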

 


-- 8. クリーンアップ

-- 証跡の削除
# Confirm which trails exist before deleting; for an organization trail this
# presumably ends event collection for every member account, not just this one.
aws cloudtrail describe-trails

aws cloudtrail delete-trail \
--name trail01

 

-- バケットの削除

aws s3 ls
# --force deletes every object in the bucket first, i.e. all delivered audit
# logs. Only do this in a throwaway environment; otherwise confirm that the
# logs have been retained elsewhere for as long as your retention requirements
# demand before removing the bucket.
aws s3 rb s3://bucket123  --force