AWS S3 Bucket for Multi-Account Cloudtrail Storage Terraform module

Terraform module which creates an AWS S3 Bucket for Multi-Account Cloudtrail logs.

This is an opinionated tool for setting up a central bucket in an audit account to house multiple cloudtrail logs streams. Not recommended for trails with data events due to cost.

Features:

• AWS S3 default encryption for data at rest
• 365 day object lock in GOVERNANCE mode to prevent source file issues
• 366 day auto expiration

Usage

module "cloudtrail_s3" {
  source = "platformod/cloudtrail-s3"
  version = 0.CHANGE_ME

  # will get '-cloudtrail' appended
  name = "my-org-all-accounts"

  # Needs a list of maps with the accounts and trail arn that will write to this bucket.
  account_trails = [
    {account = 111111111111, arn = "arn:aws:cloudtrail:us-east-99:111111111111:trail/trail-name"},
    {account = 222222222222, arn = "arn:aws:cloudtrail:us-westish-42:222222222222:trail/trailier-name"},
  ]
}

• Complete

Requirements

Name	Version
terraform	>= 1.0
aws	>= 4.0

Providers

Name	Version
aws	5.41.0

Modules

Name	Source	Version
bucket	terraform-aws-modules/s3-bucket/aws	4.1.1

Resources

Name	Type
aws_iam_policy_document.bucket	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
account_trails	Mapping of AWS account id's to trail arns to allow write access for	list( object( { account = number arn = string } ) )	n/a	yes
name	A name prefix for the bucket, will have '-cloudtrail' appended	string	n/a	yes

Outputs

Name	Description
s3_bucket_arn	The AWS ARN of the bucket
s3_bucket_id	The name of the bucket

Tests

The tests in this repo will create and destroy real resources at AWS and incur cost. Please be careful when running them.

Thanks

Heavily inspired from the following repos

• https://github.com/cloudposse/terraform-aws-s3-log-storage
• https://github.com/terraform-aws-modules/terraform-aws-s3-bucket

License

MPL-2.0 Licensed. See LICENSE.