central cloudtrail s3 bucket for multiple aws accounts

How to Use a Central CloudTrail S3 Bucket for Multiple AWS Accounts?

Preparing for AWS Certified Security Specialty exam? Logging and Monitoring is an important domain in the exam blueprint with 20% weightage. So, to help you in your AWS Certified Specialty exam preparation, here we cover the the topic – How to Use a Central CloudTrail S3 Bucket for Multiple AWS Accounts that addresses the “Logging and Monitoring” domain as highlighted in the AWS Certified Security Specialty Exam Guide.

Try Now: AWS Certified Security Specilty Free Test

Let’s understand the problem statement first and then we’ll move to the solution.

Problem Statement

Nowadays, it is not uncommon for companies to have multiple AWS accounts. They could have separate accounts for different environments as shown below:

multiple aws accounts in different environments

Or maybe have different accounts for different business units as shown below:

multiple aws accounts in different business units

A very important aspect which is undertaken by organizations is to use CloudTrail to monitor all API calls. Some of the benefits of using CloudTrail are:

  • You can monitor all the activity occurring in your AWS account
  • It gives the security department to see if any malicious activity is occurring via unwarranted API calls
  • Ability to stream the API calls to CloudWatch logs or S3 buckets for further analysis

But with the advent of so many accounts, using CloudTrail and multiple S3 buckets across so many accounts is normally not an ideal solution. What’s the most efficient solution to this problem then? 

To Use a Central CloudTrail S3 Bucket for Multiple AWS Accounts, is the most-effective solution. Let’s dive deep to understand it.

Solution: Using Central CloudTrail S3 Bucket for Multiple AWS Accounts

Companies now adopt having a central Security account and stream all the CloudTrail logs into one account as shown below:

central security account

So let’s look at how you can implement central logging

Step 1) Let’s assume that your central account is called cloud-production

In S3 , first create a bucket that will hold all of the CloudTrail log files

create s3 bucket

Also Read: How to Setup and Use Amazon S3?

Step 2) Go to the bucket and add a bucket policy

adding bucket policy

  1. In the bucket policy first add a policy statement to allow CloudTrail to have the permission to get the bucket ACL
  2. Next, we need to add the permissions for the accounts to have permissions to add objects to the bucket.

Here one account 283879671964 is the account number of the production or security account

And the other account 213171387512 is the account number of another account called cloud-staging. In the next step we are going to configure the cloud-staging account to use this bucket for logging purposes.

configure cloud staging account

Step 3) Now log into the other account as shown below. Let’s refer this as the cloud-staging account

cloud staging account

Go to the CloudTrail service

Step 4) Create a new trail in this account

create new cloudtrail

Also Read: How to Setup CloudTrail?

Step 5) In the configuration for the CloudTrail, ensure to enter the S3 bucket which was created earlier in the cloud-production account.

enter s3 bucket in cloudtrail

Then go ahead and save the trail.

After some time, when you go back to your production account and go to the security bucket, you will see the log files for the cloud-staging account

log files for cloud staging account

Other Related Resources:

How to Set Right Inbound & Outbound Rules for Security Groups and NACLs?

Working with IAM and Bucket Policies

How to Grant Access to AWS Resources to the Third Party via Roles & External Id?

Summary

  • When you have multiple AWS accounts, from a security perspective, its good to have all the logs directed to a central account
  • In the central account, create a bucket to hold the logs
  • Ensure a bucket policy is in place to provide access to all other accounts the ability to add objects to the central S3 bucket
  • Then create a trail in each account and ensure that the bucket name is specified in the cloud trail
  • This is the procedure of using Central CloudTrail S3 Bucket for Multiple AWS Accounts

So, how’s your preparation going for AWS Certified Security Specialty exam? Hope this topic will help you understand the concepts and take your exam preparation one level up. Check your preparation level and give your preparation a new edge with AWS Certified Security Specialty practice tests. This practice tests series has been curated to help you prepare for the exam and get ready to pass the exam in the first attempt.

Seeking any help/assistance for your AWS Certified Security Specialty exam preparation? Write us in the comment below or reach us at Whizlabs Helpdesk, we’ll be happy to help you.

About Pavan Gumaste

Pavan Rao is a programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. He helps the organisation figure out what to build, ensure successful delivery, and incorporate user learning to improve the strategy and product further.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top