[CONTROL TOWER] Change CloudTrail Org trail Log Group name


Aim

Our organization has a functional requirement that the name of the CloudWatch Log Group for the Org trail be in a certain format.

Justification

We've analyzed that creating duplicate trails across the landing zone (individual account trails in each of our workload accounts) is too costly, purely for this compliance requirement.

The Control Tower-configured Org trail is the default and cannot be changed directly in the Control Tower management account: aws-controltower/CloudTrailLogs:

[Screenshot: CloudWatch logs]

Steps taken to recreate this issue

Within the AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER CFN stack set, I've tried changing the ManagedResourcePrefix parameter:

[Screenshot: StackSet Parameter]

However, I'm presented with this error when changing the ManagedResourcePrefix parameter:

[Screenshot: error on AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER]

Alex
asked 10 months ago, 458 views
3 Answers

Hi,

Based on the requirements, it seems that you may not require AWS Control Tower to set up an organization trail; instead you may want to create your own with customization.

If that assumption is right, then you can opt out of configuring CloudTrail trails in Control Tower. It won't create a trail for you, and later you can create one with all the custom names/formats etc. Here is how you can opt out: Optionally configure AWS CloudTrail trails.

Interestingly, this document briefly covers your situation as well, where it mentions that it may incur additional cost if you keep the Org trail provisioned by Control Tower and create your custom ones too, which is obvious.

Edit: If you only need to modify this, I would be curious to see if there is any IAM role attached to CloudFormation. If so, take a look at its permissions for CloudTrail and the log group, and try adding a broader set of permissions to let it pass the way you want, specifically delete permissions for CloudTrail and CloudWatch. When this parameter (ManagedResourcePrefix) value changes, it would trigger the deletion of the existing trail, and once the IAM role attached to CFN has that permission, it should pass through fairly easily.

Throwing up some additional documents around Control Tower Customization and commissioning/decommissioning:

References:

Customize Landing Zone

Guidance for creating/modifying Control Tower Resources

Decommissioning an AWS Control Tower Landing Zone

AWS EXPERT
answered 10 months ago

Thanks for your response!

However, we still need the organizational trail for our managed services operations.

The customized log group naming convention was only for a selected few accounts to be piped over to external parties as a CloudWatch Logs group subscription filter (if possible, in order to cherry-pick only the logs from the workload accounts).

In the event that we change any CloudTrail settings, it might trigger a detected drift in Control Tower, which is intended and something we want to avoid.

Apart from the naming convention of the log group, we're okay with piping the org trail via the subscription filter.

Alex
answered 10 months ago
  • If you only need to modify this, I would be curious to see if there is any IAM role attached to CloudFormation. If so, take a look at its permissions for CloudTrail and the log group, and try adding a broader set of permissions to let it pass the way you want, specifically delete permissions for CloudTrail and CloudWatch. When this parameter (ManagedResourcePrefix) value changes, it would trigger the deletion of the existing trail, and once the IAM role attached to CFN has that permission, it should pass through fairly easily.

    Keep me posted how it goes, I’ll try to replicate this at my end too if it doesn’t work for you.

    PS: I'm adding this response to my answer for better community experience if this discussion gets referred in future.

  • If you have additional questions, please comment here, else please accept the answer for better community experience. Thank you.
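
The approach Alex describes in the reply above, keeping the Control Tower org trail and cherry-picking a few workload accounts out of its log group with a subscription filter, as an added example that is not part of the original thread or any AWS-provided code. It assumes the default log group name quoted in the question (aws-controltower/CloudTrailLogs), hypothetical workload account IDs, a hypothetical CloudWatch Logs destination ARN in the receiving account, and a boto3 CloudWatch Logs client passed in by the caller so the module runs offline; the sample CloudTrail records are constructed, not real events.

```python
"""Cherry-pick workload-account events out of the Control Tower org-trail
log group with a CloudWatch Logs subscription filter, instead of creating
per-account trails. Added example; assumptions are labelled below."""
import json

# Default Control Tower org-trail log group in the management account (named
# in the question). The name cannot be changed, but a filter can be attached.
ORG_TRAIL_LOG_GROUP = "aws-controltower/CloudTrailLogs"

# Hypothetical workload accounts whose events go to the external party.
WORKLOAD_ACCOUNTS = ["111111111111", "222222222222"]


def build_filter_pattern(account_ids):
    """Return a CloudWatch Logs JSON filter pattern that matches CloudTrail
    records whose recipientAccountId is one of account_ids. CloudTrail writes
    one JSON record per log event, so $.recipientAccountId is the account the
    event belongs to."""
    if not account_ids:
        raise ValueError("at least one account id is required")
    clauses = [f'($.recipientAccountId = "{a}")' for a in account_ids]
    return "{ " + " || ".join(clauses) + " }"


def event_matches(filter_pattern, log_event_message):
    """Offline check of the small pattern subset build_filter_pattern emits,
    so the filter can be validated against sample events before it touches
    the real log group. Not a general CloudWatch filter-pattern evaluator."""
    body = filter_pattern.strip()
    assert body.startswith("{") and body.endswith("}")
    wanted = set()
    for clause in body[1:-1].split("||"):
        clause = clause.strip().strip("()").strip()
        field, _, value = clause.partition("=")
        assert field.strip() == "$.recipientAccountId"
        wanted.add(value.strip().strip('"'))
    try:
        record = json.loads(log_event_message)
    except json.JSONDecodeError:
        return False  # a non-JSON event never matches a JSON pattern
    return record.get("recipientAccountId") in wanted


def apply_subscription_filter(logs_client, destination_arn, account_ids,
                              filter_name="workload-accounts-to-external"):
    """Attach the filter to the org-trail log group and return the pattern.
    logs_client: boto3 CloudWatch Logs client (injected; assumption).
    destination_arn: CloudWatch Logs destination in the receiving account
    (hypothetical). A log group allows at most two subscription filters."""
    pattern = build_filter_pattern(account_ids)
    logs_client.put_subscription_filter(
        logGroupName=ORG_TRAIL_LOG_GROUP,
        filterName=filter_name,
        filterPattern=pattern,
        destinationArn=destination_arn,
    )
    return pattern


# Constructed sample CloudTrail records, not real events.
SAMPLE_EVENTS = [
    json.dumps({"eventName": "ConsoleLogin", "recipientAccountId": "111111111111"}),
    json.dumps({"eventName": "PutObject", "recipientAccountId": "333333333333"}),
    "not json",
]


def filter_sample_events(account_ids=WORKLOAD_ACCOUNTS):
    """Event names from SAMPLE_EVENTS that the filter would forward."""
    pattern = build_filter_pattern(account_ids)
    return [json.loads(e)["eventName"] for e in SAMPLE_EVENTS
            if event_matches(pattern, e)]


if __name__ == "__main__":
    print(build_filter_pattern(WORKLOAD_ACCOUNTS))
    print(filter_sample_events())
```

Because the filter is evaluated per record by CloudWatch Logs, only the selected accounts' events leave the management account, and the management account's own events and the other workload accounts stay out of the external feed; the receiving side still needs a CloudWatch Logs destination with a resource policy that trusts the management account.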


Take a look at the IAM role being used to deploy the Control Tower CloudFormation stack for the CloudTrail.

You may find the IAM role only has create trail permissions and no access to delete/change the setting.

Be careful changing the trail setting in CF; it may delete the log group before creating a new one. I don't know this off the top of my head without looking at the stack.

EXPERT
answered 10 months ago
