[CONTROL TOWER] Change CloudTrail Org trail Log Group name


Aim

Our organization has a functional requirement that the name of the CloudWatch Log Group for the Org trail be in a certain format.

Justification

We've analyzed that creating duplicate trails across the landing zone (individual account trails in each of our workload accounts) is costly, purely for this compliance requirement.

The Control Tower-configured Org trail is the default and cannot be changed directly in the Control Tower management account; its log group is aws-controltower/CloudTrailLogs:

[Screenshot: CloudWatch Logs console showing the log group]

Steps taken to recreate this issue

Within the AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER CFN stack set, I've tried changing the ManagedResourcePrefix parameter:

[Screenshot: StackSet parameter ManagedResourcePrefix]

However, I'm presented with this error when changing the ManagedResourcePrefix parameter:

[Screenshot: error from the AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER stack set update]

Alex
asked 1 year ago, 510 views
3 answers

Hi,

Based on the requirements, it seems that you may not require AWS Control Tower to set up an organization trail; instead you may want to create your own with customization.

If that assumption is right, then you can opt out of configuring CloudTrail in Control Tower. It won't create a trail for you, and later you can create one with all the custom names/formats etc. Here is how you can opt out: Optionally configure AWS CloudTrail trails.

Interestingly, this document also covers your situation: it mentions that it may incur additional cost if you keep the Org trail provisioned by Control Tower and create your custom ones too, which is obvious.

Edit: If you only need to modify this, I would be curious to see whether there is an IAM role attached to CloudFormation. If so, take a look at its permissions for CloudTrail and the log group, and try adding a broader set of permissions to let it pass the way you want, specifically delete permissions for CloudTrail and CloudWatch. A change to this parameter (ManagedResourcePrefix) value would trigger deletion of the existing trail, and once the IAM role attached to CFN has that permission, it should pass through fairly easily.

Throwing in some additional documents around Control Tower customization and commissioning/decommissioning:

References:

Customize Landing Zone

Guidance for creating/modifying Control Tower Resources

Decommissioning an AWS Control Tower Landing Zone

AWS Expert
answered 1 year ago
Reviewed by two Experts 1 year ago

Thanks for your response!

However, we still need the organizational trail for our managed services operations.

The customized log group naming convention was only for a select few accounts, to be piped over to external parties via a CloudWatch Logs group subscription filter (if possible, in order to cherry-pick only the logs from those workload accounts).

In the event that we change any CloudTrail settings, it might trigger a detected drift in Control Tower, which is intended and something we want to avoid.

Apart from the naming convention of the log group, we're okay with piping the org trail via the subscription filter.

Alex
answered 1 year ago
  • If you only need to modify this, I would be curious to see whether there is an IAM role attached to CloudFormation. If so, take a look at its permissions for CloudTrail and the log group, and try adding a broader set of permissions to let it pass the way you want, specifically delete permissions for CloudTrail and CloudWatch. A change to this parameter (ManagedResourcePrefix) value would trigger deletion of the existing trail, and once the IAM role attached to CFN has that permission, it should pass through fairly easily.

    Keep me posted how it goes, I’ll try to replicate this at my end too if it doesn’t work for you.

    PS: I'm adding this response to my answer for better community experience if this discussion gets referred in future.

  • If you have additional questions, please comment here, else please accept the answer for better community experience. Thank you.
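Alex's reply above says the custom log group name was only a means to cherry-pick a few workload accounts' events for a subscription filter to external parties. The block below is an added example, not code from the thread or from AWS: it builds the CloudWatch Logs filter pattern that selects CloudTrail records by recipientAccountId from the existing aws-controltower/CloudTrailLogs group, and includes a small offline evaluator for that pattern subset so the selection can be checked against sample records before the filter is created. The account IDs and the sample log lines are constructed for the example.

```python
import json
import re

# The Control Tower-managed org-trail log group named in the question.
ORG_TRAIL_LOG_GROUP = "aws-controltower/CloudTrailLogs"

# Constructed sample: the "select few" workload accounts whose events should be forwarded.
SELECTED_ACCOUNTS = ["111122223333", "444455556666"]


def build_filter_pattern(account_ids):
    """Build a CloudWatch Logs JSON filter pattern that matches CloudTrail events
    delivered to any of the given accounts.

    CloudTrail records carry the delivering account in recipientAccountId, so the
    pattern is an OR of equality tests on that field, e.g.
      { ($.recipientAccountId = "111122223333") || ($.recipientAccountId = "444455556666") }
    """
    clauses = ['($.recipientAccountId = "%s")' % acct for acct in account_ids]
    return "{ " + " || ".join(clauses) + " }"


# One clause of the subset of filter syntax build_filter_pattern emits.
_CLAUSE = re.compile(r'\(\$\.([A-Za-z0-9_.]+)\s*=\s*"([^"]*)"\)')


def matches_pattern(pattern, record):
    """Offline evaluator for patterns produced by build_filter_pattern (an OR of
    string-equality tests on dotted JSON fields). It stands in for the CloudWatch
    Logs matcher so the selection can be checked locally; it does not implement
    the full filter-pattern grammar."""
    clauses = _CLAUSE.findall(pattern)
    if not clauses:
        raise ValueError("pattern contains no supported clauses: %r" % pattern)
    for field, expected in clauses:
        value = record
        for part in field.split("."):
            value = value.get(part) if isinstance(value, dict) else None
        if value is not None and str(value) == expected:
            return True
    return False


def select_events(pattern, log_lines):
    """Return the CloudTrail records (one JSON object per log line) the filter forwards."""
    records = (json.loads(line) for line in log_lines)
    return [rec for rec in records if matches_pattern(pattern, rec)]


# Constructed sample log lines in the shape CloudTrail writes to CloudWatch Logs;
# only the fields used here are included.
SAMPLE_LOG_LINES = [
    json.dumps({"eventVersion": "1.08", "eventName": "ConsoleLogin",
                "recipientAccountId": "111122223333", "awsRegion": "us-east-1"}),
    json.dumps({"eventVersion": "1.08", "eventName": "AssumeRole",
                "recipientAccountId": "777788889999", "awsRegion": "us-east-1"}),
    json.dumps({"eventVersion": "1.08", "eventName": "CreateTrail",
                "recipientAccountId": "444455556666", "awsRegion": "eu-west-1"}),
]


def demo():
    """Build the pattern for SELECTED_ACCOUNTS and return (pattern, forwarded eventNames)."""
    pattern = build_filter_pattern(SELECTED_ACCOUNTS)
    picked = select_events(pattern, SAMPLE_LOG_LINES)
    return pattern, [rec["eventName"] for rec in picked]


if __name__ == "__main__":
    pattern, names = demo()
    print("log group:      ", ORG_TRAIL_LOG_GROUP)
    print("filter pattern: ", pattern)
    print("forwarded:      ", names)
```

The pattern string is what you pass to `aws logs put-subscription-filter --log-group-name aws-controltower/CloudTrailLogs --filter-name <name> --filter-pattern '<pattern>' --destination-arn <arn>`; for an external party the destination ARN is a CloudWatch Logs destination created in the receiving account, and the log group in that account can carry whatever name the naming convention requires, so nothing in the Control Tower-managed stack set has to change.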


Take a look at the IAM role being used to deploy the Control Tower CloudFormation stack for the CloudTrail.

You may find the IAM role only has create-trail permissions and no access to delete/change the setting.

Be careful changing the trail setting in CF; it may delete the log group before creating a new one. I don't know this off the top of my head without looking at the stack.

Expert
answered 1 year ago
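Both this answer and the edit to the first one say to inspect the role CloudFormation uses and see whether it can delete as well as create. The block below is an added example, not code from the thread or from AWS, that performs that check offline: given the role's policy document, it reports which of the CloudTrail and CloudWatch Logs actions a trail replacement needs are not allowed. The policy document is a constructed sample (a role that can create and update but not delete), not the real Control Tower execution role policy, and the evaluation is a simplified one that ignores Resource and Condition.

```python
import fnmatch
import json

# Actions a CloudFormation update that replaces the org trail and its log group
# would call; replacement means delete-then-create, as the answers above warn.
REQUIRED_ACTIONS = [
    "cloudtrail:CreateTrail",
    "cloudtrail:UpdateTrail",
    "cloudtrail:DeleteTrail",
    "logs:CreateLogGroup",
    "logs:DeleteLogGroup",
]

# Constructed sample policy for the role: it can create and update, but not delete.
# This is NOT the real Control Tower execution role policy.
SAMPLE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudtrail:CreateTrail", "cloudtrail:UpdateTrail", "logs:Create*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:DeleteLogGroup", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalize to a list."""
    return value if isinstance(value, list) else [value]


def action_allowed(policy_doc, action):
    """Simplified IAM evaluation for a single action: an explicit Deny always wins,
    otherwise some Allow statement whose Action glob matches is required, and the
    default is deny. Action matching is case-insensitive with IAM's '*' and '?'
    wildcards. Resource and Condition are ignored on the assumption that the
    role's statements use Resource "*", as the sample does."""
    decision = False
    for stmt in _as_list(policy_doc["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not allow, in REQUIRED_ACTIONS order."""
    doc = json.loads(policy_json)
    return [a for a in required if not action_allowed(doc, a)]


if __name__ == "__main__":
    gaps = missing_actions(SAMPLE_ROLE_POLICY)
    if gaps:
        print("stack update would fail; role cannot:", ", ".join(gaps))
    else:
        print("role covers all required actions")
```

To run it against a real role, feed it the PolicyDocument returned by `aws iam get-role-policy --role-name <role> --policy-name <policy>` (and any attached managed policies); the delete actions in the result are exactly the ones the first answer's edit suggests adding, and the list doubles as the change that would have to be reviewed before touching a Control Tower-managed stack set.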
