CloudTrail is not integrated with CloudWatch

ID

aws_cloudtrail_cloudwatch_integration

Severity

low

Vendor

AWS

Resource

Logging

Tags

non-reachable

Description

CloudTrail is not integrated with CloudWatch. Sending the trail to a CloudWatch Logs log group lets you detect critical events captured by Amazon CloudTrail with CloudWatch Logs metric filters and alarms, and respond to them.

To fix it, set both the cloudwatch_logs_log_group_arn and cloudwatch_logs_role_arn properties on the trail.

Learn more about this topic in the AWS guide "Sending events to CloudWatch Logs".

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create
      amazon.aws.cloudtrail:
        state: present
        name: default
        s3_bucket_name: mylogbucket
        region: us-east-1
        is_multi_region_trail: true
        enable_log_file_validation: true
        kms_key_id: "alias/MyAliasName"
        tags:
          environment: dev
          Name: default

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create
      amazon.aws.cloudtrail:
        state: present
        name: default
        s3_bucket_name: mylogbucket
        region: us-east-1
        is_multi_region_trail: true
        enable_log_file_validation: true
        # CloudWatch Logs integration: both the role and the log group are required
        cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
        cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
        kms_key_id: "alias/MyAliasName"
        tags:
          environment: dev
          Name: default
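The rule's logic as a small Python check, added here as an example and not part of this rule's own tooling: it walks a parsed playbook (the structure yaml.safe_load returns; the sample below is constructed) and reports every amazon.aws.cloudtrail task that creates a trail without both CloudWatch Logs properties, descending into block/rescue/always sections and skipping trails being deleted.

```python
"""Added example (not this rule's own code): flag amazon.aws.cloudtrail tasks that
create a trail without both CloudWatch Logs properties. The playbook is passed as
the structure yaml.safe_load returns; the sample below is constructed."""

MODULE_NAMES = {"amazon.aws.cloudtrail", "cloudtrail"}
REQUIRED = ("cloudwatch_logs_log_group_arn", "cloudwatch_logs_role_arn")


def _iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        sections = [s for s in ("block", "rescue", "always") if s in task]
        if sections:
            for s in sections:
                yield from _iter_tasks(task[s])
        else:
            yield task


def find_unintegrated_trails(playbook):
    """Return [(play name, task name, [missing properties])] for offending tasks."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks"):
            for task in _iter_tasks(play.get(section)):
                module = next((k for k in task if k in MODULE_NAMES), None)
                args = task.get(module)
                if not isinstance(args, dict) or args.get("state") == "absent":
                    continue  # not a cloudtrail task, or a trail being deleted
                missing = [p for p in REQUIRED if not args.get(p)]
                if missing:
                    findings.append((play.get("name", "?"), task.get("name", "?"), missing))
    return findings


# Constructed sample: the page's unintegrated trail next to its fixed variant.
SAMPLE_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "create", "amazon.aws.cloudtrail": {
        "state": "present", "name": "default", "s3_bucket_name": "mylogbucket"}},
    {"name": "create integrated", "amazon.aws.cloudtrail": {
        "state": "present", "name": "default", "s3_bucket_name": "mylogbucket",
        "cloudwatch_logs_role_arn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
        "cloudwatch_logs_log_group_arn":
            "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"}},
]}]

if __name__ == "__main__":
    for play, task, missing in find_unintegrated_trails(SAMPLE_PLAYBOOK):
        print(f"{play} / {task}: missing {', '.join(missing)}")
```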