Sending Cloudtrail Logs to Acante Log Processor

2: Deploy the Acante Components

Run the provided Terraform on the Configurations page of the Acante UI to enable Cloudtrail log collection for S3. Update the inputs in the dev.tfvars

• Set the Cloudtrail flag to True

enable-cloudtrail-logs-processing=true

• If the Acante deployment will create a new Management Trail, then no other inputs are required. The parameter block below should be left commented out.
• If using an existing trail, then the block below should be uncommented and the trail parameters should be specified:

cloudtrail-mgmt-events-trail-config {
    trail-name = ""   // Use the trail name, not ARN
    bucket-name = ""   // Use the bucket name, NOT ARN e.g. "acme-cloudtrail-bucket"
    mgmt-events-key-prefix = ""    // Check the config of your trail for Prefix. If it is empty add the first prefix in the trail ARN without any slash e.g. "AWSLogs"
    data-events-key-prefix = ""  // Set value as "Acante-CloudTrail-Data-Events" or another prefix of your choice
    kms-key-alias = ""  // Use the key alias, not ARN
    sns-topic-arn = "" // Add complete Topic ARN if using existing topic. Leave empty if there is no existing ARN
}

• Plan and apply the Terraform

3: When No Existing Management Trail

No further configurations are required. The Terraform process will create and configure the Cloudtrail S3 Bucket, the KMS key and its policy, and give the Acante lambda permissions to create the necessary Trails.

4: When Using an Existing Management Trail

When using an existing management trail, updates are required to AWS configurations to complete the process.

• SNS Topic ARN
• Ownership Configuration for the Cloudtrail S3 Bucket
• Bucket Policy for the Cloudtrail S3 Bucket
• KMS Key Policy for Cloudtrail

4.1 SNS Topic ARN

If the Management Trail already has an SNS Topic ARN, provide the topic ARN in the trail parameters section of the dev.tfvars input file for Terraform:

cloudtrail-mgmt-events-trail-config {
...
sns-topic-arn = ""
}

Update the existing SNS Topic by creating a subscription for the Acante Queue ARN created as the output of the Terraform process.

cloudtrail-log-processor-lambda-message-queue-arn

This will put the status of the Topic in a “pending state”. Use the “publish message” button on the console to push a test message to the Topic. Acante will provide you with the Subscribe URL - visit the URL on the browser to confirm the subscription and complete the handshake. At this point, the status of the Topic should read Confirmed.

• If there is no existing SNS Topic ARN, uncomment and leave the field sns-topic-arn = "" empty. In this case, Terraform deployment process produces the SNS Topic as an output variable called:

acante-cloudtrail-data-events-sns-topic-name

Add this Topic to the Management Trail in the AWS console.

4.2 Cloudtrail S3 Bucket Configuration

Ensure that the destination Cloudtrail S3 Bucket ownership control is set to Enforced in the S3 bucket dashboard. If the bucket is in Preferred state it will create access issues.

4.3 Updating Bucket Policy for the CloudTrail S3 Bucket

The Bucket Policy for for the Cloudtrail S3 Bucket should allow the Acante Lambda access to the Bucket for 2 purposes:

• The Data Events trail created by the Terraform requires Upload File Objects permissions to this Bucket
• The Acante Lambda created by the Terraform requires Download Objects permissions from the Bucket to get Management and Data Events objects

A sample policy is provided below for this. Please update the variable names with actual values based on your setup.
<bucket-name> : // Target Cloudtrail S3 Bucket
<region>: // Primary region of operation defined in the dev.tfvars
<accountID>: // Where the management trail is defined & where Acante Cloudtrail Lambda service is deployed

Sample policy is provided below to configure the Data Events Trail

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::<bucket-name>",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:cloudtrail:<region>:<accountID>:trail/acante-cloudtrail-data-events"
                }
            }
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<bucket-name>/Acante-Cloudtrail-Data-Events/AWSLogs/<accountID>/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": "arn:aws:cloudtrail:<region>:<accountID>:trail/acante-cloudtrail-data-events"
                }
            }
        }
    ]
}

Sample policy to provide 'Download Objects' permissions to the Acante Lambda for the Data Events Trail

The Terraform process output an ARN

<acante-cloudtrail-log-processor-execution-role-arn>

The <data-events-prefix> and <mgmt-events-prefix> are defined in the dev.tfvars input file.

"Statement": [
{
            "Sid": “AllowCloudtrailLogProcessorLambdaAccessGetObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<acante-cloudtrail-log-processor-execution-role-arn>"  
            },
            "Action": [
                "s3:GetObject",
            ],
            "Resource": [
"arn:aws:s3:::<bucket-name>/<data-events-prefix>/*",
“arn:aws:s3:::<bucket-name>/<mgmt-events-prefix>/*”
]
   },
{
            "Sid": "AllowCloudtrailLogProcessorLambdaAccessGetBucketAcl",
            "Effect": "Allow",
          "Principal": {
                "AWS": "<acante-cloudtrail-log-processor-execution-role-arn>"  
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::<bucket-name>",
   }

]

4.4 KMS Key Permissions Policy Sample for Acante Data Events Trail

This configuration is required only if the Management Trail is enabled for KMS. There are two sections which need to be considered here:

• Section 1 updates the policy of key <key_ID>: it grants GenerateDataKey permission to the Cloudtrail service to generate a data encryption key, use it to encrypt and store data events logs into the S3 bucket
• The second section grants decrypt permissions for the Acante Lambda Log Processor module to decrypt the log files delivered by Cloudtrail, using this key <key_ID>.

Section 1

{
  "Sid": "Allow CloudTrail to encrypt logs",
  "Effect": "Allow",
  "Principal": {
       "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "kms:GenerateDataKey*",
  "Resource": "arn:aws:kms:<region>:<accountID>:key/<key_ID>",
  "Condition": {
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": [
         "arn:aws:cloudtrail:*:<accountID>:trail/*"
      ]
    },
    "StringEquals": {
        "aws:SourceArn": "arn:aws:cloudtrail:<region>:<accountID>:trail/acante-cloudtrail-data-events"
    }
  }
},

{
      "Sid": "Allow CloudTrail to decrypt a trail",
      "Effect": "Allow",
      "Principal": {
          "Service": "cloudtrail.amazonaws.com"
        },
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:<region>:<accountID>:key/<key_ID>"
},

{
            "Sid": "Allow CloudTrail to describe key",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "kms:DescribeKey",
            "Resource": "arn:aws:kms:<region>:<accountID>:key/<key_ID>"
}

Section 2

{
"Sid": "Enable CloudTrail log decrypt permissions",
"Effect": "Allow",
"Principal": {
     "AWS": "<acante-cloudtrail-log-processor-execution-role-arn>"  
},
"Action": "kms:Decrypt",
"Resource":"arn:aws:kms:<region>:<accountID>:key/<key_ID>",
"Condition": {
"Null": {
     "kms:EncryptionContext:aws:cloudtrail:arn": "false"
}
}
}