Enable CloudTrail Event Logging for S3 Buckets and Objects
You must enable CloudTrail event logging so that you have a record of activity in your AWS account. You need to enable this feature only once for your account; you do not need to repeat it for each AWS tenant you authorize.
1. In the AWS console, navigate to CloudTrail and choose Create Trail.
2. Provide a meaningful Trail name for your trail.
3. Under Events, choose Data Events to log data events.
4. For Storage location, choose Use existing S3 bucket, and choose Browse to select an S3 bucket in your account.
5. You may optionally choose to enable Log file SSE-KMS encryption for your log files. (If you choose this option, see Step 11.)
6. On the Choose log events page, choose Data events.
7. For Data event source, choose S3.
8. You can choose from:
   - Log all current and future S3 buckets (this is the default). Choose to log Write events.
   - Individual bucket selection (this can be a more economical choice). Browse for existing buckets and click Add bucket to log data events for each. Choose to log Write events.
9. For the remaining options in the CloudTrail creation wizard, choose the settings appropriate to your environment.
10. On the Review and Create page, review your choices and click Edit if necessary. Then click Create Trail.
11. If in Step 5 you chose to enable Log file SSE-KMS encryption for your log files, grant the role CiscoSecureAccessScanner permission to use the encryption key. In the AWS console, under Key Management Service (KMS) > Customer managed keys > Key ID > Edit key policy, add a statement that grants permission to the role CiscoSecureAccessScanner.
12. If your S3 buckets have restrictive policies associated with them, add statements to those policies to grant the role CiscoSecureAccessScanner access to those buckets. In the AWS console, see Amazon S3 > Buckets > Bucket Name > Permissions > Bucket Policy.
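The following is an added example, not part of this page or of the Cisco product, that expresses the two configuration choices above as data: it builds the CloudTrail advanced event selector for S3 Write data events (all buckets, or a selected list, as in Step 8), and checks whether a KMS key policy or bucket policy actually contains an Allow statement for the scanner role (Steps 11 and 12). The account ID, the sample key policy and the choice of `kms:Decrypt` as the permission the role needs are assumptions made for the example.

```python
"""Helpers for the CloudTrail data-event and policy steps above (added example)."""
import fnmatch

SCANNER_ROLE = "CiscoSecureAccessScanner"      # role named on the page
ACCOUNT_ID = "123456789012"                     # placeholder account ID (constructed)
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{SCANNER_ROLE}"


def s3_write_event_selector(buckets=None):
    """Build one CloudTrail advanced event selector for S3 object Write data events.
    buckets=None logs all current and future buckets (the default in Step 8);
    a list of bucket names restricts logging to those buckets."""
    fields = [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "readOnly", "Equals": ["false"]},   # Write events only
    ]
    if buckets:
        fields.append({"Field": "resources.ARN",
                       "StartsWith": [f"arn:aws:s3:::{b}/" for b in buckets]})
    return {"Name": "S3 write data events", "FieldSelectors": fields}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, principal_arn, action):
    """True if the policy document has an Allow statement that names principal_arn
    under Principal.AWS and lists action (wildcards such as kms:* accepted).
    Deny statements are not evaluated here; this is a presence check only."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_arn not in aws:
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            return True
    return False


# Constructed sample of the key-policy statement Step 11 asks you to add
# (assumed: the scanner needs kms:Decrypt to read SSE-KMS encrypted log files).
KMS_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowScannerToDecryptLogs", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}
```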