Exported on 25-Aug-2021 18:18:58
Parameters
1 - Install AWS CLI
Login as user {Host_Creds} on node {Hostname}
#refresh the package index
sudo apt update
#install the awscli package. Note that Ubuntu's apt package is AWS CLI v1; AWS CLI v2 is only distributed by AWS as a zip bundle, not through apt. Every command in this blueprint works with either version
sudo apt install -y awscli
2 - Create AWS Credentials File
Login as user {Host_Creds} on node {Hostname}
#create the hidden .aws directory in our home dir (-p makes the step safe to re-run) and make it readable by this user only
mkdir -p ~/.aws
chmod 700 ~/.aws
#create the credentials file to store our access and secret keys, readable by this user only
touch ~/.aws/credentials
chmod 600 ~/.aws/credentials
#set our credentials. These are long-lived IAM user keys, so the IAM user should hold only the S3 and CloudTrail permissions this blueprint needs; on an EC2 host an instance role avoids storing keys on disk at all
echo "[default]" > ~/.aws/credentials
echo "aws_access_key_id={accesskey.value}" >> ~/.aws/credentials
echo "aws_secret_access_key={secretkey.value}" >> ~/.aws/credentials
3 - Create AWS Config File
Login as user {Host_Creds} on node {Hostname}
#create config file to store our AWS CLI preferences
touch ~/.aws/config
echo "[default]" > ~/.aws/config
echo "region={awsregion.value}" >> ~/.aws/config
echo "output={awsoutputformat.value}" >> ~/.aws/config
4.1 - Create Bucket Policy File
To let CloudTrail write to the bucket without opening it to anyone else, the bucket needs a bucket policy. The policy below is the one documented at https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html, with our bucket name and account ID inputs substituted in. It grants the CloudTrail service principal exactly two things: s3:GetBucketAcl on the bucket, and s3:PutObject restricted to the AWSLogs/<account ID>/ prefix, on the condition that each object is written with the bucket-owner-full-control ACL so the log objects belong to our account rather than to the service. The current version of that AWS page additionally adds an aws:SourceArn condition naming the trail's ARN, which ties the grant to one specific trail (the confused-deputy protection AWS now recommends); it is worth adding once the trail name from step 4.4 is fixed.
Login as user {Host_Creds} on node {Hostname}
#write our S3 bucket policy, in JSON format, to /tmp/bucket.json. No sudo is needed: the file only has to be readable by the user running the aws commands. The original "sudo touch" followed by a plain redirect also does not work, because the redirect is opened by the unprivileged shell, not by root, and fails with "Permission denied" on the root-owned file
cat <<EOF > /tmp/bucket.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::{cloudtrailbucketname.value}"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{cloudtrailbucketname.value}/AWSLogs/{awsaccountid.value}/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
EOF
4.2 - Create S3 Bucket for Cloudtrail
With the policy written, we create the bucket itself; this is where CloudTrail stores its log files. The region and bucket name inputs name the bucket and choose where it lives. Bucket names are global across all AWS accounts, so this step fails if any other account already owns the chosen name.
Login as user {Host_Creds} on node {Hostname}
#for any region other than us-east-1, s3api create-bucket also needs the region as a LocationConstraint, otherwise it fails with IllegalLocationConstraintException
aws s3api create-bucket --bucket {cloudtrailbucketname.value} --region {awsregion.value} \
  $([ "{awsregion.value}" != "us-east-1" ] && echo "--create-bucket-configuration LocationConstraint={awsregion.value}")
4.3 - Apply Policy to Bucket
The bucket and the policy file both exist, so we now attach the policy to the bucket, which grants CloudTrail write access while keeping the bucket otherwise closed. The s3api put-bucket-policy command takes the bucket name and the JSON file we created.
Login as user {Host_Creds} on node {Hostname}
aws s3api put-bucket-policy --bucket {cloudtrailbucketname.value} --policy file:///tmp/bucket.json
4.4 - Create Cloudtrail
Next we create the trail itself. This configuration tells CloudTrail to deliver its logs to our S3 bucket, which gives us an audit trail of API activity in the account. We pass in the cloudtrailname and cloudtrailbucketname inputs; the --is-multi-region-trail switch records activity in every region of the account rather than only the one in our config file. Two caveats: a trail records management events (control-plane API calls) by default, so data events such as S3 object reads or Lambda invocations are only logged if event selectors are configured, and --enable-log-file-validation can be added so CloudTrail publishes signed digest files that let you detect tampering with delivered logs.
Login as user {Host_Creds} on node {Hostname}
aws cloudtrail create-trail --name {cloudtrailname.value} --s3-bucket-name {cloudtrailbucketname.value} --is-multi-region-trail
4.5 - Enable Cloudtrail Logging
Our final step turns logging on. Creating a trail only defines it; until start-logging is called the trail reports IsLogging false and no events are delivered to the bucket.
Login as user {Host_Creds} on node {Hostname}
aws cloudtrail start-logging --name {cloudtrailname.value}
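Steps 4.1 to 4.5 as one re-runnable shell function, added here as an example and not part of the exported blueprint. It keeps the blueprint's commands but adds what a practitioner would want on a log bucket: the aws:SourceArn condition from the current AWS policy documentation so the grant is tied to this one trail, an S3 public-access block and versioning, the --create-bucket-configuration argument needed outside us-east-1, --enable-log-file-validation on the trail, and a final get-trail-status check. The positional arguments (bucket, account ID, region, trail name) stand in for the Attune inputs, and the function and file names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original Attune blueprint. Performs steps
# 4.1-4.5 with the hardening a CloudTrail log bucket needs. Arguments replace
# the blueprint's {….value} inputs: bucket, account ID, region, trail name.
set -eu

# Render the CloudTrail bucket policy. Compared with the blueprint's policy it
# adds the aws:SourceArn condition used in the current AWS documentation, so
# only the named trail in this account may read the ACL and write log objects.
render_bucket_policy() {
  local bucket="$1" account="$2" region="$3" trail="$4"
  local trail_arn="arn:aws:cloudtrail:${region}:${account}:trail/${trail}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${bucket}",
      "Condition": {"StringEquals": {"aws:SourceArn": "${trail_arn}"}}
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/AWSLogs/${account}/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "${trail_arn}"
        }
      }
    }
  ]
}
EOF
}

# s3api create-bucket accepts a bare --region only for us-east-1; every other
# region must also be passed as a LocationConstraint or the call fails.
create_bucket_args() {
  local region="$1"
  if [ "$region" = "us-east-1" ]; then
    printf '%s' "--region us-east-1"
  else
    printf '%s' "--region ${region} --create-bucket-configuration LocationConstraint=${region}"
  fi
}

setup_cloudtrail_logging() {
  local bucket="$1" account="$2" region="$3" trail="$4"
  local policy_file
  policy_file="$(mktemp)"   # private temp file instead of a fixed /tmp path
  render_bucket_policy "$bucket" "$account" "$region" "$trail" > "$policy_file"

  # shellcheck disable=SC2046  (word splitting of the generated args is intended)
  aws s3api create-bucket --bucket "$bucket" $(create_bucket_args "$region")
  # A log bucket must never be public, and versioning preserves logs that are
  # overwritten or deleted by someone who gained write access.
  aws s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-versioning --bucket "$bucket" --versioning-configuration Status=Enabled
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://${policy_file}"

  # Log file validation makes CloudTrail publish signed digest files, so later
  # tampering with delivered log objects can be detected.
  aws cloudtrail create-trail --name "$trail" --s3-bucket-name "$bucket" \
    --is-multi-region-trail --enable-log-file-validation
  aws cloudtrail start-logging --name "$trail"
  rm -f "$policy_file"

  # Check: the trail must report IsLogging True, otherwise nothing is recorded.
  aws cloudtrail get-trail-status --name "$trail" --query IsLogging --output text
}

# Usage: ./cloudtrail_setup.sh apply <bucket> <account-id> <region> <trail-name>
if [ "${1:-}" = "apply" ]; then
  setup_cloudtrail_logging "$2" "$3" "$4" "$5"
fi
```

Without the apply argument the script only defines the functions, so render_bucket_policy can be called on its own to review the policy before anything is created; run it with apply and the four arguments to perform the setup against the account the CLI is configured for.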
Using Attune to install and configure the AWS Cloudtrail
This blueprint configures CloudTrail for AWS using bash. It has been tested successfully on Ubuntu; running it on any other platform only requires changing the package manager command in the AWS CLI install step. CloudTrail records the API activity and changes made within your AWS account.
Pre-Blueprint Attune setup
Inputs needed:
* Host to run the scripts on, plus the credentials to connect to it
* Text inputs for AWS Account ID (AWSAccountID), AWS Access Key (AccessKey), Secret Access Key (SecretKey), AWS region (AWSRegion), output format (AWSOutputFormat), S3 bucket name (CloudtrailBucketName) and CloudTrail name (CloudtrailName)
Blueprint Steps
1. First we use Ubuntu's native package manager to install the AWS CLI, the command-line tool used to interact with your AWS account.
2. The AWS CLI reads an AWS credentials file in the home directory of the user running the commands. We write the access key and secret key inputs into that file, and the CLI uses them to authenticate to your AWS account.
3. Similarly, the CLI reads an AWS config file to determine the default region, the output format to use when running commands, and so on. We write the region and output format inputs into this file.
4. Next, a group step does all of the configuration of the AWS resources. See the comments in each step for more details.