A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.
AWS CloudTrail records AWS API calls for account activity logging and compliance.
import * as aws from "@pulumi/aws";
// Settings both trails share: deliver to the audit bucket and enable log file
// validation, so delivered log files can later be checked for modification.
const commonTrailArgs = {
  s3BucketName: auditBucket.id,
  enableLogFileValidation: true,
};

// Basic trail that records activity from every region of this account.
const trail = new aws.cloudtrail.Trail("audit-trail", {
  ...commonTrailArgs,
  isMultiRegionTrail: true,
});

// Organization-wide trail that also streams events to CloudWatch Logs
// (trailLogGroup and trailRole are defined in the CloudWatch example below).
const orgTrail = new aws.cloudtrail.Trail("org-trail", {
  ...commonTrailArgs,
  isOrganizationTrail: true,
  cloudWatchLogsGroupArn: trailLogGroup.arn,
  cloudWatchLogsRoleArn: trailRole.arn,
});
Trails record AWS API activity across your account or organization.
/**
 * A CloudTrail trail: records AWS API activity for an account or organization
 * and delivers the log files to the S3 bucket named in `TrailArgs`.
 */
class Trail extends pulumi.CustomResource {
  /**
   * @param name Logical resource name used by Pulumi.
   * @param args Trail settings; `s3BucketName` is the only required field.
   * @param opts Standard resource options (provider, dependsOn, protect, ...).
   */
  constructor(name: string, args: TrailArgs, opts?: pulumi.CustomResourceOptions);
  /** ARN of the created trail. */
  readonly arn: pulumi.Output<string>;
  /** Home region of the trail (the region it was created in). */
  readonly homeRegion: pulumi.Output<string>;
}
/** Arguments accepted by `Trail`. Only `s3BucketName` is required. */
interface TrailArgs {
  /** S3 bucket that receives the delivered log files. */
  s3BucketName: pulumi.Input<string>;
  /** Optional key prefix under which log files are written in the bucket. */
  s3KeyPrefix?: pulumi.Input<string>;
  /** ARN of a CloudWatch Logs log group that also receives events; used together with `cloudWatchLogsRoleArn`. */
  cloudWatchLogsGroupArn?: pulumi.Input<string>;
  /** ARN of the IAM role CloudTrail assumes to write to that log group. */
  cloudWatchLogsRoleArn?: pulumi.Input<string>;
  /** Enable log file validation so later modification or deletion of delivered files can be detected. */
  enableLogFileValidation?: pulumi.Input<boolean>;
  /** Include events from global services such as IAM. */
  includeGlobalServiceEvents?: pulumi.Input<boolean>;
  /** Record events from all regions rather than only the trail's home region. */
  isMultiRegionTrail?: pulumi.Input<boolean>;
  /** Record events for every account in the AWS Organization (see the organization example above). */
  isOrganizationTrail?: pulumi.Input<boolean>;
  /** KMS key used to encrypt the delivered log files (see the encryption example below). */
  kmsKeyId?: pulumi.Input<string>;
  /** Tags to apply to the trail. */
  tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
Example - Create a trail with encryption and validation
// Versioned bucket that receives the log files. forceDestroy stays false so
// destroying the stack cannot remove the bucket while it still holds log files.
const auditBucket = new aws.s3.Bucket("cloudtrail-logs", {
  versioning: { enabled: true },
  forceDestroy: false,
});

// Customer-managed key for the delivered log files, with automatic rotation.
const trailKey = new aws.kms.Key("trail-key", {
  enableKeyRotation: true,
  description: "CloudTrail log encryption",
});

// Labels applied to the trail; useful when reporting on compliance scope.
const trailTags = {
  Environment: "production",
  Compliance: "required",
};

// NOTE: CloudTrail must also be allowed to write to the bucket (a bucket policy
// granting cloudtrail.amazonaws.com s3:GetBucketAcl and s3:PutObject) and to use
// trailKey (a key policy granting it kms:GenerateDataKey*); neither is shown here.
const trail = new aws.cloudtrail.Trail("security-audit", {
  s3BucketName: auditBucket.id,
  s3KeyPrefix: "cloudtrail",
  kmsKeyId: trailKey.id,
  isMultiRegionTrail: true,
  includeGlobalServiceEvents: true,
  enableLogFileValidation: true,
  tags: trailTags,
});
Example - Trail with CloudWatch Logs integration
// Log group that receives a copy of the trail's events; kept for 90 days.
const trailLogGroup = new aws.cloudwatch.LogGroup("cloudtrail-logs", {
  retentionInDays: 90,
});

// Trust policy: only the CloudTrail service may assume this role.
const cloudTrailTrustPolicy = JSON.stringify({
  Version: "2012-10-17",
  Statement: [
    {
      Action: "sts:AssumeRole",
      Principal: { Service: "cloudtrail.amazonaws.com" },
      Effect: "Allow",
    },
  ],
});

const trailRole = new aws.iam.Role("cloudtrail-role", {
  assumeRolePolicy: cloudTrailTrustPolicy,
});

// Least-privilege permissions: the role may only create streams and put
// events in this one log group (the `:*` suffix matches its log streams).
new aws.iam.RolePolicy("cloudtrail-logs-policy", {
  role: trailRole.id,
  policy: trailLogGroup.arn.apply((logGroupArn) =>
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Effect: "Allow",
          Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
          Resource: `${logGroupArn}:*`,
        },
      ],
    }),
  ),
});

// Multi-region trail that delivers to S3 and forwards to the log group above
// (auditBucket is defined in the encryption example).
const trail = new aws.cloudtrail.Trail("monitored-trail", {
  s3BucketName: auditBucket.id,
  isMultiRegionTrail: true,
  enableLogFileValidation: true,
  cloudWatchLogsGroupArn: trailLogGroup.arn,
  cloudWatchLogsRoleArn: trailRole.arn,
});
CloudTrail Lake event data stores for advanced querying.
/**
 * A CloudTrail Lake event data store: an immutable store of events that can
 * be queried in place, as opposed to a trail that delivers files to S3.
 */
class EventDataStore extends pulumi.CustomResource {
  /**
   * @param name Logical resource name used by Pulumi.
   * @param args Optional store settings; every field has a service default.
   * @param opts Standard resource options (provider, dependsOn, protect, ...).
   */
  constructor(name: string, args?: EventDataStoreArgs, opts?: pulumi.CustomResourceOptions);
  /** ARN of the created event data store. */
  readonly arn: pulumi.Output<string>;
}
/** Arguments accepted by `EventDataStore`; all are optional. */
interface EventDataStoreArgs {
  /** Display name of the store; derived from the resource name when omitted. */
  name?: pulumi.Input<string>;
  /** How long ingested events are kept, in days. */
  retentionPeriod?: pulumi.Input<number>;
  /** Ingest events from all regions rather than only the current one. */
  multiRegionEnabled?: pulumi.Input<boolean>;
  /** Ingest events from every account in the AWS Organization. */
  organizationEnabled?: pulumi.Input<boolean>;
  /** Selectors that decide which events are ingested (event category, resource type, ...). */
  advancedEventSelectors?: pulumi.Input<pulumi.Input<EventDataStoreAdvancedEventSelector>[]>;
  /** KMS key used to encrypt the stored events. */
  kmsKeyId?: pulumi.Input<string>;
  /** Tags to apply to the event data store. */
  tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
Install with Tessl CLI