Setup CloudTrail

AWS CloudTrail is a service that provides governance, compliance and auditing of activity in an AWS account. Since Datacoral software is deployed in a customer's AWS account, CloudTrail can be set up in that account to get an audit record of all actions Datacoral performs there. To set this up, follow the steps below.

Prepare S3 bucket for receiving CloudTrail logs

First, create a new bucket in which to store the CloudTrail logs. Ideally, this bucket is configured to disallow deletes and lives in a separate AWS account. Next, run the following command to update the bucket policy so that the bucket can receive CloudTrail events.

aws s3api put-bucket-policy \
    --bucket <cloudtrail-logs-bucket> \
    --policy file://cloudtrail_bucket_policy.json

Here the file cloudtrail_bucket_policy.json contains the following (you'll need to fill in the S3 bucket name and the ID of the AWS account in which the trail is created):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::<cloudtrail-logs-bucket>"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<cloudtrail-logs-bucket>/AWSLogs/<your-account-id>/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
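As an added example (not part of the Datacoral documentation or its tooling), the following Python script fills the policy above in for a given bucket name and trail account ID, and also audits a policy retrieved from an existing bucket (for example via aws s3api get-bucket-policy) against that shape: it flags a PutObject grant broader than the AWSLogs/<account-id>/ prefix, a missing bucket-owner-full-control ACL condition, and any statement open to every principal. The bucket name and account ID it uses are constructed placeholders.

```python
import json

# Constructed placeholder values for this example (not real resources).
SAMPLE_BUCKET = "example-cloudtrail-logs"
SAMPLE_ACCOUNT_ID = "123456789012"  # the account in which the trail is created


def build_cloudtrail_bucket_policy(bucket, account_id):
    """Return the two-statement bucket policy from the page, filled in for one
    bucket and one trail account, as a Python dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20150319",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def render_policy_file(bucket, account_id):
    """Return the policy as the JSON text to save as cloudtrail_bucket_policy.json."""
    return json.dumps(build_cloudtrail_bucket_policy(bucket, account_id), indent=2)


def _as_list(value):
    # IAM policy fields may hold a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_cloudtrail_bucket_policy(policy, bucket, account_id):
    """Audit a bucket policy dict and return a list of findings. An empty list
    means CloudTrail has exactly the grants it needs and nothing broader."""
    findings = []
    acl_ok = False
    write_ok = False
    bucket_arn = f"arn:aws:s3:::{bucket}"
    expected_write = f"{bucket_arn}/AWSLogs/{account_id}/*"

    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Anything granted to every principal is a problem on an audit-log bucket.
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants {actions} to any principal")
            continue
        if principal != {"Service": "cloudtrail.amazonaws.com"}:
            continue  # other principals are out of scope for this check

        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_ok = True

        if "s3:PutObject" in actions:
            acl_cond = (stmt.get("Condition", {})
                        .get("StringEquals", {})
                        .get("s3:x-amz-acl"))
            for res in resources:
                if res == expected_write:
                    if acl_cond == "bucket-owner-full-control":
                        write_ok = True
                    else:
                        findings.append(
                            f"{sid}: PutObject lacks the bucket-owner-full-control ACL condition")
                elif res.startswith(bucket_arn + "/"):
                    findings.append(
                        f"{sid}: PutObject resource {res} is broader than AWSLogs/{account_id}/*")

    if not acl_ok:
        findings.append("missing s3:GetBucketAcl grant for cloudtrail.amazonaws.com on the bucket")
    if not write_ok:
        findings.append(f"missing s3:PutObject grant for cloudtrail.amazonaws.com on {expected_write}")
    return findings


if __name__ == "__main__":
    print(render_policy_file(SAMPLE_BUCKET, SAMPLE_ACCOUNT_ID))
    generated = build_cloudtrail_bucket_policy(SAMPLE_BUCKET, SAMPLE_ACCOUNT_ID)
    print(check_cloudtrail_bucket_policy(generated, SAMPLE_BUCKET, SAMPLE_ACCOUNT_ID))
```

The account ID in the PutObject resource is the one whose trail writes the logs, which matters when the bucket lives in a separate account as recommended above; the checker deliberately ignores statements for other principals so it can be run on a shared logging bucket without drowning in unrelated findings.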

Create the CloudTrail

Run the following command:

aws cloudtrail create-trail \
    --name datacoral-cloudtrail \
    --s3-bucket-name <cloudtrail-logs-bucket>