How to ingest cross-account CloudTrail logs from S3 without deploying member account stack

[owenCCY]

Background: Customers do not want to deploy member account stack because it's their production account. They are aware of the Fluent Bit agent documentations and other cross-account roles that created by the member-account stack, which they do not need in CloudTrail ingestions.

[owenCCY]

Step1: Create log source account assume role manually in your member-account

Below is the details for this role. Please substitute the MAIN-ACCOUNT-ID with your main account ID and MEMBER-ACCOUNT-S3-BUCKET-NAME with your member account S3 bucket name before role creation.

Note: By main account, this is the account where your CLO solution is deployed. By member account, this is the account where your log is stored.

Trusted entity policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MAIN-ACCOUNT-ID:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Policies

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutBucketNotification",
                "sts:AssumeRole",
                "s3:PutBucketLogging",
                "s3:GetBucketLogging",
                "s3:PutBucketPolicy",
                "s3:ListBucket",
                "s3:GetBucketNotification",
                "s3:DeleteBucketPolicy",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::MEMBER-ACCOUNT-S3-BUCKET-NAME",
                "arn:aws:s3:::MEMBER-ACCOUNT-S3-BUCKET-NAME/*",
                "arn:aws:iam::MAIN-ACCOUNT-ID:role/*buffer-access*",
                "arn:aws:iam::MAIN-ACCOUNT-ID:role/*BufferAccessRole*"
            ]
        }
    ]
}

Please copy and save this manually created role ARN, we will use it as a parameter during the pipeline stack deployment step.

[owenCCY]

Step2: Deploy the CloudTrail pipeline stack in your main account

1. You can jump to the implementation guide through here.

2. Select the correct template and click the template link.

3. Fill in the CloudFormation template parameters.

Please pay attention to the following parameters:

1. Log Bucket Name: Please fill in the member-account S3 bucket name.
2. Log Source Account ID: Please fill in the member-account ID.
3. Log Source Account Assume Role: Please fill in the role which we manually created in member-account.
4. KMS-CMK ARN: Please search AWS::KMS::Key in the Cloudformation Resource tab：
5. S3 Backup Bucket: Please search DefaultLoggingBucket in the Cloudformation Resource tab.
6. VPC ID: Please search DefaultVpcId in the Cloudformation Resource tab.
7. Subnet IDs: Please search PrivateSubnets in the Cloudformation Resource tab.
8. Security Group ID: Please search ProcessSecurityGroupId in the Cloudformation Resource tab.

[owenCCY]

Example of CloudFormation template input