
AWS SRA CloudTrail Organization Solution with Terraform

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0


Introduction

This Terraform module deploys the CloudTrail Organization AWS SRA solution.

The common prerequisite solution must be installed in the management account before installing this solution.

Information on the deployed resources, as well as the Terraform requirements, providers, modules, resources, and inputs of this module, is documented below.

Please refer to the "Installing the AWS SRA Solutions" section of the documentation for more information and installation instructions.

For the CloudFormation version of this AWS SRA solution, as well as more information, please see the AWS SRA CloudTrail solution documentation page.


Deployed Resource Details

Architecture

1.0 Organization Management Account

1.1 AWS Lambda Function

1.2 Lambda Layer

1.3 Lambda Execution IAM Role

1.4 Lambda CloudWatch Log Group

1.5 Organization CloudTrail

1.6 Organization CloudTrail CloudWatch Log Group Role

1.7 Organization CloudTrail CloudWatch Log Group


2.0 Audit Account

2.1 Organization CloudTrail KMS Key

2.2 CloudTrail KMS Key Secret

2.3 CloudTrail (Delegated admin)


3.0 Security Log Archive Account

3.1 Organization CloudTrail S3 Bucket

3.2 CloudTrail S3 Bucket Secret


Implementation Instructions

Please refer to the "Installing the AWS SRA Solutions" section of the documentation for installation instructions.


Requirements

| Name | Version  |
|------|----------|
| aws  | >= 5.1.0 |

Providers

| Name     | Version  |
|----------|----------|
| aws.main | >= 5.1.0 |

Modules

| Name           | Source | Version |
|----------------|--------|---------|
| cloudtrail_org | ./org  | n/a     |
| kms            | ./kms  | n/a     |
| s3_bucket      | ./s3   | n/a     |

Resources

| Name                        | Type        |
|-----------------------------|-------------|
| aws_caller_identity.current | data source |
| aws_partition.current       | data source |
| aws_region.current          | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| audit_account_id | AWS Account ID of the Control Tower Audit account. | string | n/a | yes |
| enable_data_events_only | Only Enable Cloud Trail Data Events | string | n/a | yes |
| enable_lambda_data_events | Enable Cloud Trail Data Events for all Lambda functions | string | n/a | yes |
| enable_s3_data_events | Enable Cloud Trail S3 Data Events for all buckets | string | n/a | yes |
| home_region | Name of the Control Tower home region | string | n/a | yes |
| log_archive_account_id | AWS Account ID of the Control Tower Log Archive account. | string | n/a | yes |
| macie_org_configuration_role_name | Configuration IAM Role Name | string | "sra-macie-org-configuration" | no |
| macie_org_lambda_role_name | Lambda Role Name | string | "sra-macie-org-lambda" | no |
| management_account_id | Organization Management Account ID | string | n/a | yes |
| organization_id | AWS Organization ID | string | n/a | yes |
| secrets_key_alias_arn | (Optional) SRA Secrets Manager KMS Key Alias ARN | string | "" | no |

Outputs

No outputs.
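As an added illustration (not part of this module's own documentation), the following root configuration shows how a caller in the management account would invoke the module: it maps the `aws.main` provider alias listed under Providers to a configured provider and passes the required inputs from the Inputs table. The module source path, the root provider setup, and every account ID, Organization ID and region value are assumptions or placeholders.

```hcl
# Added example: root module invoking the CloudTrail Organization module.
# Assumed to run with Organization Management account credentials.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.1.0" # matches the Requirements table
    }
  }
}

# Assumed: the default provider targets the management account in the
# Control Tower home region (placeholder default).
variable "home_region" {
  type    = string
  default = "us-east-1"
}

provider "aws" {
  region = var.home_region
}

module "cloudtrail_org" {
  source = "./cloudtrail_org" # assumed local path to this module

  # The module expects the provider alias aws.main (see Providers);
  # the caller supplies it from its own provider configuration.
  providers = {
    aws.main = aws
  }

  # Required inputs; all values are placeholders, not real identifiers.
  management_account_id  = "111111111111"
  audit_account_id       = "222222222222"
  log_archive_account_id = "333333333333"
  organization_id        = "o-placeholder"
  home_region            = var.home_region

  # The data-event switches are typed as strings in the Inputs table,
  # so they are passed as "true"/"false" rather than as booleans.
  enable_data_events_only   = "false"
  enable_lambda_data_events = "true"
  enable_s3_data_events     = "true"

  # Optional inputs keep their documented defaults unless overridden;
  # an empty string here uses the module default.
  secrets_key_alias_arn = ""
}
```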