Open NoahKunin opened 9 years ago
Can you describe what this command looks like in your head? Like,
% sendak enable-cloudtrail --region us-east-1
or?
Yep, but it would be preferable if the user didn't have to specify the regions, and just issues a single command to activate CloudTrail in the entirety of the CONUS.
And now that I've slept on it, it might be wise just to turn on CloudTrail globally. It's just as important to verify services are not being launched outside the CONUS as well.
Task to enable cloudtrail for all regions under a provided account. The hook is CreateTrail.
sendak enable-cloudtrail --bucket-name ct-logs
note: requires a non-18F account
Update: it looks like there isn't anything "region-specific" in the API re cloudtrail. You turn it on, you point it at a bucket. Since the s3 namespace is flat, does this mean that cloudtrail just references the account you are calling it from and doesn't care about regions?
No, it very much does care about regions. There's no request syntax for region in CreateTrail, since you're submitting this request to a specific CloudTrail endpoint, that is itself region based.
As an aside, they do allow you to aggregate logs into a single S3 bucket, which is probably ideal: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_top_level.html
The problem is when you "connect" to Amazon, the credentials you provide include something like { region: 'us-east-1' }, so through the API, calls to AWS.CloudTrail.methodName() don't actually accept a region as argument. The two options are to:
var AWS = require('aws-sdk');
// Region discovery itself goes through a region-bound EC2 client.
new AWS.EC2({ region: 'us-east-1' }).describeRegions(function (err, data) {
  if (err) throw err;
  data.Regions.forEach(function (reg) {
    // CloudTrail is region-scoped: one client per region, no region argument on createTrail
    var ct = new AWS.CloudTrail({ region: reg.RegionName });
    // Name is a placeholder trail name; S3BucketName is the 'single bucket' for S3
    ct.createTrail({ Name: 'ct-logs-trail', S3BucketName: 'ct-logs' }, function (err) { if (err) throw err; });
  });
});
The problem is this is action-at-a-distance, kind of; it's breaking encapsulation by reaching up and outside of the region you are already working in and implicitly operating in that space.
These would be for the three US regions located in the CONUS.
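An added example, not code from the issue thread or the sendak project: a coverage check for the region-scoped CloudTrail model discussed above, run over constructed data shaped like DescribeRegions and DescribeTrails responses (no AWS calls are made). It assumes the trail name ct-logs-trail and the bucket ct-logs from the thread, and goes one step beyond it by treating a trail with IsMultiRegionTrail set (a CloudTrail API field added after this thread) as covering every region.

```javascript
// Added example (not from the issue thread). Constructed sample shaped like
// EC2.describeRegions() output, trimmed to the fields used here.
const sampleRegions = {
  Regions: [{ RegionName: 'us-east-1' }, { RegionName: 'us-west-1' },
            { RegionName: 'us-west-2' }, { RegionName: 'eu-west-1' }],
};

// Constructed sample: CloudTrail.describeTrails() results keyed by the region
// the request was sent to (CloudTrail clients are region-bound).
const sampleTrails = {
  'us-east-1': { trailList: [{ Name: 'ct-logs-trail', S3BucketName: 'ct-logs', IsMultiRegionTrail: false }] },
  'us-west-1': { trailList: [] },
  'us-west-2': { trailList: [{ Name: 'ct-logs-trail', S3BucketName: 'other-bucket', IsMultiRegionTrail: false }] },
  'eu-west-1': { trailList: [] },
};

// Classify every region as covered (a trail logs to the aggregation bucket),
// wrongBucket (a trail exists but logs elsewhere, so aggregation is broken)
// or missing (no trail at all, so activity there is invisible).
function auditTrailCoverage(regionsResp, trailsByRegion, expectedBucket) {
  const regions = regionsResp.Regions.map((r) => r.RegionName);
  const trailsIn = (reg) => (trailsByRegion[reg] || { trailList: [] }).trailList;
  // A multi-region trail (IsMultiRegionTrail, added to the API after this
  // thread) covers every region from its home region, so check for one first.
  const hasMultiRegion = regions.some((reg) =>
    trailsIn(reg).some((t) => t.IsMultiRegionTrail && t.S3BucketName === expectedBucket));
  const result = { covered: [], wrongBucket: [], missing: [] };
  for (const reg of regions) {
    const trails = trailsIn(reg);
    if (hasMultiRegion || trails.some((t) => t.S3BucketName === expectedBucket)) {
      result.covered.push(reg);
    } else if (trails.length > 0) {
      result.wrongBucket.push(reg);
    } else {
      result.missing.push(reg);
    }
  }
  return result;
}

// Mirrors the per-region loop in the thread: one CreateTrail call per
// uncovered region, each bound to that region and pointed at the same bucket.
function planCreateTrail(missingRegions, bucket, trailName = 'ct-logs-trail') {
  return missingRegions.map((region) => ({
    region, // becomes new AWS.CloudTrail({ region }) in the SDK, not a param
    params: { Name: trailName, S3BucketName: bucket },
  }));
}
console.log(auditTrailCoverage(sampleRegions, sampleTrails, 'ct-logs'));
```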