18F / Sendak

[DEPRECATED] Sendak integrates user, project, and deployment management for 18F

enable-cloudtrail #109

Open NoahKunin opened 9 years ago

NoahKunin commented 9 years ago

These would be for the three US regions located in the CONUS.

janearc commented 9 years ago

Can you describe what this command looks like in your head? Like,

% sendak enable-cloudtrail --region us-east-1

or?

NoahKunin commented 9 years ago

Yep, but it would be preferable if the user didn't have to specify the regions, and just issues a single command to activate CloudTrail in the entirety of the CONUS.

And now that I've slept on it, it might be wise just to turn on CloudTrail globally. It's just as important to verify services are not being launched outside the CONUS as well.

janearc commented 9 years ago

Task to enable cloudtrail for all regions under a provided account. The hook is CreateTrail.

arguments

produces

syntax

janearc commented 9 years ago

note: requires a non-18F account

janearc commented 9 years ago

Update: it looks like there isn't anything "region-specific" in the API re cloudtrail. You turn it on, you point it at a bucket. Since the s3 namespace is flat, does this mean that cloudtrail just references the account you are calling it from and doesn't care about regions?

NoahKunin commented 9 years ago

No, it very much does care about regions. There's no request syntax for region in CreateTrail, since you're submitting this request to a specific CloudTrail endpoint, that is itself region based.

As an aside, they do allow you to aggregate logs into a single S3 bucket, which is probably ideal: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/aggregating_logs_top_level.html

janearc commented 9 years ago

The problem is when you "connect" to Amazon, the credentials you provide include something like { region: 'us-east-1' } so through the API, calls to AWS.CloudTrail.methodName() don't actually accept a region as argument. The two options are to:

var AWS = require('aws-sdk');
function enableAllRegions(bucketName) { // bucketName: the 'single bucket' for S3
  new AWS.EC2({ region: 'us-east-1' }).describeRegions({}, function (err, data) {
    if (err) throw err;
    data.Regions.forEach(function (reg) {
      var ct = new AWS.CloudTrail({ region: reg.RegionName }); // bound to that region's endpoint
      ct.createTrail({ Name: 'sendak', S3BucketName: bucketName }, function (err) { if (err) throw err; });
    });
  });
}

The problem is this is action-at-a-distance, kind of; it's breaking encapsulation by reaching up and outside of the region you are already working in and implicitly operating in that space.
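The per-region loop discussed in this thread, written out as an added example (this is not Sendak's code nor code from either commenter): it lists regions with DescribeRegions, builds one CloudTrail client per regional endpoint, and calls CreateTrail in each, all trails pointing at the one aggregation bucket. The trail name `sendak-all-regions`, the bucket name and the SDK object passed in are assumptions; the SDK is injected so the logic can run offline against the constructed `fakeSdk` stand-in below, and with the real `aws-sdk` v2 you would pass `require('aws-sdk')` instead. Two things the thread does not mention are handled: CreateTrail alone does not start recording (StartLogging is a separate call), and every single-region trail records global-service events unless told not to, so the example records them from the home region only.

```javascript
// Added example (not Sendak's own code): enable CloudTrail in every region
// the account can see, following the thread's approach of iterating
// DescribeRegions and calling CreateTrail once per regional endpoint, with all
// trails writing to one aggregation bucket. The SDK object is injected so the
// logic runs offline against the fake below; with the real aws-sdk v2 you would
// pass require('aws-sdk'). Trail name and bucket name are assumed values.

const TRAIL_NAME = 'sendak-all-regions'; // assumed

// CreateTrail takes no region argument: the region is fixed by the endpoint the
// client was built against, so the same parameters are sent to each region.
function trailParams(region, bucket, homeRegion) {
  return {
    Name: TRAIL_NAME,
    S3BucketName: bucket,
    S3KeyPrefix: region, // keep each region's objects separable in the shared bucket
    // Every regional trail records global-service events (IAM, STS, ...) unless
    // told not to; record them from the home region only to avoid duplicates.
    IncludeGlobalServiceEvents: region === homeRegion,
  };
}

// Returns one {region, status} record per region. CreateTrail does not start
// recording, so StartLogging is called for each newly created trail.
async function enableCloudTrailEverywhere(AWS, bucket, homeRegion) {
  const ec2 = new AWS.EC2({ region: homeRegion });
  const { Regions } = await ec2.describeRegions({}).promise();
  const results = [];
  for (const { RegionName } of Regions) {
    const ct = new AWS.CloudTrail({ region: RegionName });
    try {
      await ct.createTrail(trailParams(RegionName, bucket, homeRegion)).promise();
      await ct.startLogging({ Name: TRAIL_NAME }).promise();
      results.push({ region: RegionName, status: 'created' });
    } catch (err) {
      // Re-running the command must be safe: an existing trail is not an error.
      if (err.code === 'TrailAlreadyExistsException') {
        results.push({ region: RegionName, status: 'exists' });
      } else {
        results.push({ region: RegionName, status: 'error', message: err.message });
      }
    }
  }
  return results;
}

// Constructed stand-in for the slice of aws-sdk v2 used above, so the example
// runs without credentials. `existingTrails` lists regions that already have
// a trail; `calls` records every API call for inspection.
function fakeSdk(regionNames, existingTrails = []) {
  const calls = [];
  const promised = (fn) => (params) => ({ promise: () => Promise.resolve().then(() => fn(params)) });
  function EC2() {
    this.describeRegions = promised(() => ({ Regions: regionNames.map((r) => ({ RegionName: r })) }));
  }
  function CloudTrail(opts) {
    this.createTrail = promised((params) => {
      calls.push({ op: 'CreateTrail', region: opts.region, params });
      if (existingTrails.includes(opts.region)) {
        const e = new Error('Trail ' + params.Name + ' already exists');
        e.code = 'TrailAlreadyExistsException';
        throw e;
      }
      return { Name: params.Name, S3BucketName: params.S3BucketName };
    });
    this.startLogging = promised((params) => {
      calls.push({ op: 'StartLogging', region: opts.region, params });
      return {};
    });
  }
  return { EC2, CloudTrail, calls };
}

if (typeof require !== 'undefined' && require.main === module) {
  const sdk = fakeSdk(['us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1'], ['us-west-1']);
  enableCloudTrailEverywhere(sdk, 'example-cloudtrail-bucket', 'us-east-1')
    .then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

For the shared bucket to accept objects from every region, its bucket policy must grant `cloudtrail.amazonaws.com` PutObject on the prefixes used, which is what the aggregation guide linked above sets up. Outside this thread's timeframe: the CreateTrail API later gained an `IsMultiRegionTrail` parameter, which makes one call from the home region cover all regions and removes the need for the loop, but the per-endpoint behaviour described here is still how the regional API works.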