By using AWS re:Post, you agree to the AWS re:Post Terms of Use

[CONTROL TOWER] Change CloudTrail Org trail Log Group name

1

Aim

Our organization had a functional requirement where the name of the CloudWatch Log Group for the Org trail needs to be in a certain format.

Justification

By creating duplicate Trails across the landing zone, we've analyzed that the cost is high, purely for this compliance (by creating individual account Trails in each of our workload accounts).

The Control Tower-configured Org trail is default and cannot be changed directly in the Control Tower's management account: aws-controltower/CloudTrailLogs:

CloudWatch logs

Steps taken to recreate this issue

WIthin the AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER CFN stack set, I've tried changing the ManagedResourcePrefix parameter:

StackSet Parameter

However, I'm presented with this error when changing the ManagedResourcePrefix parameter:

AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER

asked a year ago770 views
3 Answers
2

Hi,

Based on the requirements, it seems that you may not require AWS Control Tower to setup an organization trail, instead you may want to create your own with customization.

If that assumption is right, then you can opt out configuring cloudtrails in Control Tower and it won't create trail for you and later you can create one with all the custom names/formats etc. Here is how you can opt out Optionally configure AWS CloudTrail trails.

Interestingly, this document is briefing about your situation as well where it's mentioning that it may incur additional cost if you keep Org trail provisioned by control tower and create your custom ones too, which is obvious.

Edit: If you only need to modify this, I would be curious to see if there is any iam role attached to cloudformation, if so then take a look at it’s permissions for cloudtrail, log group and try adding broader set of permissions to let it pass the way you want, specifically delete permissions for cloudtrail and cloudwatch, as this parameter(ManagedResourcePrefix) value change, it would trigger the deletion of existing trail and once IAM role attached to CFN would have that permission, it should pass through fairly easily.

Throwing up some additional documents around Control Tower Customization and commissioning/decommissioning:

References:

Customize Landing Zone

Guidance for creating/modifying Control Tower Resources

Decommissioning an AWS Control Tower Landing Zone

profile pictureAWS
EXPERT
answered a year ago
profile picture
EXPERT
reviewed a year ago
profile picture
EXPERT
reviewed a year ago
0

Thanks for your response!

However, we still need the organizational trail for our managed services operations.

The customized log group naming convention were only for a selected few accounts to be piped over to external parties as a CloudWatch logs group subscription filter (if possible, in order only to cherry-pick logs from the workload accounts).

In the event that we change any CloudTrail settings, it might trigger a detected drift in Control Tower, which is intended and something we want to avoid.

Apart from the naming convention of the log group, we're okay with piping the org trail via the subscription filter.

answered a year ago
  • If you only need to modify this, I would be curious to see if there is any iam role attached to cloudformation, if so then take a look at it’s permissions for cloudtrail, log group and try adding broader set of permissions to let it pass the way you want, specifically delete permissions for cloudtrail and cloudwatch, as this parameter(ManagedResourcePrefix) value change, it would trigger the deletion of existing trail and once IAM role attached to CFN would have that permission, it should pass through fairly easily.

    Keep me posted how it goes, I’ll try to replicate this at my end too if it doesn’t work for you.

    PS: I'm adding this response to my answer for better community experience if this discussion gets referred in future.

  • If you have additional questions, please comment here, else please accept the answer for better community experience. Thank you.

0

Take a look at the IAM role being used to deploy the control tower cloud formation stack for the cloudtrail

You may find the iam role may only have create trail and no access to delete/change the setting.

Be careful changing the trail setting in CF, it may delete the log group before creating a new one. I don’t know this off the top of my head without looking at the stack.

profile picture
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions