
Comments (5)

benbridts commented on September 24, 2024

Managing CloudTrail outside of adf might be the preferred option for most users.

  • If they're using Control Tower or Landing Zone, it will already manage it for them.
  • Tying CloudTrail to a deployment tool might lead to deleting the Trail if they decide to stop using this framework. By that time, chances are that they are using those logs for other things too.
  • The ADF will create the trail in the us-east-1 region. Compliance requirements might make that not an option for everyone.

Creating it with the adf is still a better getting started experience, but in my opinion the docs should recommend managing it separately.

from aws-deployment-framework.

bundyfx commented on September 24, 2024

This also opens up the chicken-and-egg question here, in that we want to send those CloudTrail logs to a logging account (ideally), and that we should actually either create the logging account as a first step in the complete ADF setup and have that bootstrap first, or retroactively update the CloudTrail that is created in the master account initially to point to the logging account after the logging account and logging bucket have been created and bootstrapped with its Bucket/ES cluster etc.


thomasmcgannon commented on September 24, 2024

I think it is a good idea to be prescriptive about creating a logging account and the bucket; however, it's important that the bucket can then be either changed or customized after the fact. For example, there may be a need to change encryption keys or modify lifecycle policies.

Of course there should also be an option to provide an existing S3 bucket.

In both cases, the bucket URI could be stored as an SSM param in the deployment account so that other services deployed down the track such as Config can leverage the existing bucket, if desired.

I would expect a logging bucket to have at least:

  • Encryption with a KMS key
  • Lifecycle policy
  • Object Lock enabled
  • Public Access Block enabled


17paud-irdnz commented on September 24, 2024

I would have thought that the AWS Organisation was where CloudTrail should be managed from now on. Not Control Tower, not Landing Zone, not ADF. It is baked into the Org as a feature now. https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-ct.html


sbkok commented on September 24, 2024

It is; AWS Organizations and setting up an Organization Trail is the way to go.
Closing this issue as this is out of scope for ADF.

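One way to pin down the logging-bucket properties thomasmcgannon lists above (KMS encryption, a lifecycle policy, Object Lock, Public Access Block, plus the bucket advertised through an SSM parameter) together with the Organization Trail sbkok points to is to write both as CloudFormation resource definitions and validate them with a small checker. This is an example added by the editor, not code from the aws-deployment-framework project. The two templates are constructed for illustration and split the way the chicken-and-egg discussion implies: the bucket and parameter belong in the logging account, the trail in the management account, which receives the bucket name as a template parameter. The logical IDs, the parameter name `/org/logging/bucket-arn`, the retention periods and the `LogKey` reference are assumptions; the cross-account bucket policy and KMS key policy that CloudTrail also needs are left out.

```python
"""Validate CloudFormation definitions for a central logging bucket and an
Organization Trail against the properties discussed in this thread.  Editor's
example, not aws-deployment-framework code; templates are constructed."""

# Logging-account side: the bucket plus an SSM parameter advertising its ARN.
# Logical IDs, the parameter name and the retention periods are assumptions.
LOGGING_BUCKET_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LoggingBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
                    "ServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "aws:kms",
                        "KMSMasterKeyID": {"Ref": "LogKey"},  # assumed AWS::KMS::Key, not shown
                    }}]},
                "VersioningConfiguration": {"Status": "Enabled"},  # Object Lock needs versioning
                "ObjectLockEnabled": True,
                "ObjectLockConfiguration": {
                    "ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}},
                },
                "LifecycleConfiguration": {"Rules": [{
                    "Id": "ArchiveThenExpire", "Status": "Enabled",
                    "Transitions": [{"StorageClass": "GLACIER", "TransitionInDays": 90}],
                    "ExpirationInDays": 2555,
                }]},
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
                },
            },
        },
        "LoggingBucketArnParameter": {
            "Type": "AWS::SSM::Parameter",
            "Properties": {"Name": "/org/logging/bucket-arn", "Type": "String",
                           "Value": {"Fn::GetAtt": ["LoggingBucket", "Arn"]}},
        },
    },
}

# Management-account side: the trail.  The bucket name is a parameter because the
# bucket lives in the logging account; the cross-account bucket policy and KMS
# key policy that CloudTrail also needs are out of scope here.
ORG_TRAIL_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"LoggingBucketName": {"Type": "String"}},
    "Resources": {"OrganizationTrail": {
        "Type": "AWS::CloudTrail::Trail",
        "Properties": {
            "IsLogging": True, "IsOrganizationTrail": True, "IsMultiRegionTrail": True,
            "EnableLogFileValidation": True, "S3BucketName": {"Ref": "LoggingBucketName"},
        },
    }},
}

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def check_logging_bucket(props):
    """Return the names of the thread's bucket requirements that `props` fails."""
    failures = []
    sse = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("aws:kms", "aws:kms:dsse") for r in sse):
        failures.append("kms-encryption")
    rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
    if not any(r.get("Status") == "Enabled" for r in rules):
        failures.append("lifecycle-policy")
    # Object Lock needs the bucket flag, a default retention rule and versioning.
    if (props.get("ObjectLockEnabled") is not True
            or props.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled") != "Enabled"
            or props.get("VersioningConfiguration", {}).get("Status") != "Enabled"):
        failures.append("object-lock")
    pab = props.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        failures.append("public-access-block")
    return failures

def check_trail(props):
    """Return the trail settings `props` fails: org-wide, every region, digests, logging on."""
    wanted = {"IsOrganizationTrail": "organization-trail", "IsMultiRegionTrail": "multi-region",
              "EnableLogFileValidation": "log-file-validation", "IsLogging": "logging-enabled"}
    return [label for key, label in wanted.items() if props.get(key) is not True]

def check_template(template):
    """Map each bucket and trail logical ID in a template to its list of failures."""
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        if resource.get("Type") == "AWS::S3::Bucket":
            report[logical_id] = check_logging_bucket(props)
        elif resource.get("Type") == "AWS::CloudTrail::Trail":
            report[logical_id] = check_trail(props)
    return report

if __name__ == "__main__":
    print(check_template(LOGGING_BUCKET_TEMPLATE), check_template(ORG_TRAIL_TEMPLATE))
```

The checker treats Object Lock as three settings rather than one, because CloudFormation only honours `ObjectLockConfiguration` when `ObjectLockEnabled` is true and the bucket is versioned; a template that sets just one of them deploys but does not retain anything. Run it against a bucket definition with any of the four properties missing (or with a partial `PublicAccessBlockConfiguration`) and the corresponding label appears in the returned list.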
