Terraform module for configuring AWS to integrate with Expel Workbench.
It configures a CloudTrail stack (a CloudTrail and its S3 log bucket) together with a notification queue that Expel Workbench consumes. The CloudTrail, the S3 bucket, the SQS queue and the SNS topic (used only when an existing CloudTrail is reused) are encrypted by default with a customer-managed KMS key.
```hcl
module "expel_aws_cloudtrail" {
  source  = "expel-io/cloudtrail/aws"
  version = "1.3.0"

  expel_customer_organization_guid = "Replace with your organization GUID from Expel Workbench"
  region                           = "AWS region in which notification queue for CloudTrail will be created"
}
```
Once you have configured your AWS environment, go to https://workbench.expel.io/settings/security-devices?setupIntegration=aws and create an AWS CloudTrail security device to enable Expel to begin monitoring your AWS environment.
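The delivery path this module wires up is CloudTrail writing gzip-compressed log files to the S3 bucket, the bucket publishing s3:ObjectCreated notifications (directly to the SQS queue, or through an existing SNS topic that is subscribed to the queue), and Workbench reading those messages. The Python below is an added example of what a consumer of that queue has to do with each message; it is not code from the module or from Expel. It unwraps both message shapes (a raw S3 event, or an SNS envelope whose `Message` field carries the S3 event), ignores the `s3:TestEvent` S3 sends when a notification is first configured, keeps only `ObjectCreated:*` events for CloudTrail log objects (digest files are skipped), then fetches and parses the log file. The bucket name, object key, log records and SNS topic ARN are constructed sample data, and `fetch_object` is an offline stand-in for `s3:GetObject`.

```python
"""Consume CloudTrail delivery notifications the way a queue consumer would."""
import gzip
import json
from urllib.parse import unquote_plus

# Constructed sample data: one CloudTrail log file with two records, gzip-compressed
# and JSON-encoded the way CloudTrail writes it to S3. Names and IDs are assumed.
SAMPLE_BUCKET = "example-cloudtrail-logs"
SAMPLE_KEY = ("AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/"
              "111111111111_CloudTrail_us-east-1_20240101T0000Z_AbCdEf.json.gz")
SAMPLE_LOG = {"Records": [
    {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T00:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]}
FAKE_S3 = {(SAMPLE_BUCKET, SAMPLE_KEY): gzip.compress(json.dumps(SAMPLE_LOG).encode())}


def fetch_object(bucket, key):
    """Stand-in for s3:GetObject on the log bucket (offline lookup of the sample)."""
    return FAKE_S3[(bucket, key)]


def unwrap_sqs_body(body):
    """Return the S3 event carried by an SQS message body.

    With a module-created queue S3 publishes directly, so the body is the event.
    With an existing SNS topic (existing_sns_topic_arn) the body is an SNS envelope
    whose 'Message' field is the JSON-encoded S3 event.
    """
    msg = json.loads(body)
    if msg.get("Type") == "Notification" and "Message" in msg:
        msg = json.loads(msg["Message"])
    return msg


def cloudtrail_objects(event):
    """Extract (bucket, key) pairs for newly delivered CloudTrail log files.

    Skips s3:TestEvent (no 'Records'), non-create events, digest files under
    CloudTrail-Digest/, and anything that is not a gzipped CloudTrail log object.
    """
    objects = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys in events
        if "/CloudTrail/" in key and key.endswith(".json.gz"):
            objects.append((rec["s3"]["bucket"]["name"], key))
    return objects


def parse_log_file(blob):
    """Decompress one delivered log file and return its CloudTrail records."""
    return json.loads(gzip.decompress(blob))["Records"]


def process_message(body, fetch=fetch_object):
    """Full path for one queued message: unwrap, select objects, fetch, parse."""
    records = []
    for bucket, key in cloudtrail_objects(unwrap_sqs_body(body)):
        records.extend(parse_log_file(fetch(bucket, key)))
    return records


def s3_event(bucket, key, event_name="ObjectCreated:Put"):
    """Build a minimal S3 event notification (constructed test input)."""
    return {"Records": [{"eventVersion": "2.1", "eventSource": "aws:s3",
                         "awsRegion": "us-east-1", "eventName": event_name,
                         "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}]}


def sns_wrapped(event, topic_arn="arn:aws:sns:us-east-1:111111111111:example-topic"):
    """Wrap an S3 event the way SNS delivers it to a subscribed SQS queue."""
    return json.dumps({"Type": "Notification", "TopicArn": topic_arn,
                       "Message": json.dumps(event)})


if __name__ == "__main__":
    for record in process_message(sns_wrapped(s3_event(SAMPLE_BUCKET, SAMPLE_KEY))):
        print(record["eventTime"], record["eventSource"], record["eventName"])
```

The same consumer works for both deployment shapes because the SNS envelope is unwrapped before the S3 event is inspected; a real consumer would add the SQS receive/delete loop around `process_message` and verify the SNS message signature when an existing topic is used.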
The permissions granted by this module allow Expel Workbench to perform investigations and to get a broad understanding of your AWS footprint.

The module supports the following deployment scenarios:

- Creating a new AWS CloudTrail for an AWS organization (the default)
- Creating a new AWS CloudTrail for a single AWS account (set the enable_organization_trail input to false)
- Reusing an existing AWS CloudTrail, for a single AWS account or an AWS organization, when all of the existing resources (trail, log bucket, KMS key, SNS topic) are deployed in the same account (set the existing_cloudtrail_bucket_name input to the name of the existing log bucket)

Limitations:

- This module only supports integrating with Expel when all the necessary resources are deployed in the same AWS account.
- This module does not support integrating with Expel when the necessary resources are spread across multiple AWS accounts. For example, AWS Control Tower environments are not supported by this module; to integrate a Control Tower environment with Expel, refer to this guide.

Please contact your Engagement Manager if you have an existing CloudTrail with a different configuration.
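Before setting the existing_cloudtrail_bucket_name, existing_cloudtrail_kms_key_arn and existing_sns_topic_arn inputs, it is worth checking that the trail you intend to reuse actually satisfies the constraints stated above: the trail's organization setting must agree with enable_organization_trail, log file validation should be on, the KMS key and SNS topic must live in the same account, and the log bucket must notify the topic on s3:ObjectCreated:*. The Python below is an added example of that pre-flight check, not part of the module. It works on plain dictionaries shaped like the boto3 responses from `cloudtrail.describe_trails()` (one entry of `trailList`) and `s3.get_bucket_notification_configuration()`, so it runs offline; the trail, bucket, key and topic values are constructed sample data, and the log bucket's own ownership is not checked because the trail description does not carry it.

```python
"""Pre-flight checks before pointing the module at an existing CloudTrail."""

# Constructed sample responses, shaped like boto3's
# cloudtrail.describe_trails()["trailList"][0] and
# s3.get_bucket_notification_configuration(Bucket=...). All values are assumed.
ACCOUNT_ID = "111111111111"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:example-cloudtrail-topic"
TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-org-trail-logs",
    "IsOrganizationTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555",
}
BUCKET_NOTIFICATIONS = {
    "TopicConfigurations": [
        {"Id": "cloudtrail-to-sns", "TopicArn": SNS_TOPIC_ARN, "Events": ["s3:ObjectCreated:*"]},
    ]
}

# The four ObjectCreated sub-events; listing all of them is equivalent to the wildcard.
OBJECT_CREATED_EVENTS = {
    "s3:ObjectCreated:Put", "s3:ObjectCreated:Post",
    "s3:ObjectCreated:Copy", "s3:ObjectCreated:CompleteMultipartUpload",
}


def covers_object_created(events):
    """True if a notification's event list fires for every newly written object."""
    return "s3:ObjectCreated:*" in events or OBJECT_CREATED_EVENTS <= set(events)


def check_existing_trail(trail, notifications, expect_organization_trail,
                         sns_topic_arn, account_id):
    """Return the list of mismatches between the trail and the module's reuse inputs.

    An empty list means existing_cloudtrail_bucket_name, existing_cloudtrail_kms_key_arn,
    existing_sns_topic_arn and enable_organization_trail can be set consistently.
    """
    problems = []
    if bool(trail.get("IsOrganizationTrail")) != expect_organization_trail:
        problems.append("IsOrganizationTrail does not match enable_organization_trail")
    if not trail.get("LogFileValidationEnabled"):
        problems.append("log file validation is disabled on the trail")
    kms = trail.get("KmsKeyId")
    if not kms:
        problems.append("trail is not KMS-encrypted, so existing_cloudtrail_kms_key_arn has no value")
    elif not kms.startswith("arn:aws:kms:"):
        problems.append("KmsKeyId is not a key ARN; pass the full ARN as existing_cloudtrail_kms_key_arn")
    elif kms.split(":")[4] != account_id:  # arn:aws:kms:<region>:<account>:key/<id>
        problems.append("KMS key is in another account; the module needs all resources in one account")
    topics = [t for t in notifications.get("TopicConfigurations", [])
              if t.get("TopicArn") == sns_topic_arn]
    if not topics:
        problems.append("log bucket has no notification configured for existing_sns_topic_arn")
    elif not any(covers_object_created(t.get("Events", [])) for t in topics):
        problems.append("notification to the SNS topic does not cover s3:ObjectCreated:*")
    elif sns_topic_arn.split(":")[4] != account_id:  # arn:aws:sns:<region>:<account>:<topic>
        problems.append("SNS topic is in another account; the module needs all resources in one account")
    return problems


def module_inputs_for(trail, sns_topic_arn):
    """Module inputs for the reuse scenario, derived from the trail description."""
    return {
        "existing_cloudtrail_bucket_name": trail["S3BucketName"],
        "existing_cloudtrail_kms_key_arn": trail.get("KmsKeyId"),
        "existing_sns_topic_arn": sns_topic_arn,
        "enable_organization_trail": bool(trail.get("IsOrganizationTrail")),
    }


if __name__ == "__main__":
    for problem in check_existing_trail(TRAIL, BUCKET_NOTIFICATIONS, True, SNS_TOPIC_ARN, ACCOUNT_ID):
        print("problem:", problem)
    print(module_inputs_for(TRAIL, SNS_TOPIC_ARN))
```

To run this against a real account, replace the two sample dictionaries with the live `describe_trails` entry for your trail and the notification configuration of its log bucket; any non-empty result is a configuration the module's reuse scenario does not cover, which is the case to raise with your Engagement Manager.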
| Name | Version |
|---|---|
| terraform | >= 1.1.0 |
| aws | >= 4.0.0 |
| random | >= 3.1.3 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| expel_customer_organization_guid | Expel customer's organization GUID assigned to you by Expel. You can find it in your browser URL after navigating to Settings > My Organization in Workbench. | string | n/a | yes |
| enable_access_logging_bucket_encryption | Enable to encrypt objects in the access logging bucket. | bool | true | no |
| enable_bucket_access_logging | Enable S3 server access logging, which records the requests made to the CloudTrail log bucket. | bool | true | no |
| enable_bucket_encryption_key_rotation | Enable automatic rotation of the KMS key used for S3 bucket encryption. | bool | true | no |
| enable_bucket_versioning | Enable S3 versioning to protect against accidental or malicious deletion or modification of log objects. | bool | true | no |
| enable_cloudtrail_log_file_validation | Enable CloudTrail log file integrity validation, so you can determine whether a log file was modified or deleted after CloudTrail delivered it. | bool | true | no |
| enable_organization_trail | For customers with an AWS organization: log events for the management account and all member accounts, and deploy IAM policies into every member account so Expel has basic read permissions on resources when investigating alerts. Set to false to onboard a single AWS account. | bool | true | no |
| enable_sqs_encryption | Enable server-side encryption (SSE) of message content with SQS-owned encryption keys. | bool | true | no |
| existing_cloudtrail_bucket_name | The name of the S3 bucket the existing CloudTrail delivers logs to. | string | null | no |
| existing_cloudtrail_kms_key_arn | The ARN of the KMS key used to encrypt the existing CloudTrail bucket. | string | null | no |
| existing_sns_topic_arn | The ARN of the existing SNS topic that the existing CloudTrail bucket notifies. The bucket's notification configuration must include the s3:ObjectCreated:* event type. | string | null | no |
| expel_assume_role_session_name | The session name Expel will use when assuming the role. | string | "ExpelCloudTrailServiceSession" | no |
| expel_aws_account_arn | ARN of the Expel IAM principal that is allowed to assume the role granting CloudTrail access. | string | "arn:aws:iam::012205512454:user/ExpelCloudService" | no |
| expel_customer_aws_account_id | ID of the customer AWS account that Expel will monitor, if it differs from the account Terraform is running against. This must be the management account ID when enable_organization_trail is true. | string | null | no |
| prefix | A prefix to group all Expel integration resources. | string | "expel-aws-cloudtrail" | no |
| queue_message_retention_days | Number of days SQS retains a message that has not been consumed (the message retention period, not the visibility timeout). | number | 7 | no |
| stackset_fault_tolerance_count | The number of accounts, per Region, for which the StackSet deployment operation can fail before AWS CloudFormation stops the operation in that Region. | number | null | no |
| tags | A set of tags to group resources. | map | {} | no |
| Name | Description |
|---|---|
| aws_region | The AWS Region where the CloudTrail resources exist |
| role_arn | IAM Role ARN of the role for Expel to assume to access CloudTrail data |
| role_session_name | The session name Expel will use when authenticating |
| sqs_queue_url | URL of the queue consuming notifications from the S3 bucket |