CloudTrail Monitoring with CloudWatch
Setup with Terragrunt and Terraform

While studying AWS, I challenged myself to build the following CloudTrail monitoring setup with Terraform.
In short, we create a trail that records management events and forwards them to CloudWatch Logs. From those logs we derive metrics for a few security-related events, such as IAM user creation and deletion and security group changes, attach CloudWatch alarms with simple thresholds to those metrics, route the alarms to an SNS topic, and notify the user by email.
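As an added illustration of the metric-and-alarm stage of that flow (not the author's cloudwatch.tf), the following Terraform turns CloudTrail CreateUser/DeleteUser events into a metric and alarms on it. It assumes a log group resource named aws_cloudwatch_log_group.trail (the target of the trail) and an SNS topic aws_sns_topic.alerts; both names are assumptions.

```hcl
# Assumed resources: aws_cloudwatch_log_group.trail and aws_sns_topic.alerts.
# Count IAM user create/delete events in the CloudTrail log group.
resource "aws_cloudwatch_log_metric_filter" "iam_user_changes" {
  name           = "IAMUserChanges"
  log_group_name = aws_cloudwatch_log_group.trail.name

  # Match on eventSource as well as eventName so that similarly named
  # events from other services do not inflate the metric.
  pattern = "{ ($.eventSource = \"iam.amazonaws.com\") && (($.eventName = \"CreateUser\") || ($.eventName = \"DeleteUser\")) }"

  metric_transformation {
    name      = "IAMUserChangeCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

# Raise an alarm as soon as one such event is seen in a 5-minute window.
resource "aws_cloudwatch_metric_alarm" "iam_user_changes" {
  alarm_name          = "iam-user-create-or-delete"
  namespace           = "CloudTrailMetrics"
  metric_name         = aws_cloudwatch_log_metric_filter.iam_user_changes.metric_transformation[0].name
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"

  # No events in a period is the normal state, not an alarm condition.
  treat_missing_data = "notBreaching"

  alarm_actions = [aws_sns_topic.alerts.arn]
}
```

The same filter/alarm pair can be repeated for security group events (for example AuthorizeSecurityGroupIngress) by changing the eventSource and eventName values in the pattern.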
Toolings and directory structure
Because we first create the base AWS resources and then, in a second step, test the alerting by creating and deleting different resources, I use Terragrunt, a Terraform wrapper, to manage the separate stacks.
The directory structure looks like this:
.
├── cloudtrail-n-cloudwatch
│   ├── cloudwatch.tf
│   ├── provider.tf
│   ├── role.tf
│   ├── s3.tf
│   ├── sns.tf
│   ├── terraform.tfstate
│   ├── terraform.tfstate.backup
│   ├── terragrunt.hcl
│   └── trail.tf
├── security-groups
│   ├── provider.tf
│   ├── sg.tf
│   ├── terraform.tfstate
│   └── terragrunt.hcl
├── terragrunt.hcl
└── users
    ├── iam-user.tf
    ├── provider.tf
    ├── terraform.tfstate
    ├── terraform.tfstate.backup
    └── terragrunt.hcl
The cloudtrail-n-cloudwatch directory is where the audit trail flow is set up. The users and security-groups directories exist only for the testing in step two.
The root terragrunt.hcl is listed below:
# Input values passed to every child module.
inputs = {
  access_key = "Key"
  secret_key = "Secret"
  region     = "us-east-1"
}

# Write a provider.tf into each child directory before Terraform runs.
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite"
  contents  = <<-EOF
    provider "aws" {
      access_key = var.access_key
      secret_key = var.secret_key
      region     = var.region
    }

    variable "access_key" {}
    variable "secret_key" {}
    variable "region" {}
  EOF
}
The inputs block defines the input values for the access key, secret key, and region. The generate block automatically creates a provider.tf file under each directory; that file initializes the AWS provider and declares the access key, secret key, and region variables…