
Quickly set up AWS CloudTrail with S3 and CloudWatch Logs integration using CloudShell. This script creates all required resources: S3 bucket with policy, IAM role and policy, CloudWatch Log Group, and CloudTrail - enabling comprehensive audit logging in minutes.
A Guide with AWS CloudShell
Creating a CloudTrail in a hurry can be challenging when using the AWS Management Console. But don't worry, there's a quicker way. In this guide, I'll show you how to quickly create a CloudTrail and send its log data to an Amazon S3 bucket and a CloudWatch Log Group using a script in the AWS CloudShell environment.
To level set, here are some services that we will touch:
- CloudShell
- CloudTrail
- S3
- CloudWatch
- Roles
- Policies
AWS CloudShell is a browser-based shell that comes pre-authenticated. You can run AWS CLI commands directly from the AWS Management Console using your preferred shell, such as Bash, PowerShell, or Z shell, without the need to download or install any tools.
AWS CloudTrail is a powerful service that enables operational auditing, governance, and compliance in your AWS account. It records all actions taken by users, roles, or AWS services in the form of events. These events can include actions taken in the AWS Management Console, AWS CLI, and AWS SDKs and APIs.
Amazon S3 is a scalable, secure, and highly available object storage service. It's used by organizations of all sizes for a variety of use cases, including data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. With S3, you have the ability to manage and control access to your data to meet your specific business, organizational, and compliance requirements.
Amazon CloudWatch is a real-time monitoring service for AWS resources and applications. It collects and tracks metrics to give you a complete view of your resources and applications. CloudWatch Logs consist of log groups and log streams. A log stream is a sequence of log events that share the same source, while a log group is a collection of log streams that share the same retention, monitoring, and access control settings. There is no limit on the number of log streams that can belong to a log group.
The S3 bucket policy in this example grants `s3:*` permissions to CloudTrail. For production environments, restrict this to only `s3:PutObject` and `s3:GetBucketAcl` for better security, following the principle of least privilege.
The Build Order
The script chains a sequence of AWS CLI calls. Each step is a one-liner but the order matters: skip one and the next fails. The shape of it:
- `aws logs create-log-group` for the destination CloudWatch log group.
- `aws s3 mb` for the trail's S3 bucket.
- Write a bucket policy granting `cloudtrail.amazonaws.com` write access, then `aws s3api put-bucket-policy`. For production use the documented least-privilege policy (PutObject + GetBucketAcl), not `s3:*`.
- Write a trust policy for `cloudtrail.amazonaws.com` with `sts:AssumeRole`, then `aws iam create-role`.
- Write a permissions policy allowing `logs:CreateLogStream` + `logs:PutLogEvents`, create it with `aws iam create-policy`, and attach it to the role.
- Capture the role ARN and log-group ARN into shell variables, then `aws cloudtrail create-trail` with `--cloud-watch-logs-role-arn` and `--cloud-watch-logs-log-group-arn`.
- `aws cloudtrail start-logging`. Trails are created in a stopped state by default; this catches a lot of people.
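The build order above as one runnable script, added here as an example and not the post's own script: the bucket policy is the documented least-privilege form (`s3:GetBucketAcl` plus `s3:PutObject`, both pinned to the trail ARN via `aws:SourceArn`) rather than `s3:*`, the permissions policy is attached inline with `put-role-policy` instead of `create-policy` plus attach, and the account ID, region, bucket, trail, log-group and role names are constructed placeholders. The CLI chain only runs when `RUN_AWS=1`, so the policy-generating functions can be inspected without credentials.

```shell
#!/usr/bin/env bash
# Added example (not the post's script). Builds the three policy documents as
# functions and runs the CLI chain only when RUN_AWS=1. All names are placeholders.
set -eu
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"  # constructed; use aws sts get-caller-identity for real
REGION="${REGION:-us-east-1}"
TRAIL="${TRAIL:-quick-trail}"
BUCKET="${BUCKET:-cloudtrail-logs-${ACCOUNT_ID}}"   # bucket names are globally unique
LOG_GROUP="${LOG_GROUP:-CloudTrail/${TRAIL}}"
ROLE="${ROLE:-CloudTrail_CloudWatchLogs_Role}"
trail_arn() { printf 'arn:aws:cloudtrail:%s:%s:trail/%s' "$REGION" "$ACCOUNT_ID" "$TRAIL"; }
# Least-privilege bucket policy: s3:GetBucketAcl on the bucket, s3:PutObject only under
# AWSLogs/<account>/, both pinned to this trail via aws:SourceArn (no s3:* anywhere).
bucket_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Sid":"AWSCloudTrailAclCheck","Effect":"Allow",
  "Principal":{"Service":"cloudtrail.amazonaws.com"},
  "Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::${BUCKET}",
  "Condition":{"StringEquals":{"aws:SourceArn":"$(trail_arn)"}}},
 {"Sid":"AWSCloudTrailWrite","Effect":"Allow",
  "Principal":{"Service":"cloudtrail.amazonaws.com"},
  "Action":"s3:PutObject","Resource":"arn:aws:s3:::${BUCKET}/AWSLogs/${ACCOUNT_ID}/*",
  "Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control",
   "aws:SourceArn":"$(trail_arn)"}}}]}
EOF
}
# Trust policy: only the CloudTrail service principal may assume the role.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}
# Permissions policy: just the two logs actions, scoped to streams in this log group.
logs_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:%s:%s:log-group:%s:log-stream:*"}]}' \
    "$REGION" "$ACCOUNT_ID" "$LOG_GROUP"
}
build() {  # the build order, in dependency order; needs real credentials (CloudShell has them)
  aws logs create-log-group --log-group-name "$LOG_GROUP" --region "$REGION"
  aws s3 mb "s3://${BUCKET}" --region "$REGION"
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy "$(bucket_policy)"
  aws iam create-role --role-name "$ROLE" --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE" --policy-name CloudTrailLogs --policy-document "$(logs_policy)"
  sleep 10  # IAM is eventually consistent; a brand-new role may not be assumable yet
  aws cloudtrail create-trail --name "$TRAIL" --s3-bucket-name "$BUCKET" --is-multi-region-trail \
    --cloud-watch-logs-log-group-arn "arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:${LOG_GROUP}:*" \
    --cloud-watch-logs-role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE}" --region "$REGION"
  aws cloudtrail start-logging --name "$TRAIL" --region "$REGION"  # trails are created stopped
}
if [ "${RUN_AWS:-0}" = "1" ]; then build; fi
```

Run `RUN_AWS=1 ACCOUNT_ID=<your id> bash setup-trail.sh` from CloudShell; afterwards `aws cloudtrail get-trail-status --name quick-trail` should report `IsLogging: true`.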
Enable multi-region trails for comprehensive auditing across all AWS regions. Simply change `--no-is-multi-region-trail` to `--is-multi-region-trail` in the `create-trail` command.
Remember to replace the bucket name and resource names with unique values for your environment. S3 bucket names must be globally unique across all AWS accounts.
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| "Bucket already exists" error | S3 bucket name not globally unique | Choose a different bucket name. Include your account ID or a unique identifier to ensure uniqueness. |
| CloudTrail creation fails with "InsufficientS3BucketPolicyException" | S3 bucket policy not applied correctly | Verify the bucket policy includes the correct bucket ARN and allows CloudTrail service principal. Check for typos in the bucket name. |
| "Role cannot be assumed" error | Trust policy missing or incorrect | Ensure the IAM role trust policy allows `cloudtrail.amazonaws.com` as a trusted entity with the `sts:AssumeRole` action. |
| Logs not appearing in CloudWatch | IAM policy missing CloudWatch permissions | Verify the role policy includes `logs:CreateLogStream` and `logs:PutLogEvents` permissions on the log group resource. |
| "Trail is not logging" status | Logging not started after trail creation | Run `aws cloudtrail start-logging --name trail-name`. Verify with `aws cloudtrail get-trail-status --name trail-name`. |
Want Help With This?
If you're working on something similar and want a second set of eyes, or you'd like to talk through how this applies to your environment, reach out via the contact form. Happy to help.