Posture Control (DSPM)
Changing AWS CloudTrail Details
You can change the CloudTrail for an organization or a single account within the organization as required.
Prerequisites
You must be assigned either an Administrator role or any role with Edit Cloud Accounts permission.
Changing AWS CloudTrail for an Organization
The organization CloudTrail shares the CloudTrail events of the management and member accounts of the organization to the same CloudTrail S3 bucket. When you reset the organization AWS CloudTrail details, the existing CloudTrail is disabled and all the onboarded accounts move to the Needs Attention state until the new CloudTrail is validated successfully.
To change AWS CloudTrail for an organization:
- Go to Administration > Configuration > Cloud Accounts.
- Select the organization account for which you want to change the CloudTrail details.
- Click Manage, and then select Manage CloudTrail from the drop-down menu.
- In the Organization CloudTrail window, click Reset to edit the existing CloudTrail details and enter the new details:
  - CloudTrail Type: If it is an organization CloudTrail, select the OrgCloudTrail checkbox.
  - CloudTrail Bucket Name: Enter the S3 bucket name that is associated with the CloudTrail.
  - Prefix (Optional): Enter the prefix specified in the CloudTrail S3 bucket path, if any.
  - Bucket Account ID: Enter the AWS account ID where the CloudTrail S3 bucket is present.
- Click Apply. A message appears indicating that the CloudTrail details are saved successfully.
- Under Download and Deploy Template, select one of the following template types:
  - CloudFormation. To update the CloudTrail details using the CloudFormation template:
    i. Download the CloudFormation template. In the Organization CloudTrail window, click Organization CloudTrail to download the template as a YAML file to your local system.
    ii. Update the stack.
      - Sign in to the AWS Management Console using the root account credentials and go to CloudFormation.
      - In the left-side navigation, select Stacks.
      - Identify the stack created while onboarding the organization and click the stack name.
      - Click Update.
      - On the Update stack page:
        - Prepare template: Select Replace current template.
        - Specify template: Select Upload a template file and click Choose file. Browse to the downloaded YAML file, select it, and click Open.
        - Click Next.
      - On the Specify stack details page, click Next.
      - On the Configure stack options page, click Next.
      - On the Review stack page, review the stack details and select the I acknowledge checkbox to acknowledge AWS CloudFormation's creation of IAM resources with custom names.
      - Click Submit. On the Events tab, you can view the status of the stack execution.
  - Terraform. To update the CloudTrail details using the Terraform template:
    i. Download the Terraform template. In the Organization CloudTrail window, click Organization CloudTrail to download the template as a Terraform file to your local system.
    ii. Copy the access keys of the root account. The access keys provide DSPM with administrator access to the root account from the AWS CLI. To copy the access keys:
      - Sign in to the AWS access portal and select the root account.
      - Click Access keys.
      - Select the required tab (macOS/Linux, Windows, PowerShell) based on your operating system.
    iii. Run the Terraform template.
      - Open the Command Prompt or any other CLI app on your local system.
      - Switch to the directory that contains the downloaded .tf template.
      - Paste the access keys you copied earlier and press Enter.
      - Run the following commands:
        - To initialize the Terraform working directory: terraform init
        - To verify the changes in the Terraform configuration: terraform plan
        - To run the Terraform script: terraform apply
        Under Do you want to perform these actions?, enter yes and press Enter.
- Click Done.
- In the Overview tab, under CloudTrail, click Validate.
  After the CloudTrail is validated successfully, the status of the CloudTrail shows Enabled. If an issue is found while validating the template, the status of the CloudTrail shows Failed. Download the template, run it again, and then validate the CloudTrail.
Changing AWS CloudTrail for a Single Account
When you update the account CloudTrail, the existing CloudTrail is disabled only for that account without affecting the other accounts in the organization. The account moves to the Needs Attention state until the new CloudTrail is validated successfully.
To change AWS CloudTrail for a single account:
- Go to Administration > Configuration > Cloud Accounts.
- Select the AWS organization and then select the Accounts tab.
- Click the Actions icon for the account whose CloudTrail details you want to change, then select Update CloudTrail.
- In the Update Account CloudTrail window, click Reset to edit the existing CloudTrail details and enter the new details:
  - CloudTrail Bucket Name: Enter the S3 bucket name that is associated with the CloudTrail.
  - Prefix (Optional): Enter the prefix specified in the CloudTrail S3 bucket path, if any.
  - Bucket Account ID: Enter the AWS account ID where the CloudTrail S3 bucket is present.
- Click Apply. A message appears indicating that the CloudTrail details are saved successfully.
- Under Download and Deploy Template, select one of the following template types:
  - CloudFormation. To update the CloudTrail details using the CloudFormation template:
    i. Download the CloudFormation template. In the Update Account CloudTrail window, click CloudTrail to download the template as a YAML file to your local system.
    ii. Create a stack.
      - Sign in to the AWS Management Console for the account whose CloudTrail you want to change, and go to CloudFormation.
      - In the left-side navigation, select Stacks.
      - Click Create stack.
      - On the Create stack page:
        - Prepare template: Select Choose an existing template.
        - Specify template: Select Upload a template file to upload the template you downloaded from the DSPM Admin Portal.
        - Upload a template file: Click Choose file, browse to and select the template, then click Open.
        - Click Next.
      - On the Specify stack details page, under Stack name, enter a unique stack name, and click Next.
      - On the Configure stack options page, click Next.
      - On the Review and create page, under Capabilities, select the I acknowledge checkbox to acknowledge AWS CloudFormation's creation of IAM resources with custom names.
      - Click Submit.
  - Terraform. To update the CloudTrail details using the Terraform template:
    i. Download the Terraform template. In the Update Account CloudTrail window, select Terraform and click CloudTrail to download the template as a Terraform file to your local system.
    ii. Copy the access keys of the account for which you want to change the CloudTrail details. The access keys provide DSPM with administrator access to the account from the AWS CLI. To copy the access keys:
      - Sign in to the AWS access portal and select the account for which you want to change the CloudTrail details.
      - Click Access keys.
      - Select the required tab (macOS/Linux, Windows, PowerShell) based on your operating system.
    iii. Run the Terraform template.
      - Open the Command Prompt or any other CLI app on your local system.
      - Switch to the directory that contains the downloaded .tf template.
      - Paste the access keys you copied earlier and press Enter.
      - Run the following commands:
        - To initialize the Terraform working directory: terraform init
        - To verify the changes in the Terraform configuration: terraform plan
        - To run the Terraform script: terraform apply
        Under Do you want to perform these actions?, enter yes and press Enter.
- Click Done.
  DSPM validates the template deployment by checking the new CloudTrail details provided. If there is an error while validating the template, download and rerun the template. You can see the CloudTrail details of the account in the corresponding account drawer.
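Before relying on DSPM's validation in either of the procedures above (organization or single account), it helps to confirm that the trail actually deployed by the template matches the CloudTrail Bucket Name, Prefix and CloudTrail Type entered in the Reset form; a mismatch there is the usual reason the CloudTrail status shows Failed. The following check is an added example, not code from the DSPM product or its documentation; it assumes the JSON shape returned by `aws cloudtrail describe-trails` and runs offline against a constructed sample of that output.

```python
import json
from typing import Optional

# Constructed sample of `aws cloudtrail describe-trails` output (no real account data).
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-org-cloudtrail-bucket",
            "S3KeyPrefix": "AWSLogs",
            "IsMultiRegionTrail": True,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
            "IsOrganizationTrail": True,
        }
    ]
})


def check_trail_matches_form(describe_trails_json: str, trail_name: str,
                             bucket_name: str, prefix: Optional[str],
                             org_cloudtrail: bool) -> list[str]:
    """Compare the deployed trail with the values entered in the DSPM Reset form.

    Returns human-readable mismatches; an empty list means the trail matches the
    form and it is reasonable to click Validate. Bucket Account ID is not part of
    describe-trails output, so it has to be confirmed separately in the account
    that owns the bucket.
    """
    trails = json.loads(describe_trails_json).get("trailList", [])
    trail = next((t for t in trails if t.get("Name") == trail_name), None)
    if trail is None:
        return [f"trail '{trail_name}' not found in describe-trails output"]

    problems = []
    if trail.get("S3BucketName") != bucket_name:
        problems.append(f"bucket: deployed '{trail.get('S3BucketName')}' != form '{bucket_name}'")
    # AWS omits S3KeyPrefix when no prefix is set; normalise both sides so that
    # an empty form field and a missing key compare equal, ignoring slashes.
    deployed_prefix = (trail.get("S3KeyPrefix") or "").strip("/")
    form_prefix = (prefix or "").strip("/")
    if deployed_prefix != form_prefix:
        problems.append(f"prefix: deployed '{deployed_prefix}' != form '{form_prefix}'")
    deployed_org = bool(trail.get("IsOrganizationTrail", False))
    if deployed_org != org_cloudtrail:
        problems.append(f"OrgCloudTrail: deployed {deployed_org} != form {org_cloudtrail}")
    return problems
```

Run `aws cloudtrail describe-trails` in the management account for an organization trail, or in the member account for an account trail, and pass its output to the function.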