Skip to main content
Sponsor @cloudposse

Module: cloudtrail-s3-bucket

Terraform module to provision an S3 bucket with built in policy to allow CloudTrail logs.

This is useful if an organization uses a number of separate AWS accounts to isolate the Audit environment from other environments (production, staging, development).

In this case, you create CloudTrail in the production environment (Production AWS account), while the S3 bucket to store the CloudTrail logs is created in the Audit AWS account, restricting access to the logs only to the users/groups from the Audit account.

The module supports the following:

  1. Forced server-side encryption at rest for the S3 bucket
  2. S3 bucket versioning to easily recover from both unintended user actions and application failures
  3. S3 bucket is protected from deletion if it's not empty (force_destroy set to false)

Usage

module "s3_bucket" {
  source = "cloudposse/cloudtrail-s3-bucket/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  namespace = "eg"
  stage     = "prod"
  name      = "cluster"
}