Create Stack

Creating this CloudFormation stack will configure CloudTrail including a new trail, an S3 bucket, and a CloudWatch Logs group for CloudTrail logs. You can optionally configure AWS Config and Amazon GuardDuty by setting the CloudFormation parameter for each.

  1. Download the latest version of the CloudFormation template here: cloudtrail-config-guardduty.yaml

  2. Go to the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation and click Create Stack > With new resources.

  3. Leave Prepare template setting as-is

    • For Template source select Upload a template file
    • Click Choose file and supply the CloudFormation template you downloaded: cloudtrail-config-guardduty.yaml

  4. Click Next

  5. For Stack name use DetectiveControls

  6. Parameters

    • Look over the Parameters and their default values.

    • Under the General section, only enable a service if you have not configured it already. CloudTrail is enabled by default; if you already have a trail, this will create another trail and S3 bucket.

    • CloudTrailBucketName: The name of the new S3 bucket to create for CloudTrail to send logs to.

    • IMPORTANT: Bucket names need to be unique across all AWS buckets, and only contain lowercase letters, numbers, and hyphens.

    • ConfigBucketName: The name of the new S3 bucket to create for Config to save config snapshots to.

    • GuardDutyEmailAddress: The email address you own that will receive the alerts; you must have access to this address for testing.

    • Click Next

  7. For Configure stack options we recommend configuring tags, key-value pairs that can help you identify your stacks and the resources they create. For example, enter Owner in the left column (the key) and your email address in the right column (the value). We will not use additional permissions or advanced options, so click Next. For more information, see Setting AWS CloudFormation Stack Options.

  8. For Review

    • Review the contents of the page
    • At the bottom of the page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names
    • Click Create stack

  9. This will take you to the CloudFormation stack status page, showing the stack creation in progress.

    • Click on the Events tab
    • Scroll through the listing. It shows (in reverse order) the activities performed by CloudFormation, such as starting to create a resource and then completing the resource creation.
    • Any errors encountered during the creation of the stack will be listed in this tab.

  10. When it shows status CREATE_COMPLETE, then you are finished with this step.
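The same stack can be created from the AWS CLI instead of the console. The script below is an added example, not part of the workshop; it assumes the template file is in the current directory, that the parameter keys match the names shown above (CloudTrailBucketName, ConfigBucketName, GuardDutyEmailAddress), and that any other template parameters keep their defaults. The bucket-name check enforces the character rules stated above; uniqueness across AWS is only verified when the stack is created.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console steps in this lab.
# Assumes cloudtrail-config-guardduty.yaml is in the working directory.
set -eu

STACK_NAME="DetectiveControls"
TEMPLATE_FILE="cloudtrail-config-guardduty.yaml"

# Bucket-name rule from the lab: lowercase letters, digits and hyphens only.
# S3 also requires 3-63 characters and no leading/trailing hyphen.
valid_bucket_name() {
  name="$1"
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
  case "$name" in
    -*|*-) return 1 ;;              # cannot start or end with a hyphen
    *[!a-z0-9-]*) return 1 ;;       # any other character is rejected
  esac
  return 0
}

# Prints the create-stack command. CAPABILITY_NAMED_IAM is the CLI form of
# the "might create IAM resources with custom names" acknowledgement, and the
# Owner tag mirrors the tag recommended in step 7.
build_create_stack_cmd() {
  trail_bucket="$1"; config_bucket="$2"; email="$3"
  valid_bucket_name "$trail_bucket" || { echo "invalid CloudTrailBucketName: $trail_bucket" >&2; return 1; }
  valid_bucket_name "$config_bucket" || { echo "invalid ConfigBucketName: $config_bucket" >&2; return 1; }
  printf '%s' "aws cloudformation create-stack --stack-name $STACK_NAME" \
    " --template-body file://$TEMPLATE_FILE" \
    " --capabilities CAPABILITY_NAMED_IAM" \
    " --tags Key=Owner,Value=$email" \
    " --parameters ParameterKey=CloudTrailBucketName,ParameterValue=$trail_bucket" \
    " ParameterKey=ConfigBucketName,ParameterValue=$config_bucket" \
    " ParameterKey=GuardDutyEmailAddress,ParameterValue=$email"
  printf '\n'
}

# Runs only when given the three values, e.g.
#   sh create-stack.sh my-org-cloudtrail-logs my-org-config-logs you@example.com
# and then waits for CREATE_COMPLETE (the same status you watch for in step 10).
if [ "$#" -eq 3 ]; then
  cmd="$(build_create_stack_cmd "$1" "$2" "$3")"
  echo "$cmd"
  eval "$cmd"
  aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
fi
```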

You have now set up detective controls to log to your buckets and retain events, giving you the ability to search history and later enable proactive monitoring of your AWS account!

You should receive an email asking you to confirm the SNS email subscription; you must confirm it. Note that, as the email comes directly from GuardDuty via SNS, it will be in JSON format.