AWS Parameters for Organization-Level CloudTrail
This topic covers the parameters in the CloudFormation template that provisions a stack for an organization-level trail. The template creates and configures the CloudTrail event-driven pipeline that Tenable Cloud Security uses to detect configuration changes in your AWS organization.
Parameters for Creating an Organization-Level Stack
The organization-level stack template consists of a consolidated (organization) CloudTrail trail, an Amazon S3 bucket where the trail stores its log files, a CloudWatch log group that also receives the trail's events, and an event bus whose rule publishes matching events to an SNS topic. An SNS subscription is also created so that Tenable Cloud Security receives the events published to that topic.
| Parameter | Description | Default |
|---|---|---|
| Stack name | Name of the stack. A stack name can contain letters (A-Z and a-z), numbers (0-9), and dashes (-). | |
| CreateTrail | Indicates whether to create the CloudTrail trail. | true |
| Trail name | Name of the CloudTrail trail. Note: the trail is not created if the CreateTrail parameter is set to false. | |
| Enable log file validation | Indicates whether CloudTrail validates the integrity of log files. Keep this enabled: the signed digest files let you detect whether delivered log files were later modified or deleted. | true |
| S3 bucket name | Name of the S3 bucket where CloudTrail stores the logs. Note: to avoid namespace conflicts, the AWS account ID is suffixed to the bucket name. If a bucket with the resulting name already exists in your account, delete it (after preserving any logs you still need) before creating this CloudFormation stack. | |
| CloudWatch Logs Configuration | | |
| Access token for Tenable Cloud Security | Access token for the Tenable Cloud Security SNS subscription. For more information, see Generate API Tokens. | |
| EventRuleName | Name of the event rule. | TenableTrailMasterEventRule |
| Log group name | Name of the CloudWatch log group. Note: the log group is not created if the CreateTrail parameter is set to false. | |
| RetentionPeriod | Retention period of the CloudWatch log group, in days. The log group only feeds the event rule; the S3 bucket holds the long-term copy of the logs. | 5 |
| SNSTopicName | SNS topic that acts as the target for event rules triggered by CloudTrail events. | TenableSNSTopic |
Parameters for Creating an Organization-Level StackSet
The Tenable Cloud Security StackSet template creates an EventBridge (CloudWatch Events) rule in each member account that forwards AWS events to the event bus in the consolidated CloudTrail (management) account. The following table lists the fields in the Create StackSet wizard and the recommended values.
| Field | Description |
|---|---|
| Choose a template | |
| Permissions | The Service-managed permissions option is selected by default. The StackSet automatically configures the permissions required to deploy to target accounts managed by the AWS organization. |
| Prerequisite - Prepare template | The Template is ready option is selected by default. |
| Template source | The Amazon S3 URL option is selected by default. |
| Amazon S3 URL | Copy the S3 URL from the Tenable Cloud Security console and paste it here. |
| Specify StackSet details | |
| StackSet name | Type a name for the StackSet. A StackSet name can contain letters (A-Z and a-z), numbers (0-9), and dashes (-). |
| StackSet description | Type a description of the StackSet. |
| LogsManagementAccountId | Type the ID of the account that hosts the CloudTrail event bus (the management account). |
| Configure StackSet options | |
| Tags | Tags (key-value pairs) applied to the resources in your stack. |
| Execution configuration | Select Active so that the StackSet performs non-conflicting operations concurrently and queues conflicting operations. |
| Set deployment options | |
| Automatic deployment | Select Enabled so that the StackSet is also deployed to accounts that later join the targeted organization or organizational units. |
| Regions | Select all the regions that you want to deploy to. The forwarding rule is regional, so events from a region you leave out never reach the management account. |
| Maximum concurrent accounts - optional | Select Percentage from the drop-down box and set the value to 100. |
| Failure tolerance - optional | Select Percentage from the drop-down box and set the value to 50. |
A failure tolerance of 50% lets the operation finish even when up to half of the target accounts fail to deploy. After the operation completes, review the stack instances and re-run the deployment for any whose status is not CURRENT: an account without the forwarding rule sends no events to Tenable Cloud Security and is silently left unmonitored. For more information about these deployment parameters, see Stack set operation options in the AWS CloudFormation documentation.
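The following script is an added example, not part of the Tenable Cloud Security stack or StackSet templates. It audits the security-relevant settings of a deployed pipeline: that the trail is an organization-level, multi-region trail with log file validation on, delivering to the expected bucket and log group; that the log group retention matches the RetentionPeriod parameter; and that the event bus policy in the management account accepts PutEvents only from your organization (a wildcard principal without an aws:PrincipalOrgID condition would let any AWS account inject fake events). The functions take dictionaries shaped like the boto3 responses of cloudtrail.describe_trails(), logs.describe_log_groups() and events.describe_event_bus(), so the sample inputs below are constructed and run offline; the account ID, organization ID, bucket prefix and resource names are assumptions, not values from the page.

```python
"""Offline audit of the organization-level CloudTrail pipeline (added example)."""
import json

ACCOUNT_ID = "111111111111"                # assumed management account ID
ORG_ID = "o-abc123def4"                    # assumed AWS Organizations ID
BUCKET_PREFIX = "tenable-cloudtrail-logs"  # assumed bucket name given to the stack
RETENTION_DAYS = 5                         # the RetentionPeriod default on the page


def audit_trail(trail, account_id, bucket_prefix):
    """Findings for one entry of describe_trails()['trailList']."""
    findings = []
    if not trail.get("IsOrganizationTrail"):
        findings.append("trail is not an organization trail; member-account activity is not captured")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region; activity in other regions is not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled; tampering with delivered logs is not detectable")
    bucket = trail.get("S3BucketName", "")
    # The stack suffixes the account ID to the bucket name; the separator is an assumption.
    if not (bucket.startswith(bucket_prefix) and bucket.endswith(account_id)):
        findings.append(f"unexpected S3 bucket name {bucket!r}")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("trail does not deliver to a CloudWatch log group, so no events reach the event rule")
    return findings


def audit_log_group(log_group, expected_days):
    """Findings for one entry of describe_log_groups()['logGroups']."""
    days = log_group.get("retentionInDays")  # key is absent when retention is 'never expire'
    if days != expected_days:
        return [f"log group {log_group.get('logGroupName')!r} retention is {days}, expected {expected_days}"]
    return []


def audit_event_bus_policy(policy_json, org_id):
    """Findings for the Policy string returned by describe_event_bus()."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("events:PutEvents", "events:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        allowed_orgs = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        allowed_orgs = [allowed_orgs] if isinstance(allowed_orgs, str) else (allowed_orgs or [])
        sid = stmt.get("Sid", "<no Sid>")
        if wildcard and not allowed_orgs:
            findings.append(f"statement {sid} allows PutEvents from any AWS account")
        elif allowed_orgs and org_id not in allowed_orgs:
            findings.append(f"statement {sid} is scoped to {allowed_orgs}, not {org_id}")
    return findings


# Constructed samples: a correctly deployed pipeline ...
SAMPLE_TRAIL = {
    "Name": "TenableOrgTrail",
    "S3BucketName": f"{BUCKET_PREFIX}-{ACCOUNT_ID}",
    "IsOrganizationTrail": True,
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": f"arn:aws:logs:us-east-1:{ACCOUNT_ID}:log-group:TenableTrailLogGroup:*",
}
SAMPLE_LOG_GROUP = {"logGroupName": "TenableTrailLogGroup", "retentionInDays": RETENTION_DAYS}
SCOPED_BUS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOrgMembers", "Effect": "Allow", "Principal": "*",
        "Action": "events:PutEvents",
        "Resource": f"arn:aws:events:us-east-1:{ACCOUNT_ID}:event-bus/default",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
})
# ... and the weak variant: the same statement with the organization condition removed.
OPEN_BUS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
        "Action": "events:PutEvents",
        "Resource": f"arn:aws:events:us-east-1:{ACCOUNT_ID}:event-bus/default",
    }],
})


def run_audit(trail, log_group, bus_policy_json):
    """Collect all findings; empty lists throughout mean the pipeline passed."""
    return {
        "trail": audit_trail(trail, ACCOUNT_ID, BUCKET_PREFIX),
        "log_group": audit_log_group(log_group, RETENTION_DAYS),
        "event_bus": audit_event_bus_policy(bus_policy_json, ORG_ID),
    }


if __name__ == "__main__":
    for name, findings in run_audit(SAMPLE_TRAIL, SAMPLE_LOG_GROUP, OPEN_BUS_POLICY).items():
        print(name, "OK" if not findings else findings)
```

To audit a live stack, pass `cloudtrail.describe_trails(includeShadowTrails=False)["trailList"][i]`, the matching entry from `logs.describe_log_groups(...)["logGroups"]`, and `events.describe_event_bus()["Policy"]` from the management account in place of the constructed samples; run the event bus check in every region selected in the StackSet, because the bus and its policy are regional.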