AWS Parameters for Organization-Level CloudTrail

This topic covers the parameters in the CloudFormation template used to provision a stack for an organization-level trail. The template creates and configures the CloudTrail event-driven pipeline that Tenable Cloud Security uses to detect configuration changes in your AWS organization.

Parameters for Creating an Organization-Level Stack

The organization-level stack template consists of a consolidated CloudTrail trail, an Amazon S3 bucket that stores the CloudTrail logs, a CloudWatch log group into which the logs are consolidated, and an event bus that publishes events to SNS. A subscription is also created so that Tenable Cloud Security can listen to the events published to SNS.

| Parameter | Description | Default Value |
|---|---|---|
| Stack name | Name of the stack. The stack name can include letters (A-Z and a-z), numbers (0-9), and dashes (-). | |
| Trail Configuration | | |
| CreateTrail | Indicates whether to create the CloudTrail. | true |
| | Name of the CloudTrail. Note: This CloudTrail is not created if you set the CreateTrail parameter to false. | |
| Enable log file validation | Indicates whether CloudTrail validates the integrity of log files. | true |
| | Name of the S3 bucket where CloudTrail stores the logs. Note: To avoid namespace conflicts, the AWS account ID is suffixed to the S3 bucket name. If an S3 bucket with the same name exists within your account, delete it before creating this CloudFormation stack. | |
| CloudWatch Logs Configuration | | |
| Access token for Tenable Cloud Security | Access token for the Tenable Cloud Security SNS subscription. For more information, see Generate API Tokens. | |
| Other Parameters | | |
| EventRuleName | Name of the event rule. | TenableTrailMasterEventRule |
| | Name of the CloudWatch log group. Note: The log group is not created if the CreateTrail parameter is set to false. | |
| RetentionPeriod | Retention period of the CloudWatch log group, in days. | 5 |
| SNSTopicName | SNS topic that acts as the target for event rules triggered by CloudTrail events. | TenableSNSTopic |
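The following CloudFormation YAML is an added illustration of how the parameters above map onto resources; it is not Tenable's template. It shows the CreateTrail condition that skips the trail and log group, the account-ID suffix on the bucket name, log file validation, the log group retention, and the event rule that targets the SNS topic. Parameter keys the table does not name (TrailName, EnableLogFileValidation, BucketName, LogGroupName) and the OrganizationId parameter are assumptions, and the Tenable SNS subscription that uses the access token is not modelled.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Illustrative org-level CloudTrail pipeline (added example, not the Tenable template)
Parameters:
  CreateTrail: { Type: String, AllowedValues: ["true", "false"], Default: "true" }
  TrailName: { Type: String }       # assumed key for the "Name of the CloudTrail" row
  EnableLogFileValidation: { Type: String, AllowedValues: ["true", "false"], Default: "true" }  # assumed key
  BucketName: { Type: String }      # assumed key; the account ID is appended below
  LogGroupName: { Type: String }    # assumed key for the "Name of the CloudWatch log group" row
  RetentionPeriod: { Type: Number, Default: 5 }
  EventRuleName: { Type: String, Default: TenableTrailMasterEventRule }
  SNSTopicName: { Type: String, Default: TenableSNSTopic }
  OrganizationId: { Type: String }  # assumed: the o-... ID that limits who may put events on the bus
Conditions:
  # Trail, bucket, log group and delivery role exist only when CreateTrail is "true" (the table's notes)
  ShouldCreateTrail: !Equals [!Ref CreateTrail, "true"]
Resources:
  TrailBucket:
    Type: AWS::S3::Bucket
    Condition: ShouldCreateTrail
    Properties:
      BucketName: !Sub "${BucketName}-${AWS::AccountId}"   # account-ID suffix avoids global name clashes
      PublicAccessBlockConfiguration:
        { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true }
  TrailBucketPolicy:   # CloudTrail must be able to read the bucket ACL and write under AWSLogs/
    Type: AWS::S3::BucketPolicy
    Condition: ShouldCreateTrail
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: cloudtrail.amazonaws.com },
              Action: s3:GetBucketAcl, Resource: !GetAtt TrailBucket.Arn }
          - Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub "${TrailBucket.Arn}/AWSLogs/*"
            Condition: { StringEquals: { "s3:x-amz-acl": bucket-owner-full-control } }
  TrailLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: ShouldCreateTrail
    Properties:
      LogGroupName: !Ref LogGroupName
      RetentionInDays: !Ref RetentionPeriod   # the RetentionPeriod parameter, in days
  TrailLogsRole:   # role CloudTrail assumes to deliver events into the log group
    Type: AWS::IAM::Role
    Condition: ShouldCreateTrail
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: cloudtrail.amazonaws.com }, Action: sts:AssumeRole }
      Policies:
        - PolicyName: cloudtrail-to-cloudwatch
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: [logs:CreateLogStream, logs:PutLogEvents],
                  Resource: !GetAtt TrailLogGroup.Arn }
  Trail:
    Type: AWS::CloudTrail::Trail
    Condition: ShouldCreateTrail
    DependsOn: TrailBucketPolicy   # CloudTrail validates the bucket policy when the trail is created
    Properties:
      TrailName: !Ref TrailName
      S3BucketName: !Ref TrailBucket
      IsLogging: true
      IsMultiRegionTrail: true
      IsOrganizationTrail: true
      EnableLogFileValidation: !Ref EnableLogFileValidation   # digest files make log tampering detectable
      CloudWatchLogsLogGroupArn: !GetAtt TrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt TrailLogsRole.Arn
  EventBusPolicy:   # lets member accounts (StackSet section) forward events to this account's default bus
    Type: AWS::Events::EventBusPolicy
    Properties:
      EventBusName: default
      StatementId: AllowOrgPutEvents
      Statement:
        { Effect: Allow, Principal: "*", Action: events:PutEvents,
          Resource: !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default",
          Condition: { StringEquals: { "aws:PrincipalOrgID": !Ref OrganizationId } } }
  Topic:
    Type: AWS::SNS::Topic
    Properties: { TopicName: !Ref SNSTopicName }
  TopicPolicy:   # EventBridge must be allowed to publish to the topic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref Topic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: events.amazonaws.com }, Action: sns:Publish, Resource: !Ref Topic }
  EventRule:   # matches API calls recorded by CloudTrail (local and forwarded) and fans them out to SNS
    Type: AWS::Events::Rule
    Properties:
      Name: !Ref EventRuleName
      EventPattern: { detail-type: ["AWS API Call via CloudTrail"] }
      Targets:
        - { Id: sns-target, Arn: !Ref Topic }
```

An organization trail (IsOrganizationTrail) can only be created in the organization's management account, or a delegated CloudTrail administrator, with CloudTrail trusted access enabled in AWS Organizations. Deploying with CreateTrail set to false skips every resource carrying the ShouldCreateTrail condition while the event bus policy, topic and rule still deploy, which matches the table's notes that the trail and log group are then not created. The PrincipalOrgID condition on the event bus policy is what keeps accounts outside your organization from injecting events into the pipeline.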

Parameters for Creating an Organization-Level StackSet

The Tenable Cloud Security StackSet template creates a CloudWatch Events rule that sends AWS events from member accounts into an event bus in the consolidated CloudTrail account. The following table lists the parameters in the Create StackSet wizard and the recommended values.

| Parameter | Action |
|---|---|
| Choose a template | |
| | The Service-managed permissions option is selected by default. The StackSet automatically configures the permissions required to deploy to target accounts managed by the AWS organization. |
| Prerequisite - Prepare template | The Template is ready option is selected by default. |
| Template source | The Amazon S3 URL option is selected by default. |
| Amazon S3 URL | Copy the S3 URL from the Tenable Cloud Security console and paste it here. |
| Specify StackSet details | |
| StackSet name | Type a name for the StackSet. The StackSet name can include letters (A-Z and a-z), numbers (0-9), and dashes (-). |
| StackSet description | Type the description of the StackSet. |
| LogsManagementAccountId | Type the account ID of the CloudTrail event bus (management account). |
| Configure StackSet options | |
| Tags | Tags or key-value pairs for resources in your stack. |
| Execution configuration | Click the Active option so that the StackSet performs non-conflicting operations concurrently and queues conflicting operations. |
| Set deployment options | |
| Deployment configuration | Enable Automatic deployment. |
| Regions | Select all the regions that you want to deploy to. |
| Maximum concurrent accounts - optional | Select Percentage from the drop-down box and set the value to 100. |
| Failure tolerance - optional | Select Percentage from the drop-down box and set the value to 50. |
| Regional Concurrency | Click Parallel. |

For more information about these deployment parameters, see Stack set operation options in the AWS CloudFormation documentation.
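The wizard choices in the table can also be expressed as an AWS::CloudFormation::StackSet resource, which is useful when the rollout itself has to be version-controlled. The template below is an added example, not Tenable's; it maps each wizard setting (service-managed permissions, automatic deployment, active managed execution, parallel regional concurrency, 100 percent concurrency and 50 percent failure tolerance) onto the corresponding property. The StackSet name, the MemberTemplateUrl, TargetOrganizationalUnitIds and TargetRegions parameters, and the CAPABILITY_IAM entry are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Illustrative service-managed StackSet for the member-account forwarding rule (added example)
Parameters:
  LogsManagementAccountId:          # the account that owns the CloudTrail event bus
    Type: String
    AllowedPattern: "^[0-9]{12}$"   # a 12-digit AWS account ID
  MemberTemplateUrl:                # assumed: the Amazon S3 URL copied from the Tenable Cloud Security console
    Type: String
  TargetOrganizationalUnitIds:      # assumed: OUs whose accounts receive the stack (ou-... IDs, or the r-... root)
    Type: CommaDelimitedList
  TargetRegions:                    # assumed: every region you want to deploy to
    Type: CommaDelimitedList
Resources:
  MemberEventForwarding:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: tenable-member-event-forwarding   # assumed name; letters, numbers and dashes only
      Description: Forwards member-account events to the event bus in the CloudTrail account
      PermissionModel: SERVICE_MANAGED                # "Service-managed permissions" in the wizard
      AutoDeployment:                                 # "Enable Automatic deployment"
        Enabled: true
        RetainStacksOnAccountRemoval: false
      ManagedExecution:                               # "Execution configuration: Active"
        Active: true
      Capabilities: [CAPABILITY_IAM]                  # assumed: only needed if the member template creates IAM resources
      TemplateURL: !Ref MemberTemplateUrl
      Parameters:
        - ParameterKey: LogsManagementAccountId       # passed through to the member template
          ParameterValue: !Ref LogsManagementAccountId
      OperationPreferences:                           # "Set deployment options"
        RegionConcurrencyType: PARALLEL               # Regional Concurrency: Parallel
        MaxConcurrentPercentage: 100                  # Maximum concurrent accounts: Percentage, 100
        FailureTolerancePercentage: 50                # Failure tolerance: Percentage, 50
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds: !Ref TargetOrganizationalUnitIds
          Regions: !Ref TargetRegions
```

A service-managed StackSet must be created from the organization's management account, or from a delegated administrator (add `CallAs: DELEGATED_ADMIN` in that case), with CloudFormation StackSets trusted access enabled in AWS Organizations. With AutoDeployment enabled, any account that later joins one of the targeted OUs receives the forwarding rule without a manual operation, so new accounts cannot silently fall outside the monitored set.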