Enable cross-account queries on AWS CloudTrail lake using delegated administration from AWS Organizations
We are excited to announce a new CloudTrail feature, which lets the management account of an organization configure up to 3 delegated administrators to manage the organization’s trails and Lake event data stores. A delegated administrator has permission to manage resources on behalf of the organization. Delegated administrator support enables flexibility for customers by allowing the management account to delegate CloudTrail administrative actions to an organization member account, such as a security or logging account.
With this feature, the management account of an organization remains the owner of all CloudTrail organization resources, even when those organization trails or CloudTrail Lake event data store resources are created and managed through the delegated administrator account. This helps customers with maintaining continuity of organization-wide CloudTrail audit logs while avoiding any disruption when changes are made to their organization in AWS Organizations. This feature will allow the accounts in the organization to accept the role of delegated administrator to create and manage CloudTrail Lake event data stores at organization level and then be able to share the event data store with other accounts within their AWS Organization. This allows teams to collaborate on the organization wide activity logs in CloudTrail Lake without needing to share access to a management account.
In this post, I’ll walk you through the steps to create a delegated administrator and use the delegated administrator account to provide permissions to other member accounts in the organization to query CloudTrail lake. By delegating this to other member accounts, it help minimize users using management account for CloudTrail Lake related tasks and hence improving security and compliance posture. If you’re using CloudTrail Lake for the first time, then check this post.
We will follow the proceesing steps for this demonstration.
- Register delegated administrator account
- Create an organization level event data store in delegated admin account
- Create IAM Policy and role for cross account access to member account
- Query event data store which was created by the delegated admin account from a member account
STEP 1: Register delegated administrator account in CloudTrail console
- Sign into the CloudTrail in the AWS Management console using the management account of your organization and choose settings.
- Under Settings choose Register administrator
- A pop-up window will open for registering a delegated administrator.
- Enter the delegated administrator account ID in the box provided and then choose Register administrator to register the account as the delegated admin for CloudTrail.
- If successful, you will see the account ID, the account name, and the account email listed in the Organization delegated administrators table.
STEP 2: Create event data store in delegated administrator account
- Login to delegated admin account and navigate to CloudTrail console page
- On the CloudTrail Lake page, open the event data stores tab. Choose Create event data store
- On the Configure event data store page, provide a name for your event data store and configure the options.
- You can view the new event data store for your account in the event data stores section
- Choose the event data store to view its details, and copy the ARN. You’ll use the ARN in the IAM policy you create in the next step.
STEP 3: Create a new CloudTrail policy and role to allow cross-account access
- To allow cross-account permissions, create an IAM policy and role by using the IAM console. Create a policy using the least privileges necessary, an example is shown below. Under Resources, add the event data store ARN that you just copied.
- Create an IAM role and select the AWS account option to allow cross-account access. Specify the member account that you want to share access with on the event data store created in delegated admin account.
- Attach the IAM policy you created in the previous step and attach the privileges allowed in the IAM policy to the member account. Share the role link with member account.
STEP 4: Connect to member account to query event data store
- Login to the member account with the shared IAM role console login link. Now this member account can query the event data store without needing to go through the management account.
- The role has been switched as seen in below screenshot
- Now navigate to the CloudTrail Lake and you will be able to see the event data store created by using a delegated admin account. This allows the member account to query the event data store without the need to login to the management account.
- Looking at the details of this event data store, you will see that the ARN refers to the delegated admin account and delete option is greyed out under action drop down. This shows that member accounts can only perform tasks limited to the permissions granted to their account
- Run queries on event data store from the member account. User action on event data store can be controlled by the IAM policy attached to the role.
In this blog, we demonstrated how a delegated administrator can be used to grant member accounts varying permission levels and to query organization level CloudTrail event data stores. This feature will allow multiple teams to collaborate on same event data store without duplicating data. This feature will also enhance security and compliance posture by minimizing access to management account for CloudTrail Lake related activities. Delegated administrator support is now available in all regions where AWS CloudTrail is available, except for regions in China. There are no additional charges for enabling this feature. To learn more about delegated administrators in CloudTrail Lake and trails, see our documentation.
About the authors: