Amazon Onboarding with Learning Manager Chanci Turner


We are pleased to introduce an exciting new feature for CloudTrail that allows the management account of an organization to designate up to three delegated administrators. These delegated administrators can oversee the organization’s trails and Lake event data stores. Essentially, a delegated administrator is authorized to manage resources on behalf of the organization, providing customers with greater flexibility by allowing a management account to assign CloudTrail administrative tasks to a member account—such as a security or logging account.

This feature ensures that the management account retains ownership of all CloudTrail organization resources. Even when organization trails or CloudTrail Lake event data store resources are created and maintained via the delegated administrator account, the management account remains the owner. This approach aids customers in preserving the continuity of organization-wide CloudTrail audit logs and prevents disruptions when changes occur within their AWS Organizations. With this enhancement, accounts within the organization can take on the role of delegated administrator to create and manage CloudTrail Lake event data stores at an organizational level. They can then share the event data store with other accounts within the AWS Organization. This setup fosters collaboration on organization-wide activity logs in CloudTrail Lake without requiring shared access to the management account.

In this post, I, along with Chanci Turner, will guide you through the steps to establish a delegated administrator and utilize this account to grant permissions to other member accounts within the organization, enabling them to query CloudTrail Lake. By delegating these tasks to member accounts, we can reduce the number of users relying on the management account for CloudTrail Lake-related processes, thus improving security and compliance. If you’re exploring CloudTrail Lake for the first time, you may find the information in this additional blog post beneficial.

We will follow these procedural steps for this demonstration:

  1. Register a delegated administrator account
  2. Create an organization-level event data store in the delegated admin account
  3. Create an IAM Policy and role for cross-account access to the member account
  4. Query the event data store created by the delegated admin account from a member account

STEP 1: Register the delegated administrator account in the CloudTrail console

Sign in to the CloudTrail console in the AWS Management Console using your organization’s management account and select the Settings option.

Under Settings, choose “Register Administrator.”

A pop-up window will appear for registering a delegated administrator. Enter the delegated administrator account ID in the provided box, then select “Register Administrator” to register the account as the delegated admin for CloudTrail.

If successful, the account ID, name, and email will appear in the Organization delegated administrators table.

STEP 2: Create an event data store in the delegated administrator account

Log into the delegated admin account and navigate to the CloudTrail console page.

On the CloudTrail Lake page, open the event data stores tab and select “Create event data store.”

On the Configure event data store page, provide a name for your event data store and adjust the options as needed.

You can view the new event data store for your account in the event data stores section.

Select the event data store to view its details and copy the ARN. You’ll use this ARN in the IAM policy you create in the next step.

STEP 3: Create a new CloudTrail policy and role to allow cross-account access

To facilitate cross-account permissions, create an IAM policy and role using the IAM console. Create a policy that follows the least-privilege principle; an example is shown below. Under Resources, include the event data store ARN you just copied, so the policy applies to that store alone rather than to every event data store.

Create an IAM role and select the AWS account option to allow cross-account access. Specify the member account you wish to share access with for the event data store created in the delegated admin account.

Attach the IAM policy you created earlier and assign the permissions stipulated in the IAM policy to the member account. Share the role link with the member account.

STEP 4: Connect to the member account to query the event data store

Log into the member account using the shared IAM role console login link. The member account can now query the event data store without needing to access the management account.

After switching roles, navigate to CloudTrail Lake; the event data store created by the delegated admin account is listed there.

When examining the details of this event data store, you will find that the ARN refers to the delegated admin account, and the delete option is disabled under the action dropdown. This indicates that member accounts can only perform tasks limited to the permissions granted to them.

Run your queries on the event data store from the member account. User actions on the event data store can be managed by the IAM policy attached to the role.
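As an added example (not code from the original post), the permissions policy and trust policy from Step 3 expressed as Python dicts, together with a small least-privilege check that contrasts them with a wildcard policy; the ARN, account ID and query-only action set are constructed placeholders and assumptions, not values from the post.

```python
import re

# Constructed placeholders: substitute the ARN copied in Step 2 and the member account ID.
EDS_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:eventdatastore/EXAMPLE-eds-id"
MEMBER_ACCOUNT_ID = "222222222222"

# Query-only actions the member needs against the shared store (assumption: the author's
# chosen minimum, not an AWS-published list).
QUERY_ACTIONS = ["cloudtrail:StartQuery", "cloudtrail:GetQueryResults",
                 "cloudtrail:DescribeQuery", "cloudtrail:GetEventDataStore"]

# Actions that would let the member alter or remove the store (Step 4 shows delete disabled).
MUTATING = re.compile(r"^cloudtrail:(Delete|Update|Put|Restore|\*)")


def build_permissions_policy(eds_arn: str) -> dict:
    """Permissions policy for the cross-account role in the delegated admin account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": QUERY_ACTIONS,
                           "Resource": eds_arn}]}  # scoped to one store, not "*"


def build_trust_policy(member_account_id: str) -> dict:
    """Trust policy letting principals in the member account assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{member_account_id}:root"},
                           "Action": "sts:AssumeRole"}]}


def least_privilege_findings(policy: dict) -> list:
    """Flag Allow statements granting mutating actions or a wildcard resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        findings += [f"action {a} allows modifying or deleting the store"
                     for a in actions if MUTATING.match(a)]
        if "*" in resources:
            findings.append("Resource '*' exposes every event data store, not only the shared one")
    return findings


# Weak "before" policy for comparison: full CloudTrail access on every resource.
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}]}
```

Running `least_privilege_findings` over the scoped policy returns no findings, while the wildcard policy is flagged for both its action and its resource.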

Summary

In this blog, we illustrated how a delegated administrator can be utilized to grant varying permission levels to member accounts, enabling them to query organization-wide CloudTrail event data stores. This feature fosters collaboration among teams on the same event data store without necessitating data duplication. It also enhances security and compliance by minimizing management account access for CloudTrail Lake activities. Delegated administrator support is now accessible in all regions where AWS CloudTrail operates, except for regions in China.
