We’re getting ready to deploy our first production workload in AWS, and our AWS account team recommended we enable a bunch of auditing on our accounts in each region. That is a lot of clicking for 9 regions across three accounts.
This script will configure AWS CloudTrail and AWS Config Service in all regions, configure the logging bucket, and establish a reasonable password policy. Amazon is about to release three (or four) more regions in Ohio, England, Korea and India. As these regions spin up, you'll need to enable auditing trails there too, even if you never plan to use the region.
The script can also be run with --status to verify that logging is enabled in every region.
./new_account_config.sh --status mydomain 49nnnnnnnnn
Using mydomain as my bucket suffix and 49nnnnnnnnn as my AWS Account Number

Cloud Trail Status
Region          Trail Name  Bucket         GlobalEvents?  Logging On?
eu-west-1       Default     logs-mydomain  False          True
ap-southeast-1  Default     logs-mydomain  False          True
ap-southeast-2  Default     logs-mydomain  False          True
eu-central-1    Default     logs-mydomain  False          True
ap-northeast-1  Default     logs-mydomain  False          True
us-east-1       logs-mydomain arn:aws:cloudtrail:us-east-1:496486987401:trail/Default True
sa-east-1       Default     logs-mydomain  False          True
us-west-1       Default     logs-mydomain  False          True
us-west-2       Default     logs-mydomain  False          True

AWS Config Service Status
Region          Recorder Name           Bucket         Last Status?  Recording?
eu-west-1       Default-eu-west-1       logs-mydomain  SUCCESS       True
ap-southeast-1  Default-ap-southeast-1  logs-mydomain  SUCCESS       True
ap-southeast-2  Default-ap-southeast-2  logs-mydomain  SUCCESS       True
eu-central-1    Default-eu-central-1    logs-mydomain  SUCCESS       True
ap-northeast-1  Default-ap-northeast-1  logs-mydomain  SUCCESS       True
us-east-1       Default-us-east-1       logs-mydomain  SUCCESS       True
sa-east-1       Default-sa-east-1       logs-mydomain  SUCCESS       True
us-west-1       Default-us-west-1       logs-mydomain  SUCCESS       True
us-west-2       Default-us-west-2       logs-mydomain  SUCCESS       True

-------------------------------------------
|        GetAccountPasswordPolicy         |
+-----------------------------------------+
||             PasswordPolicy            ||
|+------------------------------+--------+|
||  AllowUsersToChangePassword  |  True  ||
||  ExpirePasswords             |  True  ||
||  HardExpiry                  |  False ||
||  MaxPasswordAge              |  180   ||
||  MinimumPasswordLength       |  8     ||
||  RequireLowercaseCharacters  |  True  ||
||  RequireNumbers              |  True  ||
||  RequireSymbols              |  True  ||
||  RequireUppercaseCharacters  |  True  ||
|+------------------------------+--------+|
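The per-region part of that --status check, written out as an added example (this is not the post's new_account_config.sh): it walks the region list above, asks CloudTrail and AWS Config for the state of each trail and recorder, prints one line per region, and exits non-zero if anything is missing or switched off, so it can run from cron or CI as a drift check. It assumes the AWS CLI is installed with read-only credentials; the region list is copied from the status output above.

```shell
#!/usr/bin/env bash
# Added example (not the post's new_account_config.sh): read-only audit of every region's
# CloudTrail trail and Config recorder. Assumes the AWS CLI is installed with credentials.

# Region list copied from the status output above; to pick up newer regions use:
#   aws ec2 describe-regions --query 'Regions[].RegionName' --output text
REGIONS=${REGIONS:-"eu-west-1 ap-southeast-1 ap-southeast-2 eu-central-1 ap-northeast-1 us-east-1 sa-east-1 us-west-1 us-west-2"}
TMP=$(mktemp); trap 'rm -f "$TMP"' EXIT

# One line per trail; returns 1 if any region has no trail or a trail that is not logging.
audit_cloudtrail() {
  rc=0
  for region in $REGIONS; do
    found=0
    aws cloudtrail describe-trails --region "$region" --output text \
      --query 'trailList[].[TrailARN,S3BucketName,IncludeGlobalServiceEvents]' > "$TMP"
    while read -r arn bucket global; do
      [ -n "$arn" ] || continue; found=1; name=${arn##*/}
      # get-trail-status takes the ARN, which also works for multi-region trails homed elsewhere
      logging=$(aws cloudtrail get-trail-status --region "$region" --name "$arn" \
                  --query IsLogging --output text)
      printf '%-16s %-10s %-16s global=%-5s logging=%s\n' \
        "$region" "$name" "$bucket" "$global" "$logging"
      [ "$logging" = True ] || rc=1
    done < "$TMP"
    [ "$found" -eq 1 ] || { printf '%-16s NO TRAIL\n' "$region"; rc=1; }
  done
  return "$rc"
}

# One line per recorder; returns 1 if any region has no recorder or one that is off.
audit_config() {
  rc=0
  for region in $REGIONS; do
    found=0
    aws configservice describe-configuration-recorder-status --region "$region" \
      --output text --query 'ConfigurationRecordersStatus[].[name,recording,lastStatus]' > "$TMP"
    while read -r name recording status; do
      [ -n "$name" ] || continue
      found=1
      printf '%-16s %-24s recording=%-5s last=%s\n' "$region" "$name" "$recording" "$status"
      [ "$recording" = True ] || rc=1
    done < "$TMP"
    [ "$found" -eq 1 ] || { printf '%-16s NO RECORDER\n' "$region"; rc=1; }
  done
  return "$rc"
}

# Mirrors the post's --status flag: exit non-zero if anything is not logging.
if [ "${1:-}" = "--status" ]; then audit_cloudtrail; a=$?; audit_config; b=$?; exit $((a | b)); fi
```

A region that the credentials cannot query shows up as NO TRAIL / NO RECORDER rather than being silently skipped, which is the safer failure for an audit.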
This is a work in progress, and as I delve deeper into account best practices I will be adding to it.