AWS Cloud Operations Blog

Enable cross-account queries on AWS CloudTrail lake using delegated administration from AWS Organizations

We are excited to announce a new CloudTrail feature, which lets the management account of an organization configure up to 3 delegated administrators to manage the organization’s trails and Lake event data stores. A delegated administrator has permission to manage resources on behalf of the organization. Delegated administrator support enables flexibility for customers by allowing the management account to delegate CloudTrail administrative actions to an organization member account, such as a security or logging account.

With this feature, the management account of an organization remains the owner of all CloudTrail organization resources, even when those organization trails or CloudTrail Lake event data store resources are created and managed through the delegated administrator account. This helps customers with maintaining continuity of organization-wide CloudTrail audit logs while avoiding any disruption when changes are made to their organization in AWS Organizations. This feature will allow the accounts in the organization to accept the role of delegated administrator to create and manage CloudTrail Lake event data stores at organization level and then be able to share the event data store with other accounts within their AWS Organization. This allows teams to collaborate on the organization wide activity logs in CloudTrail Lake without needing to share access to a management account.

In this post, I’ll walk you through the steps to create a delegated administrator and use the delegated administrator account to provide permissions to other member accounts in the organization to query CloudTrail lake. By delegating this to other member accounts, it help minimize users using management account for CloudTrail Lake related tasks and hence improving security and compliance posture. If you’re using CloudTrail Lake for the first time, then check this post.

We will follow the proceesing steps for this demonstration.

  1. Register delegated administrator account
  2. Create an organization level event data store in delegated admin account
  3. Create IAM Policy and role for cross account access to member account
  4. Query event data store which was created by the delegated admin account from a member account

STEP 1:  Register delegated administrator account in CloudTrail console

  1. Sign into the CloudTrail in the AWS Management console using the management account of your organization and choose settings.
Figure 1: Click “settings” on the CloudTrail page

Figure 1: Click “settings” on the CloudTrail page

  1. Under Settings choose Register administrator
Figure 2: Choose Register Administrator option

Figure 2: Choose Register Administrator option

  1. A pop-up window will open for registering a delegated administrator.
  2. Enter the delegated administrator account ID in the box provided and then choose Register administrator to register the account as the delegated admin for CloudTrail.
Figure 3: Enter the member account ID which will be the delegated admin for CloudTrail

Figure 3: Enter the member account ID which will be the delegated admin for CloudTrail

  1. If successful, you will see the account ID, the account name, and the account email listed in the Organization delegated administrators table.
Figure 4: Delegated administrator account is registered

Figure 4: Delegated administrator account is registered

STEP 2: Create event data store in delegated administrator account

  1. Login to delegated admin account and navigate to CloudTrail console page
Figure 5: Log into the delegated administrator account

Figure 5: Log into the delegated administrator account

  1. On the CloudTrail Lake page, open the event data stores tab. Choose Create event data store
Figure 6: Create event data store

Figure 6: Create event data store

  1. On the Configure event data store page, provide a name for your event data store and configure the options.
Figure 7: Configure event data store

Figure 7: Configure event data store

  1. You can view the new event data store for your account in the event data stores section
Figure 8: organization event data stores for delegated administrator account

Figure 8: organization event data stores for delegated administrator account

  1. Choose the event data store to view its details, and copy the ARN. You’ll use the ARN in the IAM policy you create in the next step.
Figure 9: Copy event data store ARN

Figure 9: Copy event data store ARN

STEP 3: Create a new CloudTrail policy and role to allow cross-account access

  1. To allow cross-account permissions, create an IAM policy and role by using the IAM console. Create a policy using the least privileges necessary, an example is shown below. Under Resources, add the event data store ARN that you just copied.
Figure 10: IAM policy with least privileges (add event data store ARN under Resources)

Figure 10: IAM policy with least privileges (add event data store ARN under Resources)

  1. Create an IAM role and select the AWS account option to allow cross-account access. Specify the member account that you want to share access with on the event data store created in delegated admin account.
Figure 11: Create IAM role for cross-account access.

Figure 11: Create IAM role for cross-account access.

  1. Attach the IAM policy you created in the previous step and attach the privileges allowed in the IAM policy to the member account. Share the role link with member account.
Figure 12: Attach IAM Policy to the IAM role created for the member account.

Figure 12: Attach IAM Policy to the IAM role created for the member account.

STEP 4: Connect to member account to query event data store

  1. Login to the member account with the shared IAM role console login link. Now this member account can query the event data store without needing to go through the management account.

Figure: 13: Switch to IAM role which was created earlier

  1. The role has been switched as seen in below screenshot
Figure 14: The member account has assumed IAM role which was attached to it

Figure 14: The member account has assumed IAM role which was attached to it

  1. Now navigate to the CloudTrail Lake and you will be able to see the event data store created by using a delegated admin account. This allows the member account to query the event data store without the need to login to the management account.
Figure 15: Access CloudTrail Lake event data store

Figure 15: Access CloudTrail Lake event data store

  1. Looking at the details of this event data store, you will see that the ARN refers to the delegated admin account and delete option is greyed out under action drop down.  This shows that member accounts can only perform tasks limited to the permissions granted to their account
Figure 16: Access event data store from member account

Figure 16: Access event data store from member account

  1. Run queries on event data store from the member account. User action on event data store can be controlled by the IAM policy attached to the role.
Figure 17: Run queries on event data store

Figure 17: Run queries on event data store

Summary

In this blog, we demonstrated how a delegated administrator can be used to grant member accounts varying permission levels and to query organization level CloudTrail event data stores. This feature will allow multiple teams to collaborate on same event data store without duplicating data. This feature will also enhance security and compliance posture by minimizing access to management account for CloudTrail Lake related activities. Delegated administrator support is now available in all regions where AWS CloudTrail is available, except for regions in China. There are no additional charges for enabling this feature. To learn more about delegated administrators in CloudTrail Lake and trails, see our documentation.

About the authors:

John Semali

John Semali is a Technical Account manager based in Atlanta, Georgia. He is fascinated with the new technology, eager to learn and experiment new things. He loves to work with startup businesses looking to leverage technology to advance their businesses. He likes to travel the world to see and learn ancient history.

Yagya Vir Singh

Yagya Vir Singh is a Senior Technical Account Manager based in Nashville, Tennessee. He is passionate about AWS technologies and loves to help customers achieve their goals. Outside of the office, he loves to be with his friends and family and spend time outdoors.