- Create a new CloudFormation template file; we're going to define the following Resources:
- An S3 bucket for our CloudTrail log files to be stored in
- A policy for our S3 bucket that allows the CloudTrail service to write to our bucket
- A CloudTrail trail
- Define an S3 bucket like so. We don't need to give it a name; we'll add the bucket name to the list of Outputs later:
```yaml
  ExampleTrailBucket:
    Type: AWS::S3::Bucket
```
- Next, we need to define a policy for our bucket. This section is a little wordy, so you may prefer to get it from the code samples instead. The policy allows the CloudTrail service principal (cloudtrail.amazonaws.com) to do exactly two things to our bucket: s3:GetBucketAcl, which CloudTrail uses to confirm it can deliver to the bucket before it writes anything, and s3:PutObject, which should be scoped to the AWSLogs/<account ID>/ prefix and conditioned on the bucket-owner-full-control ACL so the log objects end up owned by our account rather than by the service. Grant nothing broader, and never allow writes from arbitrary principals: anyone who can overwrite or delete these objects can erase the audit trail the bucket exists to protect.
```yaml
  ExampleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      ...
```
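Putting the three resources together, here is a complete template that creates the bucket, the bucket policy and the trail, plus the bucket-name Output mentioned above. This is an added example, not the book's own code sample, and it goes a little beyond the steps described: it also blocks public access, turns on default encryption and versioning for the bucket, enables log file validation on the trail, and pins the bucket policy to this trail with an aws:SourceArn condition. The resource name ExampleTrail, the trail name example-trail, and the Output name TrailBucketName are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudTrail trail delivering to a dedicated, locked-down S3 bucket (added example)

Resources:
  # Log bucket. No BucketName is given, so CloudFormation generates a unique
  # one; public access is blocked and objects are encrypted and versioned.
  ExampleTrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled

  # Grants the CloudTrail service principal exactly two actions:
  # GetBucketAcl on the bucket (the pre-delivery ownership check) and
  # PutObject under AWSLogs/<this account>/ only, with the ACL that hands
  # the objects to the bucket owner. aws:SourceArn ties both statements to
  # the trail below (name is an assumption) so a trail in another account
  # cannot be pointed at our bucket.
  ExampleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ExampleTrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt ExampleTrailBucket.Arn
            Condition:
              StringEquals:
                aws:SourceArn: !Sub 'arn:${AWS::Partition}:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/example-trail'
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub '${ExampleTrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceArn: !Sub 'arn:${AWS::Partition}:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/example-trail'

  # The trail. DependsOn ensures the policy exists before CloudTrail attempts
  # its first delivery; without it stack creation can fail with an
  # insufficient-permissions error. TrailName must match the aws:SourceArn
  # used in the policy above.
  ExampleTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: ExampleBucketPolicy
    Properties:
      TrailName: example-trail
      S3BucketName: !Ref ExampleTrailBucket
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true

Outputs:
  TrailBucketName:
    Description: Generated name of the CloudTrail log bucket
    Value: !Ref ExampleTrailBucket
```

Deploy it with `aws cloudformation deploy --template-file trail.yaml --stack-name example-trail`, then confirm delivery with `aws cloudtrail get-trail-status --name example-trail` and check that LatestDeliveryTime is populated. If you change TrailName, update both aws:SourceArn values as well, otherwise the policy will reject the trail's writes.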