How do I visualize AWS CloudTrail with Grafana?
In this guide, we will set up AWS CloudTrail to log API activity and visualize these logs using Grafana. We will create a CloudTrail, an S3 bucket to store the logs, and a Grafana workspace to visualize the logs.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const caller = aws.getCallerIdentityOutput();
const region = aws.getRegionOutput();
const cloudTrailName = "cloudTrail";

// Create an S3 bucket to store CloudTrail logs
const trailBucket = new aws.s3.Bucket("trailBucket", {
    acl: "private",
});

// CloudTrail cannot deliver to the bucket until its policy lets the service check the ACL
// and write under AWSLogs/<account-id>/. The aws:SourceArn condition limits the grant to
// this account's trail, so a trail in another account cannot be pointed at this bucket.
const trailArn = pulumi.interpolate`arn:aws:cloudtrail:${region.name}:${caller.accountId}:trail/${cloudTrailName}`;
const trailBucketPolicy = new aws.s3.BucketPolicy("trailBucketPolicy", {
    bucket: trailBucket.id,
    policy: pulumi.jsonStringify({
        Version: "2012-10-17",
        Statement: [{
            Sid: "AWSCloudTrailAclCheck",
            Effect: "Allow",
            Principal: { Service: "cloudtrail.amazonaws.com" },
            Action: "s3:GetBucketAcl",
            Resource: trailBucket.arn,
            Condition: { StringEquals: { "aws:SourceArn": trailArn } },
        }, {
            Sid: "AWSCloudTrailWrite",
            Effect: "Allow",
            Principal: { Service: "cloudtrail.amazonaws.com" },
            Action: "s3:PutObject",
            Resource: pulumi.interpolate`${trailBucket.arn}/AWSLogs/${caller.accountId}/*`,
            Condition: { StringEquals: {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceArn": trailArn,
            } },
        }],
    }),
});

// Create a CloudTrail (after the bucket policy, otherwise creation fails with an S3 delivery error)
const trail = new aws.cloudtrail.Trail("cloudTrail", {
    name: cloudTrailName,
    s3BucketName: trailBucket.bucket,
    isMultiRegionTrail: true,
    includeGlobalServiceEvents: true,
    enableLogFileValidation: true,
    eventSelectors: [{
        readWriteType: "All",
        includeManagementEvents: true,
        dataResources: [{
            type: "AWS::S3::Object",
            // An Output cannot be spliced into a plain template string; use pulumi.interpolate.
            // Logging data events for the trail's own bucket also records every log delivery.
            values: [pulumi.interpolate`arn:aws:s3:::${trailBucket.bucket}/`],
        }],
    }],
}, { dependsOn: [trailBucketPolicy] });

// Create an IAM role for Grafana. Grafana reads through CloudWatch, so the trail must also
// deliver to a CloudWatch Logs group (cloudWatchLogsGroupArn / cloudWatchLogsRoleArn on the
// trail) for these events to be queryable from the workspace.
const grafanaRole = new aws.iam.Role("grafanaRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "grafana.amazonaws.com" }),
});

// Attach the necessary policies to the IAM role (read-only: Grafana only needs to query)
new aws.iam.RolePolicyAttachment("grafanaRolePolicy", {
    role: grafanaRole,
    policyArn: "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
});

// Create a Grafana workspace
const grafanaWorkspace = new aws.grafana.Workspace("grafanaWorkspace", {
    accountAccessType: "CURRENT_ACCOUNT",
    authenticationProviders: ["AWS_SSO"],
    permissionType: "SERVICE_MANAGED",
    roleArn: grafanaRole.arn,
});

// Outputs
export const trailBucketName = trailBucket.bucket;
export const trailName = trail.name;
export const grafanaWorkspaceUrl = grafanaWorkspace.endpoint;
Key Points
- S3 Bucket: Used to store CloudTrail logs.
- CloudTrail: Tracks API activity and logs it to the S3 bucket.
- IAM Role: Allows Grafana to access CloudWatch logs.
- Grafana Workspace: Visualizes the CloudTrail logs.
Summary
We created an S3 bucket, set up a CloudTrail to log API activity, created an IAM role with the necessary permissions, and set up a Grafana workspace to visualize the logs. This setup helps in monitoring and analyzing AWS account activity using Grafana.
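As an added example that is not part of the original guide, the following TypeScript reads one of the gzipped log objects the trail above writes to S3 and rolls it up into the counts a Grafana panel over CloudTrail would typically chart (events per API name, per source IP, rejected calls, root activity). The record fields follow CloudTrail's documented layout; the three records, the account id 123456789012 and the IP addresses are constructed sample data.

```typescript
import * as zlib from "zlib";

// The fields this example uses from a CloudTrail record (real records carry many more).
interface CloudTrailRecord {
    eventName: string;
    sourceIPAddress: string;
    errorCode?: string;
    userIdentity: { type: string; arn?: string };
}

interface TrailSummary {
    total: number;
    byEventName: Record<string, number>;
    bySourceIp: Record<string, number>;
    accessDenied: number;   // calls rejected for missing permissions
    rootActivity: number;   // calls made with the account's root credentials
}

// Parse one CloudTrail log object as it sits in S3: a gzipped {"Records":[...]} JSON file.
function parseTrailObject(gz: Buffer): CloudTrailRecord[] {
    const doc = JSON.parse(zlib.gunzipSync(gz).toString("utf8"));
    if (!Array.isArray(doc.Records)) throw new Error("not a CloudTrail log file");
    return doc.Records as CloudTrailRecord[];
}

// Roll the records up into the counts a dashboard panel over this trail would chart.
function summarize(records: CloudTrailRecord[]): TrailSummary {
    const s: TrailSummary = { total: 0, byEventName: {}, bySourceIp: {}, accessDenied: 0, rootActivity: 0 };
    for (const r of records) {
        s.total++;
        s.byEventName[r.eventName] = (s.byEventName[r.eventName] ?? 0) + 1;
        s.bySourceIp[r.sourceIPAddress] = (s.bySourceIp[r.sourceIPAddress] ?? 0) + 1;
        if (r.errorCode === "AccessDenied" || r.errorCode === "Client.UnauthorizedOperation") s.accessDenied++;
        if (r.userIdentity.type === "Root") s.rootActivity++;
    }
    return s;
}

// Constructed sample (not real log data): three records gzipped the way CloudTrail stores them.
const sampleObject: Buffer = zlib.gzipSync(JSON.stringify({ Records: [
    { eventName: "ConsoleLogin", sourceIPAddress: "198.51.100.7", userIdentity: { type: "Root" } },
    { eventName: "GetObject", sourceIPAddress: "203.0.113.9", errorCode: "AccessDenied",
      userIdentity: { type: "IAMUser", arn: "arn:aws:iam::123456789012:user/alice" } },
    { eventName: "GetObject", sourceIPAddress: "203.0.113.9",
      userIdentity: { type: "IAMUser", arn: "arn:aws:iam::123456789012:user/alice" } },
] }));

const sampleSummary = summarize(parseTrailObject(sampleObject));
```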