Closed
Bug 1229903
Opened 9 years ago
Closed 9 years ago
Update nubis CloudTrail CloudFormation stacks
Categories: Infrastructure & Operations :: SRE, task
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 1232086
People: Reporter: gene, Unassigned
Details
We've enabled SNS notification and IAM Role assumption for reading logs in the secure CloudTrail storage system.
Please deploy our new CloudFormation stack, which provisions CloudTrail in all regions. The new stack uses Lambda instead of an EC2 instance to provision CloudTrail.
Thanks for signing up to use the AWS Secure CloudTrail Storage System. Now that EIS has enabled your AWS account to store logs in the secure storage account, here's how to configure your AWS account's CloudTrail to use it.
1. Browse to AWS CloudFormation in either us-west-2 Oregon, or us-east-1 N. Virginia (the 2 regions that support AWS Lambda): https://console.aws.amazon.com/cloudformation/home?region=us-west-2
2. Click "Create Stack"
3. Under "Choose a template" select "Specify an Amazon S3 template URL"
4. Enter this URL: https://s3.amazonaws.com/infosec-cloudformation-templates/configure_cloudtrail_to_use_mozilla_secure_storage.json
5. In the "Stack name" field enter "DeployCloudTrailCloudFormationStacks" and click "Next"
6. On the "Options" screen click "Next"
7. On the "Review" screen in the "Capabilities" section, check the checkbox for "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." and click "Create"
To learn how to fetch your CloudTrail logs from the secure storage account or to subscribe to notifications from CloudTrail, read about usage here:
https://mana.mozilla.org/wiki/display/SECURITY/AWS+Secure+CloudTrail+Storage+System#AWSSecureCloudTrailStorageSystem-Usage
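The console steps above expressed as an AWS CLI call, as an added example that is not part of the original bug report. The stack name, template URL and the two regions come from the report; the function names and the `DRY_RUN` switch are assumptions of this example, and it prints the command by default instead of running it.

```shell
#!/bin/sh
# Added example: CLI equivalent of console steps 1-7 (not from the bug report).
STACK_NAME="DeployCloudTrailCloudFormationStacks"
TEMPLATE_URL="https://s3.amazonaws.com/infosec-cloudformation-templates/configure_cloudtrail_to_use_mozilla_secure_storage.json"

# Step 1: accept only the two regions the report names.
region_ok() {
  case "$1" in
    us-west-2|us-east-1) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 2-7: emit the create-stack arguments, one per line.
# CAPABILITY_IAM is the CLI form of the "might cause AWS CloudFormation
# to create IAM resources" checkbox; without it the stack is rejected.
create_stack_args() {
  region_ok "$1" || { echo "unsupported region: $1" >&2; return 1; }
  printf '%s\n' cloudformation create-stack \
    --region "$1" \
    --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" \
    --capabilities CAPABILITY_IAM
}

# DRY_RUN=1 (default, hypothetical switch) prints the command for review;
# DRY_RUN=0 creates the stack and blocks until creation completes or fails.
deploy() {
  region="$1"
  args="$(create_stack_args "$region")" || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "aws $(printf '%s' "$args" | tr '\n' ' ')"
    return 0
  fi
  # No argument contains spaces or glob characters, so splitting is safe.
  set -- $args
  aws "$@" &&
    aws cloudformation wait stack-create-complete \
      --region "$region" --stack-name "$STACK_NAME"
}

deploy "${1:-us-west-2}"
```

Reviewing the dry-run output before setting `DRY_RUN=0` shows exactly which template URL is being granted permission to create IAM resources in the account.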
Updated by reporter • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE