# CloudTrail
<a name="automation-ref-ct"></a>

 AWS Systems Manager Automation provides predefined runbooks for AWS CloudTrail. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWSConfigRemediation-CreateCloudTrailMultiRegionTrail`](automation-aws-create-ct-mr.md)
+ [`AWS-EnableCloudTrail`](automation-aws-enablecloudtrail.md)
+ [`AWS-EnableCloudTrailCloudWatchLogs`](enable-cloudtrail-cloudwatch-logs.md)
+ [`AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS`](automation-aws-ctrail-kms.md)
+ [`AWS-EnableCloudTrailKmsEncryption`](enable-cloudtrail-kms-encryption.md)
+ [`AWSConfigRemediation-EnableCloudTrailLogFileValidation`](automation-aws-enable-ctrail-log-validation.md)
+ [`AWS-EnableCloudTrailLogFileValidation`](enable-cloudtrail-log-validation.md)
+ [`AWS-QueryCloudTrailLogs`](aws-querycloudtraillogs.md)
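Before picking a runbook it helps to know which of the controls they remediate is missing on each trail. The following is an added example, not AWS code: it audits the shape of a `describe_trails()` response against the settings the runbooks listed above enforce and names the runbook to run. Field names are the CloudTrail `DescribeTrails` response keys; the trails, account id and key id are constructed placeholders.

```python
"""Added example (not AWS's code): map gaps in an account's CloudTrail
configuration to the runbook on this page that remediates each one."""

# (DescribeTrails field that must be set, runbook that sets it)
CONTROLS = (
    ("IsMultiRegionTrail", "AWSConfigRemediation-CreateCloudTrailMultiRegionTrail"),
    ("LogFileValidationEnabled", "AWS-EnableCloudTrailLogFileValidation"),
    ("KmsKeyId", "AWS-EnableCloudTrailKmsEncryption"),
    ("CloudWatchLogsLogGroupArn", "AWS-EnableCloudTrailCloudWatchLogs"),
)

# Constructed sample in the shape of describe_trails()["trailList"].
# The account id and key id are placeholders, not real identifiers.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
    },
    {
        "Name": "dev-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/dev-trail",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail-dev:*",
    },
]


def audit_trail(trail):
    """Return [(missing_field, runbook), ...] for one trail; [] means compliant."""
    return [(field, runbook) for field, runbook in CONTROLS if not trail.get(field)]


def audit_trails(trails):
    """Audit every trail. With no trail at all there is nothing to update, so the
    remediation is to create one; that case is reported under a synthetic key."""
    if not trails:
        return {"<no trail>": [("Trail", "AWSConfigRemediation-CreateCloudTrailMultiRegionTrail")]}
    return {t["Name"]: audit_trail(t) for t in trails}


def remediation_plan(findings):
    """Collapse findings into {runbook: [trail names]} so a runbook that takes a
    TrailNames list can be started once for all affected trails."""
    plan = {}
    for name, gaps in findings.items():
        for _field, runbook in gaps:
            plan.setdefault(runbook, []).append(name)
    return plan


def live_findings(region="us-east-1"):
    """Run the audit against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample has no dependency on it
    trails = boto3.client("cloudtrail", region_name=region).describe_trails()["trailList"]
    return audit_trails(trails)


if __name__ == "__main__":
    for runbook, names in remediation_plan(audit_trails(SAMPLE_TRAILS)).items():
        print(f"{runbook}: {', '.join(names)}")
```

`audit_trail` treats an absent key and a `False` value the same way, which matches how `DescribeTrails` reports trails that have never had KMS encryption or CloudWatch Logs delivery configured.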

# `AWSConfigRemediation-CreateCloudTrailMultiRegionTrail`
<a name="automation-aws-create-ct-mr"></a>

 **Description** 

 The `AWSConfigRemediation-CreateCloudTrailMultiRegionTrail` runbook creates an AWS CloudTrail (CloudTrail) trail that delivers log files from multiple AWS Regions to the Amazon Simple Storage Service (Amazon S3) bucket of your choice. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-CreateCloudTrailMultiRegionTrail) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ BucketName

  Type: String

  Description: (Required) The name of the Amazon S3 bucket you want to upload logs to.
+ KeyPrefix

  Type: String

  Description: (Optional) The Amazon S3 key prefix that comes after the name of the bucket you designated for log file delivery.
+ TrailName

  Type: String

  Description: (Required) The name of the CloudTrail trail to be created.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `cloudtrail:CreateTrail` 
+  `cloudtrail:StartLogging` 
+  `cloudtrail:GetTrail` 
+  `s3:PutObject` 
+  `s3:GetBucketAcl` 
+  `s3:PutBucketLogging` 
+  `s3:ListBucket` 

 **Document Steps** 
+  `aws:executeAwsApi` - Accepts the trail name and the Amazon S3 bucket name as input and creates a CloudTrail trail. 
+  `aws:executeAwsApi` - Enables logging on the created trail and starts log delivery to the Amazon S3 bucket you specified. 
+  `aws:assertAwsResourceProperty` - Verifies that the CloudTrail trail has been created. 
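The permission list above names actions but not resources. The following is an added example, not AWS code: it builds the trust policy and a resource-scoped permissions policy for the `AutomationAssumeRole` from exactly those actions, the parameter map for `ssm.start_automation_execution`, and a check that every listed action is covered. The resource scoping, the region, account id, bucket and trail names are this example's assumptions; if the runbook reports an access-denied error under a tightened object resource, widen that statement.

```python
"""Added example (not AWS's code): least-privilege policies for the
AutomationAssumeRole of AWSConfigRemediation-CreateCloudTrailMultiRegionTrail."""
import json

RUNBOOK = "AWSConfigRemediation-CreateCloudTrailMultiRegionTrail"

# Actions exactly as listed under "Required IAM permissions", grouped by the
# resource they are scoped to here (the grouping is this example's choice).
SSM_ACTIONS = ["ssm:StartAutomationExecution", "ssm:GetAutomationExecution"]
TRAIL_ACTIONS = ["cloudtrail:CreateTrail", "cloudtrail:StartLogging", "cloudtrail:GetTrail"]
BUCKET_ACTIONS = ["s3:GetBucketAcl", "s3:PutBucketLogging", "s3:ListBucket"]
OBJECT_ACTIONS = ["s3:PutObject"]
REQUIRED = SSM_ACTIONS + TRAIL_ACTIONS + BUCKET_ACTIONS + OBJECT_ACTIONS


def trust_policy():
    """Systems Manager Automation must be allowed to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(region, account_id, trail_name, bucket, key_prefix=""):
    """Scope each action group to the trail being created, the target bucket,
    and the object keys CloudTrail writes under <prefix>/AWSLogs/<account>/."""
    prefix = f"{key_prefix.strip('/')}/" if key_prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Trail", "Effect": "Allow", "Action": TRAIL_ACTIONS,
             "Resource": f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"},
            {"Sid": "Bucket", "Effect": "Allow", "Action": BUCKET_ACTIONS,
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "Objects", "Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}AWSLogs/{account_id}/*"},
            {"Sid": "Automation", "Effect": "Allow", "Action": SSM_ACTIONS,
             "Resource": [
                 # AWS-owned runbooks have no account id in their definition ARN
                 f"arn:aws:ssm:{region}::automation-definition/{RUNBOOK}:*",
                 f"arn:aws:ssm:{region}:{account_id}:automation-execution/*",
             ]},
        ],
    }


def start_parameters(role_arn, bucket, trail_name, key_prefix=""):
    """Keyword arguments for boto3 ssm.start_automation_execution; every
    parameter value is a list of strings, as the API requires."""
    params = {"AutomationAssumeRole": [role_arn], "BucketName": [bucket], "TrailName": [trail_name]}
    if key_prefix:
        params["KeyPrefix"] = [key_prefix]
    return {"DocumentName": RUNBOOK, "Parameters": params}


def uncovered_actions(policy, required=REQUIRED):
    """Return the required actions no Allow statement grants; [] means covered."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            acts = stmt["Action"]
            allowed.update([acts] if isinstance(acts, str) else acts)
    return sorted(set(required) - allowed)


if __name__ == "__main__":
    # Placeholder values; substitute your own before creating the role.
    policy = permissions_policy("us-east-1", "111122223333", "org-trail", "example-cloudtrail-bucket", "logs/")
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(policy, indent=2))
    print("uncovered:", uncovered_actions(policy))
```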

# `AWS-EnableCloudTrail`
<a name="automation-aws-enablecloudtrail"></a>

 **Description** 

Create an AWS CloudTrail trail and configure logging to an S3 bucket.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-EnableCloudTrail) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ S3BucketName

  Type: String

  Description: (Required) Name of the S3 bucket designated for publishing log files.

  **Note**  
  The S3 bucket must exist and the bucket policy must grant CloudTrail permission to write to it. For information, see [Amazon S3 Bucket Policy for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html).
+ TrailName

  Type: String

  Description: (Required) The name of the new trail.

# `AWS-EnableCloudTrailCloudWatchLogs`
<a name="enable-cloudtrail-cloudwatch-logs"></a>

**Description**

This runbook updates the configuration of one or more AWS CloudTrail trails to send events to an Amazon CloudWatch Logs log group.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-EnableCloudTrailCloudWatchLogs)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ CloudWatchLogsLogGroupArn

  Type: String

  Description: (Required) The ARN of the CloudWatch Logs log group where the CloudTrail logs will be delivered.
+ CloudWatchLogsRoleArn

  Type: String

  Description: (Required) The ARN of the IAM role that CloudTrail assumes to write to the specified CloudWatch Logs log group.
+ TrailNames

  Type: StringList

  Description: (Required) A comma separated list of the names of the CloudTrail trails whose events you want to send to CloudWatch Logs.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `cloudtrail:UpdateTrail`
+ `iam:PassRole`

**Document Steps**
+ `aws:executeScript` - Updates the specified CloudTrail trails to deliver events to the specified CloudWatch Logs log group.
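The single `aws:executeScript` step above takes a list of trails, so the interesting design question is what happens when one of them fails. The following is an added example, not the runbook's own script: an `aws:executeScript`-style handler (`script_handler(events, context)`) that applies the same `UpdateTrail` change with per-trail error isolation. It assumes the step's input payload exposes the parameters under the names used above; `FakeCloudTrail` is a constructed stand-in for the boto3 client so the example runs offline, and the ARNs and account id are placeholders.

```python
"""Added example (not the runbook's own code): an aws:executeScript-style
handler that enables CloudWatch Logs delivery on several trails."""


def parse_trail_names(value):
    """TrailNames is a StringList; tolerate a comma separated string as well."""
    if isinstance(value, str):
        value = value.split(",")
    names = [n.strip() for n in value if n and n.strip()]
    if not names:
        raise ValueError("TrailNames must contain at least one trail name")
    return names


def enable_cloudwatch_logs(cloudtrail, trail_names, log_group_arn, role_arn):
    """Call UpdateTrail for each trail; one missing trail must not stop the rest.
    Returns a report the step can emit as output and a caller can assert on."""
    report = {"Updated": [], "Failed": {}}
    for name in trail_names:
        try:
            resp = cloudtrail.update_trail(
                Name=name,
                CloudWatchLogsLogGroupArn=log_group_arn,
                CloudWatchLogsRoleArn=role_arn,  # the iam:PassRole permission covers this
            )
            report["Updated"].append(resp["TrailARN"])
        except Exception as exc:  # report and continue rather than abort the batch
            report["Failed"][name] = str(exc)
    return report


def script_handler(events, context):
    """Entry point an aws:executeScript step would name in its Handler field."""
    import boto3  # present in the executeScript runtime; not needed offline
    return enable_cloudwatch_logs(
        boto3.client("cloudtrail"),
        parse_trail_names(events["TrailNames"]),
        events["CloudWatchLogsLogGroupArn"],
        events["CloudWatchLogsRoleArn"],
    )


class FakeCloudTrail:
    """Constructed stand-in for boto3's CloudTrail client."""

    def __init__(self, existing_trails):
        self.existing = set(existing_trails)
        self.calls = []

    def update_trail(self, **kwargs):
        self.calls.append(kwargs)
        if kwargs["Name"] not in self.existing:
            raise RuntimeError(f"TrailNotFoundException: {kwargs['Name']}")
        arn = f"arn:aws:cloudtrail:us-east-1:111122223333:trail/{kwargs['Name']}"
        return {"TrailARN": arn, **kwargs}


# Constructed inputs with a placeholder account id.
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*"
ROLE_ARN = "arn:aws:iam::111122223333:role/CloudTrail_CloudWatchLogs_Role"


def demo():
    """Two existing trails and one that does not exist."""
    client = FakeCloudTrail(["org-trail", "dev-trail"])
    names = parse_trail_names("org-trail, dev-trail, missing-trail")
    return enable_cloudwatch_logs(client, names, LOG_GROUP_ARN, ROLE_ARN)


if __name__ == "__main__":
    print(demo())
```

Surfacing the `Failed` map as step output rather than raising on the first error means a single misspelled trail name leaves the other trails remediated and the failure visible in the automation's execution history.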

# `AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS`
<a name="automation-aws-ctrail-kms"></a>

 **Description** 

 The `AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS` runbook encrypts an AWS CloudTrail (CloudTrail) trail using the AWS Key Management Service (AWS KMS) customer managed key you specify. This runbook should only be used as a baseline to ensure that your CloudTrail trails are encrypted according to minimum recommended security best practices. We recommend encrypting multiple trails with different KMS keys. CloudTrail digest files are not encrypted. If you have previously set the `EnableLogFileValidation` parameter to `true` for the trail, see the "Use server-side encryption with AWS KMS managed keys" section of the [CloudTrail Preventative Security Best Practices](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html#best-practices-security-preventative) topic in the *AWS CloudTrail User Guide* for more information. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCloudTrailEncryptionWithKMS) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ KMSKeyId

  Type: String

   Description: (Required) The ARN, key ID, or key alias of the customer managed key you want to use to encrypt the trail you specify in the `TrailName` parameter. 
+ TrailName

  Type: String

  Description: (Required) The ARN or name of the trail you want to update to be encrypted.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `cloudtrail:GetTrail` 
+  `cloudtrail:UpdateTrail` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables encryption on the trail you specify in the `TrailName` parameter. 
+  `aws:executeAwsApi` - Gathers the ARN for the customer managed key you specify in the `KMSKeyId` parameter. 
+  `aws:assertAwsResourceProperty` - Verifies that encryption has been enabled on the CloudTrail trail. 

# `AWS-EnableCloudTrailKmsEncryption`
<a name="enable-cloudtrail-kms-encryption"></a>

**Description**

This runbook updates the configuration of one or more AWS CloudTrail trails to use AWS Key Management Service (AWS KMS) encryption.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-EnableCloudTrailKmsEncryption)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ KMSKeyId

  Type: String

  Description: (Required) The key ID of the customer managed key you want to use to encrypt the trails you specify in the `TrailNames` parameter. The value can be an alias name prefixed by "alias/", a fully specified ARN to an alias, or a fully specified ARN to a key.
+ TrailNames

  Type: StringList

  Description: (Required) A comma separated list of the trails you want to update to be encrypted.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `cloudtrail:UpdateTrail`
+ `kms:DescribeKey`
+ `kms:ListKeys`

**Document Steps**
+ `aws:executeScript` - Enables AWS KMS encryption on the trails you specify in the `TrailNames` parameter.

# `AWSConfigRemediation-EnableCloudTrailLogFileValidation`
<a name="automation-aws-enable-ctrail-log-validation"></a>

 **Description** 

 The `AWSConfigRemediation-EnableCloudTrailLogFileValidation` runbook enables log file validation for your AWS CloudTrail trail. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCloudTrailLogFileValidation) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ TrailName

  Type: String

  Description: (Required) The name or Amazon Resource Name (ARN) of the trail you want to enable log validation for.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `cloudtrail:GetTrail` 
+  `cloudtrail:UpdateTrail` 

 **Document Steps** 
+  `aws:executeAwsApi` - Enables log validation for the AWS CloudTrail trail you specify in the `TrailName` parameter. 
+  `aws:assertAwsResourceProperty` - Verifies log validation is enabled for your trail. 

# `AWS-EnableCloudTrailLogFileValidation`
<a name="enable-cloudtrail-log-validation"></a>

**Description**

The `AWS-EnableCloudTrailLogFileValidation` runbook enables log file validation for the AWS CloudTrail trails you specify.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-EnableCloudTrailLogFileValidation)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ TrailNames

  Type: StringList

  Description: (Required) A comma separated list of the names of the CloudTrail trails you want to enable log validation for.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `cloudtrail:GetTrail`
+ `cloudtrail:UpdateTrail`

**Document Steps**
+ `aws:executeScript` - Enables log validation for the AWS CloudTrail trails you specify in the `TrailNames` parameter.

# `AWS-QueryCloudTrailLogs`
<a name="aws-querycloudtraillogs"></a>

 **Description** 

 The `AWS-QueryCloudTrailLogs` runbook creates an Amazon Athena table from the Amazon Simple Storage Service (Amazon S3) bucket of your choice containing AWS CloudTrail (CloudTrail) logs. After creating the table, the automation runs SQL queries you specify and then deletes the table. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-QueryCloudTrailLogs) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Databases

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ Query

  Type: String

  Description: (Required) The SQL query you want to run.
+ SourceBucketPath

  Type: String

  Description: (Required) The name of the Amazon S3 bucket containing the CloudTrail log files you want to query.
+ TableName

  Type: String

  Description: (Optional) The name of the Athena table created by the automation.

  Default: cloudtrail_logs

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `athena:GetQueryResults` 
+  `athena:GetQueryExecution` 
+  `athena:StartQueryExecution` 
+  `glue:CreateTable` 
+  `glue:DeleteTable` 
+  `glue:GetDatabase` 
+  `glue:GetPartitions` 
+  `glue:GetTable` 
+  `s3:AbortMultipartUpload` 
+  `s3:CreateBucket` 
+  `s3:GetBucketLocation` 
+  `s3:GetObject` 
+  `s3:ListBucket` 
+  `s3:ListBucketMultipartUploads` 
+  `s3:ListMultipartUploadParts` 
+  `s3:PutObject` 

 **Document Steps** 
+  `aws:executeAwsApi` - Creates an Athena table. 
+  `aws:executeAwsApi` - Runs the query string you specify in the `Query` parameter. 
+  `aws:executeScript` - Polls and waits for the query to complete. 
+  `aws:executeAwsApi` - Gets the results of the query. 
+  `aws:executeAwsApi` - Deletes the table created by the automation. 
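The five steps above are a create / query / poll / fetch / drop sequence, and the poll step is where most hand-written versions go wrong (treating `FAILED` or `CANCELLED` as "still running", or reading only the first page of results). The following is an added example, not the runbook's own code: it runs that sequence against `FakeAthena`, a constructed stand-in for the boto3 Athena client, with a defender's query for changes to trail logging. The DDL follows the CloudTrail SerDe that Athena documents, with a reduced column list; the bucket, account id, output location and sample rows are placeholders.

```python
"""Added example (not the runbook's own code): the Athena sequence behind
AWS-QueryCloudTrailLogs, with correct terminal-state handling and paging."""
import time

TERMINAL_STATES = {"SUCCEEDED", "FAILED", "CANCELLED"}

CREATE_TABLE = """CREATE EXTERNAL TABLE IF NOT EXISTS {table} (
  eventversion STRING,
  useridentity STRUCT<type:STRING, principalid:STRING, arn:STRING, accountid:STRING, username:STRING>,
  eventtime STRING, eventsource STRING, eventname STRING, awsregion STRING,
  sourceipaddress STRING, useragent STRING, errorcode STRING, errormessage STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://{bucket}/AWSLogs/'"""

# Who stopped, deleted or reconfigured a trail, newest first.
TAMPER_QUERY = """SELECT eventtime, useridentity.arn AS actor, eventname, sourceipaddress, errorcode
FROM {table}
WHERE eventsource = 'cloudtrail.amazonaws.com'
  AND eventname IN ('StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors')
ORDER BY eventtime DESC"""


def wait_for_query(athena, query_id, timeout_s=300, poll_s=2):
    """Poll GetQueryExecution until SUCCEEDED; raise on FAILED, CANCELLED or timeout."""
    deadline = time.monotonic() + timeout_s
    while True:
        status = athena.get_query_execution(QueryExecutionId=query_id)["QueryExecution"]["Status"]
        state = status["State"]
        if state == "SUCCEEDED":
            return
        if state in TERMINAL_STATES:
            raise RuntimeError(f"query {query_id} {state}: {status.get('StateChangeReason', '')}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"query {query_id} still {state} after {timeout_s}s")
        time.sleep(poll_s)


def fetch_results(athena, query_id):
    """Follow NextToken across pages; the first row of the first page is the header."""
    rows, kwargs, header = [], {"QueryExecutionId": query_id}, None
    while True:
        page = athena.get_query_results(**kwargs)
        cells = [[c.get("VarCharValue") for c in r["Data"]] for r in page["ResultSet"]["Rows"]]
        if header is None:  # Athena omits VarCharValue for NULL cells, hence .get()
            header, cells = cells[0], cells[1:]
        rows.extend(dict(zip(header, r)) for r in cells)
        if not page.get("NextToken"):
            return rows
        kwargs["NextToken"] = page["NextToken"]


def run_query(athena, bucket, query, table="cloudtrail_logs", database="default",
              output="s3://example-query-results-bucket/athena/", poll_s=2):
    """Create the table, run the query, collect the rows, and always drop the table."""
    ctx = {"QueryExecutionContext": {"Database": database},
           "ResultConfiguration": {"OutputLocation": output}}

    def submit(sql):
        qid = athena.start_query_execution(QueryString=sql, **ctx)["QueryExecutionId"]
        wait_for_query(athena, qid, poll_s=poll_s)
        return qid

    submit(CREATE_TABLE.format(table=table, bucket=bucket))
    try:
        return fetch_results(athena, submit(query.format(table=table)))
    finally:
        submit(f"DROP TABLE IF EXISTS {table}")  # the runbook's final step, even on failure


class FakeAthena:
    """Constructed stand-in: every query reports RUNNING once, then SUCCEEDED;
    SELECTs return one canned row, DDL returns only a header row."""
    CANNED = [["eventtime", "actor", "eventname", "sourceipaddress", "errorcode"],
              ["2024-05-01T10:15:00Z", "arn:aws:iam::111122223333:user/example-user",
               "StopLogging", "198.51.100.7", None]]

    def __init__(self):
        self.queries, self.polls = [], {}

    def start_query_execution(self, QueryString, **_):
        self.queries.append(QueryString)
        return {"QueryExecutionId": f"q{len(self.queries) - 1}"}

    def get_query_execution(self, QueryExecutionId):
        n = self.polls.get(QueryExecutionId, 0)
        self.polls[QueryExecutionId] = n + 1
        return {"QueryExecution": {"Status": {"State": "RUNNING" if n == 0 else "SUCCEEDED"}}}

    def get_query_results(self, QueryExecutionId, **_):
        sql = self.queries[int(QueryExecutionId[1:])]
        rows = self.CANNED if sql.lstrip().upper().startswith("SELECT") else [["rows"]]
        return {"ResultSet": {"Rows": [
            {"Data": [({"VarCharValue": v} if v is not None else {}) for v in r]} for r in rows]}}


if __name__ == "__main__":
    print(run_query(FakeAthena(), "example-cloudtrail-bucket", TAMPER_QUERY, poll_s=0))
```

With a real client, replace `FakeAthena()` with `boto3.client("athena")` and point `output` at a bucket the `AutomationAssumeRole` can write to; the `s3:*MultipartUpload*` and `s3:PutObject` actions in the permission list above exist for that result location.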