Organization-Wide CloudTrail Trail

📦 Overview

This Terraform module provisions an organization-wide AWS CloudTrail trail, providing centralized API activity logging across all accounts in an AWS Organization.
It supports multi-region logging, log file validation, and optional KMS encryption for enhanced security and compliance.

✅ Key Features

Records management events across all AWS Organization accounts
Stores logs in a designated S3 bucket
Supports multi-region logging and file validation
Optionally encrypts logs with a customer-managed KMS key
Applies environment tagging for visibility and tracking

💼 Use Cases

Meeting compliance and audit requirements at an organizational level
Centralized security visibility for AWS Organizations
Foundational observability in multi-account cloud infrastructures

📥 Input Variables

Name	Type	Description
region	string	AWS region for trail creation
trail_name	string	Name of the CloudTrail trail
s3_bucket_name	string	Name of the S3 bucket that will store logs
enable_kms	bool	Whether to enable KMS encryption
kms_key_id	string	(Optional) KMS key ARN used for log encryption
environment	string	Environment tag for labeling resources (e.g., prod, dev)

📤 Outputs

Name	Description
cloudtrail_trail_arn	ARN of the created organizational trail
cloudtrail_trail_name	Name of the created CloudTrail trail

🚀 Deployment Readiness

✅ Compatible with Terraform 1.0+
✅ Requires AWS Provider 5.x or later
☁️ Must be deployed from the management account of your AWS Organization
🔐 KMS key is optional but recommended for production use

🛠️ Example Usage

module "cloudtrail_org_multi" {
  source = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//logging/cloudtrail-org-multi?ref=v1.0.0"

  region          = "us-east-1"
  trail_name      = "archiphire-org-trail"
  s3_bucket_name  = "archiphire-org-cloudtrail-logs"
  enable_kms      = true
  kms_key_id      = "arn:aws:kms:us-east-1:111122223333:key/abcd1234-abcd-1234-abcd-1234abcd5678"
  environment     = "prod"
}

terraform init
terraform plan
terraform apply

tofu init
tofu plan
tofu apply

🧹 Cleanup Options

Terraform Destroy:

terraform destroy

tofu destroy

Manual Deletion (Recommended for Production):

aws cloudtrail delete-trail --name archiphire-org-trail

🛡️ Notes

This is a Level 1 organizational logging module.

It establishes secure, multi-account logging but does not include alerting, metrics, or log analytics. For advanced use cases, pair with CloudWatch Logs, GuardDuty, or a centralized SIEM as part of a Level 2 observability pipeline.

🔒 Deployment Package Notice

This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.

📦 Overview​

✅ Key Features​

💼 Use Cases​

📥 Input Variables​

📤 Outputs​

🚀 Deployment Readiness​

🛠️ Example Usage​

🧹 Cleanup Options​

🛡️ Notes​

🔒 Deployment Package Notice​