Creating this CloudFormation stack will configure CloudTrail including a new trail, an S3 bucket, and a CloudWatch Logs group for CloudTrail logs. You can optionally configure AWS Config and Amazon GuardDuty by setting the CloudFormation parameter for each.
Download the latest version of the CloudFormation template here: cloudtrail-config-guardduty-securityhub.yaml
Go to the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation and click Create Stack > With new resources
Leave Prepare template setting as-is
For Stack name use DetectiveControls
Look over the Parameters and their default values.
Under General section only enable the service if you have not configured already. CloudTrail is enabled by default, if you have enabled already this will create another trail and S3 bucket.
CloudTrailBucketName: The name of the new S3 bucket to create for CloudTrail to send logs to.
IMPORTANT: Bucket names need to be unique across all AWS buckets, and only contain lowercase letters, numbers, and hyphens.
ConfigBucketName: The name of the new S3 bucket to create for Config to save config snapshots to.
GuardDutyEmailAddress: The email address you own that will receive the alerts, you must have access to this address for testing.
For Configure stack options we recommend configuring tags, which are key-value pairs, that can help you identify your stacks and the resources they create. For example, enter Owner in the left column which is the key, and your email address in the right column which is the value. We will not use additional permissions or advanced options so click Next. For more information, see Setting AWS CloudFormation Stack Options.
This will take you to the CloudFormation stack status page, showing the stack creation in progress.
When it shows status CREATE_COMPLETE, then you are finished with this step.
You have now set up detective controls to log to your buckets and retain events, giving you the ability to search history and later enable pro-active monitoring of your AWS account!
You should receive an email to confirm the SNS email subscription, you must confirm this. Note as the email is directly from GuardDuty via SNS it will be JSON format.