
NTC Log Archive

Migrating to v2?

NTC Log Archive v2 introduces major improvements including AWS Provider v6 support and AWS European Sovereign Cloud compatibility.

📖 Read the Migration Guide for step-by-step instructions.

Description

NTC Log Archive provides a centralized solution for storing and managing audit logs in your AWS environment. This building block provisions the log archive resources of a dedicated audit log account: the S3 buckets that receive CloudTrail logs, GuardDuty findings, VPC Flow Logs and similar data, the KMS keys used to encrypt them, and the bucket policies that grant the log-producing services write access. Consolidating logs into a dedicated account isolates the audit trail from the workload accounts it describes and supports long-term, tamper-resistant retention.

Designed to support security and compliance frameworks, this module helps you maintain a comprehensive audit trail and enables robust monitoring and forensic analysis.

Warning

If Object Lock is enabled on a log archive bucket in COMPLIANCE mode, no principal, including the account root user, can delete or overwrite a locked object version before its retention period expires, and the retention period cannot be shortened. Setting bucket_force_destroy does not bypass this: terraform destroy fails until every locked version has aged out. The only way to remove the data earlier is to close the AWS account that owns the bucket.

Usage

Latest release: 2.0.0
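The following is an added usage example, not the blueprint snippet or the module's own code. It wires two buckets through the log_archive_buckets input documented under Optional Inputs: an immutable CloudTrail archive with Object Lock in COMPLIANCE mode, and a high-volume VPC Flow Logs bucket that expires quickly and is not locked. The module source string, the archive_type values, the account ID 111122223333 and the bucket names are assumptions; every attribute name and default comes from the input's type. The per-bucket region attribute relies on the resource-level region argument that AWS provider v6 introduced.

```hcl
# Added example, not the module's own usage snippet. Assumptions not stated on
# this page: the module source string, the archive_type values ("cloudtrail",
# "vpc_flow_logs"), the account ID 111122223333 and the bucket names. Everything
# else maps 1:1 onto the log_archive_buckets input documented on this page.
module "ntc_log_archive" {
  # assumption: point this at the real module source and pin the 2.0.0 release
  source = "git::https://example.com/ntc-log-archive.git?ref=2.0.0"

  # KMS: a long deletion window so an accidental destroy cannot make
  # already-encrypted archives unreadable within a week.
  kms_key_deletion_window_in_days = 30
  kms_key_enable_key_rotation     = true

  log_archive_buckets = [
    # Bucket 1: CloudTrail archive, write-once-read-many for seven years.
    {
      bucket_name  = "ntc-log-archive-cloudtrail-111122223333" # assumption
      archive_type = "cloudtrail"                              # assumption
      region       = "eu-central-1"                            # provider v6 per-resource region

      enable_versioning   = true # Object Lock requires versioning
      object_lock_enabled = true
      object_lock_configuration = {
        retention_mode = "COMPLIANCE"
        retention_days = 2555 # about 7 years; read the warning above first
      }
      # force_destroy cannot remove COMPLIANCE-locked versions; keep it false
      bucket_force_destroy = false

      enable_access_logging             = true
      access_logging_target_bucket_name = "ntc-log-archive-access-logs-111122223333" # assumption: bucket exists
      access_logging_target_prefix      = "cloudtrail/"

      lifecycle_configuration_rules = [
        {
          id                                     = "cloudtrail-tiering"
          abort_incomplete_multipart_upload_days = 7
          transition = {
            days          = 90
            storage_class = "GLACIER_IR"
          }
          noncurrent_version_transition = {
            noncurrent_days = 30
            storage_class   = "GLACIER_IR"
          }
          # Expire only after the lock has elapsed. Object Lock takes
          # precedence, so a shorter expiry is held back until retention ends.
          expiration = {
            days = 2920
          }
        }
      ]
    },
    # Bucket 2: VPC Flow Logs, high volume, short retention, no Object Lock.
    {
      bucket_name  = "ntc-log-archive-vpc-flow-logs-111122223333" # assumption
      archive_type = "vpc_flow_logs"                              # assumption
      region       = "eu-central-1"

      lifecycle_configuration_rules = [
        {
          id = "flow-logs-expire"
          filter = {
            prefix = "AWSLogs/" # default delivery prefix for flow logs to S3
          }
          expiration = {
            days = 180
          }
          noncurrent_version_expiration = {
            noncurrent_days = 30
          }
        }
      ]
    }
  ]
}

# Hand the bucket ARNs and key ARNs to the accounts and services that write logs.
output "log_archive_bucket_arns" {
  value = module.ntc_log_archive.log_archive_bucket_arns
}

output "log_archive_kms_key_arns" {
  value = module.ntc_log_archive.log_archive_kms_key_arns
}
```

The public-access-block settings, TLS 1.2 minimum and BucketOwnerEnforced ownership are left at their defaults, which are already the hardened values. Pick retention_days deliberately: once applied in COMPLIANCE mode it cannot be reduced, and the expiration lifecycle action only takes effect after the lock on each version has elapsed.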

Requirements

The following requirements are needed by this module:

  • terraform (>= 1.5.0)

  • aws (>= 6.0)

Providers

The following providers are used by this module:

  • aws (>= 6.0)

Modules

The following modules are called (all are local to this module, so they carry no version):

log_archive_bucket_encryption

Source: ./modules/log_archive_encryption

log_archive_bucket_policies

Source: ./modules/log_archive_policies

log_archive_buckets

Source: ./modules/bucket

Resources

The root module declares no resources directly; the buckets, keys and policies are created by the submodules listed above.

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

kms_key_deletion_window_in_days

Description: The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.

Type: number

Default: 7

kms_key_enable_key_rotation

Description: Specifies whether key rotation is enabled. Defaults to true.

Type: bool

Default: true

log_archive_buckets

Description: List of S3 log archive buckets.

Type:

    list(object({
      region                            = optional(string, null)
      bucket_name                       = string
      archive_type                      = string
      minimum_tls_version               = optional(string, "1.2")
      config_iam_path                   = optional(string, "/")
      config_iam_role_name              = optional(string, "ntc-config-role")
      enable_versioning                 = optional(bool, true)
      bucket_force_destroy              = optional(bool, false)
      block_public_acls                 = optional(bool, true)
      block_public_policy               = optional(bool, true)
      ignore_public_acls                = optional(bool, true)
      restrict_public_buckets           = optional(bool, true)
      object_lock_enabled               = optional(bool, false)
      enable_bucket_ownership_controls  = optional(bool, false)
      expected_bucket_owner             = optional(string, null)
      enable_access_logging             = optional(bool, false)
      access_logging_target_bucket_name = optional(string, "")
      access_logging_target_prefix      = optional(string, "logs/")
      object_ownership                  = optional(string, "BucketOwnerEnforced")
      object_lock_configuration = optional(
        object({
          token          = optional(string, null)
          retention_mode = optional(string, "COMPLIANCE")
          retention_days = optional(number, 365)
        }), {}
      )
      lifecycle_configuration_rules = optional(
        list(object({
          enabled                                = optional(bool, true)
          id                                     = string
          abort_incomplete_multipart_upload_days = optional(number, null)
          filter = optional(
            object({
              object_size_greater_than = optional(number, null)
              object_size_less_than    = optional(number, null)
              prefix                   = optional(string, null)
              tag = optional(
                object({
                  key   = string
                  value = string
                }), null
              )
            }), {}
          )
          filter_and = optional(
            object({
              object_size_greater_than = optional(number, null)
              object_size_less_than    = optional(number, null)
              prefix                   = optional(string, null)
              tags                     = optional(map(string), null)
            }), {}
          )
          expiration = optional(
            object({
              date                         = optional(string, null)
              days                         = optional(number, null)
              expired_object_delete_marker = optional(bool, null)
            }), {}
          )
          transition = optional(
            object({
              date          = optional(string, null)
              days          = optional(number, null)
              storage_class = optional(string, null)
            }), {}
          )
          noncurrent_version_expiration = optional(
            object({
              newer_noncurrent_versions = optional(number, null)
              noncurrent_days           = optional(number, null)
            }), {}
          )
          noncurrent_version_transition = optional(
            object({
              newer_noncurrent_versions = optional(number, null)
              noncurrent_days           = optional(number, null)
              storage_class             = optional(string, null)
            }), {}
          )
        })), []
      )
    }))

Default: []

Outputs

The following outputs are exported:

log_archive_bucket_arns

Description: ARNs of the log archive buckets.

log_archive_bucket_ids

Description: Identifiers (bucket names) of the log archive buckets.

log_archive_kms_key_arns

Description: ARNs of the KMS keys used to encrypt the log archive buckets.