Feat/#54 Cloudtrail에 대한 Opensearch 모니터링 환경 구성

[3olly]

#️⃣ Related Issues

#54

📝 Work Summary

• Managemnet-account에서 cloudtrail이 Org 전체 로그를 수집합니다
• Cloudtrail 이 Operation-account 의 s3 버킷으로 로그를 전송해 저장합니다.
• s3 버킷에 새 객체가 업로드될 때마다 Eventbridge가 lambda로 트리거합니다.
• lambda는 두 가지가 있습니다.

1. s3버킷에서 opensearch로 로그를 전송하는 함수
2. opensearch의 모든 설정을 자동화하는 함수

• lambda가 보낸 모든 로그는 opensearch로 보내집니다.
• Opensearch 쪽에서는 미리 구성해놓은 룰셋으로, 보안 위험 로그 발생 시 slack 알림을 보냅니다.
• Opensearch에서는 대시보드로 전체 상황을 통합적으로 모니터링할 수 있으며, 새로운 룰 추가도 가능합니다.

[github-actions]

[Terraform Plan Summary]

항목	값
Status	success
Directory	management-team-account/monitoring
Executed At	2025-07-24 13:49:53 UTC

---

Plan Output

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Plan Error (if any)

(no errors)

[github-actions]

💰 Infracost report

Monthly estimate generated

_{This comment will be updated when code changes.}

[github-actions]

[Terraform Plan Summary]

항목	값
Status	success
Directory	management-team-account/monitoring
Executed At	2025-07-27 10:31:54 UTC

---

Plan Output

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Plan Error (if any)

(no errors)

[github-actions]

[Terraform Plan Summary]

항목	값
Status	success
Directory	management-team-account/monitoring
Executed At	2025-07-27 10:50:07 UTC

---

Plan Output

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Plan Error (if any)

(no errors)

[github-actions]

[Terraform Plan Summary]

항목	값
Status	success
Directory	operation-team-account/monitoring
Executed At	2025-07-27 10:50:09 UTC

---

Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.lambda_alerting.aws_lambda_function.alerting_setup will be updated in-place
  ~ resource "aws_lambda_function" "alerting_setup" {
        id                             = "opensearch-alerting-setup"
        tags                           = {}
        # (23 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "SLACK_WEBHOOK_URL"   = (sensitive value)
                # (1 unchanged element hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.opensearch_domain.aws_opensearch_domain.this will be updated in-place
  ~ resource "aws_opensearch_domain" "this" {
      ~ access_policies    = (sensitive value)
        id                 = "arn:aws:es:ap-northeast-2:502676416967:domain/whs-domain"
        tags               = {}
        # (10 unchanged attributes hidden)

        # (10 unchanged blocks hidden)
    }

  # module.s3.aws_s3_bucket_policy.cloudtrail will be updated in-place
  ~ resource "aws_s3_bucket_policy" "cloudtrail" {
        id     = "whs-aws-logs"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    # (2 unchanged elements hidden)
                    {
                        Action    = "s3:PutObject"
                        Condition = {
                            StringEquals = {
                                "s3:x-amz-acl" = "bucket-owner-full-control"
                            }
                        }
                        Effect    = "Allow"
                        Principal = {
                            Service = "cloudtrail.amazonaws.com"
                        }
                        Resource  = "arn:aws:s3:::whs-aws-logs/AWSLogs/*"
                        Sid       = "AllowCloudTrailWrite"
                    },
                  ~ {
                      ~ Principal = {
                          ~ AWS = "arn:aws:iam::243359234795:root" -> "arn:aws:iam::502676416967:root"
                        }
                      ~ Resource  = "arn:aws:s3:::whs-aws-logs/AWSLogs/243359234795/*" -> "arn:aws:s3:::whs-aws-logs/AWSLogs/502676416967/*"
                        # (4 unchanged attributes hidden)
                    },
                  ~ {
                      ~ Principal = {
                          ~ AWS = "arn:aws:iam::243359234795:root" -> "arn:aws:iam::502676416967:root"
                        }
                        # (4 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

Plan Error (if any)

(no errors)

[imyourhopeee]

모니터링팀의 management account 관련 코드 및 opensearch 자동 설정, S3에서 로그 전달하는 코드, 도메인 생성, 로그 작업 허용하는 코드들 확인했습니다!