498: Refactor CloudTrail #647

Merged
merged 3 commits into from
Oct 28, 2024

@diego-ojeda-binbash diego-ojeda-binbash commented Oct 26, 2024

What?

  • Refactor CloudTrail to:
    • Work as a delegated administrator in the Security account
    • Work as a centralized, multi-region, organization trail in the Security account

Why?

  • The CloudTrail implementation is simplified because it creates a single multi-region, organizational trail that only needs to be maintained in a single account and in a single region
  • Despite the above, another benefit is that the implementation can grow automatically as the number of accounts and regions increases or decreases
  • Another consequence of the above is that the IaC footprint is narrowed to using a single layer for defining the implementation, which results in fewer layers to be maintained

References

@diego-ojeda-binbash diego-ojeda-binbash self-assigned this Oct 26, 2024
@diego-ojeda-binbash diego-ojeda-binbash requested a review from a team as a code owner October 26, 2024 01:38
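
A minimal Terraform sketch of the layout the description above outlines, added here as an illustration; it is not code from this pull request or from the repository. The variables, the `aws.management` / `aws.security` provider aliases, the trail name and a pre-existing log bucket in the Security account are assumptions, as is CloudTrail trusted access already being enabled for the organization.

```hcl
# Assumed inputs (not from the PR); provider aliases aws.management / aws.security are assumed too.
variable "management_account_id" { type = string }
variable "security_account_id" { type = string }
variable "organization_id" { type = string } # o-xxxxxxxxxx
variable "trail_bucket" { type = string }    # existing log bucket in Security
variable "home_region" { type = string }

locals {
  trail_name = "org-trail" # hypothetical name
  # An organization trail stays owned by the management account even when the
  # delegated administrator creates it, so its ARN carries that account ID.
  trail_arn = "arn:aws:cloudtrail:${var.home_region}:${var.management_account_id}:trail/${local.trail_name}"
}

# Applied with management-account credentials: register Security as delegated admin.
resource "aws_cloudtrail_organization_delegated_admin_account" "security" {
  provider   = aws.management
  account_id = var.security_account_id
}

resource "aws_s3_bucket_policy" "trail_bucket" {
  provider = aws.security
  bucket   = var.trail_bucket
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "cloudtrail.amazonaws.com" }
      Action    = ["s3:GetBucketAcl", "s3:PutObject"]
      Resource = [
        "arn:aws:s3:::${var.trail_bucket}",
        "arn:aws:s3:::${var.trail_bucket}/AWSLogs/${var.management_account_id}/*",
        "arn:aws:s3:::${var.trail_bucket}/AWSLogs/${var.organization_id}/*",
      ]
      # Only this trail may write to the bucket, not any CloudTrail caller.
      Condition = { StringEquals = { "aws:SourceArn" = local.trail_arn } }
    }]
  })
}

# Security account: the single multi-region organization trail.
resource "aws_cloudtrail" "org" {
  provider              = aws.security
  name                  = local.trail_name
  s3_bucket_name        = var.trail_bucket
  is_organization_trail = true
  is_multi_region_trail = true
  depends_on            = [aws_s3_bucket_policy.trail_bucket, aws_cloudtrail_organization_delegated_admin_account.security]
}
```

The bucket policy covers both the `AWSLogs/<management account ID>/` and `AWSLogs/<organization ID>/` prefixes because an organization trail delivers member-account logs under the organization ID.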

💰 Infracost report

Monthly estimate generated

| Changed project | Baseline cost | Usage cost* | Total change | New monthly cost |
|---|---|---|---|---|
| binbashar/le-tf-infra-aws/security/us-east-2/security-audit | +$0 | - | +$0 | $0 |

*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

Estimate details (includes details of unsupported resources and skipped projects due to errors)
Key: * usage cost, ~ changed, + added, - removed

──────────────────────────────────
Project: security-us-east-2-security-audit
Module path: security/us-east-2/security-audit

- aws_s3_bucket.cloudtrail_s3_bucket-dr[0]
  Monthly cost depends on usage

    - Standard
    
        - Storage
          Monthly cost depends on usage
            -$0.023 per GB
    
        - PUT, COPY, POST, LIST requests
          Monthly cost depends on usage
            -$0.005 per 1k requests
    
        - GET, SELECT, and all other requests
          Monthly cost depends on usage
            -$0.0004 per 1k requests
    
        - Select data scanned
          Monthly cost depends on usage
            -$0.002 per GB
    
        - Select data returned
          Monthly cost depends on usage
            -$0.0007 per GB

Monthly cost change for binbashar/le-tf-infra-aws/security/us-east-2/security-audit (Module path: security/us-east-2/security-audit)
Amount:  $0.00 ($0.00 → $0.00)

──────────────────────────────────
Key: * usage cost, ~ changed, + added, - removed
131 projects have no cost estimate changes.
Run the following command to see their breakdown: infracost breakdown --path=/path/to/code

──────────────────────────────────
*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

2523 cloud resources were detected:
∙ 592 were estimated
∙ 1822 were free
∙ 109 are not supported yet, see https://infracost.io/requested-resources:
  ∙ 37 x aws_identitystore_group_membership
  ∙ 33 x aws_identitystore_user
  ∙ 10 x aws_guardduty_member
  ∙ 7 x aws_identitystore_group
  ∙ 5 x aws_fms_policy
  ∙ 4 x aws_guardduty_detector
  ∙ 2 x aws_guardduty_organization_admin_account
  ∙ 2 x aws_guardduty_organization_configuration
  ∙ 2 x aws_organizations_delegated_administrator
  ∙ 1 x aws_cloudtrail_organization_delegated_admin_account
  ∙ 1 x aws_eks_access_entry
  ∙ 1 x aws_fms_admin_account
  ∙ 1 x aws_organizations_organization
  ∙ 1 x aws_route53_resolver_firewall_domain_list
  ∙ 1 x aws_route53_resolver_firewall_rule
  ∙ 1 x aws_route53_resolver_firewall_rule_group
This comment will be updated when code changes.
