Creating an S3 Bucket
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
Click Create bucket.
In Region, choose the AWS Region where you want the bucket to reside.
Under Object Ownership, select ACLs disabled.
In Block Public Access settings for this bucket, select Block all public access.
Leave the remaining settings as default and click Create Bucket.
Make a note of the ARN of the new S3 bucket, as this will be required later.
Creating an IAM Role
Type IAM in the search bar at the top of the AWS console and select IAM from the search results.
In the IAM view, click on the section named Roles in the left-hand toolbar.
Click Create role.
On the Create role page, select the entity type AWS account.
Under An AWS account, click the checkbox marked Another AWS account and enter the Account ID: 653730588838.
In the Options, select Require external ID, then in the External ID box, enter a random string of letters and numbers. Please do not include any special characters. Make a note of the External ID, as this will be required later.
Click “Next” and you’ll be taken to the Add permissions page.
Select the permissions AmazonSQSFullAccess and AmazonS3ReadOnlyAccess, then click Next.
Give the role a name (we recommend DefenseAssumedRole), then click Create role in the bottom right corner.
Once the role is created, you’ll see a View Role option in a green bar at the top of the page. Click on this, then click on Edit in the Summary section of the next page.
Change the value of Maximum session duration to 12 hours and click Save changes.
Make a note of the ARN of this role, as it will be required later.
CloudTrail setup
Type Cloudtrail in the search bar at the top of the AWS console and select Cloudtrail from the search results.
Click Create trail.
Name the trail Defensecom-Logs. By default, logs will be collected for multiple regions.
Under Storage location, select the Use existing S3 bucket option and enter your S3 bucket name and details.
Disable Log file SSE-KMS encryption unless you would like to configure this; it is not required.
Make sure Log file validation under Additional settings is enabled. Leave the rest of the options as their default and click Next.
In Management events, select the events you’d like to be logged. Please be aware that if this is your first trail, you won’t be charged by AWS for selecting both read and write, but you will be charged if you already have a trail exporting management events.
You can also configure CloudTrail to send Data and Insight events on this page. Please be aware that AWS charges for these types of events.
Once you’re done, click Next, review the details, then click Create trail.
SQS Queue Setup
Each S3 bucket will require its own SQS Queue.
Type SQS in the search bar at the top of the AWS console and select Simple Queue Service from the search results.
Click Create queue.
Name the queue after the service you will be logging to it.
Under Access policy, select Advanced, then copy the policy below into the text box and replace the placeholder values (your-aws-account-id, your-sqs-queue-arn, your-s3-bucket-arn and the-arn-of-the-role-we-asked-you-to-create) with the values you noted down earlier.
{
    "Version": "2012-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__owner_statement",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::your-aws-account-id:root"},
            "Action": "SQS:*",
            "Resource": "your-sqs-queue-arn"
        },
        {
            "Sid": "__sender_statement",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SQS:SendMessage",
            "Resource": "your-sqs-queue-arn",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": "your-aws-account-id"},
                "ArnLike": {"aws:SourceArn": "your-s3-bucket-arn"}
            }
        },
        {
            "Sid": "__receiver_statement",
            "Effect": "Allow",
            "Principal": {"AWS": "the-arn-of-the-role-we-asked-you-to-create"},
            "Action": [
                "SQS:ChangeMessageVisibility",
                "SQS:DeleteMessage",
                "SQS:ReceiveMessage"
            ],
            "Resource": "your-sqs-queue-arn"
        }
    ]
}
Leave the rest of the settings as their defaults, then click Create queue.
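The two policies in this guide are what keep the integration safe: the role's trust policy limits sts:AssumeRole to the single account above and pins it to your External ID (the confused-deputy protection), and the queue policy lets S3 send only from your own bucket and account while the role may only receive, delete and re-hide messages. The script below is an added example, not part of this guide or of any AWS or vendor tooling; it checks both policies offline before you file the support ticket. The queue policy and the 653730588838 account ID are taken from the guide; the trust-policy shape is the one the console writes for "Another AWS account" with "Require external ID"; every SAMPLE_* value, the External ID and the function names are constructed for the example.

```python
"""Offline sanity check of the two cross-account policies this guide relies on."""
import json
import re

VENDOR_ACCOUNT_ID = "653730588838"  # the account the guide asks you to trust

# Constructed sample values standing in for the ARNs you noted down earlier.
SAMPLE_ACCOUNT_ID = "111122223333"
SAMPLE_QUEUE_ARN = "arn:aws:sqs:eu-west-2:111122223333:cloudtrail-logs"
SAMPLE_BUCKET_ARN = "arn:aws:s3:::example-cloudtrail-logs-bucket"
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/DefenseAssumedRole"
SAMPLE_EXTERNAL_ID = "k7Qx9mP2rT4v"

# The guide's queue policy with its placeholders still in place (whitespace removed).
GUIDE_QUEUE_POLICY = (
    '{"Version":"2012-10-17","Id":"__default_policy_ID","Statement":['
    '{"Sid":"__owner_statement","Effect":"Allow",'
    '"Principal":{"AWS":"arn:aws:iam::your-aws-account-id:root"},'
    '"Action":"SQS:*","Resource":"your-sqs-queue-arn"},'
    '{"Sid":"__sender_statement","Effect":"Allow","Principal":{"Service":"s3.amazonaws.com"},'
    '"Action":"SQS:SendMessage","Resource":"your-sqs-queue-arn","Condition":{'
    '"StringEquals":{"aws:SourceAccount":"your-aws-account-id"},'
    '"ArnLike":{"aws:SourceArn":"your-s3-bucket-arn"}}},'
    '{"Sid":"__receiver_statement","Effect":"Allow",'
    '"Principal":{"AWS":"the-arn-of-the-role-we-asked-you-to-create"},'
    '"Action":["SQS:ChangeMessageVisibility","SQS:DeleteMessage","SQS:ReceiveMessage"],'
    '"Resource":"your-sqs-queue-arn"}]}'
)


def filled_queue_policy(account_id, queue_arn, bucket_arn, role_arn) -> dict:
    """Substitute the guide's placeholders; a forgotten one shows up as a finding later."""
    text = (GUIDE_QUEUE_POLICY
            .replace("your-aws-account-id", account_id)
            .replace("your-sqs-queue-arn", queue_arn)
            .replace("your-s3-bucket-arn", bucket_arn)
            .replace("the-arn-of-the-role-we-asked-you-to-create", role_arn))
    return json.loads(text)


def example_trust_policy(external_id=SAMPLE_EXTERNAL_ID) -> dict:
    """Trust policy the console produces for 'Another AWS account' + 'Require external ID'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _principal(stmt) -> dict:
    pr = stmt.get("Principal", {})
    return pr if isinstance(pr, dict) else {"AWS": pr}  # a bare "*" becomes {"AWS": "*"}


def trust_policy_findings(policy: dict) -> list:
    """Problems with the role's trust policy; an empty list means it matches the guide."""
    findings, assume_seen = [], False
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        assume_seen = True
        principals = _as_list(_principal(s).get("AWS"))
        if not principals:
            findings.append("AssumeRole statement has no AWS principal")
        for p in principals:  # anything but the vendor account root, including "*", is flagged
            if p != f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root":
                findings.append(f"unexpected AssumeRole principal: {p}")
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("sts:ExternalId condition missing (confused-deputy protection)")
        elif not re.fullmatch(r"[A-Za-z0-9]+", ext):
            findings.append("External ID must contain only letters and digits")
    if not assume_seen:
        findings.append("no Allow sts:AssumeRole statement")
    return findings


def queue_policy_findings(policy, account_id, queue_arn, bucket_arn, role_arn) -> list:
    """Problems with the SQS access policy; an empty list means it matches the guide."""
    findings, roles = [], set()
    allowed_receive = {"sqs:changemessagevisibility", "sqs:deletemessage", "sqs:receivemessage"}
    for s in policy.get("Statement", []):
        sid = s.get("Sid", "?")
        if s.get("Effect") != "Allow":
            continue
        pr = _principal(s)
        actions = {a.lower() for a in _as_list(s.get("Action"))}  # IAM action names are case-insensitive
        if _as_list(s.get("Resource")) != [queue_arn]:
            findings.append(f"{sid}: Resource is not this queue's ARN")
        if pr.get("Service") == "s3.amazonaws.com":
            roles.add("sender")
            cond = s.get("Condition", {})
            if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
                findings.append(f"{sid}: aws:SourceAccount must pin the bucket's account")
            if cond.get("ArnLike", {}).get("aws:SourceArn") != bucket_arn:
                findings.append(f"{sid}: aws:SourceArn must pin your bucket")
            if actions != {"sqs:sendmessage"}:
                findings.append(f"{sid}: S3 needs only SQS:SendMessage")
        elif pr.get("AWS") == role_arn:
            roles.add("receiver")
            if not actions <= allowed_receive:
                findings.append(f"{sid}: role granted more than receive/delete/visibility")
        elif pr.get("AWS") == f"arn:aws:iam::{account_id}:root":
            roles.add("owner")
        else:
            findings.append(f"{sid}: unexpected principal {pr}")  # "*" or a leftover placeholder
    for role in ("owner", "sender", "receiver"):
        if role not in roles:
            findings.append(f"no {role} statement")
    return findings


def check_guide_policies() -> dict:
    """Run both checks over the guide's policies filled with the sample values."""
    q = filled_queue_policy(SAMPLE_ACCOUNT_ID, SAMPLE_QUEUE_ARN, SAMPLE_BUCKET_ARN, SAMPLE_ROLE_ARN)
    return {"queue": queue_policy_findings(q, SAMPLE_ACCOUNT_ID, SAMPLE_QUEUE_ARN,
                                          SAMPLE_BUCKET_ARN, SAMPLE_ROLE_ARN),
            "trust": trust_policy_findings(example_trust_policy())}


if __name__ == "__main__":
    print(json.dumps(check_guide_policies(), indent=2))  # {"queue": [], "trust": []} when all is well
```

To check your real policies, paste the JSON shown in the console for the role (Trust relationships tab) and the queue (Access policy section) into the two finding functions with your own account ID and ARNs; a non-empty list points at the statement and condition to revisit, and a leftover placeholder surfaces as an "unexpected principal" or "Resource is not this queue's ARN" finding.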
S3 setup
Open the Amazon S3 console at https://console.aws.amazon.com/s3/ and select the S3 bucket you set up earlier.
Go to the Properties tab, scroll down until you find Event notifications and click Create event notification.
Give the event an identifiable name, for example, cloudtrail-logs.
In the Event Types section, we recommend logging All object create events.
In the Destination section, select the SQS queue you created earlier, then Save changes.
To test that this has worked, upload any file to the S3 bucket, then go to the SQS queue and select the Monitoring tab. Allow a few minutes for the message to come through.
What we need from you
Once you've completed the above, please provide us with the following information via a support ticket:
The AWS Region of the SQS Queue
The ARN of the SQS Queue
The ARN of the Role we asked you to create
The External ID of the Role
And that's it! You've successfully integrated AWS CloudTrail 🎉
