CloudTrail ingest is a component of the Observe AWS integration. If you have installed this integration, you do not need to configure CloudTrail ingest separately.
Create a new Trail

1. Navigate to the CloudTrail console.
2. Click Create Trail.
3. Configure the Trail attributes with the settings below:
   - A name for the new Trail, following the AWS CloudTrail Trail Naming Requirements.
   - The bucket to log to, either new or existing. If you choose an existing bucket, its policy must grant CloudTrail permission to write to it.
   - Log file SSE-KMS Encryption: uncheck to disable.
   - Log file validation
   - SNS notification delivery
4. Click Next to choose the type of events you would like to send to Observe.
   For Data events, ensure you only select Write events. Selecting Read events causes the Lambda forwarder to trigger on its own Read events, resulting in an endless read/write loop.
5. Click Next to review your configuration, then Create Trail to save.
For more about configuring CloudTrail, see Creating a trail in the AWS CloudTrail documentation. If you would like to use SNS, please see the CloudTrail documentation for more information.
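The two settings in the steps above that are easy to get wrong are the bucket policy (CloudTrail must be allowed to write to an existing bucket) and the data-event scope (Write only, or the forwarder loops on its own reads). The script below, an added example rather than Observe's or AWS's code, builds both as JSON documents that can be passed to `aws s3api put-bucket-policy` and `aws cloudtrail put-event-selectors --advanced-event-selectors`, and includes a check that rejects any selector which would log Read data events. Account id, region, bucket and trail names are constructed placeholders.

```python
"""Build the CloudTrail configuration described in the steps above and check
the one setting that matters for the forwarder: data events limited to writes.

Added example, not Observe's or AWS's code. Every identifier below is a
constructed placeholder; swap in your own account, region, bucket and trail.
"""
import json

ACCOUNT_ID = "111122223333"            # constructed placeholder
REGION = "us-east-1"                   # constructed placeholder
BUCKET = "example-cloudtrail-logs"     # constructed placeholder
TRAIL_NAME = "observe-trail"           # constructed placeholder
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT_ID}:trail/{TRAIL_NAME}"


def cloudtrail_bucket_policy(bucket, account_id, trail_arn):
    """Bucket policy granting CloudTrail the two permissions it needs.

    GetBucketAcl lets CloudTrail verify the bucket, PutObject lets it deliver
    logs under AWSLogs/<account>/. The aws:SourceArn condition pins both
    grants to this trail so no other trail can use the bucket as a target.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def advanced_event_selectors():
    """Management events, plus S3 data events for writes only.

    readOnly == "false" is the advanced-selector equivalent of ticking only
    "Write" for data events in the console.
    """
    return [
        {
            "Name": "Management events",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]},
            ],
        },
        {
            "Name": "S3 object write events",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                {"Field": "readOnly", "Equals": ["false"]},
            ],
        },
    ]


def data_events_are_write_only(selectors):
    """True if every selector that logs Data events restricts them to writes.

    A Data selector without readOnly, or with readOnly == "true", would log
    the forwarder's own GetObject calls and feed the read/write loop.
    """
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Data" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        if fields.get("readOnly", {}).get("Equals") != ["false"]:
            return False
    return True


if __name__ == "__main__":
    # Files suitable for:
    #   aws s3api put-bucket-policy --bucket $BUCKET --policy file://bucket-policy.json
    #   aws cloudtrail put-event-selectors --trail-name $TRAIL_NAME \
    #       --advanced-event-selectors file://event-selectors.json
    selectors = advanced_event_selectors()
    assert data_events_are_write_only(selectors)
    with open("bucket-policy.json", "w") as fh:
        json.dump(cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, TRAIL_ARN), fh, indent=2)
    with open("event-selectors.json", "w") as fh:
        json.dump(selectors, fh, indent=2)
```

Run `data_events_are_write_only` against the output of `aws cloudtrail get-event-selectors` for an existing trail before attaching the forwarder; a trail that logs Read data events on the log bucket will re-trigger the forwarder on every log it reads.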
Install the Lambda forwarder
If needed, install the Observe Lambda forwarder following the instructions in its documentation. If you are already using the Lambda forwarder for another source, you do not need to install it again.
Add a Lambda trigger for the bucket

In the AWS Lambda Console:

1. Navigate to Functions.
2. Select the observe-lambda function.
3. Select Add Trigger.
4. Select S3 from the list.
5. Configure the trigger with the settings below:
   - The name of the CloudTrail bucket
   - All object create events
6. Click Add to create the trigger.
For additional details about Lambda and S3, see Using AWS Lambda with Amazon S3 in the AWS documentation. Note that an S3 bucket may only have one trigger of each type. If this is an issue, you may wish to use a new bucket.
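The console trigger above is, underneath, an S3 bucket notification configuration. The script below, an added example rather than Observe's or AWS's code, builds that configuration for "All object create events" on the forwarder and adds a check for the one-trigger-per-event-type restriction noted above, so you can tell before calling `aws s3api put-bucket-notification-configuration` whether an existing bucket already has a conflicting trigger. The function ARN is a constructed placeholder, and the overlap check is a conservative approximation of S3's rule (an assumption here), not AWS's own validation logic.

```python
"""S3 event notification that wires the CloudTrail bucket to the forwarder,
plus a check for the one-trigger-per-event-type restriction noted above.

Added example, not Observe's or AWS's code. ARNs are constructed
placeholders; the overlap check is a conservative approximation of S3's
rule (assumption), not a copy of AWS's validation logic.
"""
import json

# constructed placeholder
FORWARDER_ARN = "arn:aws:lambda:us-east-1:111122223333:function:observe-lambda"


def lambda_trigger_configuration(function_arn, prefix="AWSLogs/"):
    """Notification config for 'All object create events' on one Lambda.

    The prefix narrows the trigger to CloudTrail's delivery path so unrelated
    uploads to the bucket do not invoke the forwarder.
    """
    return {
        "LambdaFunctionConfigurations": [
            {
                "Id": "cloudtrail-to-observe",
                "LambdaFunctionArn": function_arn,
                "Events": ["s3:ObjectCreated:*"],
                "Filter": {
                    "Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}
                },
            }
        ]
    }


def _events_overlap(a, b):
    """s3:ObjectCreated:* covers every s3:ObjectCreated:<op> event."""
    if a == b:
        return True
    for x, y in ((a, b), (b, a)):
        if x.endswith(":*") and y.startswith(x[:-1]):
            return True
    return False


def _prefix_of(cfg):
    """Key prefix filter of a notification entry; empty string if unfiltered."""
    for rule in cfg.get("Filter", {}).get("Key", {}).get("FilterRules", []):
        if rule["Name"].lower() == "prefix":
            return rule["Value"]
    return ""


def conflicting_triggers(notification_config):
    """Return pairs of configuration Ids whose events and key prefixes overlap.

    S3 rejects a configuration with such overlaps, which is why a bucket that
    already has an object-create trigger cannot simply be given a second one.
    """
    cfgs = []
    for key in ("LambdaFunctionConfigurations", "QueueConfigurations", "TopicConfigurations"):
        cfgs.extend(notification_config.get(key, []))
    conflicts = []
    for i, a in enumerate(cfgs):
        for b in cfgs[i + 1:]:
            pa, pb = _prefix_of(a), _prefix_of(b)
            if not (pa.startswith(pb) or pb.startswith(pa)):
                continue  # disjoint prefixes never overlap
            if any(_events_overlap(ea, eb) for ea in a["Events"] for eb in b["Events"]):
                conflicts.append((a["Id"], b["Id"]))
    return conflicts


if __name__ == "__main__":
    # aws s3api put-bucket-notification-configuration --bucket <bucket> \
    #     --notification-configuration file://notification.json
    cfg = lambda_trigger_configuration(FORWARDER_ARN)
    assert not conflicting_triggers(cfg)
    with open("notification.json", "w") as fh:
        json.dump(cfg, fh, indent=2)
```

To check an existing bucket, feed the output of `aws s3api get-bucket-notification-configuration` (with the new Lambda entry appended) to `conflicting_triggers`; a non-empty result means the put will be rejected and a separate bucket, as the text suggests, is the simpler fix.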
For more about which AWS services send events to CloudTrail, see CloudTrail Supported Services and Integrations.