AWS CloudTrail

AWS CloudTrail monitors AWS account activity, and publishes the logs to a specified S3 bucket. Send the logs to Observe using the Observe Lambda forwarder.

Note

CloudTrail ingest is a component of the Observe AWS integration. If you have installed this integration, you do not need to configure CloudTrail ingest separately.

Creating a new Trail

  1. Navigate to the CloudTrail console.

  2. Click Create Trail.

  3. Configure the Trail attributes with the settings below:

    Trail name

    A name for the new Trail, following the AWS CloudTrail Trail Naming Requirements

    Storage location

    The bucket to log to, either new or existing. If you choose an existing bucket, its policy must grant CloudTrail permission to write to it.

    Log file SSE-KMS Encryption

    Uncheck to disable

    Log file validation

    Enabled

    SNS notification delivery

    Disabled

    CloudWatch Logs

    Optional

    Tags

    Optional

  4. Click Next to choose the type of events you want to send to Observe.

    Warning

    For Data events, ensure you only select Write events. If Read events are selected, the forwarder's own reads of the log objects are themselves recorded as data events, which produces new log files that trigger the forwarder again, resulting in an endless read/write loop.

  5. Click Next to review your configuration, then Create Trail to save.

For more about configuring CloudTrail, see Creating a trail in the AWS CloudTrail documentation. If you want to use SNS, please see the CloudTrail documentation for more information.

Installing the Lambda forwarder

If needed, install the Observe Lambda forwarder following the instructions in the documentation. If you currently use the Lambda forwarder for another source, you do not need to install it again.

Adding a Lambda trigger for the bucket

In the AWS Lambda Console:

  1. Navigate to Functions.

  2. Select the observe-lambda function.

  3. Select Add Trigger.

  4. Select S3 from the list.

  5. Configure the trigger with the settings below:

    Bucket

    The name of the CloudTrail bucket

    Event Type

    All object create events

    Prefix

    Optional

    Suffix

    Optional

  6. Click Add to create the trigger.

For additional details about Lambda and S3, see Using AWS Lambda with Amazon S3 in the AWS documentation. Note that an S3 bucket may only have one trigger of each type. If you need more than one trigger on the same bucket, consider using a new bucket.
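The same two configurations (a trail whose data events are WriteOnly, and an "All object create events" S3 trigger for the forwarder) can be produced as JSON for the AWS CLI. This is an added example, not Observe's or AWS's own code; the trail name, bucket, function ARN and prefix are constructed placeholders, and read_data_events_enabled is a hypothetical helper that flags the Read-events configuration the warning above describes.

```python
import json

# Constructed placeholder values (not from the original page).
TRAIL_NAME = "observe-trail"
CLOUDTRAIL_BUCKET = "example-cloudtrail-bucket"
FORWARDER_ARN = "arn:aws:lambda:us-east-1:123456789012:function:observe-lambda"
LOG_PREFIX = "AWSLogs/"

def build_event_selectors(data_buckets):
    """Management events plus S3 data events for the given buckets, WriteOnly
    so the forwarder's own GetObject calls are never logged back into the trail."""
    return [{
        "ReadWriteType": "WriteOnly",
        "IncludeManagementEvents": True,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": [f"arn:aws:s3:::{b}/" for b in data_buckets],
        }],
    }]

def read_data_events_enabled(selectors):
    """True if any selector with data resources logs reads (ReadOnly, or All,
    which is CloudTrail's default when ReadWriteType is omitted)."""
    return any(
        bool(s.get("DataResources")) and s.get("ReadWriteType", "All") != "WriteOnly"
        for s in selectors
    )

def build_s3_notification(function_arn, prefix=None):
    """S3 -> Lambda trigger for 'All object create events' with an optional key prefix."""
    cfg = {"LambdaFunctionArn": function_arn, "Events": ["s3:ObjectCreated:*"]}
    if prefix:
        cfg["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
    return {"LambdaFunctionConfigurations": [cfg]}

if __name__ == "__main__":
    selectors = build_event_selectors(["example-app-data"])
    assert not read_data_events_enabled(selectors)  # guard against the loop
    with open("selectors.json", "w") as f:
        json.dump(selectors, f, indent=2)
    with open("notification.json", "w") as f:
        json.dump(build_s3_notification(FORWARDER_ARN, LOG_PREFIX), f, indent=2)
    print(f"aws cloudtrail put-event-selectors --trail-name {TRAIL_NAME} "
          "--event-selectors file://selectors.json")
    print(f"aws s3api put-bucket-notification-configuration --bucket {CLOUDTRAIL_BUCKET} "
          "--notification-configuration file://notification.json")
```

put-bucket-notification-configuration replaces the bucket's entire notification configuration, so any trigger already on the bucket must be included in notification.json or it will be dropped.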

For more about which AWS services send events to CloudTrail, see CloudTrail Supported Services and Integrations.