❗ Before you can configure the AWS CloudTrail integration, you must first complete the steps to set up the overall AWS integration. Please see our AWS guide here.
Introduction
Using a single connector to AWS gives you the flexibility to extend access to any of the products within the AWS family. We have a number of off-the-shelf checks for AWS CloudTrail and have listed the most common checks, together with the IAM permissions each one requires, below. We also build configured and custom checks tailored to our clients; if you have a requirement that is not satisfied by the checks below, please reach out to your implementation lead!
At least one CloudTrail trail should be enabled
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus"
      ],
      "Resource": "*"
    }
  ]
}
CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudtrail:DescribeTrails",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:GetTrailStatus",
        "cloudtrail:GetEventSelectors"
      ],
      "Resource": [
        "arn:aws:cloudtrail:*:ACCOUNT_ID:trail/*"
      ]
    }
  ]
}
CloudTrail should have encryption at-rest enabled
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudtrail:DescribeTrails",
      "Resource": "*"
    }
  ]
}
CloudTrail log file validation should be enabled
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudtrail:DescribeTrails",
      "Resource": "*"
    }
  ]
}
CloudTrail trails should be integrated with Amazon CloudWatch Logs
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudtrail:DescribeTrails",
      "Resource": "*"
    }
  ]
}
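The following is an added example, not the vendor's own check implementation, showing how all five checks above can be evaluated from the three CloudTrail API calls the policies grant (DescribeTrails, GetTrailStatus, GetEventSelectors). It operates on the plain dict shapes boto3 returns for those calls, so it runs offline against the constructed sample trails embedded below; the account id, trail names and ARNs in the sample are placeholders. The collect_records helper shows how the same logic would be fed live data and assumes a boto3 CloudTrail client is passed in.

```python
"""Evaluate the CloudTrail checks listed above against CloudTrail API responses.

Added example (not the vendor's check code). Each record bundles the three
responses the IAM policies above allow for one trail:
  {"trail": <DescribeTrails entry>, "status": <GetTrailStatus>,
   "selectors": <GetEventSelectors>}
"""
from __future__ import annotations

from typing import Any, Callable, Dict, List

Record = Dict[str, Any]

# Constructed sample data: one compliant multi-region trail and one legacy
# single-region trail that fails the per-trail hardening checks.
ACCOUNT = "111122223333"  # placeholder account id
SAMPLE_RECORDS: List[Record] = [
    {
        "trail": {
            "Name": "org-trail",
            "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail",
            "IsMultiRegionTrail": True,
            "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID",
            "LogFileValidationEnabled": True,
            "CloudWatchLogsLogGroupArn": f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:cloudtrail:*",
            "CloudWatchLogsRoleArn": f"arn:aws:iam::{ACCOUNT}:role/CloudTrailToCloudWatch",
        },
        "status": {"IsLogging": True},
        "selectors": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    },
    {
        "trail": {
            "Name": "legacy-trail",
            "TrailARN": f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/legacy-trail",
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
        },
        "status": {"IsLogging": True},
        "selectors": {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    },
]


def _is_logging(rec: Record) -> bool:
    return bool(rec["status"].get("IsLogging"))


def _captures_all_management_events(rec: Record) -> bool:
    """True if the trail records both read and write management events.

    Basic selectors: IncludeManagementEvents with ReadWriteType "All".
    Advanced selectors: eventCategory equals Management and no readOnly
    filter (an absent readOnly field means reads and writes are both kept).
    """
    sel = rec["selectors"]
    for s in sel.get("EventSelectors", []):
        if s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All":
            return True
    for adv in sel.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") == ["Management"] and "readOnly" not in fields:
            return True
    return False


# Per-trail predicates for the three checks that apply to every trail.
def trail_encrypted_at_rest(rec: Record) -> bool:
    return bool(rec["trail"].get("KmsKeyId"))


def trail_log_validation_enabled(rec: Record) -> bool:
    return bool(rec["trail"].get("LogFileValidationEnabled"))


def trail_sends_to_cloudwatch(rec: Record) -> bool:
    t = rec["trail"]
    return bool(t.get("CloudWatchLogsLogGroupArn")) and bool(t.get("CloudWatchLogsRoleArn"))


def failing_trails(records: List[Record], predicate: Callable[[Record], bool]) -> List[str]:
    return [r["trail"]["Name"] for r in records if not predicate(r)]


# Account-level checks.
def check_any_trail_enabled(records: List[Record]) -> bool:
    return any(_is_logging(r) for r in records)


def check_multi_region_management_trail(records: List[Record]) -> bool:
    return any(
        r["trail"].get("IsMultiRegionTrail") and _is_logging(r) and _captures_all_management_events(r)
        for r in records
    )


def evaluate(records: List[Record]) -> Dict[str, Any]:
    """Pass/fail per check; per-trail checks also name the offending trails."""
    report: Dict[str, Any] = {
        "at_least_one_trail_enabled": check_any_trail_enabled(records),
        "multi_region_trail_with_rw_management_events": check_multi_region_management_trail(records),
    }
    per_trail = {
        "encryption_at_rest": trail_encrypted_at_rest,
        "log_file_validation": trail_log_validation_enabled,
        "cloudwatch_logs_integration": trail_sends_to_cloudwatch,
    }
    for name, pred in per_trail.items():
        failing = failing_trails(records, pred)
        report[name] = {"passed": not failing, "failing_trails": failing}
    return report


def collect_records(client: Any) -> List[Record]:
    """Live variant: pass boto3.client("cloudtrail"); needs only the permissions above.
    Multi-region trails are returned once per region as shadow trails with the
    same ARN, so results are de-duplicated by TrailARN."""
    seen, records = set(), []
    for trail in client.describe_trails()["trailList"]:
        arn = trail["TrailARN"]
        if arn in seen:
            continue
        seen.add(arn)
        records.append({
            "trail": trail,
            "status": client.get_trail_status(Name=arn),
            "selectors": client.get_event_selectors(TrailName=arn),
        })
    return records


if __name__ == "__main__":
    for check, result in evaluate(SAMPLE_RECORDS).items():
        print(f"{check}: {result}")
```

On the sample data the two account-level checks pass because of org-trail, while the three per-trail checks fail and name legacy-trail; that mirrors how the checks above are scoped: "at least one trail" and "at least one multi-Region trail" are satisfied by any single compliant trail, whereas encryption, log file validation and CloudWatch Logs integration are expected on every trail.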