Comment on page
🏗
Cloudtrail logs
We can provide you with a variety of AWS related detections and investigation tools out of the box. The CloudTrail SIEM can:
- 1.Ingest and index logs for search.
- 2.Understand how your AWS environment is being used.
- 3.Generate least privilege AWS access policies.
We consume your CloudTrail logs by receiving them in our S3 bucket.
First, let us know we'll be receiving your CloudTrail logs by telling us which AWS accounts you'll be sending CloudTrail logs from using the following command:
$ runreveal sources cloudtrail add -a 012345678901,012345678902
Next, there's only 1 step in the AWS Console, and then you're setup! 🎉 Incredible right? Imagine what you could do with all the additional time you have now. Maybe start a new hobby?
The following change can also be made with Terraform, Pulumi, or other configuration management tools.
- Give your trail a name.
runrevealas a name works great! - Select
Use Existing S3 Bucketand setrunrevealas the trail log bucket name. - Disable SSE-KMS encryption. This is *required* for the simple setup. Encryption is something we can support at the enterprise tier.
We also support consuming CloudTrail logs using the S3 SNS notification delivery log.
First, run this command passing in the name of the bucket containing your CloudTrail logs:
$ runreveal sources cloudtrail add -b YOUR_BUCKET_NAME
Then, follow this guide to configure the SNS notifications and IAM permissions for your S3 bucket containing your CloudTrail logs: Logs in Amazon S3
Last modified 4mo ago