Teleport Cloud Audit Logs
Teleport Cloud emits these logs to an S3 bucket. The setup process on the Teleport Cloud side differs slightly from other providers: Teleport will ask you to run several commands in AWS CloudShell to create a collection of Teleport buckets.
Ingest Methods
Set up the ingestion of this source using one of the following guides.
If you are using the AWS External Audit Storage method for sending Teleport logs to AWS, perform the necessary setup first before finishing the RunReveal ingestion steps.
If using an AWS S3 bucket, use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_teleport
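One way to wire up the bucket notification described above with the AWS CLI, as an added example that is not part of the original RunReveal or Teleport documentation. The `s3:ObjectCreated:*` event type, the function names, and passing the bucket name as the first argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example: point an S3 bucket's event notifications at the RunReveal
# Teleport SNS topic. Bucket name and event type are assumptions.
RUNREVEAL_ACCOUNT="253602268883"      # account ID from the ARN on this page
RUNREVEAL_TOPIC="runreveal_teleport"  # topic name from the ARN on this page

# Build the topic ARN for a region, rejecting anything that is not
# region-shaped so a typo cannot route notifications somewhere unexpected.
topic_arn() {
  local region="$1"
  case "$region" in
    ''|*[!a-z0-9-]*) echo "invalid region: $region" >&2; return 1 ;;
  esac
  printf '%s' "$region" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$' || {
    echo "invalid region: $region" >&2; return 1; }
  printf 'arn:aws:sns:%s:%s:%s' "$region" "$RUNREVEAL_ACCOUNT" "$RUNREVEAL_TOPIC"
}

# Render the notification configuration document.
# Assumption: only object-creation events need to be forwarded.
notification_json() {
  local arn
  arn="$(topic_arn "$1")" || return 1
  printf '{"TopicConfigurations":[{"TopicArn":"%s","Events":["s3:ObjectCreated:*"]}]}' "$arn"
}

# Apply it. S3 requires the SNS topic to be in the bucket's region, so the
# region is looked up from the bucket instead of being taken from the caller.
apply_notification() {
  local bucket="$1" region cfg
  region="$(aws s3api get-bucket-location --bucket "$bucket" \
            --query LocationConstraint --output text)" || return 1
  # Buckets in us-east-1 report no location constraint ("None").
  if [ "$region" = "None" ]; then region="us-east-1"; fi
  cfg="$(notification_json "$region")" || return 1
  aws s3api put-bucket-notification-configuration \
    --bucket "$bucket" --notification-configuration "$cfg"
}

# Only runs when a bucket name is passed on the command line.
if [ "$#" -ge 1 ]; then
  apply_notification "$1"
fi
```

`put-bucket-notification-configuration` replaces the bucket's entire notification configuration, so merge any existing entries into the document before applying it.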
Setup
Teleport offers first-party support for sending events to AWS. Otherwise, you will need to set up your Teleport account to forward events to your cloud storage account, most likely using their fluentd guide.
AWS External Audit Storage
At the end of the process you should have a new bucket called something like:
xxxxxxxx-longterm-zzzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
This is the bucket you'll provide RunReveal with access to.
Their docs are available online, but under Enroll New Integration, you'll need to set up a new AWS External Audit Storage integration.
As part of the setup process, you'll provide Teleport with a name for your integration, the IAM role name you'd like Teleport to create, the bucket name you'd like Teleport to create, and the bucket prefix.
Once you provide this information, you'll be given an Amazon CloudShell command to run. This will create the role and the bucket within your AWS account. You then provide Teleport with your role's name, including the AWS account ID.
Once you provide Teleport with this information, they will ask you to continue with the integration by running an Amazon CloudShell command one final time to provision your buckets, and finally to test the connection.