Source Onboard Prerequisites
AWS Cloudtrail
To onboard any use case that relies on AWS Cloudtrail data as a source, we need to configure the source from the Use case page itself. However, before moving on to the source onboarding flow, we need to have some prerequisite information handy.
Since AWS Cloudtrail data is populated in an S3 Bucket, we need to pull that data from the cloud through SQS. To achieve this data flow, we need to create resources such as SQS, SNS, Roles and Policies on the AWS Cloud.
Prerequisites:
IAM User creation on the AWS account that needs to be onboarded.
AWS Cloudtrail Integration Connection
S3 ARN for bucket having Cloudtrail data
IAM User creation
A user needs to be created on the AWS account that needs to be onboarded, with the following policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sns:TagResource",
                "iam:GetRole",
                "sqs:ChangeMessageVisibility",
                "sns:GetTopicAttributes",
                "sns:DeleteTopic",
                "iam:TagRole",
                "sns:CreateTopic",
                "sns:Unsubscribe",
                "iam:CreateRole",
                "iam:DeleteRole",
                "sns:SetTopicAttributes",
                "sqs:GetQueueAttributes",
                "iam:PutRolePolicy",
                "cloudformation:DescribeStacks",
                "sqs:TagQueue",
                "cloudformation:CreateStack",
                "iam:DeleteRolePolicy",
                "sqs:DeleteQueue",
                "sns:Subscribe",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes",
                "cloudtrail:DescribeTrails",
                "s3:PutBucketNotification"
            ],
            "Resource": "*"
        }
    ]
}
AWS Cloudtrail Integration Connection
If you haven't created an Integration connection yet, you can create one during the onboarding process itself by selecting "New Connection" in the "Connection to AWS" drop-down. An Integration connection creation form will open, which needs to be filled in.
Label: Name to be given to the Integration connection.
Access Key: AWS Access Key of the IAM User created previously.
Secret Key: AWS Secret Key of the IAM User created previously.
Region: AWS Region of the S3 Bucket having Cloudtrail data.
S3 ARN for Cloudtrail Bucket
To get the ARN of the S3 Bucket:
Go to S3
Click on your cloudtrail bucket
Go to Properties Tab
In the Bucket Overview section, Amazon Resource Name (ARN) will be present.
Take a note of this ARN, and provide this detail during the source onboarding process.
Note: Make sure the S3 bucket you are using does not have any existing Event notifications set up. This may lead to failure, as AWS does not allow multiple event notifications on overlapping prefixes.
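One way to check the note above before onboarding, as an added example that is not part of the original page or the product's own code: the function takes the JSON printed by `aws s3api get-bucket-notification-configuration` and lists existing notifications that would overlap a planned one. The planned prefix and the `s3:ObjectCreated:*` event are assumptions, since the page does not state what the onboarding flow configures; any non-empty configuration already fails the page's stricter prerequisite.

```python
# Added example: offline check of an S3 bucket notification configuration.
# Input has the shape printed by:
#   aws s3api get-bucket-notification-configuration --bucket <bucket-name>
CONFIG_KEYS = ("TopicConfigurations", "QueueConfigurations",
               "LambdaFunctionConfigurations")

# Constructed sample, not taken from a real account.
SAMPLE = {
    "LambdaFunctionConfigurations": [{
        "Id": "existing-trail-processor",
        "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:example",
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [
            {"Name": "Prefix", "Value": "AWSLogs/111122223333/CloudTrail/"}]}},
    }],
    "TopicConfigurations": [{
        "Id": "export-cleanup",
        "TopicArn": "arn:aws:sns:us-east-1:111122223333:example",
        "Events": ["s3:ObjectRemoved:*"],
    }],
}

def _filters(cfg):
    """Return (prefix, suffix); a missing rule means '' (matches every key)."""
    rules = cfg.get("Filter", {}).get("Key", {}).get("FilterRules", [])
    found = {r["Name"].lower(): r["Value"] for r in rules}
    return found.get("prefix", ""), found.get("suffix", "")

def _match(pattern, event):
    """True if event equals pattern or falls under its trailing wildcard."""
    return event.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == event

def find_conflicts(config, new_prefix="", new_suffix="",
                   new_events=("s3:ObjectCreated:*",)):
    """List existing notifications that would overlap the planned one."""
    conflicts = []
    for key in CONFIG_KEYS:
        for cfg in config.get(key, []):
            prefix, suffix = _filters(cfg)
            prefix_hit = prefix.startswith(new_prefix) or new_prefix.startswith(prefix)
            suffix_hit = suffix.endswith(new_suffix) or new_suffix.endswith(suffix)
            shared = [e for e in cfg.get("Events", [])
                      if any(_match(e, n) or _match(n, e) for n in new_events)]
            if prefix_hit and suffix_hit and shared:
                conflicts.append((key, cfg.get("Id", "<no id>"), prefix, shared))
    return conflicts

if __name__ == "__main__":
    for kind, ident, prefix, events in find_conflicts(SAMPLE, new_prefix="AWSLogs/"):
        print(f"conflict: {kind} '{ident}' prefix='{prefix}' events={events}")
```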