# AWS CloudTrail

In this guide, you will configure AWS CloudTrail to forward events and alerts to Radiant Security. CloudTrail logs API activity across your AWS environment.

This guide assumes a clean slate: the service is currently not enabled. If your environment already uses CloudTrail, you can skip some steps. However, make sure to review all **Important note** callouts to ensure your configuration meets Radiant’s integration requirements.

{% hint style="warning" %}
**Important note:** These highlight important configuration details necessary for the setup to function properly. Adjust your environment accordingly.
{% endhint %}

### Prerequisites

This configuration requires the following:

* [ ] AWS user permissions to create and update the following resources: IAM, CloudTrail, SNS, and KMS
* [ ] Group all CloudTrail Logs into one account for event collection

### Configuration in AWS

Before [configuring the connector on the Radiant Security](#create-the-credentials-and-enable-the-data-connector) app, you must set up CloudTrail and create an IAM Role on AWS.

### **Create and configure AWS CloudTrail**

Amazon CloudTrail is a service provided by AWS that allows you to enable logging of AWS API calls. This is useful for auditing, compliance, and security purposes. Below are the general steps for creating and configuring AWS CloudTrail.

{% hint style="info" %}
**Note**: The ARN of S3, SNS, and KMS (if enabled) will be used when configuring the IAM role and the Radiant Security connector. Be sure to copy and store those values.
{% endhint %}

{% hint style="info" %}
**Note**: You need to perform this step using the **Management Account** of your AWS Organization, or an account that is a **Delegated Administrator for AWS Organizations**. Otherwise, the **Enable for all accounts in my organization** checkbox won't be available.
{% endhint %}

1. Sign in to the **AWS Management Console**.
2. Navigate to **CloudTrail**.
3. On the CloudTrail service home page, select **Create trail.**
4. In the **Choose trail attributes** page, configure the trail with the following required settings:
   * Enter a name for your trail. We suggest `management-events`.
   * Select the **Enable for all accounts in my organization** checkbox. This will gather logs from all accounts. This option is available only to administrator accounts.
   * For **Storage location**, choose where to store the logs. You can create a new S3 bucket or use an existing bucket.
   * Optionally, if you'd like to enable log encryption, select the **Log file SSE-KMS encryption** checkbox. Choose to create a **New** KMS alias. We suggest naming it `cloudtrail-log-encryption`.
   * Under **Additional settings**, enable **SNS notification delivery** by selecting the checkbox. Choose to create a **New** SNS topic.

<div align="left"><figure><img src="/files/doPCG3F2QMz3jX6wD0EQ" alt="" width="375"><figcaption></figcaption></figure></div>

{% hint style="warning" %}
**Important note**: Ensure that the **Enable for all accounts in my organization** checkbox is selected. If you choose to use an existing S3 bucket, KMS key, or SNS topic, make sure that each has a resource policy that allows CloudTrail to perform the necessary actions, such as writing and encrypting log files in the bucket and publishing to the SNS topic.

By creating those resources during this configuration, AWS will take care of those permissions.
{% endhint %}

5. Now, you'll need to configure the log events:

* On the **Choose log events** page, under **Events** select the **Management events** and **Data events** checkboxes. While selecting **Data events** is optional, we recommend enabling it to improve RCA/Investigation.

<div align="left"><figure><img src="/files/3RHSGRTibDklLgrT8bdN" alt="" width="563"><figcaption></figcaption></figure></div>

* For **Management events,** under **API activity** select the **Read** and **Write** checkboxes.

<div align="left"><figure><img src="/files/gXjbmIHwUafNnylLhxzo" alt="" width="563"><figcaption></figcaption></figure></div>

* For **Data events**, under **Data event type** select **S3** from the drop-down. In the **Log selector template**, select **Log all events** from the drop-down. Alternatively, you can select the specific S3 events you want to monitor.

<div align="left"><figure><img src="/files/16UIYnyPyfC0NO6Dhrg2" alt="" width="375"><figcaption></figcaption></figure></div>

6. Review the settings you've chosen for your trail. When you're ready to create your trail, click **Create trail.**

{% hint style="success" %}
**Tip:** For more details on how to create a trail, you can review the AWS documentation on [creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html).
{% endhint %}

### **Create the credentials and enable the data connector**

Next, you'll add the necessary credentials and enable the AWS data connector so that Radiant Security can automatically subscribe to the SNS topic and collect the CloudTrail logs. The following steps outline how to add the credentials and enable the data connector.

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. Navigate to **Settings** on the sidebar.
3. From the navigation menu, click **Settings** > **Services** > **Credentials**.
4. Click **+ Add Credential**.
5. From the list of credentials, select **Amazon Web Services** and click **Credentials**.
6. Enter a **Credential Name** and fill in all of the fields with the respective values. Add the following values you saved from the previous steps:
   * **SNS Topic Name for CloudTrail**
7. Return to the **Settings** page and click **Data Connectors**.
8. Click **+ Add Connector**.
9. Search for and select the **Amazon Web Services** option and then click **Data Feeds**.
10. Select **Amazon Web Services CloudTrail.**
11. Select the credentials of this vendor from the drop-down.
12. Click **Add Connector** to save the connector.
13. Return to the **Settings** page. In **Data Connectors**, search for **Amazon Web Services**.
14. Click **View Details** and copy the **AWS External Role ID**. You'll use this value for the creation of the IAM role in the upcoming steps.

{% hint style="info" %}
**Note:** Save the **AWS External Role ID** to use in the upcoming IAM role steps. You'll replace the `${RS_CREDENTIAL_ID}` variable in the custom trust policy with this ID.
{% endhint %}

### Create and configure the IAM roles

Finally, you'll create and configure an Identity and Access Management (IAM) role in AWS that grants Radiant Security permission to access your AWS resources. The following steps outline how to create and configure the role.

{% hint style="info" %}
**Note:** The main account role must be configured on the account that will centralize the logs.
{% endhint %}

{% hint style="info" %}
**Note:** In the `EnableCrossAccountLogDecryption` statement, only include the KMS key(s) actually used to encrypt the logs. If none of your resources use KMS, remove that statement entirely.
{% endhint %}

{% hint style="info" %}
**Note:** For each account grouped under this main account, you must create a role and add its ARN to the `AllowAssumeARoleInAnotherOrganizationAccount` statement. Instructions for creating these roles are described in the next step, [Create and configure an IAM Role (Other accounts)](https://help.radiantsecurity.ai/set-up-aws-connectors#other-accounts).
{% endhint %}

1. Sign in to the **AWS Management Console** on the main account.
2. Navigate to **IAM**.
3. Select **Policies** and click **Create Policy**.
4. For **Specify Permission**, select the JSON format and use the JSON below:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListAndGetAllLogFiles",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:s3:::*/*"
            ]
        },
        {
            "Sid": "AllowManagingSNSTopicSubscriptions",
            "Effect": "Allow",
            "Action": [
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:ConfirmSubscription"
            ],
            "Resource": [
                "arn:aws:sns:${REGION}:${AWS_ACCOUNT_ID}:${SNS_NAME_CLOUD_TRAIL}"
            ]
        },
        {
            "Sid": "EnableCrossAccountLogDecryption",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:${REGION}:${AWS_ACCOUNT_ID}:key/${KMS_KEY_CLOUD_TRAIL}"
            ]
        },
        {
            "Sid": "AllowAssumeARoleInAnotherOrganizationAccount",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLES_NAME}",
                ...,
                ...
            ]
        },
        {
            "Sid": "Statement5",
            "Effect": "Allow",
            "Action": [
                "organizations:ListPolicies",
                "organizations:DescribePolicy",
                "organizations:ListPoliciesForTarget",
                "organizations:DescribeResourcePolicy",
                "organizations:DescribeOrganization"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

{% hint style="warning" %}
**Important Note:** Replace all the variables with the ARN values that you copied and saved throughout the onboarding.
{% endhint %}
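Assembling the policy above by hand is where most integration failures come from: a placeholder left unreplaced, a KMS statement kept for a trail that is not encrypted, or a member account whose role ARN never made it into the AssumeRole list. The script below is an added example (not part of this page or of Radiant's tooling) that renders the policy from your saved values and checks that no `${...}` placeholders remain; every account ID, key ID and ARN in it is a constructed sample.

```python
import json
import re

# Constructed sample values, not real identifiers: replace them with the ARNs and
# names you saved while creating the trail and the member-account roles.
REGION = "us-east-1"
MAIN_ACCOUNT_ID = "111111111111"
SNS_NAME_CLOUD_TRAIL = "management-events"
KMS_KEY_CLOUD_TRAIL = "11111111-2222-3333-4444-555555555555"  # None when logs are not encrypted
MEMBER_ROLE_ARNS = [
    "arn:aws:iam::222222222222:role/radiant-aws-access-role",
    "arn:aws:iam::333333333333:role/radiant-aws-access-role",
]

def build_permission_policy(region, account_id, sns_name, member_role_arns, kms_key_id=None):
    """Render the main-account policy from this page: the KMS statement is included only
    when a key is in use, and each member-account role becomes one AssumeRole resource."""
    statements = [
        {"Sid": "AllowListAndGetAllLogFiles", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*"],
         "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]},
        {"Sid": "AllowManagingSNSTopicSubscriptions", "Effect": "Allow",
         "Action": ["sns:Subscribe", "sns:Unsubscribe", "sns:ConfirmSubscription"],
         "Resource": [f"arn:aws:sns:{region}:{account_id}:{sns_name}"]},
    ]
    if kms_key_id:  # no KMS in use: drop the decrypt statement rather than leave a placeholder
        statements.append({"Sid": "EnableCrossAccountLogDecryption", "Effect": "Allow",
                           "Action": ["kms:Decrypt"],
                           "Resource": [f"arn:aws:kms:{region}:{account_id}:key/{kms_key_id}"]})
    if member_role_arns:  # an empty Resource list is not valid IAM, so skip when there are none
        statements.append({"Sid": "AllowAssumeARoleInAnotherOrganizationAccount", "Effect": "Allow",
                           "Action": ["sts:AssumeRole"], "Resource": list(member_role_arns)})
    statements.append({"Sid": "Statement5", "Effect": "Allow",
                       "Action": ["organizations:ListPolicies", "organizations:DescribePolicy",
                                  "organizations:ListPoliciesForTarget",
                                  "organizations:DescribeResourcePolicy",
                                  "organizations:DescribeOrganization"],
                       "Resource": ["*"]})
    return {"Version": "2012-10-17", "Statement": statements}

def unresolved_placeholders(policy):
    """Return any ${VARIABLE} placeholders still present in the rendered policy; they
    would never match a real resource, so this list must be empty before you paste it."""
    return sorted(set(re.findall(r"\$\{[A-Z_]+\}", json.dumps(policy))))

if __name__ == "__main__":
    policy = build_permission_policy(REGION, MAIN_ACCOUNT_ID, SNS_NAME_CLOUD_TRAIL,
                                     MEMBER_ROLE_ARNS, KMS_KEY_CLOUD_TRAIL)
    assert unresolved_placeholders(policy) == []
    print(json.dumps(policy, indent=4))
```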

5. Enter a **Policy name,** review the settings, and create the policy.

<div align="left"><figure><img src="/files/DJzpiXpu19ugbMh0CXV8" alt=""><figcaption></figcaption></figure></div>

6. Go to the **Roles** page and click **Create role**.
7. On the **Select trusted entity** page, select the following:

* For **Trusted entity type**, select **Custom trust policy** to allow Radiant Security to use this role to access the account.

<div align="left"><figure><img src="/files/5YvFeWXxRGyweOBRnAOJ" alt="" width="563"><figcaption></figcaption></figure></div>

* For **Custom trust policy**, add the following JSON in the text box, making sure to replace `${RS_CREDENTIAL_ID}` with the value shown on the Radiant Security connector's details page:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeRadiantSecurity",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "${RS_CREDENTIAL_ID}"
                }
            }
        }
    ]
}
```

This line: `"AWS": "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"` might be highlighted as an error in the AWS console. However, you can still save and use this policy.
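The `sts:ExternalId` condition is what stops a third party who knows your account ID from getting Radiant's principal to assume this role on their behalf (the confused-deputy problem), so it is worth checking the pasted policy before saving. The following is an added example, not code from this page or from Radiant: it builds the trust policy above and flags the deviations that matter, using a constructed external ID in place of your real **AWS External Role ID**.

```python
# Principal is the one shown on this page; the external ID below is a constructed
# placeholder for the value copied from the connector's "AWS External Role ID" field.
RADIANT_PRINCIPAL = "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"
RS_CREDENTIAL_ID = "11111111-2222-3333-4444-555555555555"  # constructed, not a real ID

def build_trust_policy(external_id, principal=RADIANT_PRINCIPAL):
    """Return the trust policy from this page with the external ID filled in."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AssumeRadiantSecurity",
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def trust_policy_problems(policy, expected_external_id):
    """List deviations from the expected trust policy. A missing or wrong ExternalId, or a
    broader principal, would let a party other than your Radiant tenant assume the role."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue  # only AssumeRole grants can hand the role to someone
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal != RADIANT_PRINCIPAL:
            problems.append(f"unexpected principal {principal!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition")
        elif ext.startswith("${"):
            problems.append("placeholder external ID not replaced")
        elif ext != expected_external_id:
            problems.append("external ID does not match the connector's value")
    return problems

if __name__ == "__main__":
    policy = build_trust_policy(RS_CREDENTIAL_ID)
    print(trust_policy_problems(policy, RS_CREDENTIAL_ID))  # []
```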

8. On the **Add permissions** page, find and select the policy for the role.

<figure><img src="/files/aoj4hzyJPZhShrQOEe6R" alt=""><figcaption></figcaption></figure>

9. Set the name to be `radiant-aws-access-role`, review and save the role.

<figure><img src="/files/FXwJdPxm0odSHEZPqcsT" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Note:** Our platform enforces this role name for security reasons.
{% endhint %}

### Permissions

| Service | Action                  | Account | Used by    | Purpose                                                      |
| ------- | ----------------------- | ------- | ---------- | ------------------------------------------------------------ |
| S3      | s3:Get\*                | All     | CloudTrail | Allows access to files and information from buckets.         |
| S3      | s3:List\*               | All     | CloudTrail | Allows listing all buckets and files.                        |
| SNS     | sns:Subscribe           | Main    | CloudTrail | Allows our queue to subscribe to the SNS topic.              |
| SNS     | sns:Unsubscribe         | Main    | CloudTrail | Allows our queue to unsubscribe from the SNS topic.          |
| SNS     | sns:ConfirmSubscription | Main    | CloudTrail | Allows confirming the subscription.                          |
| KMS     | kms:Decrypt             | Main    | CloudTrail | Allows using the key to decrypt log files.                   |
| STS     | sts:AssumeRole          | Main    | CloudTrail | Allows assuming a role in other accounts in the organization. |

### Verify ingestion

After AWS CloudTrail begins forwarding, confirm events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"aws_cloudtrail"`.
3. Confirm recent alerts and events appear.

{% hint style="info" %}
Allow several minutes for events to be parsed, indexed, and available for search.
{% endhint %}
