Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=CloudTrailScript

AWS CloudTrail integration script

DeprecatedAPI Public Cloud

  • AWS integration update

    This AWS integration will be retired in the future and should no longer be used. We recommend that you migrate to Sophos Cloud Optix to take advantage of its advanced capabilities.

    Use Sophos Cloud Optix to integrate AWS to Sophos Central. For more information, see Sophos Cloud Optix.

You must have the Public Cloud integrations license pack to use this feature.

To integrate AWS CloudTrail logs with Sophos Central, you download a customized script and run it using AWS CLI or AWS CloudShell.

The script uses the following variables.

Variable Description Value
MANAGE_ACCOUNT_TOKEN Access token used to add or delete requests. Randomly generated for customer.
SEND_DATA_TOKEN Access token used to send data. Randomly generated for customer.
EXTERNAL_ID External ID for trust relationship between Sophos AWS account and SophosCloudtrailRole role created by Sophos in customer environment. Randomly generated for customer.
SETUP_TYPE Specifies whether customer is using AWS Organizations or an ordinary account. ORGANIZATION or ACCOUNT
CLOUDTRAIL_S3_RETENTION How long data in CloudTrail S3 bucket is kept. Default is 365 days.
AWS_DEFAULT_REGION Default region for creation and use of AWS resources. Variable only used if you don't select a region.
BASE_URL URL of appliance. Data from the customer's environment is pushed to this location. https://http-collector.cloudstation.eu-west-1.dev.hydra.sophos.com.
USE_EXISTING_TRAIL_SETUP Use existing trail bucket setup or create a new one. Variable only used if option selected. It is then set to true.
CLOUDTRAIL_BUCKET_NAME Name of S3 bucket if an existing setup is used. Variable only used if USE_EXISTING_TRAIL_SETUP=true.
CLOUDTRAIL_BUCKET_FOLDER Name of S3 bucket folder if an existing setup is used. Variable only used if USE_EXISTING_TRAIL_SETUP=true.
CLOUDTRAIL_SNS_TOPIC Name of SNS topic if an existing setup is used. Variable only used if USE_EXISTING_TRAIL_SETUP=true.
TARGET_ACCOUNT Account ID of Sophos account that reads the CloudTrail S3 bucket. Used to set up trust relationship. Value created by Sophos.