
Integrate an existing AWS CloudTrail

You must have the Public Cloud integrations license pack to use this feature.

If you want to integrate an existing AWS CloudTrail with Sophos Central, you must configure it first.

To check and configure your trail, do as follows.

Review your trail

  1. In AWS, go to your CloudTrail dashboard and copy your export bucket name.

    You need this bucket name to configure the SNS topic access policy, and again in Sophos Central later.

  2. You can also copy the S3 bucket prefix to use later. Bucket prefixes are optional.

    For more detail on S3 bucket prefixes, see the steps on creating a new bucket in Amazon's help: Creating a Trail.

    The following screenshot shows how to select the bucket name and bucket prefix.

    Screenshot showing sections of CloudTrail location to copy for bucket name and prefix.

Configure SNS topic and access policy

  1. In AWS, create an SNS topic in the same region as the S3 bucket that your CloudTrail exports to, or edit an existing SNS topic in that region.
  2. Copy the name of this SNS topic.
  3. In the JSON editor, specify the access policy as follows:

    1. Replace the Resource value with the SNS ARN you are using.
    2. Replace the bucket name in Condition with the CloudTrail bucket name you copied earlier.

      The following screenshot shows an SNS topic JSON editor with the lines to be customized.

      Screenshot showing SNS topic JSON editor with lines to be customized.

      In AWS the access policy is shown as optional, but it isn't optional for the Sophos Central integration. The policy is what allows S3 to publish to the topic, so it is required to set up S3 bucket notifications.

  4. Save the SNS topic.

Configure S3 bucket notifications

  1. In AWS, go to your S3 bucket.
  2. To set up a new notification event, select Properties > Events > Add notification.
  3. Check that the bucket doesn't already have a notification configured for CloudTrail object create events. S3 rejects a new notification whose prefix and suffix overlap with an existing one for the same event type.
  4. Enter a name for the notification event.
  5. Select All object create events.
  6. Enter .json.gz as the Suffix value.
  7. To create your Prefix value, enter the bucket prefix you copied earlier, then /AWSLogs/, then your account ID, then /CloudTrail/. If your trail has no bucket prefix, start the value at AWSLogs/.

    The format must be: <Bucket prefix>/AWSLogs/<AccountId>/CloudTrail/

    Prefix matching in S3 is case-sensitive, so keep the casing of AWSLogs and CloudTrail exactly as shown.

    If you're using an AWS Organizations managed CloudTrail, or you're exporting CloudTrails from multiple accounts into a single account, you must create a separate event for each account ID.

  8. Set Send to to SNS and choose the SNS topic you created earlier.

    The following screenshot shows the Events menu settings.

    Screenshot showing Events menu settings.

  9. Click Save.

    The new notification now appears in your S3 bucket properties.
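The SNS access policy and the per-account S3 notification filters from the two sections above, as an added worked example (not Sophos's or AWS's own code). The policy shape (service principal s3.amazonaws.com, SNS:Publish, aws:SourceArn condition) is the standard one for letting S3 publish to SNS and is assumed here because the page only shows it as a screenshot; the topic ARN, bucket name, prefix and account IDs are constructed placeholders. The key-matching check lets you confirm, offline, which object keys a given configuration would forward.

```python
import re

# Constructed placeholder values; substitute your own topic ARN, bucket and accounts.
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:cloudtrail-to-sophos"
CLOUDTRAIL_BUCKET = "example-cloudtrail-export"
BUCKET_PREFIX = "prod"  # optional S3 bucket prefix from the trail; "" if none
ACCOUNT_IDS = ["111111111111", "222222222222"]  # one notification per account

def sns_access_policy(topic_arn: str, bucket: str) -> dict:
    """Topic policy that lets S3 publish to the topic, restricted to one source bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,  # the SNS ARN the page tells you to paste in
            "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket}"}},
        }],
    }

def notification_prefix(bucket_prefix: str, account_id: str) -> str:
    """Build <Bucket prefix>/AWSLogs/<AccountId>/CloudTrail/ (prefix part optional)."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"AWS account ID must be 12 digits: {account_id!r}")
    base = bucket_prefix.strip("/")
    return (base + "/" if base else "") + f"AWSLogs/{account_id}/CloudTrail/"

def notification_configuration(topic_arn: str, bucket_prefix: str, account_ids) -> dict:
    """One 'all object create events' notification per account ID, .json.gz keys only."""
    return {"TopicConfigurations": [{
        "Id": f"cloudtrail-{acct}",
        "TopicArn": topic_arn,
        "Events": ["s3:ObjectCreated:*"],
        "Filter": {"Key": {"FilterRules": [
            {"Name": "prefix", "Value": notification_prefix(bucket_prefix, acct)},
            {"Name": "suffix", "Value": ".json.gz"},
        ]}},
    } for acct in account_ids]}

def key_matches(config: dict, key: str) -> bool:
    """Would this object key fire any configured notification? Case-sensitive, as in S3."""
    for tc in config["TopicConfigurations"]:
        rules = {r["Name"]: r["Value"] for r in tc["Filter"]["Key"]["FilterRules"]}
        if key.startswith(rules["prefix"]) and key.endswith(rules["suffix"]):
            return True
    return False
```

The trailing slash in the prefix is what keeps the CloudTrail-Digest folder out, and a lowercase "cloudtrail" in the prefix would match nothing.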

Go to Sophos Central and continue integrating your AWS CloudTrail.