Use an existing AWS CloudTrail

If you want to add an AWS environment to Sophos Cloud Optix using an existing CloudTrail, not a new one, you must configure it first.

To check and configure your trail, do as follows.

Review your trail

  1. In AWS, go to your CloudTrail dashboard and copy your export bucket name.

    You use this bucket name to configure the SNS topic, and again later in Sophos Cloud Optix.

  2. You can also copy the S3 bucket prefix to use later. Bucket prefixes are optional.

    For more detail on S3 bucket prefixes, see the steps on creating a new bucket in Creating a Trail.

    This example shows how to select the bucket name and bucket prefix.

    Screenshot showing sections of CloudTrail location to copy for bucket name and prefix in Optix.

Configure SNS topic and access policy

  1. In AWS, create an SNS topic in the same region where your S3 bucket is used to export CloudTrail, or edit an existing SNS topic.
  2. Copy the name of this SNS topic.
  3. In the JSON editor, specify the access policy as follows:

    1. Copy the following JSON code.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "__default_statement_ID",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "s3.amazonaws.com"
                  },
                  "Action": [
                      "SNS:Publish"
                  ],
                  "Resource": "arn:aws:sns:us-west-1:%ACCOUNT_ID%:%SNS_TOPIC_NAME%",
                  "Condition": {
                      "StringEquals": {
                          "AWS:SourceArn": "arn:aws:s3:::%S3_BUCKET_NAME%"
                      }
                  }
              }
          ]
      }

    2. Replace the Resource value with the SNS ARN you are using.

    3. Replace the bucket name in Condition with the CloudTrail bucket name you copied earlier.

      Here's an example.

      Screenshot showing SNS topic JSON editor with lines to be customized.

      In AWS, the access policy is shown as optional, but it isn't optional for Sophos Cloud Optix: it is required to set up S3 bucket notifications.

  4. Save the SNS topic.

Configure S3 bucket notifications

  1. In AWS, go to your S3 bucket.
  2. To set up a new notification event, select Properties > Events > Add notification.
  3. Check that you don't have any existing notifications set on CloudTrail create events.
  4. Enter a name for the notification event.
  5. Select All object create events.
  6. Enter .json.gz as the Suffix value.
  7. To create your Prefix value, enter the bucket prefix you copied earlier, then /AWSLogs/, then your account ID, then /CloudTrail/.

    The format must be: <Bucket prefix>/AWSLogs/<AccountId>/CloudTrail/

    If you are using an AWS Organizations managed CloudTrail, or you are exporting CloudTrails from multiple accounts into a single account, you must leave the prefix blank, or create a separate event for each account ID.

  8. Set the Send to field to SNS and select the name of the SNS topic you created earlier. Here's an example.

    Screenshot showing Events menu settings.

  9. Click Save.

Success notifications now appear in your S3 bucket properties.
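As an added example (not part of this page, and not Sophos or AWS code), the following Python builds the two documents the SNS and S3 procedures above describe: the SNS access policy with %ACCOUNT_ID%, %SNS_TOPIC_NAME% and %S3_BUCKET_NAME% filled in, and the S3 notification configuration with the prefix and .json.gz suffix filter. It goes slightly beyond the single-account case: it emits one event per account ID when several accounts export into one bucket, or a rule with no prefix filter for an AWS Organizations trail, as the note in step 7 allows. It also checks an access policy for the case where the SourceArn condition is missing, which would let any S3 bucket in any account publish to the topic. The account ID, bucket, topic and region values are constructed placeholders, and the function names are the example's own.

```python
import json
import re

# Constructed placeholder values; replace with your own (not values from the page).
REGION = "us-west-1"
ACCOUNT_ID = "123456789012"
TOPIC_NAME = "cloudoptix-cloudtrail"
BUCKET_NAME = "example-cloudtrail-bucket"

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits


def _check_account_id(account_id):
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")


def sns_access_policy(region, account_id, topic_name, bucket_name):
    """The access policy from the page with its placeholders filled in.
    The SourceArn condition is what limits the publish permission to your
    CloudTrail bucket rather than every S3 bucket in every account."""
    _check_account_id(account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "__default_statement_ID",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": ["SNS:Publish"],
                "Resource": f"arn:aws:sns:{region}:{account_id}:{topic_name}",
                "Condition": {
                    "StringEquals": {"AWS:SourceArn": f"arn:aws:s3:::{bucket_name}"}
                },
            }
        ],
    }


def cloudtrail_prefix(account_id, bucket_prefix=""):
    """Build <Bucket prefix>/AWSLogs/<AccountId>/CloudTrail/ for the S3 event
    filter. With an empty bucket prefix there is no leading slash."""
    _check_account_id(account_id)
    parts = ["AWSLogs", account_id, "CloudTrail"]
    bucket_prefix = bucket_prefix.strip("/")
    if bucket_prefix:
        parts.insert(0, bucket_prefix)
    return "/".join(parts) + "/"


def s3_notification_config(topic_arn, account_ids, bucket_prefix=""):
    """S3 notification configuration for all object create events on .json.gz
    objects, sent to the SNS topic. One TopicConfiguration per account ID
    (a separate event for each account); with no account IDs, a single rule
    without a prefix filter, which is the 'leave the prefix blank' case."""

    def topic_configuration(name, prefix):
        rules = [{"Name": "suffix", "Value": ".json.gz"}]
        if prefix:
            rules.insert(0, {"Name": "prefix", "Value": prefix})
        return {
            "Id": name,
            "TopicArn": topic_arn,
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {"Key": {"FilterRules": rules}},
        }

    if not account_ids:
        return {"TopicConfigurations": [topic_configuration("cloudtrail-all-accounts", "")]}
    return {
        "TopicConfigurations": [
            topic_configuration(f"cloudtrail-{a}", cloudtrail_prefix(a, bucket_prefix))
            for a in account_ids
        ]
    }


def policy_findings(policy):
    """Flag Publish statements wider than the page's policy: an any-principal
    grant, or a service principal with no SourceArn/SourceAccount condition
    (then any S3 bucket in any account could publish to the topic)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("sns:publish", "sns:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Publish is allowed to any principal")
        condition = json.dumps(stmt.get("Condition", {})).lower()
        if (isinstance(principal, dict) and "Service" in principal
                and "sourcearn" not in condition and "sourceaccount" not in condition):
            findings.append(f"{sid}: service principal can publish without a SourceArn/SourceAccount condition")
    return findings


if __name__ == "__main__":
    policy = sns_access_policy(REGION, ACCOUNT_ID, TOPIC_NAME, BUCKET_NAME)
    topic_arn = policy["Statement"][0]["Resource"]
    print(json.dumps(policy, indent=2))
    print(json.dumps(s3_notification_config(topic_arn, [ACCOUNT_ID], "logs"), indent=2))
    print("policy findings:", policy_findings(policy) or "none")
```

The two documents correspond to what you paste into the SNS JSON editor and configure under Properties > Events; their CLI equivalents are `aws sns set-topic-attributes --attribute-name Policy` and `aws s3api put-bucket-notification-configuration`. Note that the latter replaces the bucket's entire notification configuration, which is why step 3 of the S3 procedure asks you to check for existing notifications first.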

Go to Sophos Cloud Optix and continue with the Add your AWS environment assistant.