Skip to content

Use an organization trail

You can use an AWS SNS topic to add the AWS accounts in an organization trail to Sophos Cloud Optix.

Note

Use these instructions only if you're using AWS Organizations with an organization trail and your organization trail is owned by an AWS account other than your management account.

You can do as follows:

  • Create and configure an SNS topic.
  • Configure your S3 bucket to send notifications to the SNS topic.
  • Add the AWS account that owns the organization trail to Sophos Cloud Optix.
  • Add each AWS account that sends its CloudTrail events to the account you just added.

Create and configure the SNS topic

Before you begin, you must identify the S3 bucket that stores your organization trail files.

To create and configure the SNS topic, do as follows:

  1. Sign in to Amazon SNS console.

  2. Create an SNS topic.

    The topic must be in the same region as the S3 bucket that receives your organization trail files.

  3. Copy the S3 bucket name and the SNS topic name to use later.

  4. Click Access policy and use the JSON editor to configure the access policy as follows:

    1. In the Resource field, replace SNS ARN with your SNS Amazon Resource Name (ARN).
    2. In the AWS:SourceArn field, replace BUCKET ARN with your CloudTrail S3 bucket ARN.

Here's an example:

        {
            "Version": "2012-10-17",
            "Statement": [
            {
            "Sid": "OptixSNSpermission20150201",
            "Effect": "Allow",
            "Principal": {
            "Service": "s3.amazonaws.com"
            },
            "Action": "SNS:Publish",
            "Resource": "${SNS ARN}",
            "Condition": {
                "StringEquals": {
                "AWS:SourceArn": "${BUCKET ARN}"
                }
            }
            }
            ]
        }

Configure S3 bucket notifications

To configure your S3 bucket notifications to use the new SNS topic, do as follows:

  1. In AWS, go to your S3 bucket.
  2. Click Properties and go to Event notifications.

  3. Check that you don't have any existing notifications set for CloudTrail create events.

    If you do, you must remove them and create a new notification.

  4. Click Create event notification.

  5. Enter a name for the event notification.
  6. Enter .gz as the Suffix.
  7. Turn on All object create events.
  8. In Destination, click the SNS topic.

  9. Enter the name of the SNS topic you created earlier.

    Here's an example labeled with the step numbers:

    Fields to edit when creating the event notification.

  10. Click Save changes.

Add AWS account to Sophos Cloud Optix

To add the AWS account that owns the organization trail to Sophos Cloud Optix, do as follows:

  1. Sign in to your Sophos Cloud Optix.
  2. Click Add Environments then click AWS.
  3. Click Choose a full setup option.
  4. Click AWS CloudShell or CLI (Linux and Mac only) or the relevant Go button.
  5. Select Customize your setup and click Continue.
  6. In CloudTrail Logs Setup Options, set Export CloudTrail logs to Cloud Optix to Yes.
  7. In Create new resources or use existing infrastructure, select Use existing resources.

  8. Enter your SNS and S3 bucket details.

    You must leave the S3 bucket Prefix (optional) field empty.

  9. Click Continue.

  10. Follow the on-screen instructions to add your AWS account to Sophos Cloud Optix.

    The assistant creates your script and other commands. After the script finishes, you'll see the message: All steps done!.

  11. If there are no errors, click Finish.

Check that the AWS account appears in Environments before you continue adding other AWS accounts.

Add other AWS accounts

You must now add all the AWS accounts that send CloudTrail events to the account you just added to Sophos Cloud Optix.

For each account, do as follows:

  1. Sign in to your Sophos Cloud Optix.
  2. Click Add Environments then click AWS.
  3. Click Choose a full setup option.
  4. Click AWS CloudShell or CLI (Linux and Mac only) or the relevant Go button.
  5. Select Customize your setup and click Continue.
  6. In CloudTrail Logs Setup Options, set Export CloudTrail logs to Cloud Optix to No.
  7. Click Continue.

  8. Finish the Add your AWS Environment assistant.

    You can set the rest of the options according to your needs.

  9. Click Continue.

  10. Follow the on-screen instructions to add your AWS account to Sophos Cloud Optix.

    The assistant creates your script and other commands. After the script finishes, you'll see the message: All steps done!.

  11. If there are no errors, click Finish.

The AWS accounts are added and appear in Environments.