Add AWS environments using an existing AWS CloudTrail

You can use an existing CloudTrail when you add an AWS environment.

You can set up a new CloudTrail when you add an AWS environment to Sophos Cloud Optix. If you want to use an existing CloudTrail, you must configure it.

To check and configure your trail, do as follows:

Review your trail
  1. In AWS, go to your CloudTrail dashboard and copy your export bucket name.

    This is used to configure the SNS topic and used in Sophos Cloud Optix later.

  2. You can also copy the bucket prefix to use later. Bucket prefixes are optional; see step 5 in Creating a Trail for more detail.

    This example shows how to select the bucket name and bucket prefix.

    Screenshot showing sections of CloudTrail location to copy for bucket name and prefix in Optix
Configure SNS topic and access policy
  1. In AWS, create an SNS topic in the same region as the S3 bucket that CloudTrail exports to, or edit an existing SNS topic.
  2. Copy the name of this SNS topic.
  3. In the JSON editor, specify the access policy as follows:
    1. Replace the Resource value with the SNS ARN you are using.
    2. Replace the bucket name in Condition with the CloudTrail bucket name you copied earlier.

      Here's an example.

      Screenshot showing SNS topic JSON editor with lines to be customized
      In AWS, the access policy is shown as optional, but it isn't optional for Sophos Cloud Optix: it is required to set up S3 bucket notifications.
  4. Save the SNS topic.
Configure S3 bucket notifications
  1. In AWS, go to your S3 bucket.
  2. To set up a new notification event, select Properties > Events > Add notification.
    1. Check that you don't have any existing notifications set on CloudTrail create events.
  3. Enter a name for the notification event.
  4. Select All object create events.
  5. Enter .json.gz as the Suffix value.
  6. To create your Prefix value, enter the bucket prefix you copied earlier, then /AWSLogs/, then your account ID, then /CloudTrail/.

    The format must be: <Bucket prefix>/AWSLogs/<AccountId>/CloudTrail/

    If you are using an AWS Organizations managed CloudTrail, or you are exporting CloudTrails from multiple accounts into a single account, you must create a separate event for each account ID.

  7. For Send to, select SNS and enter the name of the SNS topic you created earlier. Here's an example.

    Screenshot showing Events menu settings
  8. Click Save.

The new notification now appears in your S3 bucket properties.
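The SNS access policy and the S3 notification settings from the two procedures above, expressed as code. This is an added example, not from this page or from Sophos: it builds the topic access policy (the standard S3-to-SNS shape that AWS documents, which is assumed to match the screenshot) and the notification configuration in the JSON that `aws s3api put-bucket-notification-configuration` accepts, with one event per account ID for the multi-account case. The account IDs, bucket names and ARNs in the comments and tests are constructed sample values.

```python
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits


def cloudtrail_prefix(bucket_prefix: str, account_id: str) -> str:
    """Key prefix CloudTrail writes under: <Bucket prefix>/AWSLogs/<AccountId>/CloudTrail/.
    Prefixes are optional; an empty one yields AWSLogs/<AccountId>/CloudTrail/ (assumption:
    no leading slash, which is how CloudTrail lays out keys when no prefix is set)."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    prefix = bucket_prefix.strip("/")
    parts = ([prefix] if prefix else []) + ["AWSLogs", account_id, "CloudTrail"]
    return "/".join(parts) + "/"


def sns_access_policy(topic_arn: str, bucket_name: str) -> dict:
    """Topic access policy: only the S3 service, and only from the CloudTrail bucket, may
    publish. Resource is the SNS ARN and Condition names the bucket, the two values the
    procedure says to replace. Standard S3-to-SNS shape from AWS docs (assumed to match
    the page's screenshot)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3ToPublishCloudTrailEvents",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"}},
        }],
    }


def s3_notification_config(topic_arn: str, bucket_prefix: str, account_ids) -> dict:
    """Bucket notification configuration: one event per account ID, as required for an
    AWS Organizations trail or for several accounts exporting into one bucket."""
    return {"TopicConfigurations": [{
        "Id": f"cloudtrail-to-sns-{acct}",
        "TopicArn": topic_arn,
        "Events": ["s3:ObjectCreated:*"],  # the console's "All object create events"
        "Filter": {"Key": {"FilterRules": [
            {"Name": "prefix", "Value": cloudtrail_prefix(bucket_prefix, acct)},
            {"Name": "suffix", "Value": ".json.gz"},
        ]}},
    } for acct in account_ids]}
```

Feed the policy to `aws sns set-topic-attributes --attribute-name Policy` and the notification document to `aws s3api put-bucket-notification-configuration`; note that the latter replaces the bucket's whole notification configuration, so merge in any existing notifications first.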

Go to Sophos Cloud Optix and continue with the Add your AWS environment assistant.