AWS CloudTrail Event Monitoring
Updated Sep 5, 2023
- Configure AWS CloudTrail event monitoring
- Before you begin
- CloudTrail monitoring configurations
- Identify an existing trail to dedicate to Arctic Wolf monitoring
- Configure CloudTrail monitoring with no existing Trails
- Configure CloudTrail monitoring with an existing Trail
- Configure CloudTrail monitoring with AWS Organizations and no existing Trails
- Configure CloudTrail monitoring with AWS Organizations and an existing Trail
- Configure CloudTrail monitoring with AWS Control Tower
- Subscribe to the Arctic Wolf SNS topic
- Next steps
Configure AWS CloudTrail event monitoring
As part of Configure AWS Account Monitoring, you must configure Amazon Web Services® (AWS) to send AWS CloudTrail events to the Arctic Wolf® cloud monitoring service.
Note: The AWS CloudTrail service records all API calls within an AWS account, so you cannot limit monitoring to individual AWS instances or assets. When Arctic Wolf monitors an AWS account through CloudTrail, it therefore receives events for the whole account and does not filter out cross-organization, shared, or private information.
If you have multiple AWS accounts that you want Arctic Wolf to monitor, we recommend using AWS Organizations or AWS Control Tower to aggregate all logs to one logging account. In this case, you only need to configure the single logging account to connect to the Arctic Wolf cloud monitoring service. If you do not use AWS Organizations or AWS Control Tower, you must repeat the configuration process for each AWS account that you want Arctic Wolf to monitor. For more information about these options, see the AWS Organizations documentation and AWS Control Tower documentation.
This configuration uses the AWS Management Console and AWS CloudFormation to create and manage the resources required to send logs. For more information about these services, see AWS Permissions Granted to Arctic Wolf, the AWS Management Console documentation, and the AWS CloudFormation documentation.
Note: Deploying these CloudFormation templates creates resources in your AWS account, and AWS charges you based on resource run time and usage. There is a baseline cost for enabling the service and storing CloudTrail logs in an Amazon Simple Storage Service (S3) bucket. For example, an AWS account with multiple active users may generate around 250,000 CloudTrail events or more per day. With the single free Trail, this level of use adds approximately $10 per AWS account per month in incremental costs.
You can change the CloudFormation settings to reduce AWS costs, such as setting a lower retention period for logs or integrating with a pre-existing Trail. For additional information, contact your Concierge Security® Team (CST).
After you complete this configuration, you can optionally configure additional log collection. See Configure AWS Account Monitoring for all optional configurations.
Before you begin
To complete this process, you must:
- Complete the Provide AWS Credentials to Arctic Wolf instructions.
- Have access to the AWS Management Console.
- Have an AWS user or AWS Identity and Access Management (IAM) role that has AdministratorAccess or an equivalent IAM policy. This user or role must have permissions to create, update, and delete stacks and dependent resources, including:
- CloudFormation stacks
- CloudTrail trails
- CloudWatch Logs log groups
- IAM roles and managed policies
- Lambda functions and custom resources
- Kinesis Firehose delivery streams
- S3 buckets
- SNS topics and topic policies
- Locate the CloudFormation stack links listed under AWS CloudFormation Stack Links in the Arctic Wolf Portal.
- Select a preferred region for AWS monitoring. Arctic Wolf recommends using US West (Oregon) or US East (N. Virginia), known as us-west-2 and us-east-1 respectively, to ensure that all recommended AWS services are available. See Supported AWS regions for a complete list of supported regions.
Note: You must provide your AWS account number(s) on the Arctic Wolf Portal and ensure that Arctic Wolf has authorized the account(s) for monitoring before you can complete these steps. See Provide AWS Credentials to Arctic Wolf for more information.
CloudTrail monitoring configurations
How you configure AWS CloudTrail monitoring depends on your use case:
Note: Before performing any of these steps, verify that your credentials in the Arctic Wolf Portal are Healthy. See Provide AWS Credentials to Arctic Wolf for more information.
- Configure CloudTrail monitoring with no existing Trails — Follow these steps if you have no existing Trails that you want to dedicate to the Arctic Wolf monitoring service.
- Configure CloudTrail monitoring with an existing Trail — Follow these steps if you have an existing Trail that you want to dedicate to the Arctic Wolf monitoring service.
- AWS Organizations
- Configure CloudTrail monitoring with AWS Organizations and no existing Trails — Follow these steps if you use AWS Organizations and have no existing Trails that you want to dedicate to the Arctic Wolf monitoring service.
- Configure CloudTrail monitoring with AWS Organizations and an existing Trail — Follow these steps if you use AWS Organizations and have an existing Trail that you want to dedicate to the Arctic Wolf monitoring service.
- Configure CloudTrail monitoring with AWS Control Tower — Follow these steps if you use AWS Control Tower.
Tip: To determine if you have an existing Trail that you want to dedicate to the Arctic Wolf monitoring service, follow the steps in Identify an existing trail to dedicate to Arctic Wolf monitoring.
Identify an existing trail to dedicate to Arctic Wolf monitoring
1. Sign in to the AWS Management Console as an administrator.
2. In the navigation bar, click Services to access the AWS service list, and then type or select CloudTrail from the list.
3. In the navigation pane, click Trails to review existing Trails for the following settings:
   - Region — All
   - S3 bucket — <The name of a valid S3 bucket in your account>
   - Status —
   - (AWS Organizations only) Apply Trail to my organization — Enabled
   All other settings can have any value.
   Tip: You can modify an existing Trail to match these settings.
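The same check, done against the CloudTrail API instead of the console, as an added example that is not Arctic Wolf's code. "Region: All" corresponds to IsMultiRegionTrail, the S3 bucket to S3BucketName, an active trail to IsLogging, and the organization setting to IsOrganizationTrail. The trail and status records below are constructed sample data; live_trails() fetches the real ones with boto3, which is assumed to be installed and to have credentials for the account.

```python
"""Find existing trails that meet the settings listed above.

Added example, not Arctic Wolf's code. It evaluates the JSON returned by the
CloudTrail DescribeTrails and GetTrailStatus APIs. The sample data is constructed;
live_trails() pulls the real data with boto3 (assumed installed, with credentials).
"""

ACCOUNT = "123456789012"  # constructed account ID


def trail_arn(name, region="us-east-1"):
    return f"arn:aws:cloudtrail:{region}:{ACCOUNT}:trail/{name}"


# Constructed sample of describe_trails()["trailList"] for an account with three trails.
SAMPLE_TRAILS = [
    {"Name": "mgmt-all-regions", "TrailARN": trail_arn("mgmt-all-regions"),
     "S3BucketName": "acme-cloudtrail-logs", "IsMultiRegionTrail": True,
     "IsOrganizationTrail": False},
    {"Name": "legacy-single-region", "TrailARN": trail_arn("legacy-single-region"),
     "S3BucketName": "acme-old-logs", "IsMultiRegionTrail": False,
     "IsOrganizationTrail": False},
    {"Name": "org-trail", "TrailARN": trail_arn("org-trail"),
     "S3BucketName": "acme-org-logs", "IsMultiRegionTrail": True,
     "IsOrganizationTrail": True},
]

# Constructed sample of get_trail_status() output, keyed by trail ARN.
SAMPLE_STATUS = {
    trail_arn("mgmt-all-regions"): {"IsLogging": True},
    trail_arn("legacy-single-region"): {"IsLogging": True},
    trail_arn("org-trail"): {"IsLogging": False},  # logging was stopped on this one
}


def trail_problems(trail, status, organization=False):
    """Return the settings that disqualify a trail; an empty list means it is usable."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("Region is not All (single-region trail)")
    if not trail.get("S3BucketName"):
        problems.append("no S3 bucket configured")
    if not status.get("IsLogging"):
        problems.append("logging is stopped")
    if organization and not trail.get("IsOrganizationTrail"):
        problems.append("not applied to the organization")
    return problems


def candidate_trails(trails, status_by_arn, organization=False):
    """ARNs of trails that meet every required setting."""
    return [
        t["TrailARN"] for t in trails
        if not trail_problems(t, status_by_arn.get(t["TrailARN"], {}), organization)
    ]


def live_trails(region="us-east-1"):
    """Fetch the same two structures from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the module still loads without boto3
    ct = boto3.client("cloudtrail", region_name=region)
    trails = ct.describe_trails()["trailList"]
    status = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, status


if __name__ == "__main__":
    for t in SAMPLE_TRAILS:
        issues = trail_problems(t, SAMPLE_STATUS[t["TrailARN"]])
        print(t["Name"], "->", "usable" if not issues else "; ".join(issues))
```

Run it in the region you plan to deploy from: a multi-region trail created elsewhere still appears in describe_trails() output there, and get_trail_status() accepts the ARN directly. Pass organization=True when you are following one of the AWS Organizations procedures.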
Configure CloudTrail monitoring with no existing Trails
To create a new Trail to dedicate to Arctic Wolf monitoring:
1. Sign in to the AWS Management Console as an administrator.
2. Navigate to the region that you want to deploy the monitoring from:
   a. In the navigation bar, open the Region list.
      Tip: The Region list is located beside your username.
   b. Select your preferred region.
3. Use the Services menu or search bar to navigate to the CloudFormation page.
   Tip: In the Services menu, the CloudFormation page is located under the Management & Governance section.
4. On the CloudFormation page, select Create stack > With new resources (standard).
5. On the Create Stack page, complete the following actions:
   - Set the Prepare template option to Template is ready.
   - Set the Template Source option to Amazon S3 URL.
   - Copy and paste the appropriate CloudTrail stack link listed under AWS CloudFormation Stack Links in the Arctic Wolf Portal into the Amazon S3 URL text box.
   - Click Next.
6. Give your stack an appropriate and unique name, such as ArcticWolf.
7. Under the Parameters section, leave the cloudtrailTrail text box blank. This creates a new Trail.
8. Click Next to proceed to the Configure stack options page.
9. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.
10. Click Next to proceed to the Review page.
11. On the Review page, read the Capabilities section and select all checkboxes to proceed.
    Note: The stack does not create properly if you do not select all checkboxes.
12. Click Submit to create the stacks. CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process generally takes 5 to 10 minutes to complete.
13. Verify that the base stack and all nested stacks have the status CREATE_COMPLETE to confirm that the CloudFormation stacks were successfully created.
14. Proceed to Subscribe to the Arctic Wolf SNS topic.
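Steps 4 to 13 expressed as CloudFormation API calls, as an added example that is not Arctic Wolf's code. The same request serves the existing-Trail and AWS Organizations variants below: an empty cloudtrailTrail parameter creates a new Trail, a Trail ARN reuses one. TEMPLATE_URL is a placeholder for the CloudTrail stack link from the Arctic Wolf Portal; the three capabilities are the complete set the Review page can ask you to acknowledge, which is what "select all checkboxes" means in API terms. The describe_stacks output is constructed sample data, and deploy() assumes boto3 is installed with credentials.

```python
"""Create the Arctic Wolf CloudTrail stack and verify the base and nested stacks.

Added example, not Arctic Wolf's code. TEMPLATE_URL is a placeholder for the
stack link from the Arctic Wolf Portal; the describe_stacks output is constructed.
"""
import re

TEMPLATE_URL = "https://example-bucket.s3.amazonaws.com/arcticwolf-cloudtrail.yaml"  # placeholder
# Every capability the Review page can ask for; passing all of them is harmless.
CAPABILITIES = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
# arn:aws:cloudtrail:<region>:<12-digit account>:trail/<name>
TRAIL_ARN_RE = re.compile(
    r"^arn:aws(-[a-z]+)*:cloudtrail:[a-z0-9-]+:\d{12}:trail/[A-Za-z0-9._-]+$")


def is_trail_arn(value):
    """Catch a mis-copied ARN before CloudFormation rejects the stack."""
    return bool(TRAIL_ARN_RE.match(value))


def create_stack_request(stack_name, trail_arn=None):
    """Arguments for CreateStack; an empty cloudtrailTrail makes the template create a new Trail."""
    if trail_arn is not None and not is_trail_arn(trail_arn):
        raise ValueError(f"not a CloudTrail trail ARN: {trail_arn!r}")
    return {
        "StackName": stack_name,
        "TemplateURL": TEMPLATE_URL,
        "Parameters": [{"ParameterKey": "cloudtrailTrail",
                        "ParameterValue": trail_arn or ""}],
        "Capabilities": CAPABILITIES,
    }


def stacks_complete(stacks, root_name):
    """True when the base stack and every nested stack under it report CREATE_COMPLETE."""
    roots = [s for s in stacks if s["StackName"] == root_name]
    if not roots:
        return False
    root_id = roots[0]["StackId"]
    # Nested stacks carry the base stack's ID in RootId.
    family = [s for s in stacks
              if s["StackName"] == root_name or s.get("RootId") == root_id]
    return all(s["StackStatus"] == "CREATE_COMPLETE" for s in family)


def deploy(stack_name, trail_arn=None, region="us-east-1"):
    """Run the procedure against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the module still loads without boto3
    cfn = boto3.client("cloudformation", region_name=region)
    cfn.create_stack(**create_stack_request(stack_name, trail_arn))
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    return stacks_complete(cfn.describe_stacks()["Stacks"], stack_name)


# Constructed sample of describe_stacks()["Stacks"] a few minutes after Submit.
ROOT_ID = "arn:aws:cloudformation:us-east-1:123456789012:stack/ArcticWolf/1111"
SAMPLE_STACKS = [
    {"StackName": "ArcticWolf", "StackId": ROOT_ID, "StackStatus": "CREATE_COMPLETE"},
    {"StackName": "ArcticWolf-CloudTrailStack-AAAA", "StackId": ROOT_ID + "-a",
     "RootId": ROOT_ID, "StackStatus": "CREATE_COMPLETE"},
    {"StackName": "ArcticWolf-FirehoseStack-BBBB", "StackId": ROOT_ID + "-b",
     "RootId": ROOT_ID, "StackStatus": "CREATE_IN_PROGRESS"},
    {"StackName": "unrelated", "StackId": "other", "StackStatus": "ROLLBACK_COMPLETE"},
]

if __name__ == "__main__":
    print(create_stack_request("ArcticWolf"))
    print("all complete:", stacks_complete(SAMPLE_STACKS, "ArcticWolf"))
```

The waiter returns once the base stack finishes, but the verification step still walks the nested stacks explicitly because a parent reports its own status, and the page's check is that every stack in the family reads CREATE_COMPLETE.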
Configure CloudTrail monitoring with an existing Trail
To dedicate an existing Trail to Arctic Wolf monitoring:
1. Sign in to the AWS Management Console as an administrator.
2. Navigate to the region that you want to deploy the monitoring from:
   a. In the navigation bar, open the Region list.
      Tip: The Region list is located beside your username.
   b. Select your preferred region.
3. Use the Services menu or search bar to navigate to the CloudFormation page.
   Tip: In the Services menu, the CloudFormation page is located under the Management & Governance section.
4. On the CloudFormation page, select Create stack > With new resources (standard).
5. On the Create Stack page, complete the following actions:
   - Set the Prepare template option to Template is ready.
   - Set the Template Source option to Amazon S3 URL.
   - Copy and paste the appropriate CloudTrail stack link listed under AWS CloudFormation Stack Links in the Arctic Wolf Portal into the Amazon S3 URL text box.
   - Click Next.
6. Give your stack an appropriate and unique name, such as ArcticWolf.
7. Under the Parameters section, enter the Amazon Resource Name (ARN) of the existing Trail that you want to use for Arctic Wolf in the cloudtrailTrail text box.
   Note: The ARN of the Trail can be found in the CloudTrail console. Navigate to the CloudTrail console, and select the existing Trail that you want to use from the Trail list. Above the detail section for that Trail, there is a path similar to CloudTrail > Trails > arn:aws:cloudtrail:us-east-2:123456789012:trail/nameoftrail. Copy the entire ARN starting with arn:aws:cloudtrail.
8. Click Next to proceed to the Configure stack options page.
9. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.
10. Click Next to proceed to the Review page.
11. On the Review page, read the Capabilities section and select all checkboxes to proceed.
    Note: The stack does not create properly if you do not select all checkboxes.
12. Click Submit to create the stacks. CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process generally takes 5 to 10 minutes to complete.
13. Verify that the base stack and all nested stacks have the status CREATE_COMPLETE to confirm that the CloudFormation stacks were successfully created.
14. Proceed to Subscribe to the Arctic Wolf SNS topic.
Configure CloudTrail monitoring with AWS Organizations and no existing Trails
To create a new Trail to dedicate to Arctic Wolf monitoring, using AWS Organizations:
1. Sign in to the AWS Management Console as an administrator.
2. Navigate to the region that you want to deploy the monitoring from:
   a. In the navigation bar, open the Region list.
      Tip: The Region list is located beside your username.
   b. Select your preferred region.
3. Use the Services menu or search bar to navigate to the CloudFormation page.
   Tip: In the Services menu, the CloudFormation page is located under the Management & Governance section.
4. On the CloudFormation page, select Create stack > With new resources (standard).
5. On the Create Stack page, complete the following actions:
   - Set the Prepare template option to Template is ready.
   - Set the Template Source option to Amazon S3 URL.
   - Copy and paste the appropriate CloudTrail stack link listed under AWS CloudFormation Stack Links in the Arctic Wolf Portal into the Amazon S3 URL text box.
   - Click Next.
6. Give your stack an appropriate and unique name, such as ArcticWolf.
7. Under the Parameters section, leave the cloudtrailTrail text box blank. This creates a new Trail.
8. Click Next to proceed to the Configure stack options page.
9. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.
10. Click Next to proceed to the Review page.
11. On the Review page, read the Capabilities section and select all checkboxes to proceed.
    Note: The stack does not create properly if you do not select all checkboxes.
12. Click Submit to create the stacks. CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process generally takes 5 to 10 minutes to complete.
13. Verify that the base stack and all nested stacks have the status CREATE_COMPLETE to confirm that the CloudFormation stacks were successfully created.
14. Sign in to the CloudTrail console.
15. From the CloudTrail Dashboard, select the Trail that the stack created, and then click Edit > Enable for all accounts in my organization. This delegates CloudTrail logging for every account in your organization to this single Trail.
16. Proceed to Subscribe to the Arctic Wolf SNS topic.
Configure CloudTrail monitoring with AWS Organizations and an existing Trail
To dedicate an existing Trail to Arctic Wolf monitoring, using AWS Organizations:
Note: You must have an organization Trail to use as the existing Trail. See the AWS CloudTrail documentation for more information.
1. Sign in to the AWS Management Console as an administrator.
2. Navigate to the region that you want to deploy the monitoring from:
   a. In the navigation bar, open the Region list.
      Tip: The Region list is located beside your username.
   b. Select your preferred region.
3. Use the Services menu or search bar to navigate to the CloudFormation page.
   Tip: In the Services menu, the CloudFormation page is located under the Management & Governance section.
4. On the CloudFormation page, select Create stack > With new resources (standard).
5. On the Create Stack page, complete the following actions:
   - Set the Prepare template option to Template is ready.
   - Set the Template Source option to Amazon S3 URL.
   - Copy and paste the appropriate CloudTrail stack link listed under AWS CloudFormation Stack Links in the Arctic Wolf Portal into the Amazon S3 URL text box.
   - Click Next.
6. Give your stack an appropriate and unique name, such as ArcticWolf.
7. Under the Parameters section, enter the Amazon Resource Name (ARN) of the existing Trail that you want to use for Arctic Wolf in the cloudtrailTrail text box.
   Note: The ARN of the Trail can be found in the CloudTrail console. Navigate to the CloudTrail console, and select the existing Trail that you want to use from the Trail list. Above the detail section for that Trail, there is a path similar to CloudTrail > Trails > arn:aws:cloudtrail:us-east-2:123456789012:trail/nameoftrail. Copy the entire ARN starting with arn:aws:cloudtrail.
8. Click Next to proceed to the Configure stack options page.
9. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.
10. Click Next to proceed to the Review page.
11. On the Review page, read the Capabilities section and select all checkboxes to proceed.
    Note: The stack does not create properly if you do not select all checkboxes.
12. Click Submit to create the stacks. CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process generally takes 5 to 10 minutes to complete.
13. Verify that the base stack and all nested stacks have the status CREATE_COMPLETE to confirm that the CloudFormation stacks were successfully created.
14. Sign in to the CloudTrail console.
15. From the CloudTrail Dashboard, select the organization Trail, and then confirm that Edit > Enable for all accounts in my organization is selected. This delegates CloudTrail logging for every account in your organization to this single Trail.
16. Proceed to Subscribe to the Arctic Wolf SNS topic.
Configure CloudTrail monitoring with AWS Control Tower
To dedicate an existing Trail to Arctic Wolf monitoring, using AWS Control Tower:
Note: You must have an existing Trail to configure CloudTrail monitoring with AWS Control Tower. See the AWS Control Tower documentation for more information.
1. Sign in to the AWS Control Tower management account with administrative permissions.
   Tip: This account was previously referred to as the master account.
2. Copy and paste this URL into a browser window, replacing <accountid> with the account number of the logging account:
   https://signin.aws.amazon.com/switchrole?roleName=AWSControlTowerExecution&account=<accountid>
   This switches you to the Log Archive account and the AWSControlTowerExecution role.
3. Confirm that you are now working in the Log Archive account with administrative permissions.
4. Navigate to the region that you want to deploy the monitoring from:
   a. In the navigation bar, open the Region list.
      Tip: The Region list is located beside your username.
   b. Select your preferred region.
5. Use the Services menu or search bar to navigate to the CloudFormation page.
   Tip: In the Services menu, the CloudFormation page is located under the Management & Governance section.
6. On the CloudFormation page, select Create stack > With new resources (standard).
7. On the Create Stack page, complete the following actions:
   - Set the Prepare template option to Template is ready.
   - Set the Template Source option to Amazon S3 URL.
   - Copy and paste the appropriate CloudTrail stack link listed under AWS CloudFormation Stack Links in the Arctic Wolf Portal into the Amazon S3 URL text box.
   - Click Next.
8. Give your stack an appropriate and unique name, such as ArcticWolf.
9. Under the Parameters section, enter the Amazon Resource Name (ARN) of the existing Trail that you want to use for Arctic Wolf in the cloudtrailTrail text box.
   Note: The ARN of the Trail can be found in the CloudTrail console. Navigate to the CloudTrail console, and select the existing Trail that you want to use from the Trail list. Above the detail section for that Trail, there is a path similar to CloudTrail > Trails > arn:aws:cloudtrail:us-east-2:123456789012:trail/nameoftrail. Copy the entire ARN starting with arn:aws:cloudtrail.
10. Click Next to proceed to the Configure stack options page.
11. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.
12. Click Next to proceed to the Review page.
13. On the Review page, read the Capabilities section and select all checkboxes to proceed.
    Note: The stack does not create properly if you do not select all checkboxes.
14. Click Submit to create the stacks. CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process generally takes 5 to 10 minutes to complete.
15. Verify that the base stack and all nested stacks have the status CREATE_COMPLETE to confirm that the CloudFormation stacks were successfully created.
16. Proceed to Subscribe to the Arctic Wolf SNS topic.
Subscribe to the Arctic Wolf SNS topic
The CloudFormation stacks create a Simple Notification Service (SNS) topic in your AWS account. Arctic Wolf uses this SNS topic to identify changes in your AWS account. Make sure that the Arctic Wolf Simple Queue Service (SQS) endpoint is subscribed to your AWNSNSTopic.
Note: You only need to complete these steps for the primary region.
To subscribe to the Arctic Wolf SNS topic:
1. In the AWS Management Console navigation bar, select Services to access the AWS service list, and then type or select Simple Notification Service to access the SNS console.
2. In the navigation pane, click Topics.
3. Using the filter, type AWNSNSTopic to find the corresponding topic, and then, in the Name column, click the link for that topic.
4. On the Subscriptions page, review the subscription status and take the appropriate action. If the status value is:
   - Pending — Proceed to step 5.
   - Confirmed — The SNS subscription is successfully confirmed. Proceed to step 7.
5. Select the checkbox for the subscription, and then click Request confirmation. A message appears, indicating that the subscription confirmation was requested.
6. Refresh the page and check the subscription status again. If the status value is:
   - Still Pending after more than a few minutes — Contact your CST for assistance and include your 12-digit AWS account number.
   - Confirmed — The SNS subscription is successfully confirmed.
7. Contact security@arcticwolf.com to confirm that Arctic Wolf is receiving your CloudTrail events. You can also inquire about optional additional AWS services that Arctic Wolf can monitor.
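Steps 3 to 6 as an SNS API check, added here as an example that is not Arctic Wolf's code. SNS reports a subscription that has not yet been confirmed with SubscriptionArn set to the literal string "PendingConfirmation", which is what the console displays as Pending. The topic list and subscription records are constructed sample data, the Arctic Wolf SQS queue ARN is a placeholder, and live_state() assumes boto3 is installed with credentials for the account.

```python
"""Check the Arctic Wolf SQS subscription on the AWNSNSTopic.

Added example, not Arctic Wolf's code. The sample topics and subscriptions are
constructed and the Arctic Wolf queue ARN is a placeholder.
"""
import time

PENDING = "PendingConfirmation"  # SNS's marker for an unconfirmed subscription
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ArcticWolf-AWNSNSTopic-ABCDEF"
AW_QUEUE = "arn:aws:sqs:us-east-1:999999999999:arcticwolf-ingest"  # placeholder endpoint

# Constructed sample of list_topics() output (only TopicArn is returned).
SAMPLE_TOPICS = [
    {"TopicArn": "arn:aws:sns:us-east-1:123456789012:billing-alerts"},
    {"TopicArn": TOPIC_ARN},
]
# Constructed samples of list_subscriptions_by_topic()["Subscriptions"].
SAMPLE_PENDING = [{"Protocol": "sqs", "Endpoint": AW_QUEUE,
                   "SubscriptionArn": PENDING, "TopicArn": TOPIC_ARN}]
SAMPLE_CONFIRMED = [{"Protocol": "sqs", "Endpoint": AW_QUEUE,
                     "SubscriptionArn": TOPIC_ARN + ":1234", "TopicArn": TOPIC_ARN}]


def find_topic(topics, name_fragment="AWNSNSTopic"):
    """Step 3: the console filter matches on the topic name, the last ARN segment."""
    for t in topics:
        if name_fragment in t["TopicArn"].rsplit(":", 1)[-1]:
            return t["TopicArn"]
    return None


def subscription_state(subscriptions, protocol="sqs"):
    """Step 4: 'Confirmed', 'Pending', or 'Missing' for the SQS subscription."""
    subs = [s for s in subscriptions if s.get("Protocol") == protocol]
    if not subs:
        return "Missing"
    if any(s["SubscriptionArn"] != PENDING for s in subs):
        return "Confirmed"
    return "Pending"


def wait_for_confirmation(check, attempts=6, delay=30, sleep=time.sleep):
    """Step 6: poll until Confirmed; still Pending after every attempt means escalate to the CST."""
    for _ in range(attempts):
        state = check()
        if state != "Pending":
            return state
        sleep(delay)
    return "Escalate"


def live_state(region="us-east-1"):
    """Run the check against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the module still loads without boto3
    sns = boto3.client("sns", region_name=region)
    topics = [t for page in sns.get_paginator("list_topics").paginate()
              for t in page["Topics"]]
    arn = find_topic(topics)
    if arn is None:
        return "Missing"
    subs = [s for page in sns.get_paginator("list_subscriptions_by_topic").paginate(TopicArn=arn)
            for s in page["Subscriptions"]]
    return subscription_state(subs)


if __name__ == "__main__":
    print("topic:", find_topic(SAMPLE_TOPICS))
    print("pending sample:", subscription_state(SAMPLE_PENDING))
    print("confirmed sample:", subscription_state(SAMPLE_CONFIRMED))
```

Run live_state() in the primary region only, since that is the only region where the page asks for this check. A "Missing" result means the stack did not create the topic or the Arctic Wolf SQS endpoint never subscribed, which is a different failure from a subscription that simply has not been confirmed yet.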
Next steps
Proceed to Configure Amazon GuardDuty Monitoring to enable GuardDuty in a specified region and forward its findings to Arctic Wolf.
Tip: See Configure AWS Account Monitoring for available AWS configuration options.