
AWS CloudTrail Event Monitoring

Updated Apr 15, 2024

Configure AWS CloudTrail events for Arctic Wolf monitoring

You can configure AWS CloudTrail® to send the necessary logs to Arctic Wolf® for monitoring security information.

Note: CloudTrail records API calls for an entire AWS account; monitoring cannot be scoped to individual instances or assets. When Arctic Wolf monitors an AWS account through CloudTrail, all recorded events are ingested, including cross-organization, shared, and private information.

If you have multiple AWS accounts you want Arctic Wolf to monitor, Arctic Wolf recommends that you use AWS Organizations® or AWS Control Tower® to aggregate all logs to one logging account. Then, you only need to configure one logging account to connect to the Arctic Wolf cloud monitoring service. If you do not use AWS Organizations or AWS Control Tower, you must repeat the configuration process for each AWS account you want Arctic Wolf to monitor. See AWS Organizations documentation and AWS Control Tower documentation for more information.

This configuration uses AWS Management Console and AWS CloudFormation to create and manage the resources required to send logs. See AWS permissions granted to Arctic Wolf, AWS Management Console documentation, and AWS CloudFormation documentation for more information.

Note: Deploying these CloudFormation templates creates resources in your AWS account, and AWS charges you based on resource run time and usage. There is a baseline cost for enabling the service and for storing CloudTrail logs in a Simple Storage Service (S3) bucket. For example, an AWS account with multiple active users can generate approximately 250,000 CloudTrail events or more each day. With the single free trail, this level of use adds approximately 10 USD in incremental costs for each AWS account each month.

You can change the CloudFormation settings to reduce AWS costs, for example by setting a shorter log retention period or by integrating with a pre-existing trail. Contact your Concierge Security® Team (CST) at security@arcticwolf.com for more information.

Requirements

Before you begin

Steps

  1. Determine your AWS deployment scenario and configure CloudTrail.
  2. Subscribe to the Arctic Wolf SNS topic.

Step 1: Determine your AWS deployment scenario and configure CloudTrail

Follow the procedure that matches your deployment scenario: no existing trail, an existing trail, AWS Organizations with or without an existing trail, or AWS Control Tower.

Configure CloudTrail monitoring with no existing trails

  1. Sign in to the AWS Management Console with administrator permissions.

  2. Go to the region that you want to deploy the monitoring from.

    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  3. In the Services menu, in the Management & Governance section, click CloudFormation.

  4. On the CloudFormation page, click Create stack > With new resources (standard).

  5. On the Create Stack page, configure these settings:

    • Prepare template — Select the Template is ready option.
    • Template Source — Select the Amazon S3 URL option.
  6. In the Arctic Wolf Unified Portal, in the AWS CloudFormation Stacks section, copy the appropriate CloudTrail stack link.

  7. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.

  8. Click Next.

  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.

  10. In the Parameter section, keep the CloudTrail field empty.

  11. Click Next.

  12. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.

  13. Click Next.

  14. On the Review page, read the Capabilities section.

  15. Select all checkboxes.

    Note: The stack is not created correctly if you do not select all checkboxes.

  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5 to 10 minutes to complete.

  17. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE to make sure that the CloudFormation stacks were successfully created. Do not proceed to the next step until this is complete.
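The console procedures on this page (this one and the variants that follow) can also be driven from the AWS SDK, which makes the final check, that the base stack and every nested stack reached CREATE_COMPLETE, explicit and repeatable. The following is an added example written for this page, not Arctic Wolf's code. It assumes, because the page does not state them, that the stack link copied from the Unified Portal is passed as `template_url`, that the console field labelled CloudTrail has the parameter key `CloudTrail` (pass the existing trail ARN for the existing-trail variants, omit it for the no-trail variants), and that the acknowledgement checkboxes on the Review page correspond to the CAPABILITY_IAM, CAPABILITY_NAMED_IAM and CAPABILITY_AUTO_EXPAND capabilities. The status classifier runs offline on constructed describe_stacks output; the deployment functions need boto3 and credentials for the target account.

```python
"""Deploy the Arctic Wolf CloudTrail stack and wait for every nested stack.

Added example for this page, not Arctic Wolf's code.  Assumed (not stated on
the page): the template URL from the Unified Portal, the parameter key
"CloudTrail", and the three capability flags used below.
"""
from __future__ import annotations

import time

COMPLETE = "CREATE_COMPLETE"
# Terminal states that mean the tree will never reach CREATE_COMPLETE.
FAILED = {"CREATE_FAILED", "ROLLBACK_IN_PROGRESS", "ROLLBACK_COMPLETE",
          "ROLLBACK_FAILED", "DELETE_IN_PROGRESS", "DELETE_COMPLETE", "DELETE_FAILED"}


def stack_tree_status(stacks: list[dict], root_stack_id: str) -> dict:
    """Classify the base stack and its nested stacks.

    `stacks` is the "Stacks" list from cloudformation.describe_stacks() called
    with no StackName filter, which includes nested stacks; each nested stack
    carries a RootId equal to the base stack's StackId.  Unrelated stacks in
    the account are ignored.
    """
    tree = [s for s in stacks
            if s.get("StackId") == root_stack_id or s.get("RootId") == root_stack_id]
    failed = sorted(s["StackName"] for s in tree if s["StackStatus"] in FAILED)
    pending = sorted(s["StackName"] for s in tree
                     if s["StackStatus"] != COMPLETE and s["StackStatus"] not in FAILED)
    return {
        "complete": bool(tree) and not failed and not pending,
        "failed": failed,
        "pending": pending,
        "stacks": len(tree),
    }


def deploy_stack(stack_name: str, template_url: str, region: str,
                 existing_trail_arn: str | None = None,
                 poll_seconds: int = 30, timeout_seconds: int = 1800) -> dict:
    """Create the stack (console steps 4 to 16) and poll until the whole tree
    is CREATE_COMPLETE, a stack fails, or the timeout elapses (step 17)."""
    import boto3  # imported here so stack_tree_status() is usable without boto3

    cfn = boto3.client("cloudformation", region_name=region)
    kwargs = {
        "StackName": stack_name,
        "TemplateURL": template_url,
        # Assumed equivalent of the acknowledgement checkboxes on the Review page.
        "Capabilities": ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"],
    }
    if existing_trail_arn:  # leave the parameter at its default for the no-trail variants
        kwargs["Parameters"] = [{"ParameterKey": "CloudTrail", "ParameterValue": existing_trail_arn}]
    root_id = cfn.create_stack(**kwargs)["StackId"]

    deadline = time.monotonic() + timeout_seconds
    while True:
        stacks = []
        for page in cfn.get_paginator("describe_stacks").paginate():
            stacks.extend(page["Stacks"])
        status = stack_tree_status(stacks, root_id)
        if status["complete"] or status["failed"] or time.monotonic() > deadline:
            return status
        time.sleep(poll_seconds)


def enable_organization_trail(trail_arn: str, region: str) -> bool:
    """Equivalent of Edit > Enable for all accounts in my organization.  Must be
    called from the Organizations management account (or a delegated admin)."""
    import boto3

    ct = boto3.client("cloudtrail", region_name=region)
    return ct.update_trail(Name=trail_arn, IsOrganizationTrail=True)["IsOrganizationTrail"]


if __name__ == "__main__":
    # Constructed describe_stacks output: one base stack and two nested stacks.
    root = "arn:aws:cloudformation:us-east-2:111122223333:stack/ArcticWolf/1111-2222"
    sample = [
        {"StackId": root, "StackName": "ArcticWolf", "StackStatus": "CREATE_COMPLETE"},
        {"StackId": root + "-a", "StackName": "ArcticWolf-Trail-ABC", "RootId": root,
         "ParentId": root, "StackStatus": "CREATE_COMPLETE"},
        {"StackId": root + "-b", "StackName": "ArcticWolf-Sns-DEF", "RootId": root,
         "ParentId": root, "StackStatus": "CREATE_IN_PROGRESS"},
    ]
    print(stack_tree_status(sample, root))  # complete=False, pending=['ArcticWolf-Sns-DEF']
```

Run deploy_stack() with credentials for the account the console procedure signs in to; for the AWS Organizations variant, call enable_organization_trail() from the management account once the tree is complete. A stack that ends in ROLLBACK_COMPLETE must be deleted before its name can be reused, which mirrors the page's note about removing the template from the wrong account and redeploying.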

Configure CloudTrail monitoring with an existing trail

  1. Sign in to the AWS Management Console with administrator permissions.

  2. Go to the region that you want to deploy the monitoring from.

    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  3. In the Services menu, in the Management & Governance section, click CloudFormation.

  4. On the CloudFormation page, click Create stack > With new resources (standard).

  5. On the Create Stack page, configure these settings:

    • Prepare template — Select the Template is ready option.
    • Template Source — Select the Amazon S3 URL option.
  6. In the Arctic Wolf Unified Portal, in the AWS CloudFormation Stacks section, copy the appropriate CloudTrail stack link.

  7. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.

  8. Click Next.

  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.

  10. In the Parameter section, in the CloudTrail field, enter the Amazon Resource Name (ARN) of the existing trail that you want to use for Arctic Wolf.

    Note: The ARN of the CloudTrail can be found in the CloudTrail console. In the CloudTrail console, select the existing trail that you want to use from the Trail list. Find the path similar to CloudTrail > Trail > arn:aws:cloudtrail:us-east-2:12345678910:trail/nameoftrail. Copy the entire ARN starting with arn:aws:cloudtrail.

  11. Click Next.

  12. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.

  13. Click Next.

  14. On the Review page, read the Capabilities section.

  15. Select all checkboxes.

    Note: The stack is not created correctly if you do not select all checkboxes.

  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5 to 10 minutes to complete.

  17. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE to make sure that the CloudFormation stacks were successfully created. Do not proceed to the next step until this is complete.

Configure CloudTrail monitoring with AWS Organizations and no existing trails

  1. Sign in to the AWS Management Console with the Organizations Management Account.

  2. Go to the region that you want to deploy the monitoring from.

    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  3. In the Services menu, in the Management & Governance section, click CloudFormation.

  4. On the CloudFormation page, click Create stack > With new resources (standard).

  5. On the Create Stack page, configure these settings:

    • Prepare template — Select the Template is ready option.
    • Template Source — Select the Amazon S3 URL option.
  6. In the Arctic Wolf Unified Portal, in the AWS CloudFormation Stacks section, copy the appropriate CloudTrail stack link.

  7. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.

  8. Click Next.

  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.

  10. In the Parameter section, keep the CloudTrail field empty.

  11. Click Next.

  12. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.

  13. Click Next.

  14. On the Review page, read the Capabilities section.

  15. Select all checkboxes.

    Note: The stack is not created correctly if you do not select all checkboxes.

  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5 to 10 minutes to complete.

  17. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE to make sure that the CloudFormation stacks were successfully created. Do not proceed to the next step until this is complete.

  18. Sign in to the CloudTrail console.

  19. On the CloudTrail Dashboard, click Trails, click the Arctic Wolf trail name, and then click Edit > Enable for all accounts in my organization.

    All CloudTrail logging for the accounts in your organization is now consolidated into this single organization trail.

    Note: If this option is unavailable (greyed out), you are probably not signed in to the Organizations Management Account. Confirm which account you are using in the AWS Organizations console. If the stack was deployed from a member account, delete that stack and deploy the template again while signed in to the Organizations Management Account.

Configure CloudTrail monitoring with AWS Organizations and an existing trail

Note: You must have an organization trail to use as the existing trail. See AWS CloudTrail documentation for more information.

  1. Sign in to the AWS Management Console with administrator permissions.

  2. Go to the region that you want to deploy the monitoring from.

    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  3. In the Services menu, in the Management & Governance section, click CloudFormation.

  4. On the CloudFormation page, click Create stack > With new resources (standard).

  5. On the Create Stack page, configure these settings:

    • Prepare template — Select the Template is ready option.
    • Template Source — Select the Amazon S3 URL option.
  6. In the Arctic Wolf Unified Portal, in the AWS CloudFormation Stacks section, copy the appropriate CloudTrail stack link.

  7. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.

  8. Click Next.

  9. In the Name field, enter a unique name for your stack. For example, ArcticWolf.

  10. In the Parameter section, in the CloudTrail field, enter the Amazon Resource Name (ARN) of the existing trail that you want to use for Arctic Wolf.

    Note: The ARN of the CloudTrail can be found in the CloudTrail console. In the CloudTrail console, select the existing trail that you want to use from the Trail list. Find the path similar to CloudTrail > Trail > arn:aws:cloudtrail:us-east-2:12345678910:trail/nameoftrail. Copy the entire ARN starting with arn:aws:cloudtrail.

  11. Click Next.

  12. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as needed.

  13. Click Next.

  14. On the Review page, read the Capabilities section.

  15. Select all checkboxes.

    Note: The stack is not created correctly if you do not select all checkboxes.

  16. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5 to 10 minutes to complete.

  17. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE to make sure that the CloudFormation stacks were successfully created. Do not proceed to the next step until this is complete.

  18. Sign in to the CloudTrail console.

  19. On the details page for the trail, verify that Log file SSE-KMS encryption shows Enabled. The KMS key is listed immediately below it. Check which account owns that key. If the key is in a different account from the one where you deployed the stack (the account that holds the Arctic Wolf IAM role), add this statement to the KMS key policy so that the role can decrypt the log files. Replace <ACCOUNT ID WITH THE IAM ROLE> with the 12-digit ID of the account that holds the role, and <ARN OF THE MONITORING CLOUDTRAIL> with the trail ARN you entered in step 10:

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:CallerAccount": "<ACCOUNT ID WITH THE IAM ROLE>"
            },
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": "<ARN OF THE MONITORING CLOUDTRAIL>"
            }
        }
    }

    The wildcard principal is acceptable only because of the two conditions: kms:CallerAccount limits the statement to principals in the account that holds the role, and the encryption-context condition limits it to log files written by this trail. Principals in that account still need kms:Decrypt in their own IAM policy, so the statement does not by itself let every role in that account read the logs.
  20. On the CloudTrail Dashboard, click Trails, click the Arctic Wolf trail name, and then click Edit > Enable for all accounts in my organization.

    All CloudTrail logging for the accounts in your organization is now consolidated into this single organization trail.

    Note: If this option is unavailable (greyed out), you are probably not signed in to the Organizations Management Account. Confirm which account you are using in the AWS Organizations console. If the stack was deployed from a member account, delete that stack and deploy the template again while signed in to the Organizations Management Account.

Configure CloudTrail monitoring with AWS Control Tower

  1. Sign in to the AWS Control Tower management account with administrator permissions.

    Tip: This account was previously referred to as the master account.

  2. In a browser window, open this URL, where <accountid> is the 12-digit account number of the Log Archive (logging) account: https://signin.aws.amazon.com/switchrole?roleName=AWSControlTowerExecution&account=<accountid>

    You are now signed in to the Log Archive account using the AWSControlTowerExecution role.

  3. Sign in to the AWS Management Console with administrator permissions.

  4. Go to the region that you want to deploy the monitoring from.

    1. In the navigation menu, beside your username, click Region.
    2. Select your preferred region.
  5. In the Services menu, in the Management & Governance section, click CloudFormation.

  6. On the CloudFormation page, click Create stack > With new resources (standard).

  7. On the Create Stack page, configure these settings:

    • Prepare template — Select the Template is ready option.
    • Template Source — Select the Amazon S3 URL option.
  8. In the Arctic Wolf Unified Portal, in the AWS CloudFormation Stacks section, copy the appropriate CloudTrail stack link.

  9. In the Amazon S3 URL field, enter the appropriate CloudTrail stack link.

  10. Click Next.

  11. In the Name field, enter a unique name for your stack. For example, ArcticWolf.

  12. In the Parameter section, in the CloudTrail field, enter the Amazon Resource Name (ARN) of the existing trail that you want to use for Arctic Wolf.

    Note: The ARN of the CloudTrail can be found in the CloudTrail console. In the CloudTrail console, select the existing trail that you want to use from the Trail list. Find the path similar to CloudTrail > Trail > arn:aws:cloudtrail:us-east-2:12345678910:trail/nameoftrail. Copy the entire ARN starting with arn:aws:cloudtrail.

  13. Click Next.

  14. (Optional) On the Configure stack options page, add roles, policies, and other configurations, as desired.

  15. Click Next.

  16. On the Review page, read the Capabilities section.

  17. Select all checkboxes.

    Note: The stack is not created correctly if you do not select all checkboxes.

  18. Click Submit.

    CloudFormation provides a preview of stack changes, which are prefixed with the Stack name property. This process usually takes 5 to 10 minutes to complete.

  19. Wait until the base stack and all nested stacks have a status of CREATE_COMPLETE to make sure that the CloudFormation stacks were successfully created. Do not proceed to the next step until this is complete.

  20. Sign in to the CloudTrail console.

  21. On the details page for the trail, verify that Log file SSE-KMS encryption shows Enabled. The KMS key is listed immediately below it. Check which account owns that key. If the key is in a different account from the Log Archive account where you deployed the stack (the account that holds the Arctic Wolf IAM role), add this statement to the KMS key policy so that the role can decrypt the log files. Replace <ACCOUNT ID WITH THE IAM ROLE> with the 12-digit ID of the account that holds the role, and <ARN OF THE MONITORING CLOUDTRAIL> with the trail ARN you entered in step 12:

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:CallerAccount": "<ACCOUNT ID WITH THE IAM ROLE>"
            },
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": "<ARN OF THE MONITORING CLOUDTRAIL>"
            }
        }
    }

    The wildcard principal is acceptable only because of the two conditions: kms:CallerAccount limits the statement to principals in the account that holds the role, and the encryption-context condition limits it to log files written by this trail. Principals in that account still need kms:Decrypt in their own IAM policy, so the statement does not by itself let every role in that account read the logs.
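Both procedures that end with a cross-account key policy edit (AWS Organizations with an existing trail, and AWS Control Tower) use the same statement. The following added example, which is not Arctic Wolf's code, builds that statement from the two values you must supply, validates the trail ARN, and lints a key policy for the mistake this statement invites: an Allow with Principal "*" that has no kms:CallerAccount condition, which would let any AWS account decrypt with the key. The account IDs, trail ARN and sample key policy are constructed placeholders.

```python
"""Generate and check the cross-account KMS decrypt statement for the
monitoring trail.  Added example, not Arctic Wolf's code; every ID below is a
constructed placeholder.
"""
import json
import re

TRAIL_ARN = re.compile(r"^arn:aws:cloudtrail:([a-z0-9-]+):(\d{12}):trail/([\w.-]+)$")


def parse_trail_arn(arn: str) -> dict:
    """Split a trail ARN (the value copied from CloudTrail > Trail) into parts,
    rejecting anything that is not a trail ARN with a 12-digit account ID."""
    m = TRAIL_ARN.match(arn)
    if not m:
        raise ValueError(f"not a CloudTrail trail ARN: {arn!r}")
    return {"region": m.group(1), "account": m.group(2), "name": m.group(3)}


def cloudtrail_decrypt_statement(role_account_id: str, trail_arn: str) -> dict:
    """The page's statement with both placeholders filled in.

    Principal "*" is tolerable only because the two conditions narrow it:
    kms:CallerAccount pins the grant to the account holding the Arctic Wolf IAM
    role, and the encryption-context key pins it to ciphertext produced by this
    trail (CloudTrail encrypts with aws:cloudtrail:arn=<trail ARN> as context).
    """
    if not re.fullmatch(r"\d{12}", role_account_id):
        raise ValueError("AWS account IDs are 12 digits")
    parse_trail_arn(trail_arn)  # fail early on a malformed or truncated ARN
    return {
        "Sid": "ArcticWolfCloudTrailDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"kms:CallerAccount": role_account_id},
            "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": trail_arn},
        },
    }


def unscoped_wildcard_statements(key_policy: dict) -> list:
    """Sids (or positions) of Allow statements whose principal is "*" but which
    lack a kms:CallerAccount condition.  Such a statement grants the action to
    every AWS account, which is never what this step intends."""
    findings = []
    for i, st in enumerate(key_policy.get("Statement", [])):
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") != "Allow" or not wildcard:
            continue
        if not st.get("Condition", {}).get("StringEquals", {}).get("kms:CallerAccount"):
            findings.append(st.get("Sid") or f"Statement[{i}]")
    return findings


def fixed_policy(policy: dict, role_account_id: str, trail_arn: str) -> dict:
    """Drop unscoped wildcard statements and append the properly scoped one."""
    bad = set(unscoped_wildcard_statements(policy))
    kept = [st for i, st in enumerate(policy["Statement"])
            if (st.get("Sid") or f"Statement[{i}]") not in bad]
    return {**policy, "Statement": kept + [cloudtrail_decrypt_statement(role_account_id, trail_arn)]}


# Constructed key policy: the default root statement plus a badly scoped grant.
KEY_ACCOUNT, ROLE_ACCOUNT = "111122223333", "444455556666"
MONITORING_TRAIL = f"arn:aws:cloudtrail:us-east-2:{KEY_ACCOUNT}:trail/org-trail"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "kms:Decrypt", "Resource": "*"},  # both conditions missing
    ],
}


if __name__ == "__main__":
    print("unscoped:", unscoped_wildcard_statements(SAMPLE_POLICY))  # ['Statement[1]']
    print(json.dumps(fixed_policy(SAMPLE_POLICY, ROLE_ACCOUNT, MONITORING_TRAIL), indent=2))
```

Paste the generated statement into the key policy alongside the existing statements rather than replacing them; the default root statement is what keeps the key administrable. The linter only checks the CallerAccount scoping, so also confirm that the encryption-context value is the ARN of the trail Arctic Wolf reads, not a wildcard.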

Step 2: Subscribe to the Arctic Wolf SNS topic

The CloudFormation stacks create a Simple Notification Service (SNS) topic named AWNSNSTopic in your AWS account. CloudTrail notifies this topic as it delivers log files, which is how Arctic Wolf learns about new activity in your account. Make sure that the Arctic Wolf Simple Queue Service (SQS) endpoint is subscribed to your AWNSNSTopic and that the subscription is confirmed.

Note: Only complete these steps for the primary region.

  1. In the AWS Management Console, in the navigation menu, click Services > All services > Simple Notification Service.

  2. In the navigation menu, click Topics.

  3. In the filter field, enter AWNSNSTopic to find the corresponding topic.

  4. In the Name column, click the link for the Arctic Wolf SNS topic.

  5. On the Subscriptions page, review the subscription Status. If the value is:

    • Confirmed — The SNS subscription is successfully confirmed.
    • Pending:
      1. Select the checkbox for the subscription, and then click Request confirmation.

        A message appears, indicating that the subscription confirmation was requested.

      2. Wait a few minutes, and then refresh the page.

      3. If the Status continues to display Pending, contact your CST for assistance. Include your 12-digit AWS account number.

  6. Contact security@arcticwolf.com to confirm that Arctic Wolf is receiving your CloudTrail events. You can also inquire about optional additional AWS services that Arctic Wolf can monitor.
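What the Arctic Wolf SQS endpoint receives from AWNSNSTopic, and why a subscription can sit at Pending, is easiest to see from the consumer side. The following added example is not Arctic Wolf's code (the page does not publish its consumer). It handles the two SNS message types that matter here: the SubscriptionConfirmation that SNS sends to the queue when the subscription is created or when you click Request confirmation, which the queue's owner must answer with ConfirmSubscription before the status changes to Confirmed, and the Notification that CloudTrail triggers for each delivered log file, whose body names the S3 bucket and object keys. The topic ARN, account ID and message bodies are constructed; the field names follow the documented SNS envelope and CloudTrail notification formats.

```python
"""Consume SNS messages from the AWNSNSTopic subscription (the SQS side).

Added example, not Arctic Wolf's code.  The topic ARN and messages are
constructed; field names follow the documented SNS envelope and CloudTrail
notification formats.
"""
import json

EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-2:111122223333:AWNSNSTopic"  # constructed


def handle_sns_message(body: str, expected_topic_arn: str = EXPECTED_TOPIC_ARN) -> dict:
    """Classify one SQS message body (an SNS envelope) and extract what a log
    collector needs.  Messages from any other topic are ignored, so a stray or
    malicious subscription cannot inject object keys into the pipeline."""
    env = json.loads(body)
    if env.get("TopicArn") != expected_topic_arn:
        return {"kind": "ignored", "reason": "unexpected topic", "topic": env.get("TopicArn")}
    kind = env.get("Type")
    if kind == "SubscriptionConfirmation":
        # The console shows Pending until this token is passed to
        # sns:ConfirmSubscription (see confirm_subscription below).
        return {"kind": "confirm", "token": env["Token"], "topic": env["TopicArn"]}
    if kind == "Notification":
        msg = json.loads(env["Message"])
        keys = msg.get("s3ObjectKey", [])
        return {
            "kind": "logs",
            "bucket": msg["s3Bucket"],
            # Digest files (log file integrity) live under CloudTrail-Digest/.
            "log_keys": [k for k in keys if "/CloudTrail-Digest/" not in k],
            "digest_keys": [k for k in keys if "/CloudTrail-Digest/" in k],
        }
    return {"kind": "ignored", "reason": f"unhandled type {kind!r}"}


def confirm_subscription(topic_arn: str, token: str, region: str) -> str:
    """Answer a SubscriptionConfirmation; returns the new SubscriptionArn.
    Needs boto3 and credentials for the account that owns the queue."""
    import boto3  # imported here so handle_sns_message() works without boto3

    sns = boto3.client("sns", region_name=region)
    return sns.confirm_subscription(TopicArn=topic_arn, Token=token)["SubscriptionArn"]


def poll_queue(queue_url: str, region: str, max_batches: int = 1) -> list:
    """Receive batches from the SQS queue, classify each envelope and delete
    the messages that were handled.  Needs boto3 and credentials."""
    import boto3

    sqs = boto3.client("sqs", region_name=region)
    results = []
    for _ in range(max_batches):
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=10)
        for m in resp.get("Messages", []):
            results.append(handle_sns_message(m["Body"]))
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])
    return results


# Constructed SQS message bodies in the shapes SNS delivers.
CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "MessageId": "165545c9-2a5c-472c-8df2-7ff2be2b3b1b",
    "Token": "tok-constructed-0001",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": "You have chosen to subscribe to the topic " + EXPECTED_TOPIC_ARN,
    "SubscribeURL": "https://sns.us-east-2.amazonaws.com/?Action=ConfirmSubscription"
                    "&TopicArn=" + EXPECTED_TOPIC_ARN + "&Token=tok-constructed-0001",
    "Timestamp": "2024-04-15T12:00:00.000Z",
})
DELIVERY = json.dumps({
    "Type": "Notification",
    "MessageId": "22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": json.dumps({
        "s3Bucket": "arcticwolf-cloudtrail-111122223333",
        "s3ObjectKey": [
            "AWSLogs/111122223333/CloudTrail/us-east-2/2024/04/15/"
            "111122223333_CloudTrail_us-east-2_20240415T1200Z_AbCdEf123456.json.gz",
            "AWSLogs/111122223333/CloudTrail-Digest/us-east-2/2024/04/15/"
            "111122223333_CloudTrail-Digest_us-east-2_20240415T120000Z.json.gz",
        ],
    }),
    "Timestamp": "2024-04-15T12:00:05.000Z",
})
FOREIGN = json.dumps({"Type": "Notification",
                      "TopicArn": "arn:aws:sns:us-east-2:999999999999:OtherTopic",
                      "Message": "{}"})

if __name__ == "__main__":
    for body in (CONFIRMATION, DELIVERY, FOREIGN):
        print(handle_sns_message(body))
```

This assumes the subscription uses the default (non-raw) delivery, so each SQS body is an SNS envelope; with raw message delivery enabled the body is the CloudTrail JSON itself. A production consumer should also verify the envelope's Signature against the certificate at SigningCertURL before trusting the object keys, which this example omits.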

Next steps