---
title: AWS CloudTrail
description: >-
  Amazon CloudTrail is a web service that records AWS API calls for your account
  and delivers log files to you.
breadcrumbs: Docs > Integrations > AWS CloudTrail
---

# AWS CloudTrail

## Overview{% #overview %}

{% alert level="warning" %}
See [AWS Configuration for Cloud SIEM](https://docs.datadoghq.com/security_platform/cloud_siem/guide/aws-config-guide-for-cloud-siem.md) if you are setting up AWS CloudTrail for Cloud SIEM.
{% /alert %}

AWS CloudTrail provides an audit trail for your AWS account. Datadog reads this audit trail and creates events. Search your Datadog events explorer for these events or use them for correlation on your dashboards.

For information on other AWS services, see the [Amazon Web Services integration page](https://docs.datadoghq.com/integrations/amazon_web_services.md). Installing the CloudTrail integration and collecting CloudTrail events also accelerates [AWS resource-collection refresh](https://docs.datadoghq.com/integrations/amazon-web-services.md#resource-collection), so Datadog's view of your AWS account reflects changes more quickly.

## Setup{% #setup %}

### Installation{% #installation %}

If you haven't already, set up the [Amazon Web Services integration](https://app.datadoghq.com/integrations/amazon-web-services) first.

### Event collection{% #event-collection %}

**Note**: The Datadog CloudTrail integration requires events to be collected in a CloudTrail bucket.

1. Add the following permissions to your Datadog IAM policy to collect AWS CloudTrail events. For more information on CloudTrail policies, see the [AWS CloudTrail API Reference](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html). CloudTrail also requires some S3 permissions to access the trails. **These are required on the CloudTrail bucket only**. For more information on Amazon S3 policies, see the [Amazon S3 API Reference](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html).

| AWS Permission                       | Description                                                                    |
| ------------------------------------ | ------------------------------------------------------------------------------ |
| `cloudtrail:DescribeTrails`          | Lists trails and the S3 bucket the trails are stored in.                       |
| `cloudtrail:GetTrailStatus`          | Skips inactive trails.                                                         |
| `s3:ListBucket`                      | Lists objects in the CloudTrail bucket to get available trails.                |
| `s3:GetBucketLocation`               | Obtains the bucket's region to download trails.                                |
| `s3:GetObject`                       | Fetches available trails.                                                      |
| `organizations:DescribeOrganization` | Returns information about an account's organization (required for org trails). |

If you plan to use automatic log subscription (see Log collection below), also grant:

| AWS Permission          | Description                                                             |
| ----------------------- | ----------------------------------------------------------------------- |
| `cloudtrail:ListTrails` | Discovers trails to auto-subscribe for log forwarding.                  |
| `cloudtrail:GetTrail`   | Resolves the S3 bucket or CloudWatch Logs group each trail delivers to. |

Add this statement to your existing main Datadog IAM policy, replacing the placeholder with the name of the bucket your trail writes to:

```json
{
  "Sid": "AWSDatadogPermissionsForCloudtrail",
  "Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"],
  "Resource": [
    "arn:aws:s3:::<YOUR_S3_CLOUDTRAIL_BUCKET_NAME>",
    "arn:aws:s3:::<YOUR_S3_CLOUDTRAIL_BUCKET_NAME>/*"
  ]
}
```

2. Install the [Datadog - AWS CloudTrail integration](https://app.datadoghq.com/integrations/amazon-cloudtrail): On the integration page, choose the types of events to show as normal priority (the default filter) in the Datadog events explorer. The accounts you configured in the Amazon Web Services page are also shown here. If you would like to see other events that are not mentioned here, contact [Datadog support](https://docs.datadoghq.com/help/).
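The permission tables above are easy to get subtly wrong: a missing `cloudtrail:GetTrailStatus`, or S3 read access granted on `*` instead of on the CloudTrail bucket only. The script below is an added example, not Datadog's own code or tooling: it audits an IAM policy document for the actions listed on this page and flags S3 read grants that reach beyond the trail bucket. The bucket name and both policy documents are constructed for the demo; the check evaluates only `Allow` statements with an `Action` key (no `Deny`, `NotAction`, conditions, SCPs or permission boundaries), so treat its output as a first pass, not an authoritative IAM simulation.

```python
import json
from fnmatch import fnmatchcase

# Placeholder bucket name (constructed); substitute your CloudTrail bucket.
CLOUDTRAIL_BUCKET = "YOUR-CLOUDTRAIL-BUCKET-PLACEHOLDER"

# Permissions from the two tables on this page.
EVENT_COLLECTION_ACTIONS = frozenset({
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",
    "s3:ListBucket",
    "s3:GetBucketLocation",
    "s3:GetObject",
    "organizations:DescribeOrganization",
})
AUTO_SUBSCRIBE_ACTIONS = frozenset({"cloudtrail:ListTrails", "cloudtrail:GetTrail"})
S3_READ_ACTIONS = frozenset({"s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"})


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(pattern, action):
    """IAM action matching is case-insensitive and honours * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _inside_bucket(resource_arn, bucket):
    """True when the ARN names the CloudTrail bucket itself or objects in it."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return resource_arn == bucket_arn or resource_arn.startswith(bucket_arn + "/")


def check_cloudtrail_policy(policy, bucket, auto_subscribe=False):
    """Audit a policy document for the CloudTrail integration.

    Returns {"missing": [...], "overbroad_s3": [...]}: required actions that no
    Allow statement grants, and resources outside the CloudTrail bucket on which
    the S3 read actions are nevertheless granted. Deny, NotAction, conditions,
    SCPs and permission boundaries are not evaluated.
    """
    wanted = set(EVENT_COLLECTION_ACTIONS)
    if auto_subscribe:
        wanted |= AUTO_SUBSCRIBE_ACTIONS

    granted, overbroad = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource"))
        for action in wanted:
            if any(_action_covers(p, action) for p in patterns):
                granted.add(action)
        grants_s3_read = any(
            _action_covers(p, a) for p in patterns for a in S3_READ_ACTIONS
        )
        if grants_s3_read:
            overbroad.update(r for r in resources if not _inside_bucket(r, bucket))

    return {"missing": sorted(wanted - granted), "overbroad_s3": sorted(overbroad)}


# Constructed policy documents for the demo (not from any real account).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DatadogCore", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
                    "organizations:DescribeOrganization"]},
        {"Sid": "AWSDatadogPermissionsForCloudtrail", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{CLOUDTRAIL_BUCKET}",
                      f"arn:aws:s3:::{CLOUDTRAIL_BUCKET}/*"]},
    ],
}
# A common mistake: wildcard S3 access on every bucket plus a partial CloudTrail grant.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudtrail:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        result = check_cloudtrail_policy(doc, CLOUDTRAIL_BUCKET, auto_subscribe=True)
        print(name, json.dumps(result))
```

Run it against the JSON you export from the IAM console (`json.load` the file and pass it as `policy`); a non-empty `overbroad_s3` list means the S3 statement is not limited to the CloudTrail bucket as this page requires, and `missing` tells you which table entries are still absent.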

### Log collection{% #log-collection %}

#### Enable logging{% #enable-logging %}

In AWS CloudTrail, [create a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) and select an S3 bucket to write the logs in.

#### Send logs to Datadog{% #send-logs-to-datadog %}

CloudTrail logs can be sent to Datadog through automatic log subscription, the Datadog Forwarder Lambda, or Amazon Data Firehose. Pick the option that matches how you already ship AWS logs.

**Option 1: Automatic log subscription (recommended)**

If log collection is enabled on the [Amazon Web Services integration](https://app.datadoghq.com/integrations/amazon-web-services), Datadog can [automatically set up triggers](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function.md?tab=awsconsole#automatically-set-up-triggers) for CloudTrail — discovering your trails and subscribing to their destinations (S3 buckets or CloudWatch Logs groups) without any per-trail wiring. Grant the additional `cloudtrail:ListTrails` and `cloudtrail:GetTrail` permissions listed above, enable CloudTrail log collection in the AWS integration tile, and Datadog provisions the subscription for you.

**Option 2: Datadog Forwarder Lambda**

1. If you haven't already, set up the [Datadog Forwarder Lambda function](https://docs.datadoghq.com/logs/guide/forwarder.md) in your AWS account.
1. Once set up, go to the Datadog Forwarder Lambda function. In the Function Overview section, click **Add Trigger**.
1. Select the **S3** trigger for the Trigger Configuration.
1. Select the S3 bucket that contains your CloudTrail logs.
1. Leave the event type as `All object create events`.
1. Click **Add** to add the trigger to your Lambda.

**Option 3: Amazon Data Firehose**

Follow the [Amazon Data Firehose destination setup](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-kinesis-firehose-destination.md) to stream CloudTrail logs directly to Datadog without the Forwarder Lambda.

Go to the [Log Explorer](https://app.datadoghq.com/logs) to start exploring your logs.

For more information on collecting AWS Services logs, see [Send AWS Services Logs with the Datadog Lambda Function](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function.md).

## Data Collected{% #data-collected %}

### Metrics{% #metrics %}

The AWS CloudTrail integration does not include any metrics.

### Events{% #events %}

The AWS CloudTrail integration creates many different events based on the AWS CloudTrail audit trail. All events are tagged with `#cloudtrail` in your Datadog [events explorer](https://docs.datadoghq.com/events.md). You can set their priority in the integration configuration.

CloudTrail events that can be set to normal priority (they appear in the events explorer under the default filter):

- apigateway
- autoscaling
- cloudformation
- cloudfront
- cloudsearch
- cloudtrail
- codedeploy
- codepipeline
- config
- datapipeline
- ds
- ec2
- ecs
- elasticache
- elasticbeanstalk
- elasticfilesystem
- elasticloadbalancing
- elasticmapreduce
- iam
- kinesis
- lambda
- monitoring
- rds
- redshift
- route53
- s3
- ses
- signin
- ssm
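To see how a raw trail delivery turns into the tagged events described in this section, here is an added example (not Datadog's ingestion code) that decodes a CloudTrail log object as CloudTrail writes it to S3, a gzip-compressed JSON document with a top-level `Records` list, and classifies each record using the service list above. One assumption is made: that each list entry is the host prefix of the record's `eventSource` (`iam` for `iam.amazonaws.com`, `monitoring` for CloudWatch). The three records are constructed for the demo, with a fake account ID and user name; the third one carries an `errorCode`, which is the field a defender usually wants surfaced first.

```python
import gzip
import io
import json

# Services from the normal-priority list on this page. Assumption made here:
# each entry is the host prefix of a record's eventSource
# ("iam" for "iam.amazonaws.com", "monitoring" for CloudWatch, and so on).
NORMAL_PRIORITY_SERVICES = frozenset({
    "apigateway", "autoscaling", "cloudformation", "cloudfront", "cloudsearch",
    "cloudtrail", "codedeploy", "codepipeline", "config", "datapipeline", "ds",
    "ec2", "ecs", "elasticache", "elasticbeanstalk", "elasticfilesystem",
    "elasticloadbalancing", "elasticmapreduce", "iam", "kinesis", "lambda",
    "monitoring", "rds", "redshift", "route53", "s3", "ses", "signin", "ssm",
})


def read_cloudtrail_object(data):
    """Decode one CloudTrail delivery object: gzip-compressed JSON whose
    top-level 'Records' list holds the API call records."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
        return json.load(fh).get("Records", [])


def service_of(record):
    """Map 'iam.amazonaws.com' to 'iam'; empty string when eventSource is absent."""
    return record.get("eventSource", "").split(".", 1)[0]


def to_event(record):
    """Turn a CloudTrail record into a Datadog-style event summary."""
    service = service_of(record)
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    return {
        "title": f"{record.get('eventName')} ({service}) by {actor}",
        "timestamp": record.get("eventTime"),
        "priority": "normal" if service in NORMAL_PRIORITY_SERVICES else "low",
        "error": record.get("errorCode"),
        "tags": ["#cloudtrail", f"service:{service}", f"region:{record.get('awsRegion')}"],
    }


def summarize(data):
    """Counts by priority plus the titles of failed calls, for one log object."""
    events = [to_event(r) for r in read_cloudtrail_object(data)]
    return {
        "normal": sum(1 for e in events if e["priority"] == "normal"),
        "low": sum(1 for e in events if e["priority"] == "low"),
        "errors": [e["title"] for e in events if e["error"]],
    }


# Constructed records in CloudTrail's record layout; account id and names are fake.
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T12:00:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "svc-new"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T12:00:05Z",
     "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T12:00:09Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
]


def sample_object():
    """Build the gzipped object CloudTrail would have written to the bucket."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode("utf-8"))


if __name__ == "__main__":
    print(json.dumps(summarize(sample_object()), indent=2))
```

The `sts` record lands at low priority because `sts` is not in the list above, which is exactly the kind of call you may want to raise on the integration tile if role assumption matters to your monitoring; the denied `RunInstances` call is counted as normal priority (EC2 is listed) and also reported under `errors`.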

### Service Checks{% #service-checks %}

The AWS CloudTrail integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

### The CloudTrail tile is missing or there are no accounts listed{% #the-cloudtrail-tile-is-missing-or-there-are-no-accounts-listed %}

Configure the [Amazon Web Services](https://docs.datadoghq.com/integrations/amazon_web_services.md) integration first. The CloudTrail tile can only be configured after that, and it lists only the accounts set up there.

### Permission or configuration issues{% #permission-or-configuration-issues %}

Permission errors related to CloudTrail (for example, missing `s3:GetObject` on a trail bucket, or inactive trails) are surfaced on the main [Amazon Web Services integration tile](https://docs.datadoghq.com/integrations/amazon_web_services.md), not on the CloudTrail tile.
