AWS CloudTrail
Incident Management is now generally available! Incident Management is now generally available!

AWS CloudTrail

Crawler Crawler

Overview

AWS CloudTrail provides an audit trail for your AWS account. Datadog reads this audit trail and creates events. Search your Datadog events stream for these events or use them for correlation on your dashboards. Here is an example of a CloudTrail event:

cloudtrail event

For information on other AWS services, see the Amazon Web Services integration page

Note: The CloudTrail integration does not support Organization Trails.

Setup

Installation

If you haven’t already, set up the Amazon Web Services integration first.

Event collection

  1. Add the following permissions to your Datadog IAM policy to collect AWS CloudTrail metrics. For more information on CloudTrail policies, review the documentation on the AWS website. CloudTrail also requires some S3 permissions to access the trails. These are required on the CloudTrail bucket only. For more information on Amazon S3 policies, review the documentation on the AWS website.

    AWS PermissionDescription
    cloudtrail:DescribeTrailsLists trails and the s3 bucket the trails are stored in.
    cloudtrail:GetTrailStatusSkips inactive trails.
    s3:ListBucketLists objects in the CloudTrail bucket to get available trails.
    s3:GetBucketLocationObtains the bucket’s region to download trails.
    s3:GetObjectFetches available trails.
    s3:ListObjectsReturns some or all (up to 1,000) of the objects in a bucket.

    Add this policy to your existing main Datadog IAM policy:

    {
    "Sid": "AWSDatadogPermissionsForCloudtrail",
    "Effect": "Allow",
    "Principal": {
        "AWS": "<ARN_FROM_MAIN_AWS_INTEGRATION_SETUP>"
    },
    "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:ListObjects"],
    "Resource": [
        "arn:aws:s3:::<YOUR_S3_CLOUDTRAIL_BUCKET_NAME>",
        "arn:aws:s3:::<YOUR_S3_CLOUDTRAIL_BUCKET_NAME>/*"
    ]
}

    Note: The principal ARN is the one listed during the installation process for the main AWS integration. If you are updating your policy (as opposed to adding a new one), you don’t need the SID or the Principal.

  2. Install the Datadog - AWS Cloudtrail integration: On the integration tile, choose the types of events to show as normal priority (the default filter) in the Datadog events stream. The accounts you configured in the Amazon Web Services tile are also shown here. If you would like to see other events that are not mentioned here, please reach out to Datadog support.

Log collection

Enable Cloudtrail Logging

When you define your Trails, select a S3 bucket to write the logs in:

Cloudtrail logging

Send Logs to Datadog

  1. If you haven’t already, set up the Datadog log collection AWS Lambda function.
  2. Once the lambda function is installed, manually add a trigger on the S3 bucket that contains your Cloudtrail logs. In the AWS console, in your Lambda, click on S3 in the trigger list:
    S3 trigger configuration
    Configure your trigger by choosing the S3 bucket that contains your Cloudtrail logs and change the event type to Object Created (All) then click on the add button:
    S3 Lambda trigger configuration

When finished, the logs are displayed in your Datadog Log Explorer.

Data Collected

Metrics

The AWS Cloudtrail integration does not include any metrics.

Events

The AWS Cloudtrail integration creates many different events based on the AWS Cloudtrail audit trail. All events are tagged with #cloudtrail in your Datadog events stream.

Service Checks

The AWS Cloudtrail integration does not include any service checks.

Troubleshooting

I don’t see a CloudTrail tile or there are no accounts listed

You need to first configure the Amazon Web Services tile. Then the CloudTrail tile can be configured.

On this Page