Amazon CloudTrail
| Samurai [Local] Collector | Samurai [Cloud] Collector |
|---|---|
This guide describes the steps required to configure Amazon Web Services (AWS) to deliver CloudTrail logs to an S3 bucket, from which they are ingested into Samurai via a cloud collector.
Prerequisites
Ensure that an AWS cloud collector has been deployed via the Samurai MDR portal.
If you are planning to reuse an already deployed cloud collector, the information can be found as follows:
- Navigate to the Samurai MDR portal.
- Click Telemetry and select Collectors from the main menu.
- Click on the name of the desired collector.
- Note down the following information:
  - Account number
  - Bucket name
  - Region
Alternatively, you can use the integration setup wizard in the Samurai MDR portal for the desired telemetry source listed on the Product Integration Guide page; it provides the same information required to set up your telemetry source.
Enabling CloudTrail Logs
Follow the AWS documentation guide:
When following the vendor documentation, please perform the following adjustments:
- Enable for all accounts in my organization: Recommended to enable.
- Storage Location: Use existing S3 Bucket.
- Trail log bucket name: Select the S3 bucket which you set up during creation of the cloud collector.
- Prefix: Leave empty.
- Log file SSE-KMS encryption: If enabled, extend the KMS key policy by adding the following statement to its `Statement` array (in a KMS key policy, `"Resource": "*"` refers to the key the policy is attached to, not to every key in the account):

```json
{
    "Sid": "Allow NTTHS Samurai account to use this KMS key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::600502389717:root"
    },
    "Action": [
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}
```
- Event Type: At minimum, Management events.
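As an added example (not Samurai's own tooling), the following Python checks a trail description and its KMS key policy against the adjustments listed above: organization trail, collector bucket, empty prefix, the Samurai key-policy statement, and management events. The dicts follow the shapes returned by boto3's `describe_trails()` and `get_key_policy()`, but the sample trail, account `111122223333` and bucket name are constructed placeholders.

```python
"""Check a CloudTrail trail description and KMS key policy against the settings this
guide asks for. Added example, not Samurai's tooling; the dicts mirror the shapes
boto3's describe_trails() / get_key_policy() return, but the sample data is constructed."""
SAMURAI_PRINCIPAL = "arn:aws:iam::600502389717:root"  # principal quoted in the guide
REQUIRED_KMS_ACTIONS = {"kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"}

def kms_policy_allows_samurai(policy_doc):
    """True if an Allow statement grants the Samurai account every required action."""
    for stmt in policy_doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if stmt.get("Effect") != "Allow" or SAMURAI_PRINCIPAL not in aws:
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if REQUIRED_KMS_ACTIONS <= actions or "kms:*" in actions:
            return True
    return False

def trail_findings(trail, collector_bucket, key_policy_doc=None, management_events=True):
    """Return the deviations from the guide as strings; an empty list means compliant."""
    findings = []
    if not trail.get("IsOrganizationTrail"):
        findings.append("not an organization trail (guide recommends enabling it)")
    if trail.get("S3BucketName") != collector_bucket:
        findings.append(f"writes to {trail.get('S3BucketName')!r}, expected {collector_bucket!r}")
    if trail.get("S3KeyPrefix"):
        findings.append(f"prefix {trail['S3KeyPrefix']!r} is set; guide says leave it empty")
    if trail.get("KmsKeyId"):  # SSE-KMS enabled: the key policy must admit the Samurai account
        if key_policy_doc is None:
            findings.append("SSE-KMS enabled but no key policy supplied to check")
        elif not kms_policy_allows_samurai(key_policy_doc):
            findings.append("KMS key policy lacks the Samurai statement from the guide")
    if not management_events:
        findings.append("management events not logged; guide requires them at minimum")
    return findings

# Constructed sample: org setting off, and a key policy with only the account-admin statement.
SAMPLE_TRAIL = {"Name": "samurai-trail", "S3BucketName": "example-collector-bucket", "S3KeyPrefix": "",
                "IsOrganizationTrail": False, "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for finding in trail_findings(SAMPLE_TRAIL, "example-collector-bucket", SAMPLE_KEY_POLICY):
        print("-", finding)
```

Feed it the live output of `describe_trails()["trailList"][0]` and `json.loads(get_key_policy(...)["Policy"])` to audit a real trail.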
Our integration guide was accurate at the time of writing, but vendors change things frequently. If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.