CloudTrail Installation Instructions

How to Integrate CloudTrail with BigPanda

Create an App Key

First create an App Key. You'll need a separate App Key for each integrated system.

Create a BigPanda API Key

1. Follow these instructions on generating an API Key

2. Note the API Key for use later in the setup

Create an AWS IAM Role for BigPanda

1. In your AWS account, begin the creation of a new IAM role

2. For Type of Trusted Entity select Another AWS Account and provide the account ID: 103749124141

3. Select the checkbox for Require external ID and provide a random, unguessable string for the External ID (generate it with a CSPRNG rather than typing one by hand, and do not reuse a value from another integration). Note the value for use later in these instructions. The External ID is what stops a third party who learns your role ARN from having BigPanda's account assume the role on their behalf (the confused-deputy problem), so treat it as a secret.

4. Ensure the Require MFA box is NOT checked. The role is assumed by a service, which cannot present an MFA token; with the box checked every AssumeRole call would fail.

5. Click the Next button to move on to permissions

6. Click the Create Policy button to create a new IAM policy for this role, a new browser tab should open

7. In the JSON tab, paste the policy below, replacing BUCKET_NAME_HERE with the name of the S3 bucket that holds your CloudTrail events. The policy grants s3:GetObject only: the S3 event notification configured later supplies the object keys, so no s3:ListBucket is needed. If the bucket's objects are encrypted with SSE-KMS, the role also needs kms:Decrypt on that key, or the reads will be denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBigPandaGetObject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET_NAME_HERE/*"
    }
  ]
}

8. Click Review Policy and name your policy, then click Create Policy

9. Once the policy is created, return to the role creation tab, click the refresh button, then search for and select your new policy

10. Proceed to the Review step of role creation and name your role, then click Create Role

11. Locate your new role and note down its ARN

For more information please view AWS documentation here.
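The console steps above produce two IAM documents that the page never shows: the role's trust policy (steps 2 to 4) and the permission policy (step 7). The following is an added example, not BigPanda's or AWS's code, that builds both so they can be reviewed or applied with the AWS CLI, and audits an existing trust policy for the properties the steps require (only BigPanda's account as principal, an sts:ExternalId condition, no MFA condition). BigPanda's account ID and the s3:GetObject policy come from the page; the role name, bucket name and the audit thresholds are illustrative assumptions.

```python
"""Added example (not BigPanda's or AWS's code): build and audit the IAM
documents behind the console steps.  Account ID and permission policy are
from the page; names and audit thresholds are illustrative assumptions."""
import json
import secrets

BIGPANDA_ACCOUNT_ID = "103749124141"  # BigPanda's account ID, from step 2


def generate_external_id(nbytes: int = 32) -> str:
    """Unguessable External ID from the OS CSPRNG (2*nbytes hex characters)."""
    return secrets.token_hex(nbytes)


def build_trust_policy(external_id: str, trusted_account: str = BIGPANDA_ACCOUNT_ID) -> dict:
    """Trust policy the console produces for 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_permission_policy(bucket_name: str) -> dict:
    """The read-only policy from step 7 with BUCKET_NAME_HERE filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowBigPandaGetObject",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
            }
        ],
    }


def audit_trust_policy(policy: dict, expected_account: str = BIGPANDA_ACCOUNT_ID) -> list:
    """Return findings for a role trust policy; an empty list means it matches steps 2-4."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in aws if isinstance(aws, list) else [aws]:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume this role")
            elif expected_account not in str(p):
                findings.append(f"unexpected principal {p!r}")
        condition = stmt.get("Condition", {})
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition: no confused-deputy protection")
        elif len(external_id) < 16:  # illustrative threshold
            findings.append("sts:ExternalId is short enough to guess")
        if "aws:MultiFactorAuthPresent" in json.dumps(condition):
            findings.append("MFA condition present: the service cannot satisfy it and AssumeRole will fail")
    return findings


if __name__ == "__main__":
    ext_id = generate_external_id()
    trust = build_trust_policy(ext_id)
    print("External ID (keep secret):", ext_id)
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_permission_policy("my-cloudtrail-bucket"), indent=2))
    print("trust policy findings:", audit_trust_policy(trust) or "none")
```

Write the two JSON documents to files and apply them with `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json` followed by `aws iam put-role-policy --role-name <name> --policy-name AllowBigPandaGetObject --policy-document file://permissions.json`. To audit a role that was created by hand, feed the `AssumeRolePolicyDocument` returned by `aws iam get-role` to `audit_trust_policy`.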

Name      Value
api_key   API Key Created Earlier
app_key   $YOUR_APP_KEY

Subscribe to the Integration

1. Construct a JSON body with the required properties

{
  "apiKey": "*API Key Created Earlier*",
  "appKey": "$YOUR_APP_KEY",
  "bucket_name": "S3_BUCKET_NAME",
  "bucket_region": "S3_BUCKET_REGION",
  "iam_role_arn": "CREATED_ROLE_ARN",
  "iam_role_external_id": "CREATED_EXTERNAL_ID"
}

2. POST to the following CloudTrail API: $INTEGRATIONS_API_BASE_URL/cloudtrail/changes/subscribe

// example POST cURL command
curl -X POST \
  $INTEGRATIONS_API_BASE_URL/cloudtrail/changes/subscribe \
  -H 'Content-Type: application/json' \
  -d '{
  "apiKey": "*API Key Created Earlier*",
  "appKey": "$YOUR_APP_KEY",
  "bucket_name": "BUCKET_NAME",
  "bucket_region": "S3_BUCKET_REGION",
  "iam_role_arn": "CREATED_ROLE_ARN",
  "iam_role_external_id": "CREATED_EXTERNAL_ID"
}'

Add S3 Event Notification

1. Go to the advanced settings in the Properties tab of your S3 bucket

2. Select the Events widget and click Add notification

3. Add Name

4. Select All object create events option for Events

5. Add the following under Prefix, including the trailing slash: AWSLogs/<YOUR_AWS_ACCOUNT_NUMBER>/CloudTrail/

  • Note: BigPanda does not need the CloudTrail Digest files. The filter is a plain string prefix, so without the trailing slash it would also match AWSLogs/<YOUR_AWS_ACCOUNT_NUMBER>/CloudTrail-Digest/ and push those files to BigPanda's queue as well

6. Select SNS topic for Destination

7. Under Specify SNS topic, select Enter SNS topic ARN

8. Add BigPanda's SNS Topic ARN: arn:aws:sns:<S3_BUCKET_REGION>:103749124141:int-cloudtrail-prod-us-east-1

For more information please view our documentation here.
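The prefix filter in step 5 is the one setting in this procedure that is easy to get subtly wrong, because S3 applies it as a plain string prefix. The following is an added example, not BigPanda's or AWS's code, that runs the filter over constructed object keys in the layout CloudTrail uses for event logs and digest files, shows which digest files a prefix without the trailing slash would push, and builds the equivalent PutBucketNotificationConfiguration payload for steps 3 to 8. The account number, region and object keys are constructed sample data; the topic ARN is the one from step 8 and the notification Id is an illustrative name.

```python
"""Added example (not BigPanda's or AWS's code): what the step 5 prefix
filter selects, and the API payload equivalent to steps 3-8.  Account,
region and keys are constructed sample data."""
import json

ACCOUNT = "111122223333"  # constructed sample AWS account number
REGION = "us-east-1"      # constructed sample bucket region
BIGPANDA_TOPIC_ARN = f"arn:aws:sns:{REGION}:103749124141:int-cloudtrail-prod-us-east-1"  # from step 8

# Constructed keys in the layout CloudTrail writes event logs and digest files with.
SAMPLE_KEYS = [
    f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/01/15/{ACCOUNT}_CloudTrail_us-east-1_20240115T0005Z_a1b2c3d4.json.gz",
    f"AWSLogs/{ACCOUNT}/CloudTrail/eu-west-1/2024/01/15/{ACCOUNT}_CloudTrail_eu-west-1_20240115T0005Z_e5f6a7b8.json.gz",
    f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/01/15/{ACCOUNT}_CloudTrail-Digest_us-east-1_20240115T000000Z.json.gz",
    f"AWSLogs/{ACCOUNT}/Config/us-east-1/2024/1/15/ConfigSnapshot/snapshot.json.gz",
]


def cloudtrail_prefix(account: str) -> str:
    """Prefix from step 5, with the trailing slash that keeps CloudTrail-Digest/ out."""
    return f"AWSLogs/{account}/CloudTrail/"


def matching_keys(keys, prefix):
    """S3 notification prefix filters are plain string prefixes, nothing more."""
    return [k for k in keys if k.startswith(prefix)]


def digest_keys_leaked(keys, prefix):
    """Digest files that a given prefix would push to BigPanda's queue."""
    return [k for k in matching_keys(keys, prefix) if "/CloudTrail-Digest/" in k]


def notification_configuration(prefix: str, topic_arn: str = BIGPANDA_TOPIC_ARN) -> dict:
    """Steps 3-8 as a PutBucketNotificationConfiguration payload."""
    return {
        "TopicConfigurations": [
            {
                "Id": "bigpanda-cloudtrail",       # the Name from step 3 (illustrative)
                "TopicArn": topic_arn,
                "Events": ["s3:ObjectCreated:*"],  # 'All object create events'
                "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}},
            }
        ]
    }


if __name__ == "__main__":
    loose = f"AWSLogs/{ACCOUNT}/CloudTrail"
    strict = cloudtrail_prefix(ACCOUNT)
    print("without trailing slash, digest files pushed:", digest_keys_leaked(SAMPLE_KEYS, loose))
    print("with trailing slash, digest files pushed:", digest_keys_leaked(SAMPLE_KEYS, strict))
    print(json.dumps(notification_configuration(strict), indent=2))
```

To apply the payload from code, pass it as `NotificationConfiguration` to boto3's `s3.put_bucket_notification_configuration(Bucket=..., NotificationConfiguration=cfg)`. That call replaces the bucket's entire notification configuration, so fetch the existing one with `get_bucket_notification_configuration` and merge before writing, or you will silently drop other consumers of the bucket's events.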

Removing the Integration

The following steps remove the integration:

1. Delete the S3 Event Notification on the desired Bucket

2. Delete the IAM Role and Permissions associated to this integration

3. Unsubscribe from the integration with the following cURL command

// example DELETE cURL command
curl -X DELETE \
  $INTEGRATIONS_API_BASE_URL/cloudtrail/changes/subscribe \
  -H 'Content-Type: application/json' \
  -d '{
  "apiKey": "*API Key Created Earlier*",
  "bucket_name": "BUCKET_NAME"
}'