Amazon CloudTrail

AWS CloudTrail helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Event history – The Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region.

CloudTrail Lake – AWS CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit and security purposes. CloudTrail Lake converts existing events in row-based JSON format to Apache ORC format.

Trails – Trails capture a record of AWS activities, delivering and storing these events in an Amazon S3 bucket, with optional delivery to CloudWatch Logs and Amazon EventBridge. You can input these events into your security monitoring solutions.

More information can be found here.

Integration Method: API Ingest

Tables: Account change (3001), Authentication (3002), API Activity (6003)

This integration supports the following events.

This integration supports the following versions.

Note:

AWS CloudTrail is a continuously updated cloud service. As of this document preparation, latest release was on Feb 28, 2025.

Prerequisites

The user should have access to the DataBee console.

AWS CloudTrail configuration Logs

Please refer to configure CloudTrail logs for management activities.

AWS Access Key and Secret Key  

Refer to this common procedure on how to create an IAM user, configure the AWS Access Key and AWS Secret Key, attach an IAM policy with required permissions.

Configuration Overview

1. Generate an AWS Access Key & Secret Key with the required IAM policies.

2. Configure the AWS CloudTrail in the DataBee console with the required Access Key and Secret Key.

   DataBee Parameter	AWS CloudTrail Parameter
   Access Key	AWS Access Key
   Secret Key	AWS Secret Key
   AWS Region	AWS Region
   Service Name	cloudtrail

AWS CloudTrail Configuration

Ensure AWS Access Key is associated with the service user which has been attached to an IAM policy with following Actions allowed. The following example shows a policy that grants read-only access to CloudTrail trails. This is equivalent to the managed policy AWSCloudTrail_ReadOnlyAccess. It grants users permission to see trail information, but not to create or update trails.

Refer here more info on the policy.

Minimum IAM policy required:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudtrail:Get*",
        "cloudtrail:Describe*",
        "cloudtrail:List*",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    }
  ]
}

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the AWS CloudTrail and click it as shown below.
    

3. Click on the API Ingest option for collection method.

   
   

4. Enter feed contact information and click Next.

    

5. In the configuration page, confirm the following:

• API Base URL: this is the base URL that DataBee will interact with. Replace AWS Region in the placeholder.

• Authorization Method: AWS Signature

• Access key: paste the AWS client access key.

• Secret key: paste the AWS client secret key.

• Session token can be left empty.

• AWS region – region

• Service name: cloudtrail

• Event types: preselected for all the event types that integration pulls.
  
  
   

  6. Click Submit.

Troubleshooting Tips

• Ensure the Access Key, Secret Key are pasted correctly. Since you cannot view the Secret Key after the 1^st time, re-create the Access Key & Secret Key, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

• Ensure the appropriate privileges are assigned for client creds.