AWS CloudTrail Setup

This guide walks you through integrating AWS CloudTrail with RAD Security. This integration imports CloudTrail logs directly from your S3 bucket to provide comprehensive visibility into user activity, API usage, and potential security threats. The setup process involves:

Configuring AWS IAM permissions to allow RAD Security to access CloudTrail buckeet.
Configuring the integration in RAD Security

Prerequisites

Before you begin, ensure you have:

AWS CloudTrail enabled and configured to log to an Amazon S3 bucket. Please check details in official AWS docs.
Access to the AWS account to configure required IAM settings or apply Terraform
Access to RAD Security app

Step 1. Enabling access to CloudTrail bucket

You can configure this integration using our official Terraform module (recommended) or manually.

Terraform (Recommended)
Manual Setup

We recommend using our official Terraform module to automatically provision the necessary configuration.

Usage

You can use the guide in the RAD Security app by navigating to Data sources -> Add new -> Cloud provider.The following confguration needs to be included in the module to allow access to the S3 bucket.

module "rad-security-connect" {
  source  = "rad-security/rad-security-connect/aws"
  version = "x.x.x"

  aws_external_id                = "<external-id>"

  readonly_s3_buckets = [
    "<cloudtrail-bucket>"
  ]
}

For full variable documentation and examples, visit the RAD Security Terraform Repository.

If you cannot use our Terraform module, you can create the required role manually.The role must be called rad-security-connect and provide allow the following statements:

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<cloudtrail-bucket>"
    },
    {
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<cloudtrail-bucket>/*"
    }
  ],
  "Version": "2012-10-17"
}

It also has to configure include the trust policy to allow cross-account access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::955322216602:role/rad-security-connector"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<external-id>"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::955322216602:role/rad-security-connector"
      },
      "Action": "sts:TagSession"
    }
  ]
}

Step 2: Confguring the integration in RAD Security app

Navigate to your Data sources -> Integrations -> AWS -> CloudTrail -> Add integration Provide the required options.

Parameter	Description	Example
Integration Name		`Production account`
S3 Bucket Name	The name of the S3 bucket storing CloudTrail logs	`prod-cloudtrail-logs`
S3 Bucket AWS Account ID	The AWS Account ID of the S3 bucket storing CloudTrail logs	`1234567890`

Click Verify and Create.

Getting Started

Platform

Data Sources

Security & Compliance

Resources

CloudTrail

AWS CloudTrail Setup

Prerequisites

Step 1. Enabling access to CloudTrail bucket

Usage

Step 2: Confguring the integration in RAD Security app

Getting Started

Platform

Data Sources

Security & Compliance

Resources

​AWS CloudTrail Setup

​Prerequisites

​Step 1. Enabling access to CloudTrail bucket

​Usage

​Step 2: Confguring the integration in RAD Security app

AWS CloudTrail Setup

Prerequisites

Step 1. Enabling access to CloudTrail bucket

Usage

Step 2: Confguring the integration in RAD Security app