Configure the webhook in AWS CloudTrail
Subscribe your endpoint webhook to a topic so that the endpoint receives messages published to that topic.
Before you begin
Ensure you have an account in AWS.
Role required: Responder, Manager, or Administrator
About this task
In the console, you create a trail that logs events in all AWS Regions that you have enabled. This is a recommended best practice.
- Log in to the AWS console.
Open the CloudTrail console.
On the CloudTrail home page, from Trails section of the Dashboard page, choose
On the Choose trail attributes page, perform the following actions:
- In the Trail name field, type a name for your trail.
- For Storage location, choose Create
new S3 bucket to create a bucket. When you create a
bucket, CloudTrail creates and applies the required bucket
policies.Note: If you select Use existing S3 bucket, specify a bucket in Trail log bucket name, or choose Browse to choose a bucket. The bucket policy must grant CloudTrail permission to write to it. In the Trail log bucket and folder field, the S3 bucket name is auto-populated.
- Select the Log file SSE-KMS encryption check
It encrypts your log files with SSE-KMS instead of SSE-S3. If you enable SSE-KMS encryption, choose a New or Existing AWS KMS key. In AWS KMS Alias, specify an alias, in the format alias/MyAliasName.
In the Additional settings section, configure the following:
- Select the Log file validation check box to have log digests delivered to your S3 bucket.
- Select the SNS notification delivery check box to
get notification each time a log is delivered to your
CloudTrail stores multiple events in a log file. SNS notifications are sent for every log file, not for every event.
- For Create a new SNS topic, choose New to create a topic, or choose Existing to use an existing topic. If you are creating a trail that applies to all Regions, SNS notifications for log file deliveries from all Regions are sent to the single SNS topic that you create. If you choose New, CloudTrail specifies a name for the new topic for you, or you can type a name. If you choose Existing, choose an SNS topic from the drop-down list. You can also enter the ARN of a topic from another Region or from an account with appropriate permissions.
The CloudTrail is created.
In the AWS console, search for Simple Notification
- Open Simple Notification Service and from the left navigation pane, select Topics.
- Create or select a topic to create a subscription.
From the left navigation pane, select
Click Create Subscription.
- In the Topic ARN field, select the topic that you have already created for AWS CloudTrail.
- In the Protocol field, select HTTPS.
- In the Endpoint field, enter the webhook copied
from Incident Response.
Enter the remaining fields depending on your requirements.
- Click Create Subscription.
If the subscription is successful, the subscription status is changed to confirmed from pending. You are ready to subscribe to messages on the topic. The alert created between CloudTrail and Incident Response is always set to Priority 4 (low priority).
To test the integration:
- From the left navigation pane, click Topics and from the existing Topics list, click to open the topic.
- Click Publish message.
- In the Message body section, enter the sample alert payload given at
Sample alert for AWS CloudTrail to test the
- Click Publish message.
This creates a sample alert in Lightstep Incident Response.