Configure the webhook in AWS CloudTrail

Subscribe your endpoint webhook to a topic so that the endpoint receives messages published to that topic.

Before you begin

Ensure you have an account in AWS.

Role required: Responder, Manager, or Administrator

About this task

Note: While this integration with a third-party product is supported, the documentation here is based upon information provided by that third party. More current information about the operation of that third party's system may be available from them directly.

In the console, you create a trail that logs events in all AWS Regions that you have enabled. This is a recommended best practice.


  1. Log in to the AWS console.
  2. Open the CloudTrail console.
  3. On the CloudTrail home page, from the Trails section of the Dashboard page, choose Create trail.
  4. On the Choose trail attributes page, perform the following actions:
    1. In the Trail name field, type a name for your trail.
    2. For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies.
      Note: If you select Use existing S3 bucket, specify a bucket in Trail log bucket name, or choose Browse to choose a bucket. The bucket policy must grant CloudTrail permission to write to it. In the Trail log bucket and folder field, the S3 bucket name is auto-populated.
    3. Select the Log file SSE-KMS encryption check box.

      This encrypts your log files with SSE-KMS instead of SSE-S3. If you enable SSE-KMS encryption, choose a New or Existing AWS KMS key. In AWS KMS Alias, specify an alias in the format alias/MyAliasName.

  5. In the Additional settings section, configure the following:
    1. Select the Log file validation check box to have log digests delivered to your S3 bucket.
    2. Select the SNS notification delivery check box to get a notification each time a log is delivered to your bucket.

      CloudTrail stores multiple events in a log file. SNS notifications are sent for every log file, not for every event.

    3. For Create a new SNS topic, choose New to create a topic, or choose Existing to use an existing topic. If you are creating a trail that applies to all Regions, SNS notifications for log file deliveries from all Regions are sent to the single SNS topic that you create. If you choose New, CloudTrail specifies a name for the new topic for you, or you can type a name. If you choose Existing, choose an SNS topic from the drop-down list. You can also enter the ARN of a topic from another Region or from an account with appropriate permissions.
  6. Click Next.

    The trail is created.

  7. In the AWS console, search for Simple Notification Service.
  8. Open Simple Notification Service and from the left navigation pane, select Topics.
  9. Create or select a topic to create a subscription.
  10. From the left navigation pane, select Subscriptions.
  11. Click Create Subscription.
    On the Create subscription form, perform the following actions:
    1. In the Topic ARN field, select the topic that you have already created for AWS CloudTrail.
    2. In the Protocol field, select HTTPS.
    3. In the Endpoint field, enter the webhook copied from Incident Response.

      Enter the remaining fields depending on your requirements.

    4. Click Create Subscription.

      If the subscription is successful, the subscription status changes from pending to confirmed. You are ready to subscribe to messages on the topic. The alert created between CloudTrail and Incident Response is always set to Priority 4 (low priority).

  12. Optional: To test the integration:
    1. From the left navigation pane, click Topics and from the existing Topics list, click to open the topic.
    2. Click Publish message.

    3. In the Message body section, enter the sample alert payload given at Sample alert for AWS CloudTrail to test the integration.

    4. Click Publish message.

      This creates a sample alert in Lightstep Incident Response.
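
The settings chosen in steps 4, 5, and 11 can be checked after the trail and subscription exist. The following Python check is an added example, not part of the original procedure or the vendor's tooling. It audits JSON shaped like the output of aws cloudtrail describe-trails and aws sns list-subscriptions-by-topic; the trail names, ARNs, key ID, and webhook URL are constructed placeholders.

```python
import json

# Constructed samples (not real account data), shaped like the output of
# `aws cloudtrail describe-trails` and `aws sns list-subscriptions-by-topic`.
TOPIC = "arn:aws:sns:us-east-1:111122223333:cloudtrail-logs"  # placeholder ARN
WEBHOOK = "https://webhook.example.invalid/cloudtrail"        # placeholder URL
TRAILS = json.loads("""{"trailList": [
  {"Name": "all-regions-trail", "IsMultiRegionTrail": true,
   "LogFileValidationEnabled": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
   "SnsTopicARN": "arn:aws:sns:us-east-1:111122223333:cloudtrail-logs"},
  {"Name": "legacy-trail", "IsMultiRegionTrail": false,
   "LogFileValidationEnabled": false}]}""")["trailList"]
SUBS = json.loads("""{"Subscriptions": [
  {"SubscriptionArn": "PendingConfirmation", "Protocol": "https",
   "Endpoint": "https://webhook.example.invalid/cloudtrail",
   "TopicArn": "arn:aws:sns:us-east-1:111122223333:cloudtrail-logs"}]}""")["Subscriptions"]

def audit_trail(trail):
    """Return findings where a trail deviates from the settings in steps 4 and 5."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail does not log events in all Regions")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off (no digest files)")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not SSE-KMS encrypted")
    if not trail.get("SnsTopicARN"):
        findings.append("no SNS topic for log delivery notifications")
    return findings

def audit_subscription(subs, topic_arn, endpoint):
    """Check that the webhook holds a confirmed HTTPS subscription on the topic."""
    for sub in subs:
        if sub.get("TopicArn") != topic_arn or sub.get("Endpoint") != endpoint:
            continue
        if sub.get("Protocol") != "https":
            return ["webhook subscription does not use HTTPS"]
        if sub.get("SubscriptionArn") == "PendingConfirmation":
            return ["webhook subscription is still pending confirmation"]
        return []
    return ["webhook endpoint is not subscribed to the trail's topic"]

if __name__ == "__main__":
    for trail in TRAILS:
        print(trail["Name"], audit_trail(trail) or "OK")
    print("subscription", audit_subscription(SUBS, TOPIC, WEBHOOK) or "OK")
```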