1,295 questions
Gathering AWS CloudTrail logs from multiple accounts in a single bucket (AWS Control Tower)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 23%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG1%3C/text%3E%3C/svg%3E)
GS-1714
6
Reputation points
Our organization is using an AWS multi-account structure, and we leverage AWS Control Tower to provision accounts, handle certain security restrictions, and centralize CloudTrail logs.
With Control Tower, the CloudTrail logs of all accounts end up in a single S3 bucket that is owned by the "Log Archive" account.
To integrate with Azure Sentinel, we created an IAM Role with the "CloudTrail Read-Only" policy (as described in the AWS connector documentation page) in the Log Archive account. We can see logs pertaining to the Log Archive account in Sentinel / Log Analytics, but not the logs of any of the other AWS accounts (which we do see in the S3 bucket).
As a workaround, we can configure the AzureSentinel role in each of the AWS accounts and add the role ARNs individually to the connector settings (which should work, but we haven't yet tested it). However, that means we need to keep track of each AWS account that is created by Control Tower and ensure that we don't forget to configure it on the Azure Sentinel side -- a somewhat risky approach in the long-run.
Is there a recommended way of dealing with this type of situation? Is anyone aware of upcoming changes to Sentinel that would address this?
Thank you
Microsoft Security | Microsoft Sentinel
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator2020-12-07T04:43:05.507+00:00 @GS-1714 ,
Could you please share the CloudTrail ReadOnly Policy configuration . In my case the policy looks like below. I do not have multiple AWS accounts to test your scenario but I am trying to get help internally to see if we can test it . I agree that adding azure Sentinel role in each of AWS accounts might work as it seems in theory but that will add to a manual task of making sure every AWS account gets added in the long run. Please share . It might also be possible that it is some permission issue on how logs from different accounts can be read from S3 . If you can share the policy details on your side , we can take it forward accordingly .
Sign in to comment
Sign in to answer