Amazon Web Services

Depending on your preference for CloudTrail log collection, you can configure your Amazon Web Services (AWS) connector in multiple ways.

Prerequisites

  • You must have the ability to create IAM roles and policies in your AWS Management Account.
  • You must have familiarity with AWS CloudFormation and CloudTrail services.

Option 1: Configure without a CloudTrail log collection

  1. In Identity Security Insights, from the left menu, click Menu > Connectors.
    The Connectors page displays.

  2. Click the Available tab.

  3. Locate AWS and click Create Connector.

  4. Enter a human-readable name for your connector.

  5. Click the AWS Organization link.
    Your AWS Organization account opens in a new tab.

  6. In your AWS account, navigate to the My Account page.

  7. In the Root details section, copy the Root Organizational Unit ID (for example, r-ad12).

  8. Back in Insights, on the Create New Connector screen, click the CloudFormation Template link.

    Note: This template creates an IAM role and policy for Insights to use when accessing your AWS resources. To use the template provided by the AWS connector, a credit card must be associated with your AWS account.

    The AWS CloudFormation Create Stack wizard opens with pre-populated parameters.

  9. In the wizard's Parameters section, verify the following parameters:

    • AwsRegion: Ensure this is the correct AWS region for your deployment. The supported AWS regions are: us-east-1 and eu-central-1.
    • RootOrgUnitId: Paste the Root Organizational Unit ID copied from the Root details section in AWS.
    • BtConnectorExternalID: Ensure this matches the External ID provided by Identity Security Insights (for example, abcdef-1234567890/ABCDEF).
    • EnableCloudTrail: Select No.
  10. In the wizard's Capabilities section, check the required boxes to acknowledge that AWS CloudFormation may create IAM resources.

  11. Click Create stack.
    Stack creation may take several minutes.

  12. Once the stack creation completes, in the AWS CloudFormation template, click the Outputs tab.

  13. Copy the BtOrgRoleArn value.

  14. In Insights, paste the BtOrgRoleArn value in the IAM Role ARN field.

  15. In the Select CloudTrail Log collection preference drop-down, select No.

  16. Review all information on the Identity Security Insights Create AWS Connector screen.

  17. Click Create Connector.
    The AWS connector is created without CloudTrail log collection.

Option 2: Configure with a new CloudTrail, created by Insights

  1. In Identity Security Insights, from the left menu, click Menu > Connectors.
    The Connectors page displays.

  2. Click the Available tab.

    1. Locate AWS and click Create Connector.
    2. Enter a human-readable name for your connector.
  3. Obtain your Root Organizational Unit ID from AWS:

    1. Click the AWS Organization link.
      Your AWS Organization account opens in a new tab.
    2. In your AWS account, navigate to the My Account page.
    3. In the Root details section, copy the Root Organizational Unit ID (for example, r-ad12).
  4. Create the CloudFormation stack:

    1. Back in Insights, on the Create New Connector screen, click the CloudFormation Template link.

      Note: This template creates an IAM role and policy for Insights to use when accessing your AWS resources. To use the template provided by the AWS connector, a credit card must be associated with your AWS account.

      The AWS CloudFormation Create Stack wizard opens with pre-populated parameters.

    2. In the wizard's Parameters section, verify the following parameters:

      • AwsRegion: Ensure this is the correct AWS region for your deployment.
      • RootOrgUnitId: Paste the Root Organizational Unit ID copied from the Root details section in AWS.
      • BtConnectorExternalID: Ensure this matches the External ID provided by Identity Security Insights (for example, abcdef-1234567890/ABCDEF).
      • EnableCloudTrail: Select Yes, create CloudTrail.
    3. In the wizard's Capabilities section, check the required boxes to acknowledge that AWS CloudFormation may create IAM resources.

    4. Click Create stack.
      Stack creation may take several minutes.

  5. Obtain the IAM Role ARN:

    1. Once the stack creation completes, in the AWS CloudFormation template, click the Outputs tab.
    2. Copy the BtOrgRoleArn value.
    3. In Insights, paste the BtOrgRoleArn value in the IAM Role ARN field.
    4. In AWS CloudFormation, copy the CloudTrailBucketArn.
    5. In Insights, paste the CloudTrailBucketArn value into the CloudTrail Ingest ARN field.
  6. Create the connector:

    1. In Insights, in the Select CloudTrail Log collection preference drop-down, select Yes, Insights will create a new CloudTrail in your AWS Organization.
    2. Review all information on the Identity Security Insights Create AWS Connector screen.
    3. Click Create Connector.
      The AWS connector is created with a new, Insights-created CloudTrail.

Option 3: Configure with an existing CloudTrail, enabled for all accounts

Note: The existing CloudTrail must reside in the same region as the stack deployment.

  1. Create a new AWS connector configuration:

    1. In Identity Security Insights, from the left menu, click Menu > Connectors.
      The Connectors page displays.
    2. Click the Available tab.
    3. Locate AWS and click Create Connector.
    4. Enter a human-readable name for your connector.
  2. Obtain your Root Organizational Unit ID from AWS:

    1. Click the AWS Organization link.
      Your AWS Organization account opens in a new tab.
    2. In your AWS account, navigate to the My Account page.
    3. In the Root details section, copy the Root Organizational Unit ID (for example, r-ad12).
  3. Create the CloudFormation stack:

    1. Back in Insights, on the Create New Connector screen, click the CloudFormation Template link.

      Note: This template creates an IAM role and policy for Insights to use when accessing your AWS resources. To use the template provided by the AWS connector, a credit card must be associated with your AWS account.

      The AWS CloudFormation Create Stack wizard opens with pre-populated parameters.

    2. In the wizard's Parameters section, verify the following parameters:

      • AwsRegion: Ensure this is the correct AWS region for your deployment.
      • RootOrgUnitId: Paste the Root Organizational Unit ID copied from the Root details section in AWS.
      • BtConnectorExternalID: Ensure this matches the External ID provided by Identity Security Insights (for example, abcdef-1234567890/ABCDEF).
      • EnableCloudTrail: Select Yes, create CloudTrail.
    3. In the wizard's Capabilities section, check the required boxes to acknowledge that AWS CloudFormation may create IAM resources.

    4. Click Create stack.
      Stack creation may take several minutes.

  4. Obtain the IAM Role ARN:

    1. Once the stack creation completes, in the AWS CloudFormation template, click the Outputs tab.
    2. Copy the BtOrgRoleArn value.
    3. In Insights, paste the BtOrgRoleArn value in the IAM Role ARN field.
    4. In AWS CloudFormation, copy the CloudTrailBucketArn.
    5. In Insights, paste the CloudTrailBucketArn value into the CloudTrail Ingest ARN field.
  5. From the Insights Create New Connector screen, select one of the following methods to update your existing CloudTrail:

    • Update trail from console:

      1. Sign in to the AWS Management Console.
      2. Navigate to CloudTrail > Trails > .
      3. In CloudWatch Logs, click Edit.
      4. Select Enabled for CloudWatch Logs.
      5. Select Existing for Log group.
      6. For the Log group name, enter BT-CloudTrailLogGroup.
      7. Select Existing for IAM Role.
      8. For the Role name, select BT-CloudWatch-Role.
      9. Click Save changes.
        The trail is configured to update from Insights.
    • Update trail with AWS CloudShell:

      1. Sign in to the AWS Management Console.
      2. Navigate to CloudTrail > Trails > and copy the name of your existing Organization Trail.
      3. In the AWS CloudFormation template, click the Outputs tab.
      4. Copy the CloudWatchLogsGroupArn and CloudWatchRoleArn values.
      5. Replace the placeholders in the command below with your trail name and the two ARN values copied from the stack outputs:
        aws cloudtrail update-trail --name <your-trail-name> --cloud-watch-logs-log-group-arn <CloudWatchLogsGroupArn> --cloud-watch-logs-role-arn <CloudWatchRoleArn>
      6. Open AWS CloudShell in the AWS Management Console.
      7. Paste and run the command.
  6. Create the connector:

    1. Review all information on the Identity Security Insights Create AWS Connector screen.
    2. Click Create Connector.
      The AWS connector is created with an existing CloudTrail enabled for all accounts.
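The Option 3 CloudShell step above copies stack outputs by hand into the update-trail command. The following Python script is an added example, not BeyondTrust's or the page's own code: it reads the four outputs named on this page from `aws cloudformation describe-stacks` JSON, checks the region caveat (the existing trail and the stack must share a region, and only us-east-1 and eu-central-1 are supported), and assembles a safely quoted update-trail command. The stack name, account id and ARN values in the sample are constructed placeholders.

```python
import json
import re
import shlex

# Regions the page names as supported for the AwsRegion parameter.
SUPPORTED_REGIONS = {"us-east-1", "eu-central-1"}

# Stack outputs the page tells you to copy in Option 3.
REQUIRED_OUTPUTS = ("BtOrgRoleArn", "CloudTrailBucketArn",
                    "CloudWatchLogsGroupArn", "CloudWatchRoleArn")

# Constructed sample in the shape of `aws cloudformation describe-stacks` output.
# Account id, stack name and bucket name are placeholders, not values from the page.
SAMPLE_DESCRIBE_STACKS = json.dumps({"Stacks": [{
    "StackName": "bt-insights-connector",
    "StackId": "arn:aws:cloudformation:eu-central-1:123456789012:stack/bt-insights-connector/0000",
    "Outputs": [
        {"OutputKey": "BtOrgRoleArn", "OutputValue": "arn:aws:iam::123456789012:role/BT-Org-Role"},
        {"OutputKey": "CloudTrailBucketArn", "OutputValue": "arn:aws:s3:::bt-cloudtrail-bucket-example"},
        {"OutputKey": "CloudWatchLogsGroupArn",
         "OutputValue": "arn:aws:logs:eu-central-1:123456789012:log-group:BT-CloudTrailLogGroup:*"},
        {"OutputKey": "CloudWatchRoleArn", "OutputValue": "arn:aws:iam::123456789012:role/BT-CloudWatch-Role"},
    ]}]})

# Generic ARN shape; region and account are empty for global services such as IAM and S3.
ARN_RE = re.compile(r"^arn:aws:(?P<service>[a-z0-9-]+):(?P<region>[a-z0-9-]*):(?P<account>\d{12}|):.+$")

def stack_outputs(describe_stacks_json: str) -> dict:
    """Return {OutputKey: OutputValue} for the first stack, refusing missing or malformed outputs."""
    stack = json.loads(describe_stacks_json)["Stacks"][0]
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    missing = [k for k in REQUIRED_OUTPUTS if k not in outputs]
    if missing:
        raise ValueError(f"stack outputs missing: {missing}")
    bad = [k for k in REQUIRED_OUTPUTS if not ARN_RE.match(outputs[k])]
    if bad:
        raise ValueError(f"stack outputs are not well-formed ARNs: {bad}")
    outputs["_stack_region"] = ARN_RE.match(stack["StackId"]).group("region")
    return outputs

def check_regions(outputs: dict, trail_home_region: str) -> list:
    """List problems: unsupported stack region, or the existing trail living in another region."""
    problems = []
    if outputs["_stack_region"] not in SUPPORTED_REGIONS:
        problems.append(f"stack region {outputs['_stack_region']} is not supported")
    lg_region = ARN_RE.match(outputs["CloudWatchLogsGroupArn"]).group("region")
    if trail_home_region != lg_region:
        problems.append(f"trail region {trail_home_region} != log group region {lg_region}")
    return problems

def update_trail_command(trail_name: str, outputs: dict) -> str:
    """Build the Option 3 `aws cloudtrail update-trail` command with every value shell-quoted."""
    argv = ["aws", "cloudtrail", "update-trail", "--name", trail_name,
            "--cloud-watch-logs-log-group-arn", outputs["CloudWatchLogsGroupArn"],
            "--cloud-watch-logs-role-arn", outputs["CloudWatchRoleArn"]]
    return shlex.join(argv)
```

Run `check_regions` before pasting the command into CloudShell; a non-empty list means the trail update would point CloudTrail at a log group in the wrong region.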

©2003-2025 BeyondTrust Corporation. All Rights Reserved.