Amazon Web Services | Insights

Depending on your preference for CloudTrail log collection, you can configure your Amazon Web Services (AWS) connector in multiple ways.

Prerequisites

  • You must have the ability to create IAM roles and policies in your AWS Management Account.
  • You must have familiarity with AWS CloudFormation and CloudTrail services.

Configuration

  1. Create a new AWS connector configuration:
    1. From Insights Home, select Pathfinder navigation menu > Connectors.
      The Connectors page displays.
    2. Click Total configured.
    3. Select Create Connector > AWS.
    4. Enter a human-readable name for your connector.
  2. Obtain your Root Organization ID from AWS:
    1. Follow the AWS documentation to view the AWS organization root details.
    2. In the Root details section, copy the Root Organizational Unit ID (for example, r-ad12).
  3. Create the CloudFormation stack:
    1. In Insights, select the region in which to create the CloudFormation stack.
    2. Select whether to enable AI agents collection.
    3. Click the CloudFormation Template link.
Note: The template creates an IAM role and policy for Insights to use when accessing your AWS resources. To use the template provided by the AWS connector, a credit card must be associated with your AWS account.

The AWS CloudFormation Create Stack wizard opens with pre-populated parameters.

    4. In the wizard's Parameters section, verify the following parameters:
      • RootOrgUnitId: Paste the Root Organizational Unit ID copied from the Root details section in AWS.
      • BtConnectorExternalID: Ensure this matches the External ID provided by Identity Security Insights (for example, abcdef-1234567890/ABCDEF).
      • CreateAccessAnalyzer: Determine whether to create an Access Analyzer in the management account.
      • EnableAIAgents: Determine whether to allow collecting AI Agent data, including AI data events in.
      • EnableCloudTrail: Determine whether to enable an organization CloudTrail in the current stack region.
        • Select Yes, create CloudTrail to have the stack create a new organization CloudTrail.
        • Select Yes, use existing CloudTrail if you already have an organization CloudTrail in the current region.
        • Select Yes, use existing CloudTrails in multiple accounts if CloudTrail is configured at the account level across multiple accounts in the current region.
        • Select No if you do not want to enable CloudTrail log collection.
      • MemberAccountsWithCloudTrail: The list of member accounts whose CloudTrail trails are to be integrated.
        • Fill this parameter only if you selected Yes, use existing CloudTrails in multiple accounts for EnableCloudTrail.
    5. In the wizard's Capabilities section, select the required checkboxes to acknowledge that AWS CloudFormation may create IAM resources.
    6. Click Create stack.
    Stack creation may take several minutes.
  4. Select the CloudTrail log collection preference that corresponds to your EnableCloudTrail selection in the stack parameters.
  5. Obtain the required values for the connector:
    1. Once stack creation completes, open the stack in the AWS CloudFormation console and click the Outputs tab.
    2. Copy the BtOrgRoleArn value.
    3. In Insights, paste the BtOrgRoleArn value in the IAM Role ARN field (if CloudTrail log collection is enabled).
    4. Copy the CloudTrailBucketArn value.
    5. In Insights, paste the CloudTrailBucketArn value in the CloudTrail Ingest ARN field.
  6. Create the connector:
    1. Review all information on the Identity Security Insights Create AWS Connector panel.
    2. Click Create Connector.

Update existing CloudTrail configuration

If Use an existing trail for an AWS Organization is selected as the CloudTrail log collection preference, you can update the trail configuration using either the AWS Management Console or AWS CloudShell.

Option 1: Update trail from console

  1. Sign in to the AWS Management Console.
  2. Go to CloudTrail > Trails and open your existing trail.
  3. In CloudWatch Logs, click Edit.
  4. Select Enabled for CloudWatch Logs.
  5. Select Existing for Log group.
  6. For the Log group name, enter BT-CloudTrailLogGroup.
  7. Select Existing for IAM Role.
  8. For the Role name, select BT-CloudWatch-Role.

If AI agents collection is enabled:

  1. In Data events, click Edit.
  2. In Events, select the Data events checkbox if it is not already enabled.

Warning: If the trail has existing basic event selectors, the following steps remove them.

  1. In Data events, click Switch to advanced event selectors if Basic event selectors are enabled.

  2. Add the following data event types (Resource Type):
    • AWS::Bedrock::AgentAlias
    • AWS::Bedrock::AsyncInvoke
    • AWS::Bedrock::FlowAlias
    • AWS::Bedrock::Guardrail
    • AWS::Bedrock::InlineAgent
    • AWS::Bedrock::KnowledgeBase
    • AWS::Bedrock::Model
    • AWS::Bedrock::PromptVersion
    • AWS::Bedrock::Session
    • AWS::Bedrock::FlowExecution
    • AWS::Bedrock::AutomatedReasoningPolicy
    • AWS::Bedrock::AutomatedReasoningPolicyVersion
    • AWS::Bedrock::DataAutomationProject
    • AWS::Bedrock::DataAutomationInvocation
    • AWS::Bedrock::DataAutomationProfile
    • AWS::Bedrock::Blueprint
    • AWS::BedrockAgentCore::CodeInterpreter
    • AWS::BedrockAgentCore::Browser
    • AWS::BedrockAgentCore::WorkloadIdentity
    • AWS::BedrockAgentCore::WorkloadIdentityDirectory
    • AWS::BedrockAgentCore::TokenVault
    • AWS::BedrockAgentCore::APIKeyCredentialProvider
    • AWS::BedrockAgentCore::Runtime
    • AWS::BedrockAgentCore::RuntimeEndpoint
    • AWS::BedrockAgentCore::Gateway
    • AWS::BedrockAgentCore::Memory
    • AWS::BedrockAgentCore::OAuth2CredentialProvider
    • AWS::BedrockAgentCore::BrowserCustom
    • AWS::BedrockAgentCore::CodeInterpreterCustom
    • AWS::Bedrock::Tool
  3. Click Save changes.

Option 2: Update trail with AWS CloudShell

Warning: If the trail does not use advanced event selectors, the script skips updating the AI agent event selectors to avoid unintentionally modifying the existing CloudTrail configuration. In that case, configure data events manually as described in Option 1.

  1. Enter the trail name.
  2. Download the script.
  3. Upload the script to AWS CloudShell.
  4. Enter chmod +x bt_updatecloudtrail.sh to allow script execution.
  5. Enter the provided commands to run the script.
  6. Enter rm bt_updatecloudtrail.sh to remove the script after execution.
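As an added example (not BeyondTrust's bt_updatecloudtrail.sh, whose contents the page does not show), the following Python applies the Option 1 data event types in the way the Option 2 warning describes: a trail still on basic event selectors is left untouched, and for a trail on advanced selectors the selectors it already has are kept, since PutEventSelectors replaces the full set. The client argument is assumed to be a boto3 CloudTrail client (boto3.client("cloudtrail")); the function names and selector names are assumptions.

```python
"""Added example, not BeyondTrust's own bt_updatecloudtrail.sh: append the
Bedrock data event selectors from Option 1 to a trail while keeping its
existing selectors, and skip trails on basic selectors (Option 2 warning)."""
from typing import Any, Dict, List, Optional

Selector = Dict[str, Any]

# Subset of the resource types listed under Option 1; extend with the rest.
BEDROCK_RESOURCE_TYPES = [
    "AWS::Bedrock::AgentAlias",
    "AWS::Bedrock::Model",
    "AWS::Bedrock::Session",
    "AWS::BedrockAgentCore::Runtime",
]

def uses_advanced_selectors(resp: Dict[str, Any]) -> bool:
    """get_event_selectors returns AdvancedEventSelectors for a trail on
    advanced selectors and EventSelectors for one on basic selectors."""
    return bool(resp.get("AdvancedEventSelectors"))

def resource_type_of(selector: Selector) -> str:
    """The resources.type a data selector matches, or "" (management events)."""
    for fs in selector.get("FieldSelectors", []):
        if fs.get("Field") == "resources.type":
            return fs.get("Equals", [""])[0]
    return ""

def bedrock_data_selectors(types: List[str]) -> List[Selector]:
    """One selector per resource type: a selector may name only one resources.type."""
    return [{"Name": f"BT data events {t}",
             "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                                {"Field": "resources.type", "Equals": [t]}]}
            for t in types]

def merge_selectors(existing: List[Selector], new: List[Selector]) -> List[Selector]:
    """PutEventSelectors replaces the whole set, so keep every existing selector
    (including the management-events one) and add only uncovered types."""
    covered = {resource_type_of(s) for s in existing}
    return existing + [s for s in new if resource_type_of(s) not in covered]

def update_trail(client: Any, trail_name: str) -> Optional[List[Selector]]:
    """client is a boto3 CloudTrail client (or a stub with the same two calls).
    Returns the selectors written, or None when the trail was skipped."""
    resp = client.get_event_selectors(TrailName=trail_name)
    if not uses_advanced_selectors(resp):
        return None  # basic selectors: set data events by hand (Option 1)
    merged = merge_selectors(resp["AdvancedEventSelectors"],
                             bedrock_data_selectors(BEDROCK_RESOURCE_TYPES))
    client.put_event_selectors(TrailName=trail_name, AdvancedEventSelectors=merged)
    return merged
```

Run it in CloudShell with the trail name from Option 2 and check the trail's Data events in the console afterwards; the management-events selector should still be present.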

©2003-2026 BeyondTrust Corporation. All Rights Reserved.