AWS CloudTrail Integration

This guide covers how to connect AWS CloudTrail to KYRA MDR for real-time monitoring of your AWS environment. KYRA MDR analyzes CloudTrail events for unauthorized access, misconfigurations, and suspicious API activity.


Prerequisites

  • An active AWS account with administrative access (or IAM permissions to create roles and S3 bucket notifications)
  • CloudTrail enabled in your AWS account (enabled by default for management events)
  • A KYRA MDR account with an active subscription

Architecture Overview

AWS CloudTrail → S3 Bucket → SNS Topic → KYRA Cloud Sensor (polls S3) → KYRA MDR Platform

KYRA MDR uses a cross-account IAM role to read CloudTrail logs from your S3 bucket. Your data never leaves your control until KYRA reads it.


Step 1: Create an IAM Role for KYRA

Create a cross-account IAM role that allows KYRA MDR to read your CloudTrail logs.

Using AWS Console

  1. Go to IAM > Roles > Create Role
  2. Select Another AWS account
  3. Enter KYRA MDR’s AWS Account ID: 123456789012 (provided in Console > Settings > Cloud Integrations)
  4. Check Require external ID and enter the External ID shown in the Console
  5. Click Next and attach the policy below

IAM Policy

Create a custom policy named KYRAMDRCloudTrailReadOnly:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudTrailBucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-cloudtrail-bucket",
        "arn:aws:s3:::your-cloudtrail-bucket/AWSLogs/*"
      ]
    },
    {
      "Sid": "AllowSNSSubscription",
      "Effect": "Allow",
      "Action": [
        "sns:Subscribe",
        "sns:ConfirmSubscription"
      ],
      "Resource": "arn:aws:sns:*:*:your-cloudtrail-topic"
    },
    {
      "Sid": "AllowCloudTrailDescribe",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    }
  ]
}

Trust Policy

The role’s trust policy should look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/KYRACloudSensor"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-external-id-from-console"
        }
      }
    }
  ]
}

Using AWS CLI

# Save the IAM policy above as kyra-policy.json and the trust policy as kyra-trust-policy.json

# Create the policy
aws iam create-policy \
  --policy-name KYRAMDRCloudTrailReadOnly \
  --policy-document file://kyra-policy.json

# Create the role with the trust policy
aws iam create-role \
  --role-name KYRAMDRRole \
  --assume-role-policy-document file://kyra-trust-policy.json

# Attach the policy to the role
aws iam attach-role-policy \
  --role-name KYRAMDRRole \
  --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/KYRAMDRCloudTrailReadOnly

Step 2: Configure CloudTrail

If you don’t already have a multi-region CloudTrail trail, create one:

Create a Trail (if needed)

aws cloudtrail create-trail \
  --name kyra-mdr-trail \
  --s3-bucket-name your-cloudtrail-bucket \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --sns-topic-name your-cloudtrail-topic

aws cloudtrail start-logging --name kyra-mdr-trail

Optionally, enable data events to get visibility into S3 object-level and Lambda invocation activity:

aws cloudtrail put-event-selectors \
  --trail-name kyra-mdr-trail \
  --event-selectors '[
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {
          "Type": "AWS::S3::Object",
          "Values": ["arn:aws:s3"]
        },
        {
          "Type": "AWS::Lambda::Function",
          "Values": ["arn:aws:lambda"]
        }
      ]
    }
  ]'

Note: Data events can generate high volume and incur additional CloudTrail costs. Start with management events only and add data events as needed.


Step 3: Connect in KYRA Console

  1. Open the KYRA MDR Console
  2. Go to Settings > Integrations > Add Integration
  3. Select AWS CloudTrail
  4. Enter:
    • AWS Account ID: Your 12-digit AWS account ID
    • IAM Role ARN: arn:aws:iam::YOUR_ACCOUNT_ID:role/KYRAMDRRole
    • S3 Bucket Name: Your CloudTrail S3 bucket
    • S3 Region: The bucket’s region (e.g., ap-northeast-2 for Seoul)
    • SNS Topic ARN (optional): For real-time notifications
  5. Click Test Connection — KYRA will attempt to assume the role and list the bucket
  6. Click Save

Step 4: Verify Events

Check Integration Status

In the Console, go to Settings > Integrations. The AWS CloudTrail integration should show:

  • Status: Connected
  • Last Sync: Within the last 5 minutes
  • Events Processed: Increasing count

Search for AWS Events

  1. Go to Log Search
  2. Filter by source_type:aws-cloudtrail
  3. You should see events like:
    • ConsoleLogin — AWS Console sign-ins
    • AssumeRole — Role assumption events
    • RunInstances — EC2 instance launches
    • CreateBucket — S3 bucket creation

Generate a Test Event

# Create and delete a test security group (generates CloudTrail events)
SG_ID=$(aws ec2 create-security-group --group-name kyra-test --description "KYRA test" \
  --output text --query 'GroupId')
aws ec2 delete-security-group --group-id "$SG_ID"

Within 5-15 minutes (CloudTrail delivery delay), you should see CreateSecurityGroup and DeleteSecurityGroup events in KYRA MDR.


Required Permissions Summary

Permission                  | Purpose
----------------------------|------------------------------------------------
s3:GetObject                | Read CloudTrail log files from S3
s3:ListBucket               | List new log files for ingestion
sns:Subscribe               | Subscribe to real-time CloudTrail notifications
cloudtrail:DescribeTrails   | Discover trail configuration
cloudtrail:GetTrailStatus   | Check trail health
cloudtrail:LookupEvents     | Query recent events for initial sync

KYRA MDR uses read-only access. We never modify your AWS resources or CloudTrail configuration.


Detection Rules

KYRA MDR includes built-in detection rules for AWS CloudTrail:

Detection            | Event Names                        | MITRE ATT&CK | Description
---------------------|------------------------------------|--------------|-------------------------------------
Root Account Usage   | ConsoleLogin (root)                | T1078.004    | Root account sign-in detected
IAM User Created     | CreateUser                         | T1136.003    | New IAM user created
MFA Disabled         | DeactivateMFADevice                | T1556        | MFA removed from account
Security Group Open  | AuthorizeSecurityGroupIngress      | T1562.007    | 0.0.0.0/0 ingress rule added
CloudTrail Disabled  | StopLogging                        | T1562.008    | Trail logging stopped
S3 Bucket Public     | PutBucketPolicy                    | T1530        | Bucket policy allows public access
Unusual Region       | Any                                | T1535        | API calls from unusual AWS regions
Access Key Leaked    | GetCallerIdentity from unusual IP  | T1528        | Possible leaked credentials
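The five rules above that need no per-account baseline, implemented as an added example in Python (this is not KYRA's own detection code). It parses a CloudTrail log file's Records array and evaluates each rule per record; Unusual Region and Access Key Leaked need historical context and are left out. The sample records are constructed here, trimmed to the fields the rules use, and are not real events.

```python
import json

# Constructed sample CloudTrail records, trimmed to the fields the rules below use.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "Root"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "ap-northeast-2", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "kyra-mdr-trail"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "ap-northeast-2", "userIdentity": {"type": "AssumedRole"}},
]})

def open_to_world(record):
    """True if any ingress rule in the request allows 0.0.0.0/0. CloudTrail records the
    EC2 request as requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp."""
    params = record.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False

# (rule name, MITRE ATT&CK technique, predicate over one record), following the table
RULES = [
    ("Root Account Usage", "T1078.004", lambda r: r["eventName"] == "ConsoleLogin"
     and r.get("userIdentity", {}).get("type") == "Root"),
    ("IAM User Created", "T1136.003", lambda r: r["eventName"] == "CreateUser"),
    ("MFA Disabled", "T1556", lambda r: r["eventName"] == "DeactivateMFADevice"),
    ("Security Group Open", "T1562.007",
     lambda r: r["eventName"] == "AuthorizeSecurityGroupIngress" and open_to_world(r)),
    ("CloudTrail Disabled", "T1562.008", lambda r: r["eventName"] == "StopLogging"),
]

def detect(log_text):
    """Run every rule over every record of one CloudTrail log file.
    Returns (rule name, technique, eventName, awsRegion) hits in record order."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        for name, technique, matches in RULES:
            if matches(rec):
                hits.append((name, technique, rec["eventName"], rec.get("awsRegion")))
    return hits
```

Running detect(SAMPLE_LOG) returns three hits (root sign-in, open security group, trail stopped) and nothing for the DescribeInstances record.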

Multi-Account Setup

For AWS Organizations with multiple accounts, you can use a centralized CloudTrail with an organization trail:

  1. Enable an Organization Trail in the management account
  2. All member account events flow to a single S3 bucket
  3. Create the KYRA IAM role in the management account only
  4. KYRA MDR will ingest events from all accounts

aws cloudtrail create-trail \
  --name kyra-org-trail \
  --s3-bucket-name your-org-cloudtrail-bucket \
  --is-organization-trail \
  --is-multi-region-trail

Troubleshooting

Connection Test Fails

  1. Role ARN correct? Double-check the account ID and role name
  2. External ID matches? The External ID in the trust policy must match the Console
  3. Trust policy? The principal must be KYRA’s AWS account, not your own
  4. S3 bucket exists? Verify the bucket name and region
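Items 2 and 3 of this checklist, and the least-privilege intent of the Step 1 policy, can be checked offline before running Test Connection. The following Python script is an added example, not part of this guide or of KYRA's tooling: check_trust_policy verifies that the role trusts KYRA's account (123456789012, as shown in Step 1) and requires the External ID from the Console, and check_permissions_policy flags any action beyond the read-only set or any S3 resource outside the trail bucket. The function names and the sample policy in the main block are constructed for this example.

```python
KYRA_ACCOUNT_ID = "123456789012"  # KYRA MDR's account ID as given in Step 1
# Exactly the actions the guide's policy grants; anything else is more than KYRA needs.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket", "sns:Subscribe",
                     "sns:ConfirmSubscription", "cloudtrail:DescribeTrails",
                     "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents"}

def as_list(value):
    # IAM accepts a string or a list in Principal/Action/Resource; normalise to a list
    return value if isinstance(value, list) else [value]

def check_trust_policy(trust_doc, expected_external_id):
    """Return findings for a role's trust policy (an empty list means it is OK): the
    principal must be KYRA's account and the Console External ID must be required."""
    findings = []
    for st in trust_doc.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action")):
            continue
        principals = st.get("Principal", {})
        principals = principals.get("AWS", []) if isinstance(principals, dict) else principals
        for principal in as_list(principals):
            if principal != KYRA_ACCOUNT_ID and f":{KYRA_ACCOUNT_ID}:" not in principal:
                findings.append(f"principal {principal} is not KYRA's account")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext_id != expected_external_id:
            findings.append("sts:ExternalId does not match the Console value")
    return findings

def check_permissions_policy(policy_doc, bucket):
    """Flag actions outside the read-only set and S3 resources outside the trail bucket."""
    findings = []
    for st in policy_doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st.get("Action", [])):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"unexpected action {action}")
        for res in as_list(st.get("Resource", [])):
            if res.startswith("arn:aws:s3:::") and res != f"arn:aws:s3:::{bucket}" \
                    and not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"S3 resource {res} is outside bucket {bucket}")
    return findings

if __name__ == "__main__":
    # Constructed trust policy in the guide's shape but with no External ID condition
    trust = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal":
             {"AWS": "arn:aws:iam::123456789012:role/KYRACloudSensor"}}]}
    print(check_trust_policy(trust, "your-external-id-from-console"))
```

Feed it the two JSON files from Step 1 (json.load each one) and fix every finding before retrying the connection test.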

No Events Appearing

  1. CloudTrail active? Run aws cloudtrail get-trail-status --name your-trail — check IsLogging: true
  2. S3 permissions? Verify s3:GetObject and s3:ListBucket on the correct bucket and path
  3. Delivery delay: CloudTrail delivers logs to S3 every ~5-15 minutes — events are not real-time
  4. Region mismatch? Ensure the S3 region in the Console matches the actual bucket region

High Costs

CloudTrail management events are free for the first trail. Data events incur costs per 100,000 events. To reduce costs:

  • Start with management events only (default)
  • Use event selectors to filter specific S3 buckets or Lambda functions
  • Exclude read-only data events if write events are sufficient