Configure CloudTrail for an AWS Organization

You can integrate Tenable Cloud Security with Amazon Web Services (AWS) CloudTrail to detect configuration changes in your AWS environment and to log events. To integrate with CloudTrail, you deploy a stack that subscribes to an SNS topic, which is triggered by the EventBridge events that CloudTrail generates.
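The pipeline described above forwards only those CloudTrail events that match an EventBridge rule's event pattern to the SNS topic. The page does not show the pattern the stack uses, so the pattern below is an assumption for illustration; the matcher, the sample events and the pattern are an added example, not Tenable's or AWS's code. It implements the EventBridge matching rules a practitioner needs to reason about which configuration changes reach the subscription: every key in the pattern must be present in the event, scalar values must equal one of the listed candidates, nested objects recurse, and `prefix` matchers do string-prefix comparison.

```python
"""Minimal EventBridge event-pattern matcher applied to CloudTrail events.

Added example, not code from Tenable Cloud Security or AWS. The pattern is
an assumption about what a CloudTrail event-driven pipeline subscribes to;
the rule in the real CloudFormation template is not shown on the page.
"""

# Constructed pattern (assumption): management-plane write calls from any
# AWS service, delivered to EventBridge by CloudTrail. Read-only calls such
# as Describe*/List* are dropped because CloudTrail marks them readOnly=true.
SAMPLE_PATTERN = {
    "source": [{"prefix": "aws."}],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"readOnly": [False]},
}


def _value_matches(actual, matcher):
    """Compare one event value against one candidate from a pattern list."""
    if isinstance(matcher, dict):
        if "prefix" in matcher:
            return isinstance(actual, str) and actual.startswith(matcher["prefix"])
        if "anything-but" in matcher:
            excluded = matcher["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            return actual not in excluded
        raise ValueError(f"unsupported matcher: {matcher}")
    # Exact match; the type check stops False from matching 0 in Python.
    return type(actual) is type(matcher) and actual == matcher


def matches(pattern, event):
    """Return True if the event satisfies every key of the EventBridge pattern."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            # Nested object: recurse into the corresponding event sub-object.
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            # Leaf: the event value must match at least one candidate.
            if not any(_value_matches(actual, m) for m in expected):
                return False
        else:
            raise ValueError("pattern leaf values must be lists or nested objects")
    return True


# Constructed events in the envelope EventBridge uses for CloudTrail records.
SAMPLE_EVENTS = [
    {   # a security-group rule change: should be forwarded
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "ec2.amazonaws.com",
                   "eventName": "AuthorizeSecurityGroupIngress",
                   "readOnly": False},
    },
    {   # a read-only describe call: should be dropped
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "ec2.amazonaws.com",
                   "eventName": "DescribeInstances",
                   "readOnly": True},
    },
    {   # a scheduled event that did not come from CloudTrail: dropped
        "source": "aws.events",
        "detail-type": "Scheduled Event",
        "detail": {},
    },
]


def select_forwarded(events, pattern=SAMPLE_PATTERN):
    """Return the eventName of each event the rule would send to the SNS topic."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print(select_forwarded(SAMPLE_EVENTS))  # ['AuthorizeSecurityGroupIngress']
```

Changing `SAMPLE_PATTERN` (for example adding `"eventSource": [{"prefix": "iam."}]` under `detail`) and re-running against a few captured events is a quick way to confirm what a narrower rule would still deliver.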

Before you begin:

To deploy the CloudTrail at an organization level:

  1. Access Tenable Cloud Security.

  2. In the left navigation bar, click Integrations.

  3. To connect your AWS CloudTrail account, click the AWS CloudTrail tile.
    The AWS CloudTrail window appears.

  4. Click next to the organization account that you want to configure for AWS CloudTrail and click Configure.

  5. In the Select the configuration method section, click the Connect AWS Organization option.

  6. Click Continue.

  7. In the Select the AWS organization management account to configure section, select the AWS organization account for which you want to configure CloudTrail.

  8. Click Continue.

  9. In the Configure management account organization trail section, click Launch Stack to create an organization trail.

    Tenable Cloud Security redirects you to the Quick create stack page in AWS. The CloudFormation template for the stack deploys a CloudTrail event-driven pipeline that is used by Tenable Cloud Security to detect configuration changes in your AWS environment.

    1. Review the parameters in the stack template and update, if required.

      For more information, see Parameters for Creating an Organization-Level Stack.

    2. In the Capabilities section, select the I acknowledge that AWS CloudFormation might create IAM resources check box to confirm that the IAM resources with the required permissions can be created.

    3. Click Create stack.

    Wait for the stack creation to finish and the stack status to change to CREATE_COMPLETE. Copy the stack ARN of the deployed stack from the Stack info tab.

  10. In Tenable Cloud Security, paste the stack ARN in the CloudFormation Stack ARN box.

  11. Click Continue.

  12. In the Configure member accounts stack set section, click Launch StackSet.

    Tenable Cloud Security redirects you to the Create StackSet wizard in AWS. The CloudFormation template for the StackSet deploys a CloudTrail event-driven pipeline that is used by Tenable Cloud Security to detect configuration changes in your AWS organization.

    1. Review and add the parameters in the template, as required.

    2. Click Next and complete each section of the wizard.

      For more information, see Parameters for Creating an Organization-Level StackSet.

    3. In the Capabilities section, select the I acknowledge that AWS CloudFormation might create IAM resources check box to confirm that the IAM resources with the required permissions can be created.

    4. Click Submit.

    Wait for the StackSet creation to finish and its status to change to CREATE_COMPLETE. Copy the StackSet ARN of the deployed StackSet.

  13. In Tenable Cloud Security, paste the StackSet ARN in the StackSet ARN box.

  14. Click Connect.

    The AWS CloudTrail page appears, with the status of the management account updated to Configured. Tenable Cloud Security connects to the AWS account and receives event logs at the organization level. If required, click Check Status to refresh the status.
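Steps 9 through 13 involve copying two different ARNs out of the CloudFormation console and pasting each into its own box, and the two are easy to mix up. The check below is an added example, not Tenable's or AWS's code: it parses both pasted values, confirms each is a CloudFormation ARN of the expected resource type (`stack/...` for the stack, `stackset/...` for the StackSet, the formats the CloudFormation console uses) and confirms both belong to the same management account. The account ID and resource names are constructed sample values; `check_pasted_arns` is a hypothetical helper name.

```python
"""Sanity-check the stack ARN and StackSet ARN before pasting them.

Added example, not code from Tenable Cloud Security or AWS. Assumed formats:
  stack:    arn:<partition>:cloudformation:<region>:<account>:stack/<name>/<uuid>
  stackset: arn:<partition>:cloudformation:<region>:<account>:stackset/<name>:<uuid>
"""
import re

_CFN_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):cloudformation:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<resource>.+)$"
)


def parse_cfn_arn(arn):
    """Split a CloudFormation ARN into its parts and classify the resource type."""
    m = _CFN_ARN.match(arn.strip())
    if not m:
        raise ValueError(f"not a CloudFormation ARN: {arn!r}")
    resource = m.group("resource")
    if resource.startswith("stack/"):
        kind, name = "stack", resource[len("stack/"):].split("/", 1)[0]
    elif resource.startswith("stackset/"):
        kind, name = "stackset", resource[len("stackset/"):].split(":", 1)[0]
    else:
        raise ValueError(f"unexpected CloudFormation resource: {resource!r}")
    return {"kind": kind, "name": name, "account": m.group("account"),
            "region": m.group("region"), "partition": m.group("partition")}


def check_pasted_arns(stack_arn, stackset_arn, management_account):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    parsed = {}
    for box, value, want in (("CloudFormation Stack ARN", stack_arn, "stack"),
                             ("StackSet ARN", stackset_arn, "stackset")):
        try:
            info = parse_cfn_arn(value)
        except ValueError as exc:
            problems.append(f"{box}: {exc}")
            continue
        if info["kind"] != want:
            problems.append(f"{box}: expected a {want} ARN but got a {info['kind']} ARN")
        if info["account"] != management_account:
            problems.append(f"{box}: account {info['account']} is not the "
                            f"management account {management_account}")
        parsed[want] = info
    if len(parsed) == 2 and parsed["stack"]["partition"] != parsed["stackset"]["partition"]:
        problems.append("stack and StackSet are in different AWS partitions")
    return problems


# Constructed sample values (not real resources).
MGMT_ACCOUNT = "123456789012"
SAMPLE_STACK_ARN = ("arn:aws:cloudformation:us-east-1:123456789012:"
                    "stack/tenable-org-trail/11111111-2222-3333-4444-555555555555")
SAMPLE_STACKSET_ARN = ("arn:aws:cloudformation:us-east-1:123456789012:"
                       "stackset/tenable-member-accounts:66666666-7777-8888-9999-000000000000")

if __name__ == "__main__":
    print(check_pasted_arns(SAMPLE_STACK_ARN, SAMPLE_STACKSET_ARN, MGMT_ACCOUNT))  # []
    print(check_pasted_arns(SAMPLE_STACKSET_ARN, SAMPLE_STACK_ARN, MGMT_ACCOUNT))  # swapped
```

Running the swapped case reports one problem per box, which is the symptom you would otherwise only discover when the Connect step fails.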