Integrate with AWS CloudTrail Account

You can integrate Tenable.cs with Amazon Web Services (AWS) CloudTrail accounts to collect CloudTrail events. The integration subscribes Tenable.cs to an SNS topic that an EventBridge rule triggers on the events CloudTrail generates. You can connect to CloudTrail in the following ways:

Connect the AWS CloudTrail account using the CloudFormation template

To deploy CloudTrail logging using the CloudFormation template:

  1. Access Tenable.cs.

  2. In the left navigation bar, click Integrations.

  3. To connect your AWS CloudTrail account, click the AWS CloudTrail tile.
    The Deploy cloud trail to enable logging for existing accounts window appears.

  4. Configure the Log Management Account.
    1. In the Configure log management account section, in the first step, click here to deploy the stack.

      Tenable.cs redirects you to the Quick create stack wizard.

      Note: The following steps are performed outside Tenable.cs. If you need more details, refer to the documentation provided by the third-party service.

    2. Sign in to your parent AWS account as the root user.

    3. Select your region (for example, us-east-1).

    4. In the OrganizationId box, type your Organization ID.

    5. In the Stack name section, type the name for the stack.

    6. Use the default values for other parameters.

    7. In the Capabilities section, select the I acknowledge that AWS CloudFormation might create IAM resources. check box to confirm creating the IAM resources with required permissions.

    8. Click Create stack.

      Wait for the stack to get created and its status to become Active. Copy the Stack ARN of the deployed stack from the Stack info tab.

  5. In Tenable.cs, paste the stack ARN value in the Log Management AWS Account Number box.

  6. Click Continue.

  7. In the Configure member accounts section, do the following:

    1. Click the link in the Tenable.cs user interface to create a CloudFormation StackSet in AWS that creates a read-only role in your member accounts.

      For more information about deploying a StackSet in AWS, see Deploy the StackSet to create a read-only role for a member account.

      Note: Copy the StackSet URL from the Tenable.cs user interface when provisioning the StackSet.

    2. After the StackSet is created, type your StackSet ARN value in Tenable.cs.

  8. Click Connect.

Deploying the stack creates a read-only role for the Tenable.cs Console and sets up CloudTrail at the organization level.

Connect the AWS CloudTrail account manually

To connect to existing AWS CloudTrail accounts manually:

  1. In the AWS SNS console, create an SNS topic that will be used to send CloudWatch events to Tenable.cs.

    See Creating an Amazon SNS topic in the Amazon Simple Notification Service documentation.

  2. Subscribe to the SNS topic with the following values:

    • Protocol: HTTP/HTTPS

    • Endpoint: https://cloud.tenable.com/cns/v1/app/cloudevent/aws?accesstoken=<api-token>&cloud=aws

      Where:

      See Subscribing to an Amazon SNS topic in the Amazon Simple Notification Service documentation.

  3. Create an EventBridge rule to collect all CloudWatch events in your AWS account with the following information:

    • Select the SNS topic created in the previous step as the target for the EventBridge rule.

    • Use the following JSON for Event pattern:

      {
        "detail": {
          "readOnly": [false]
        },
        "detail-type": ["AWS API Call via CloudTrail"]
      }

    For more information about creating an EventBridge rule, see Amazon EventBridge User Guide.
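The three manual steps above (SNS topic, HTTPS subscription, EventBridge rule) expressed as a single CloudFormation template, added here as an example. This is not Tenable's own template; the resource names, the TenableApiToken parameter and the topic policy are assumptions. The endpoint URL and the event pattern are the ones given on this page.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not Tenable's template): SNS topic, HTTPS subscription to the
  Tenable.cs cloud-event endpoint, and an EventBridge rule that forwards
  non-read-only CloudTrail API calls to the topic.

Parameters:
  TenableApiToken:
    Type: String
    NoEcho: true   # keeps the token out of stack parameter listings
    Description: Tenable.cs API access token (the <api-token> placeholder in the endpoint URL)

Resources:
  # Step 1: the SNS topic that carries events to Tenable.cs (name is assumed)
  CloudEventTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: tenable-cs-cloudtrail-events

  # EventBridge can only publish to the topic if the topic's resource policy
  # allows it. SourceArn is pinned to the rule below so no other rule or
  # principal in the service can publish into this topic.
  CloudEventTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref CloudEventTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowEventBridgePublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref CloudEventTopic
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt CloudTrailWriteEventsRule.Arn

  # Step 2: HTTPS subscription to the Tenable.cs endpoint from the page
  TenableSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref CloudEventTopic
      Protocol: https
      Endpoint: !Sub "https://cloud.tenable.com/cns/v1/app/cloudevent/aws?accesstoken=${TenableApiToken}&cloud=aws"

  # Step 3: EventBridge rule with the page's event pattern, targeting the topic
  CloudTrailWriteEventsRule:
    Type: AWS::Events::Rule
    Properties:
      Name: tenable-cs-cloudtrail-write-events   # assumed name
      Description: Forward non-read-only CloudTrail API calls to Tenable.cs
      State: ENABLED
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail
        detail:
          readOnly:
            - false
      Targets:
        - Id: TenableCloudEventTopic
          Arn: !Ref CloudEventTopic

Outputs:
  TopicArn:
    Description: ARN of the topic subscribed to Tenable.cs
    Value: !Ref CloudEventTopic
```

Two things to check after deploying: an HTTPS subscription stays in PendingConfirmation until the endpoint confirms it, so verify its status in the SNS console before expecting events; and EventBridge rules are regional, so the template has to be deployed in every region whose CloudTrail events you want forwarded. Note also that NoEcho hides the token only as a stack parameter; the token is still visible in the subscription's endpoint attribute to any principal allowed to list SNS subscriptions, so scope sns:ListSubscriptions* accordingly.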