Skip to content

AWS CloudTrail S3 Setup

The AWS CloudTrail integration enables SailPoint Entro to correlate secret activity with AWS audit logs. By connecting your CloudTrail S3 bucket, SailPoint Entro can detect when secrets are created, modified, or accessed - improving visibility into credential usage and anomaly detection.

Overview

Integrating AWS CloudTrail with SailPoint Entro allows:

  • Correlation between discovered secrets and API activity.

  • Identification of access anomalies tied to NHIs.

  • Contextual enrichment of incident investigations.

  • Optional continuous validation of secret rotation and key management.

The integration uses read-only permissions to access S3 log data. No log files are modified, and no data is exported outside your AWS environment.

Management → Accounts & Integrations → Add New Account (top right) → AWS → Manual Onboarding → CloudTrail S3 Setup

Architecture Diagram

Entro Security Cloud
   ↕ (HTTPS/TLS)
AWS Account
   ├── CloudTrail
   │     └── S3 Bucket (Log Delivery)
   └── IAM Role (EntroRoleAWS)

Prerequisites

  • An existing AWS CloudTrail Trail configured to deliver logs to an S3 bucket.

  • The EntroAWSIntegrationRole IAM Role must include S3 read-only access.

  • Outbound HTTPS/TLS connectivity from SailPoint Entro to AWS APIs.

  • Permission to update the S3 bucket policy if access must be granted manually.

Permissions Required

SailPoint Entro needs the following S3 read-only permissions to collect and process CloudTrail logs:

S3 permissions (example)

{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::<cloudtrail-logs-bucket>",
    "arn:aws:s3:::<cloudtrail-logs-bucket>/*"
  ]
}

Setup Steps

  1. Create a Trail (if none exists)

    If CloudTrail is not yet configured, follow: Creating a Trail with the CloudTrail Console →

  2. Configure the Trail for SailPoint Entro Access

    If you already have a CloudTrail trail, configure it to allow SailPoint Entro to read logs from the S3 bucket: Configure a Trail with the CloudTrail Console →

  3. Validate in SailPoint Entro

    After setup:

    • Return to SailPoint Entro → Integrations → AWS.

    • Confirm CloudTrail S3 integration shows as Connected.

    • Verify event correlation in the Activity Logs or Inventory → Secrets tab.

Security Notes

  • SailPoint Entro never modifies or exports CloudTrail logs.
  • Access is limited to metadata analysis and contextual event mapping.
  • S3 objects remain within your AWS environment.
  • All communications use secure HTTPS/TLS endpoints.

Troubleshooting

Issue Cause Resolution
SailPoint Entro cannot access logs Missing S3 permissions Add s3:GetObject and s3:ListBucket to the IAM Policy
No CloudTrail data visible Trail not delivering to S3 Verify CloudTrail delivery settings
Partial event correlation Incorrect S3 path prefix Confirm SailPoint Entro has the correct log folder path