Skip to content

Configure Trail CloudTrail Console

After creating a CloudTrail trail, you must configure S3 bucket permissions so SailPoint Entro can securely read audit logs. This enables correlation between AWS events and secret activity within SailPoint Entro.


AWS Console → CloudTrail → Trails → Select Trail → Storage Location (S3 Bucket)


  1. Open the CloudTrail Console

    • Sign in to the AWS Management Console.

    • Navigate to CloudTrail → Trails.

    • Select the trail you previously created (e.g. EntroTrail).

    • In the Storage location section, click the linked S3 bucket name.

  2. Edit the S3 Bucket Permissions

    • In the S3 Console, open the Permissions tab for your log bucket.

    • Scroll to Bucket policy and click Edit.

    • Add the following JSON snippet to grant SailPoint Entro read access (replace placeholders with your values):

    s3-bucket-policy.json

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<ENTRO_ACCOUNT_ID>:root"
          },
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::<cloudtrail-logs-bucket>",
            "arn:aws:s3:::<cloudtrail-logs-bucket>/*"
          ]
        }
      ]
    }
    
  3. Save and Validate the Policy

    • Click Save Changes.

    • Return to CloudTrail → Trails.

    • Select your trail and confirm the S3 bucket path matches your intended destination.

    • Wait a few minutes for AWS to validate and apply the new permissions.

  4. Confirm Log Delivery and Access

    • Open the S3 bucket in AWS Console.

    • Ensure new log files are appearing under your account folder (AWSLogs/<account-id>/CloudTrail/...).

    • In SailPoint Entro, verify that CloudTrail events are being ingested.

  5. Validation in SailPoint Entro

    In the SailPoint Entro Dashboard:

    • Go to Integrations → AWS → CloudTrail S3 Setup.

    • Confirm the CloudTrail integration status = Connected.

    • Check the Activity Logs tab for correlated events.


Troubleshooting

SailPoint Entro cannot read logs

Cause:

  • Incorrect bucket policy

Resolution:

  • Ensure the SailPoint Entro role and AWS Account ID are listed as a principal in the bucket policy (see the JSON snippet above).

Logs missing in S3

Cause:

  • CloudTrail misconfiguration

Resolution:

  • Verify CloudTrail log delivery is enabled and the configured bucket path is correct.

Partial access

Cause:

  • Missing s3:ListBucket permission

Resolution:

  • Add the missing s3:ListBucket action in the bucket policy or IAM policy as appropriate.

Security Notes

  • SailPoint Entro uses read-only access to S3 log data.
  • No log modification, deletion, or external export occurs.
  • Access is authenticated through AWS STS AssumeRole and encrypted via HTTPS/TLS.