Configure Trail CloudTrail Console
After creating a CloudTrail trail, you must configure S3 bucket permissions so SailPoint Entro can securely read audit logs. This enables correlation between AWS events and secret activity within SailPoint Entro.
Navigation Path
AWS Console → CloudTrail → Trails → Select Trail → Storage Location (S3 Bucket)
-
Open the CloudTrail Console
-
Sign in to the AWS Management Console.
-
Navigate to CloudTrail → Trails.
-
Select the trail you previously created (e.g.
EntroTrail). -
In the Storage location section, click the linked S3 bucket name.
-
-
Edit the S3 Bucket Permissions
-
In the S3 Console, open the Permissions tab for your log bucket.
-
Scroll to Bucket policy and click Edit.
-
Add the following JSON snippet to grant SailPoint Entro read access (replace placeholders with your values):
s3-bucket-policy.json
-
-
Save and Validate the Policy
-
Click Save Changes.
-
Return to CloudTrail → Trails.
-
Select your trail and confirm the S3 bucket path matches your intended destination.
-
Wait a few minutes for AWS to validate and apply the new permissions.
-
-
Confirm Log Delivery and Access
-
Open the S3 bucket in AWS Console.
-
Ensure new log files are appearing under your account folder (
AWSLogs/<account-id>/CloudTrail/...). -
In SailPoint Entro, verify that CloudTrail events are being ingested.
-
-
Validation in SailPoint Entro
In the SailPoint Entro Dashboard:
-
Go to Integrations → AWS → CloudTrail S3 Setup.
-
Confirm the CloudTrail integration status = Connected.
-
Check the Activity Logs tab for correlated events.
-
Troubleshooting
SailPoint Entro cannot read logs
Cause:
- Incorrect bucket policy
Resolution:
- Ensure the SailPoint Entro role and AWS Account ID are listed as a principal in the bucket policy (see the JSON snippet above).
Logs missing in S3
Cause:
- CloudTrail misconfiguration
Resolution:
- Verify CloudTrail log delivery is enabled and the configured bucket path is correct.
Partial access
Cause:
- Missing
s3:ListBucketpermission
Resolution:
- Add the missing
s3:ListBucketaction in the bucket policy or IAM policy as appropriate.
Security Notes
- SailPoint Entro uses read-only access to S3 log data.
- No log modification, deletion, or external export occurs.
- Access is authenticated through AWS STS AssumeRole and encrypted via HTTPS/TLS.