AWS CloudTrail
You can integrate AWS CloudTrail as a telemetry source using an S3 bucket and an SNS topic. We use a CloudFormation template to provision the necessary resources and grant our worker role read-only access to ingest logs. This ensures your data remains under your control while allowing us to provide security insights.
There are two ways to integrate:
- Existing Bucket & SNS - for users who already have CloudTrail configured with S3 and SNS.
- Creating a New Trail & Bucket - for users who need to set up a new CloudTrail configuration from scratch.
Prerequisites
- Administrator access to the AWS Console
Additional prerequisites when using an existing S3 bucket:
- An existing CloudTrail trail that is delivering logs to S3
- An SNS topic that publishes events when logs are delivered to the bucket
- If you don't have an SNS topic set up, you can create one using the AWS-provided SNS topic template. Note: there will be additional steps in the CloudFormation outputs for adding the KMS policy and S3 event notifications.
| Criteria | Existing Bucket | New Trail |
|---|---|---|
| Current Setup | CloudTrail + S3 + SNS already configured | No existing CloudTrail |
| Resources Created | SQS Queue, IAM Role | S3 Bucket, CloudTrail, SNS, SQS, KMS Key, IAM Role |
| Template File | cloud_formation_existing_bucket.yaml | cloud_formation.yaml |
Integrate an Existing Bucket
Use this option if you already have CloudTrail configured with an S3 bucket and SNS topic. This template creates only the resources needed to grant Nebulock read access to your existing infrastructure.
Download or copy the CloudFormation template and save it as cloud_formation_existing_bucket.yaml on your computer.
Log in to your AWS Management Console.
Navigate to the CloudFormation service.
Click Create stack > With new resources.
Select Upload a template file, choose the cloud_formation_existing_bucket.yaml file, and click Next.
Configure the stack parameters:
- Stack Name: Assign any name you prefer for this deployment (e.g., Nebulock-CloudTrail-Ingest).
- External ID: Provide a unique string of your choice; this acts as a shared secret to secure the cross-account connection.
- S3 Bucket Name: Enter the name of the existing S3 bucket where your CloudTrail logs are stored.
- SNS Topic ARN: Provide the ARN of the SNS topic that is currently receiving S3 event notifications for your log bucket.
- KMS Key ARN (Crucial): If your logs are encrypted, retrieve the ARN from your CloudTrail console under Trail > General details > KMS key ID. Leave this blank if your bucket uses default SSE-S3 encryption.
- Nebulock Account ID: Leave this as the default value provided in the template.
- KMS for SQS: Only provide the KMS ARN if your SNS topic is already using that key. This ensures SNS has the necessary permissions to deliver encrypted messages into your new SQS queue.
In Configure stack options, no changes are needed. Click Next and then Create.
Monitor the Events tab to ensure the stack is created correctly.
Once the stack shows CREATE_COMPLETE, navigate to the Outputs tab to find the values needed for the Nebulock integration.
Go to your Nebulock platform and navigate to Integrations > + Add Integration, select "CloudTrail" from the dropdown menu and paste the values you gathered in the previous step.
Create a New Trail & Bucket
Use this option if you do not have an existing CloudTrail configuration. This template creates a complete setup including a new trail, S3 bucket, SNS/SQS queues, and KMS encryption.
Download or copy the CloudFormation template and save it as cloud_formation.yaml on your computer.
Log in to your AWS Management Console.
Navigate to the CloudFormation service.
Click Create stack > With new resources.
Select Upload a template file, choose the cloud_formation.yaml file, and click Next.
Configure the stack parameters:
- Stack Name: Assign any name you prefer for this deployment.
- Bucket Name: Change the bucket name parameter to a globally unique value.
- NebulockAccountID: Leave this as the default value provided in the template.
- External ID: Provide a unique string of your choice; this acts as a shared secret to secure the cross-account connection.
- TrailName: Keep the default or use your own naming convention.
After submitting, ensure the stack was created correctly.
All the values you need for the Nebulock integration can be found under the Outputs tab.
Go to your Nebulock platform and navigate to Integrations > + Add Integration, select "CloudTrail" from the dropdown menu and paste the values you gathered in the previous step.
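Whichever path you took, once the stack is in CREATE_COMPLETE it is worth confirming that the role the template created is as tightly scoped as described above: trusted only by the Nebulock account, only when the caller presents your External ID, and limited to read-only access on the log bucket. The Python below is an added example written for this page, not Nebulock's CloudFormation template or tooling. It checks a role's trust policy and permissions policy documents as you would retrieve them with `aws iam get-role` and `aws iam get-role-policy`; the account ids, bucket name, queue and key ARNs and the External ID in the embedded sample documents are constructed placeholders, so the script runs offline.

```python
"""Post-deployment check for the cross-account CloudTrail ingest role.

Added illustration, not Nebulock's CloudFormation template or tooling. The
policy documents below are constructed samples: 111111111111 stands for the
vendor account, 222222222222 for your own account, and the bucket, queue, key
and External ID values are placeholders.
"""

# Actions an ingest role legitimately needs to read CloudTrail logs from S3
# via an SNS-fed SQS queue. Anything outside this set is flagged.
READ_ONLY_ACTIONS = {
    "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation",
    "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes",
    "kms:Decrypt",
}

def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, expected_account, expected_external_id):
    """Return findings for the role's trust (AssumeRole) policy.

    A safe cross-account trust names one principal (the vendor account) and
    requires sts:ExternalId, which blocks the confused-deputy case where the
    vendor is induced to assume the role on behalf of a third party."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("trust policy allows any principal to assume the role")
        else:
            for arn in aws:
                if expected_account not in arn:
                    findings.append(f"unexpected principal in trust policy: {arn}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != expected_external_id:
            findings.append("trust policy does not require the expected sts:ExternalId")
    return findings

def check_permissions_policy(policy, bucket_name):
    """Return findings for the permissions policy: read-only actions only, and
    every S3 grant scoped to the log bucket rather than '*'."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"non-read-only action granted: {action}")
        if any(a.startswith("s3:") for a in actions):
            for res in _as_list(stmt.get("Resource")):
                if not res.startswith(bucket_arn):
                    findings.append(f"S3 grant not scoped to {bucket_name}: {res}")
    return findings

def audit(trust, perms, account, external_id, bucket):
    """Run both checks and return the combined list of findings (empty = clean)."""
    return check_trust_policy(trust, account, external_id) + check_permissions_policy(perms, bucket)

# Constructed sample: the shape a correctly deployed role should have.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "replace-with-your-external-id"}},
}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::example-cloudtrail-logs"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-cloudtrail-logs/*"},
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
     "Resource": "arn:aws:sqs:us-east-1:222222222222:example-ingest-queue"},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:222222222222:key/00000000-0000-0000-0000-000000000000"},
]}
# Constructed counter-example: wildcard principal, no External ID, write access, unscoped S3.
BAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
BAD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]}

if __name__ == "__main__":
    for label, (t, p) in {"good": (GOOD_TRUST, GOOD_PERMS), "bad": (BAD_TRUST, BAD_PERMS)}.items():
        print(label, audit(t, p, "111111111111", "replace-with-your-external-id", "example-cloudtrail-logs"))
```

To check a live deployment, replace the constructed documents with the JSON returned by `aws iam get-role` (the `AssumeRolePolicyDocument` field) and `aws iam get-role-policy`, and pass the Nebulock account id, your External ID and your bucket name. A non-empty findings list is a reason to hold the integration until the template parameters, in particular External ID and KMS Key ARN, are corrected and the stack updated.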