# AWS CloudTrail via CloudWatch

Please use this integration guide to configure CloudTrail alerts so they can be received in Squadcast. This integration should be used only for getting CloudTrail alerts via CloudWatch and an SNS endpoint.

For CloudTrail log alerts, use the [AWS CloudTrail Logs integration](https://github.com/punit-squadcast/sq-doc/blob/main/integrations/alert-source-integrations-native/aws-cloudtrail-logs/README.md).

For regular AWS CloudWatch alarms (like EC2 alerts), use the [AWS CloudWatch Integration](https://github.com/punit-squadcast/sq-doc/blob/main/integrations/alert-source-integrations-native/amazon-cloudwatch-aws/README.md).

## Using AWS CloudTrail via CloudWatch as an Alert Source

1. Navigate to **Services** -> **Service Overview** -> select or search for your Service. Expand the accordion -> In the Alert Sources section, click **Add**.

<figure><img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-4fbd74e7ca0b30173c47a1d58ed6a0804a0465aa%2FAlert_Sources.png?alt=media&#x26;token=aaca6610-9d18-4dd4-9cf5-320042f326f1" alt="How to configure AWS CloudTrail via CloudWatch integration in Squadcast" width="563"><figcaption></figcaption></figure>

2\. Select **AWS CloudTrail via CloudWatch**. Copy the displayed **Webhook URL** to [configure](#create-cloudtrail-alarm-endpoint-in-aws-sns) it within **AWS CloudTrail via CloudWatch.** Finish by clicking **Add Alert Source** -> **Done**.

<figure><img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-18d9281ca3269ea8d0eb0c398e09b16bae746564%2FAWS%20CloudTrail%20via%20CloudWatch.png?alt=media&#x26;token=e9a7f576-2a95-4f90-b5b4-4f789bd73b9b" alt="Steps to add AWS CloudTrail via CloudWatch integration to a service in Squadcast" width="563"><figcaption></figcaption></figure>

{% hint style="warning" %} <mark style="color:orange;">**Important**</mark>**:**

When an alert source turns <mark style="color:green;">Active</mark>, it’ll show up under Configured Alert Sources. You can either generate a test alert from the integration or wait for a real-time alert to be generated by the Alert Source.\
\
An Alert Source is <mark style="color:green;">active</mark> if there is a recorded incident via that Alert Source for the Service.
{% endhint %}

## Create CloudTrail Alarm Endpoint in AWS SNS

1. Now log in to your AWS account and proceed to SNS.
2. Click on "**Create topic**" to get the "Create new topic" dialogue box. Fill in the details as per your requirements and then click on "**Create topic**"

<figure><img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-836508c5e695ec12be0287c5af78a4dec49c689f%2Fcloudwatch_2.png?alt=media&#x26;token=c8381af4-6e65-46fd-9450-bad56e444777" alt="Create CloudTrail Alarm Endpoint - AWS SNS: Create Topic" width="563"><figcaption></figcaption></figure>

3. Now inside the topic, click on "**Create subscription**" to get the "Create subscription" dialog box. Select the protocol as "**HTTPS**" and in the endpoint enter the URL you obtained from the previous step. Finally, click on "**Create subscription**" to create the subscription.

<figure><img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-0ec13b8d95e532a092872d18acb5dadafcc27eb1%2Fcloudwatch_3.png?alt=media&#x26;token=3408811c-8edb-4425-a6a8-4ab2989a4da3" alt="Create Subscription - AWS SNS: HTTPS Endpoint URL" width="563"><figcaption></figcaption></figure>

<figure><img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-c9dbc99578774a4d049f28411eda938ac7cd0637%2Fcloudwatch_4.png?alt=media&#x26;token=97fe935a-c6fb-4cc8-87a3-847a4bcb6700" alt="Create Subscription - AWS SNS: HTTPS Endpoint URL" width="563"><figcaption></figcaption></figure>

4. The "**Subscription ID**" for the subscription should immediately change to "**Confirmed**" from "**PendingConfirmation**". Click on the refresh button to verify the same.

<figure><img src="https://1574591692-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F8TaWz01jmUJl58p4ZVel%2Fuploads%2Fgit-blob-75d348621eda5ae089aeaf88fdffeea50ce9fb74%2Fcloudwatch_5.png?alt=media&#x26;token=2dd678d7-f8ce-4b9b-97e7-a6a6f39469d4" alt="Verify Subscription Confirmation - AWS SNS: Refresh Subscription Status" width="563"><figcaption></figcaption></figure>

Then you can [configure your CloudTrail alerts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-security-group) and assign this topic as the notification option and you are good to go.

*Have any questions?* [*Ask the community*](https://community.squadcast.com/view/home)*.*