Amazon CloudTrail Integration

Amazon CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

OpsGenie is an alert and notification management solution that is highly complementary to Amazon CloudTrail. With this integration, OpsGenie alerts can be created for Amazon CloudTrail notifications.

What does OpsGenie offer to Amazon CloudTrail users?

By using the OpsGenie Amazon CloudTrail Integration, you can forward Amazon CloudTrail notifications to OpsGenie. OpsGenie determines the right people to notify based on on-call schedules, notifies them by email, text messages (SMS), phone calls and iOS & Android push notifications, and escalates alerts until the alert is acknowledged or closed.

Functionality of the integration

  • When Amazon CloudTrail receives a new log, an alert is created in OpsGenie automatically through the integration.

Add Amazon CloudTrail Integration to OpsGenie

  1. Please create an OpsGenie account if you haven't done so already.
  2. Go to the OpsGenie Amazon CloudTrail Integration page.
  3. Specify who should be notified for Amazon CloudTrail alerts using the "Teams" field. Auto-complete suggestions will be provided as you type.
  4. Click on "Save Integration".

Configuration in Amazon CloudTrail

  1. Go to the SNS dashboard. From the dashboard, click on the Create Topic action.
  2. Fill in the required fields and click on Create topic.
  3. From the Topic details page, click on Create subscription.
  4. Choose HTTPS as the Protocol and, in the Endpoint field, paste the URL from the OpsGenie Amazon CloudTrail integration page (there is a sample in the section Add Amazon CloudTrail Integration to OpsGenie). Then click Create subscription.

Upon successfully configuring the SNS subscription to OpsGenie, a confirmation alert should be created in OpsGenie.

  5. Configure Amazon SNS notifications for Amazon CloudTrail to send notifications to the SNS topic you've created.
  6. From the Amazon CloudTrail Console, navigate to Trails. Add a new trail or use an existing one.
  7. In the S3 tab, click Advanced, choose your SNS topic there, then click Save.

Sample Payload from OpsGenie Amazon CloudTrail Integration

{
  "Type": "Notification",
  "MessageId": "d7b0abd-f459-5627-b6e7-5a4cc1f84dcd",
  "TopicArn": "arn:aws:sns:us-west-2:345678987654:og",
  "Message": "{\"s3Bucket\":\"opsgenietest\",\"s3ObjectKey\":[\"AWSLogs/345678987654/CloudTrail/us-east-1/2017/01/12/345678987654_CloudTrail_us-east-1_20170112T0740Z_Q8aey31rGgtoAp9d.json.gz\"]}",
  "Timestamp": "2017-01-12T07:42:25.469Z",
  "SignatureVersion": "1",
  "Signature": "OAXw/gb6ciZSbwZ33sXo1Moh7U5/1m4uBGnqQmbwL8AGuuOa2XgUzxYAMpQUBeYo9sSaHjUf0Qf4BMtlRQ5pc4ghkW0LWKyHTIikKa4MFjlrgMLf7AaYJgh/5bDhorgdiXSk04PD/me2M9Sv85xZufEj9V0ys1PnwP6X877YFKz6iDNQ9Lyi1woaRmtCPmEtbpwjWYQJRlTpEv+exuqVjm7bgLKirCTfTV+1DjB5kfFdK4X8Py9lpFMyaIiT24yffTAMLssp8wcGb8ygGxX9kD0JRfIlnAtM3Mn9NI7jmCXiE4iNpISMMlNSDPrUuwbcd9H9czUSBzXrt3ArMraLdQ==",
  "SigningCertURL": "",
  "UnsubscribeURL": ""
}

This payload is parsed by OpsGenie as:

{
  "s3Bucket": "opsgenietest",
  "s3ObjectKey": "AWSLogs/345678987654/CloudTrail/us-east-1/2017/01/12/345678987654_CloudTrail_us-east-1_20170112T0740Z_Q8aey31rGgtoAp9d.json.gz"
}
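
The parsing step above, written out as an added example for anyone receiving the same SNS notifications on their own HTTPS endpoint; it is not OpsGenie's code. The function name, the expected-topic check and the key-layout check are assumptions of this example, and it does not verify the SNS signature.

```python
import json
import re

# Constructed sample: the SNS envelope from this page, signature fields omitted.
SAMPLE = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-west-2:345678987654:og",
    "Message": json.dumps({
        "s3Bucket": "opsgenietest",
        "s3ObjectKey": ["AWSLogs/345678987654/CloudTrail/us-east-1/2017/01/12/"
                        "345678987654_CloudTrail_us-east-1_20170112T0740Z_Q8aey31rGgtoAp9d.json.gz"],
    }),
    "Timestamp": "2017-01-12T07:42:25.469Z",
})

# CloudTrail log file key layout as in the sample (no organization ID segment).
KEY_RE = re.compile(
    r"(?:^|/)AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"\d{4}/\d{2}/\d{2}/(?P=account)_CloudTrail_(?P=region)_"
    r"(?P<stamp>\d{8}T\d{4}Z)_[A-Za-z0-9]+\.json\.gz$"
)

def parse_cloudtrail_notification(body, expected_topic_arn):
    """Return one dict per log file; ValueError on wrong type, topic or key layout."""
    envelope = json.loads(body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not a Notification: %r" % envelope.get("Type"))
    # Reject messages from any topic other than the one configured on the trail.
    if envelope.get("TopicArn") != expected_topic_arn:
        raise ValueError("unexpected TopicArn")
    inner = json.loads(envelope["Message"])  # Message is JSON encoded as a string
    keys = inner["s3ObjectKey"]
    if isinstance(keys, str):  # tolerate a single key given as a plain string
        keys = [keys]
    results = []
    for key in keys:
        m = KEY_RE.search(key)
        if not m:
            raise ValueError("object key is not a CloudTrail log path: %r" % key)
        results.append({"s3Bucket": inner["s3Bucket"], "s3ObjectKey": key,
                        "account": m["account"], "region": m["region"],
                        "delivered": m["stamp"]})
    return results

if __name__ == "__main__":
    print(parse_cloudtrail_notification(SAMPLE, "arn:aws:sns:us-west-2:345678987654:og"))
```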

