
AWS CloudTrail Integration

Realm can ingest AWS CloudTrail logs delivered to an S3 bucket via SQS event notifications. CloudTrail records API activity and account events across your AWS infrastructure — ingesting these logs into Realm enables detection and investigation of suspicious account behavior.

Realm supports two approaches for receiving notifications when new CloudTrail log files land in S3:

  • Option 1 — Via SQS (S3 → SQS): Configure S3 to send event notifications directly to a new SQS queue.
  • Option 2 — Via SNS & SQS (S3 → SNS → SQS): Subscribe a new SQS queue to an existing SNS topic that already receives S3 events from the CloudTrail bucket.

Both approaches share the same IAM policy and IAM user setup. Follow the relevant section below based on your setup.

Prerequisites

CloudTrail must be configured to deliver logs to an S3 bucket. If you haven't done this yet, follow the steps in the next section. If CloudTrail is already writing to an S3 bucket, skip ahead to the relevant option.

Enable CloudTrail and Configure Log Delivery

Skip this step if CloudTrail is already delivering logs to an S3 bucket. Copy the bucket name and proceed to your chosen option.

  1. Go to CloudTrail > Trails
  2. Click Create trail
  3. Fill out the trail details:

Trail name: rlm-cloudtrail
Storage location: Create new S3 bucket
Trail log bucket and folder: aws-cloudtrail-logs-<account_id>

  4. Under CloudWatch Logs, leave disabled unless you require CloudWatch integration
  5. Click Next
  6. Select the event types to log:

Check Management events
Check Read and Write under API activity
Optionally check Data events if you want S3 or Lambda data plane activity

  7. Click Next, then Create trail
  8. Copy the S3 bucket name shown on the trail detail page — you will need it in the steps below

Option 1: Via SQS (S3 → SQS)

Use this approach if your CloudTrail S3 bucket does not already have an SNS topic configured for event notifications.

Step 1: Create SQS Queue

  1. Go to SQS > Queues
  2. Click Create Queue
  3. Enter the queue name:

Name: rlm-cloudtrail-notifications

  4. Click Create Queue
  5. Copy the ARN of the queue — you will need it in the steps below

Step 2: Create IAM Policy

  1. Go to IAM > Policies
  2. Click Create Policy
  3. Click JSON and replace the contents with the following, substituting <s3_bucket_arn> with the ARN of your CloudTrail S3 bucket and <sqs_queue_arn> with the SQS queue ARN from Step 1
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "s3ReadCloudTrailObjects",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<s3_bucket_arn>",
                "<s3_bucket_arn>/*"
            ]
        },
        {
            "Sid": "sqsCloudTrailNotifications",
            "Effect": "Allow",
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage"
            ],
            "Resource": [
                "<sqs_queue_arn>"
            ]
        }
    ]
}
```
  4. Click Next
  5. Enter the policy details:

Name: rlm-cloudtrail-read
Description: Grant read access to CloudTrail S3 bucket and permission to receive notifications from the SQS queue.

  6. Click Create Policy

Step 3: Create IAM User

  1. Go to IAM > Users and click Create User
  2. Enter the username:

Name: rlm-cloudtrail-user

  3. Click Next
  4. Select Attach policies directly
  5. Search for and select the rlm-cloudtrail-read policy created in Step 2
  6. Click Next, then Create user
  7. Open the user that was just created and copy its ARN — you will need it in Step 4
  8. Go to Security credentials and click Create access key
  9. Select Third-party service, check the confirmation checkbox, then click Next
  10. Enter a description:

Credentials for Realm.Security to read CloudTrail logs from S3

  11. Click Create access key
  12. Copy and save the Access Key and Secret access key — you will need these when configuring the CloudTrail input feed in Realm

Step 4: Update SQS Access Policy

The SQS queue policy must allow S3 to publish notifications to the queue and allow the IAM user to read from it.

  1. Go to SQS > Queues
  2. Select the rlm-cloudtrail-notifications queue
  3. Go to Queue policies and click Edit
  4. Replace the policy JSON with the following, substituting <sqs_queue_arn> with the SQS queue ARN and <iam_user_arn> with the IAM user ARN from Step 3
```json
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "AllowS3Publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "<sqs_queue_arn>"
    },
    {
      "Sid": "AllowRealmUser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<iam_user_arn>"
      },
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "<sqs_queue_arn>"
    }
  ]
}
```
  5. Click Save

Step 5: Configure S3 Event Notifications

  1. Go to S3 > Buckets and select your CloudTrail log bucket
  2. Go to Properties > Event notifications
  3. Click Create event notification
  4. Fill out the details:

Event name: RlmCloudTrailCreateEvents
Check All object create events
Destination: SQS Queue
Select rlm-cloudtrail-notifications from the dropdown

  5. Click Save changes

Step 6: Configure the Input Feed in Realm

  1. In Realm, go to Sources
  2. Click Add Source and select AWS Cloudtrail
  3. Fill in the connection details:

Name: AWS CloudTrail
SQS Queue URL: The URL of the rlm-cloudtrail-notifications queue
Access Key: The access key from Step 3
Secret Access Key: The secret access key from Step 3

  4. Click Save

Realm will begin polling the SQS queue and fetching CloudTrail log files from S3 as they arrive.


Option 2: Via SNS → SQS

Use this approach to subscribe a new SQS queue to an SNS topic that already receives S3 ObjectCreate notifications from the CloudTrail bucket.

Step 1: Create and Configure SNS Topic

Skip this step if you already have an SNS topic configured to receive S3 ObjectCreate notifications from your CloudTrail bucket. Copy its ARN and proceed to Step 2.

Create the SNS topic:

  1. Go to SNS > Topics
  2. Click Create topic
  3. Select Standard as the type
  4. Enter the topic name:

Name: rlm-cloudtrail-notifications-topic

  5. Click Create topic
  6. Copy the ARN of the topic — you will need it in the steps below

Update the SNS topic access policy:

The SNS topic policy must allow S3 to publish to it.

  1. On the topic details page, go to Access policy and click Edit
  2. Replace the policy JSON with the following, substituting <sns_topic_arn> with the SNS topic ARN and <s3_bucket_arn> with the ARN of your CloudTrail S3 bucket
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3Publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "<sns_topic_arn>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "<s3_bucket_arn>"
        }
      }
    }
  ]
}
```
  3. Click Save changes

Configure S3 to send ObjectCreate notifications to the SNS topic:

  1. Go to S3 > Buckets and select your CloudTrail log bucket
  2. Go to Properties > Event notifications
  3. Click Create event notification
  4. Fill out the details:

Event name: RlmCloudTrailToSnsEvents
Check All object create events
Destination: SNS Topic
Select rlm-cloudtrail-notifications-topic from the dropdown

  5. Click Save changes

Step 2: Create SQS Queue

Follow the same steps as Step 1 in Option 1 above to create a queue named rlm-cloudtrail-notifications and copy its ARN.

Step 3: Create IAM Policy

Follow the same steps as Step 2 in Option 1 above to create the rlm-cloudtrail-read policy.

Step 4: Create IAM User

Follow the same steps as Step 3 in Option 1 above. Save the IAM user ARN, Access Key, and Secret access key.

Step 5: Update SQS Access Policy

The SQS queue policy must allow the SNS topic to publish messages to the queue and allow the IAM user to read from it.

  1. Go to SQS > Queues
  2. Select the rlm-cloudtrail-notifications queue
  3. Go to Queue policies and click Edit
  4. Replace the policy JSON with the following, substituting <sqs_queue_arn> with the SQS queue ARN, <sns_topic_arn> with the SNS topic ARN from Step 1, and <iam_user_arn> with the IAM user ARN from Step 4
```json
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "AllowSNSPublish",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "<sqs_queue_arn>",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "<sns_topic_arn>"
        }
      }
    },
    {
      "Sid": "AllowRealmUser",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<iam_user_arn>"
      },
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "<sqs_queue_arn>"
    }
  ]
}
```
  5. Click Save

Step 6: Subscribe SQS Queue to SNS Topic

  1. Go to SNS > Topics
  2. Select the SNS topic from Step 1
  3. Click Create subscription
  4. Fill out the details:

Protocol: Amazon SQS
Endpoint: <sqs_queue_arn>

  5. Click Create subscription

The subscription will be automatically confirmed since both resources are in the same AWS account.

Step 7: Configure the Input Feed in Realm

Follow the same steps as Step 6 in Option 1 above, using the Access Key and Secret access key from Step 4.
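The two options above deliver differently shaped messages to the rlm-cloudtrail-notifications queue: Option 1 puts the S3 event straight in the SQS body, while Option 2 wraps it in an SNS envelope whose Message field is the event as a JSON string. The following is an added example, not Realm's own consumer code, showing how a poller would recover the object to fetch from either shape, ignore the s3:TestEvent that S3 sends when a notification is first configured, and decode the gzipped CloudTrail object. The SQS bodies, account id, topic ARN and log records are constructed inline so it runs without AWS access; the GetObject call itself is not shown.

```python
import gzip
import json
from urllib.parse import unquote_plus

# Constructed sample S3 event for an "All object create events" notification;
# account id, region and object key are made-up placeholders.
S3_EVENT = {"Records": [{
    "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "aws-cloudtrail-logs-123456789012"},
           "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/"
                             "123456789012_CloudTrail_us-east-1_20240101T0000Z_x.json.gz"}}}]}
# Option 1 body: the S3 event itself.  Option 2 body: an SNS envelope whose
# "Message" field holds that same event serialised as a JSON string.
OPTION1_BODY = json.dumps(S3_EVENT)
OPTION2_BODY = json.dumps({"Type": "Notification", "Message": json.dumps(S3_EVENT),
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:rlm-cloudtrail-notifications-topic"})
# S3 also sends an s3:TestEvent when a notification is first configured;
# it carries no Records and must not be treated as a log file.
TEST_EVENT_BODY = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent"})


def s3_objects_from_sqs_body(body):
    """Return (bucket, key) for each ObjectCreated record in one SQS message body."""
    event = json.loads(body)
    if event.get("Type") == "Notification" and "Message" in event:  # SNS envelope
        event = json.loads(event["Message"])
    objects = []
    for rec in event.get("Records", []):  # s3:TestEvent has no Records -> []
        if rec.get("eventSource") != "aws:s3" or not rec.get("eventName", "").startswith("ObjectCreated"):
            continue
        # S3 URL-encodes object keys in notifications; decode before calling GetObject.
        key = unquote_plus(rec["s3"]["object"]["key"])
        objects.append((rec["s3"]["bucket"]["name"], key))
    return objects


def cloudtrail_records(gz_bytes):
    """A CloudTrail log object is gzip-compressed JSON with a top-level Records list."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


# Constructed stand-in for the bytes GetObject would return for the key above.
SAMPLE_LOG_OBJECT = gzip.compress(json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "rlm-cloudtrail-user"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "rlm-cloudtrail-user"}}]}).encode())
```

If raw message delivery is enabled on the SNS subscription, the Option 2 body arrives without the envelope and takes the Option 1 path; the same function handles both.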