
About AWS CloudTrail

CloudTrail evidence typically includes management events retrieved via LookupEvents plus configuration metadata for the trails (GetTrail, DescribeTrails, GetEventSelectors). LookupEvents covers roughly the last 90 days; anything older must be read from the trail's S3 archive, which requires s3:GetObject on the archive objects and, when the trail is encrypted with a customer-managed KMS key (CMK), kms:Decrypt on that key.

How it works

Attach the AWS managed policy AWSCloudTrail_ReadOnlyAccess to a role that Iru assumes cross-account. Add the optional inline kms:Decrypt statement only when you deliberately ingest encrypted trail archives from S3; leaving it off keeps the role to read-only API access.

Detail          Value
Category        Audit logging
Authentication  Cross-account IAM role

Prerequisites

  • IAM rights to create roles and attach policies.
  • Knowing whether your audits need only the last 90 days (API lookups) or older history from the S3 trail archive, which adds s3:GetObject and possibly kms:Decrypt.
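The second prerequisite is easier to answer with a concrete plan. The script below is an added example (not Iru's code): given an audit window, it splits the days into the part LookupEvents can still serve and the daily S3 archive prefixes needed for the rest, and lists the permissions the connector role must hold. It encodes the page's 90-day figure and CloudTrail's standard delivery path AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/ (organization trails insert an <org-id>/ segment before the account). The account ID, Region, bucket name and dates at the bottom are constructed placeholders.

```python
"""Plan where CloudTrail evidence for an audit window comes from.

Added example for this page, not Iru's code. It encodes two facts from the
page: LookupEvents covers roughly the last 90 days of management events, and
anything older must be read from the trail's S3 archive (s3:GetObject, plus
kms:Decrypt when the trail uses a customer-managed KMS key). The S3 key
layout AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/ (with an extra
<org-id>/ segment for organization trails) is CloudTrail's standard delivery
path. The account, Region, bucket and dates used at the bottom are
constructed placeholders."""
from datetime import date, timedelta

LOOKUP_WINDOW_DAYS = 90  # LookupEvents retention stated on the page


def _to_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def archive_prefix(day, account_id, region, bucket, org_id=None, prefix=""):
    """S3 URI of the daily archive folder for one account, Region and day."""
    day = _to_date(day)
    base = prefix.strip("/") + "/" if prefix else ""
    org = f"{org_id}/" if org_id else ""
    return f"s3://{bucket}/{base}AWSLogs/{org}{account_id}/CloudTrail/{region}/{day:%Y/%m/%d}/"


def plan_evidence(start, end, today, account_id, region, bucket,
                  org_id=None, prefix="", cmk_encrypted=False):
    """Split the inclusive window [start, end] into the part LookupEvents can
    serve and the daily archive prefixes needed for the rest, and list the
    permissions the connector role must hold for that plan.
    Dates may be date objects or ISO strings; the result uses ISO strings."""
    start, end, today = _to_date(start), _to_date(end), _to_date(today)
    if end < start:
        raise ValueError("end is before start")
    cutoff = today - timedelta(days=LOOKUP_WINDOW_DAYS)  # oldest day LookupEvents serves
    plan = {"lookup_events": None, "s3_prefixes": [],
            "permissions": ["cloudtrail:LookupEvents"]}
    if end >= cutoff:
        plan["lookup_events"] = (max(start, cutoff).isoformat(), end.isoformat())
    day = start
    while day < cutoff and day <= end:  # days the API window no longer reaches
        plan["s3_prefixes"].append(
            archive_prefix(day, account_id, region, bucket, org_id, prefix))
        day += timedelta(days=1)
    if plan["s3_prefixes"]:
        plan["permissions"].append("s3:GetObject")
        if cmk_encrypted:
            plan["permissions"].append("kms:Decrypt")
    return plan


if __name__ == "__main__":
    # Constructed sample: a four-day window straddling the 90-day boundary.
    p = plan_evidence("2024-03-30", "2024-04-02", today="2024-06-30",
                      account_id="123456789012", region="us-east-1",
                      bucket="example-trail-bucket", cmk_encrypted=True)
    print(p["lookup_events"])
    for uri in p["s3_prefixes"]:
        print(uri)
    print(p["permissions"])
```

If the plan contains no s3_prefixes, AWSCloudTrail_ReadOnlyAccess alone is enough; only when it does should you care about the bucket and, for CMK-encrypted trails, the optional kms:Decrypt statement in the steps below.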

Connect AWS CloudTrail to Iru

Copy the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Screenshot: left navigation with Compliance expanded and Sources selected.
2

Turn on AWS CloudTrail

Find the AWS CloudTrail card (filter by Category, or search by name or description) and turn on its toggle. Leave the wizard tab open; you will need the trust policy and external ID it shows in the next steps.
3

Copy the trust policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1

Start Create role

In the AWS console open IAM, choose Roles, then Create role.
2

Configure trusted entity

Choose AWS account, then Another AWS account. Enter 753695775620 (or the account ID Iru shows). Enable Require external ID and paste the external ID from Iru; this is the sts:ExternalId condition in the trust policy and is what stops another Iru tenant from assuming your role.
3

Attach CloudTrail read access

Attach AWSCloudTrail_ReadOnlyAccess.
4

Optional - add KMS decrypt for encrypted trail archives

If your trail archives are encrypted with a customer-managed KMS key, add an inline policy that scopes kms:Decrypt to that key only (replace REGION, ACCOUNT, CMK-ID). The key policy must also allow the role to use the key: the default key policy delegates this to IAM, but a customized key policy may not.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "arn:aws:kms:REGION:ACCOUNT:key/CMK-ID"
    }
  ]
}
5

Name the role and copy the ARN

Finish the role, then copy the Role ARN.
6

Verify the trust relationship

On the role's Trust relationships tab, confirm the policy matches the wizard JSON: the principal is Iru's role ARN and the sts:ExternalId condition carries the external ID Iru shows, not the YOUR_EXTERNAL_ID placeholder.
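Before submitting the ARN, it is worth checking the role the way a reviewer would rather than by eye. The script below is an added example (not Iru's code) that checks both the trust policy from the wizard and the optional KMS inline policy: the trust policy must name only Iru's role as principal and carry a real sts:ExternalId condition, and the inline policy must grant kms:Decrypt on one specific key rather than on * or an unfilled placeholder. The documents at the bottom are constructed copies; in practice fetch the live ones with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and `aws iam get-role-policy --role-name <name> --policy-name <inline-name>` and pass the parsed JSON in. The external ID and key ARN are made up.

```python
"""Check the cross-account role before submitting its ARN.

Added example for this page, not Iru's code. The principal ARN is the one
in the wizard JSON on this page; the external ID and key ARN in the sample
documents are constructed placeholders."""
import re

IRU_PRINCIPAL = "arn:aws:iam::753695775620:role/IruConnect"
PLACEHOLDERS = ("YOUR_EXTERNAL_ID", "REGION", "ACCOUNT", "CMK-ID")
KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def check_trust_policy(doc, expected_external_id, expected_principal=IRU_PRINCIPAL):
    """Return findings for a role trust policy; an empty list means it
    matches the wizard: only Iru's role may assume it, and only with the
    external ID (the confused-deputy guard)."""
    findings = []
    allow = [s for s in _as_list(doc.get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allow:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in allow:
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("wildcard principal: any AWS account could assume this role")
        elif expected_principal not in aws:
            findings.append(f"principal {aws} is not {expected_principal}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition")
        elif ext in PLACEHOLDERS:
            findings.append("placeholder external ID left in the trust policy")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match the value Iru shows")
    return findings


def check_kms_inline_policy(doc):
    """Return findings for the optional inline policy: kms:Decrypt only,
    scoped to one real key ARN rather than * or an unfilled placeholder."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != "kms:Decrypt"]
        if extra:
            findings.append(f"actions beyond kms:Decrypt: {extra}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append("Resource * lets the role decrypt with every key in the account")
            elif any(p in res for p in PLACEHOLDERS):
                findings.append(f"placeholder left in key ARN: {res}")
            elif not KEY_ARN.match(res):
                findings.append(f"not a single KMS key ARN: {res}")
    return findings


# Constructed sample documents (the external ID and key are made up).
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": IRU_PRINCIPAL},
    "Condition": {"StringEquals": {"sts:ExternalId": "a1b2c3d4-example"}},
    "Action": "sts:AssumeRole"}]}
UNFILLED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": IRU_PRINCIPAL},
    "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}},
    "Action": "sts:AssumeRole"}]}
GOOD_KMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["kms:Decrypt"],
    "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]}
BROAD_KMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["kms:Decrypt", "kms:*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, findings in [
        ("trust (filled)", check_trust_policy(GOOD_TRUST, "a1b2c3d4-example")),
        ("trust (unfilled)", check_trust_policy(UNFILLED_TRUST, "a1b2c3d4-example")),
        ("kms (scoped)", check_kms_inline_policy(GOOD_KMS)),
        ("kms (broad)", check_kms_inline_policy(BROAD_KMS)),
    ]:
        print(name, "OK" if not findings else findings)
```

An empty findings list for both documents is the state the "Verify the trust relationship" step asks for; any finding on the trust policy means the role is either assumable by the wrong party or not assumable by Iru at all, and should be fixed before the ARN is submitted.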

Submit the role ARN in Iru

1

Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2

Confirm the source is Active

Submit. The AWS CloudTrail source should show Active once Iru has successfully assumed the role.

Troubleshooting

  • The wizard does not open: check pop-up blocker settings for the Iru site and try again.
  • Evidence older than 90 days is missing: LookupEvents does not reach it; use the S3 archive ingestion path, which requires s3:GetObject and, for CMK-encrypted trails, kms:Decrypt.
  • AssumeRole is refused: check for an external ID mismatch between the sts:ExternalId condition in the trust policy and the value Iru shows.

Considerations

Multi-Region and Organization trails change where the evidence lives and which account and Region the APIs must be called in: an Organization trail delivers every member account's events to one central bucket, so the role and any S3 or KMS permissions must live in the account that owns that bucket. Mirror AWS best practices for centralized logging.
