Azure Sentinel with AWS CloudTrail

In order to have insights of both Azure Cloud and AWS cloud on single dashboard Azure Sentinel can be integrated with AWS CloudTrail Service. This solution is viable when it comes to multi cloud scenario and client wants to stick to existing SEIM tool which is Azure Sentinel.

With the data received by Azure Sentinel, one can quickly build relevant use cases to monitor the wealth of data provided by CloudTrail, allowing AWS users to benefit the services of a powerful cloud based SIEM product without significant redesign of their AWS logging infrastructure.


Figure 1: Azure Sentinel with Syslog

Azure Sentinel with AWS CloudTrail

What is Azure Sentinel?

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

What is AWS CloudTrail?

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

AWS CloudTrail Documentation

Most of the organizations are adopting the new trend of taking a multi cloud approach. Managing security and auditing in all those cloud environments will be a challenging task for administrators and security engineers. Azure Sentinel gives us an option to be used as a single pane to measure all the security related analytics and detection. Azure Sentinel supports numerous data connectors that we can leverage.

Connect your AWS CloudTrail with Azure Sentinel

Before we start following prerequisites needed

  • Azure Tenant
  • AWS Account

How it Works?

First step is to create a workspace log analytic in Azure portal

Second is to create a role in IAM within AWS Account

Third is to add the ID of Azure Sentinel


Make sure Require External ID is selected and then and enter the External ID (Workspace ID) that can be found in the AWS connector page in the Azure Sentinel portal.

  • Go to the next step which is permission and choose AWSCloudTrailReadOnlyAccess.
  • Then give a role name and click create role -> choose the role just created -> copy the role ARN
  • paste it into the Role to add field in the Azure Sentinel Portal