AWS CloudTrail Integration Guide | PagerDuty

Integration Guide for AWS CloudTrail

Integration Overview

PagerDuty’s integration with AWS CloudTrail enables automated response workflows for activity in your AWS environment that could raise compliance or security issues. PagerDuty lets you group these alerts alongside other ongoing issues, and it has seamless integrations with systems of record such as JIRA and SNOW. This is a one-way integration, sending alerts to PagerDuty.

Follow the instructions below to configure AWS CloudTrail with PagerDuty. If you have any questions or need any assistance, please contact our support team at support@pagerduty.com.

In PagerDuty

There are two ways that AWS CloudTrail can be integrated with PagerDuty: via Global Event Routing or through an integration on a PagerDuty Service.

Integrating with Global Event Routing

Integrating with Global Event Routing may be beneficial if you want to build different routing rules based on the payload coming from AWS. You can also leverage features such as scheduling rules or appending information with a note. If you would like to learn more, please visit our article on Global Event Routing.

  1. From the Configuration menu, select Event Rules.
  2. On the Event Rules screen, copy your Integration Key.
  3. Once you have your Integration Key, the Integration URL will be:

https://events.pagerduty.com/x-ere/[YOUR_INTEGRATION_KEY_HERE]

You can now proceed to the In the AWS Management Console section below.

Integrating with a PagerDuty Service

Integrating with a PagerDuty Service directly can be beneficial if you don’t need to route alerts from AWS to different responders based on the event payload. You can still use service-level event rules to perform actions such as suppressing events.

  1. From the Configuration menu, select Services.
  2. On your Services page:
    If you are creating a new service for your integration, click +Add New Service. It is recommended that you create a service specifically for AWS CloudTrail notifications.
    If you are adding your integration to an existing service, click the name of the service you want to add the integration to. Then click the Integrations tab and click the +New Integration button.
  3. Select AWS CloudTrail from the Integration Type menu and enter an Integration Name.
    If you are creating a new service for your integration, in General Settings, enter a Name for your new service. Then, in Incident Settings, specify the Escalation Policy, Notification Urgency, and Incident Behavior for your new service.
  4. Click the Add Service or Add Integration button to save your new integration. You will be redirected to the Integrations page for your service.
  5. Copy the Integration URL for your new integration.

In the AWS Management Console

  1. In the SNS console, click Create Topic. This topic will be used to route alerts from AWS to PagerDuty.
  2. Enter a Topic name and Display name, then click Create topic. You may want to name your topic after your PagerDuty service’s name.
  3. Now that your topic has been created, click Create Subscription.
  4. Make sure HTTPS is the selected Protocol. Paste the Integration URL you copied in step 5 of the PagerDuty section above into the Endpoint field and click Create Subscription.
  5. Your subscription should be confirmed automatically. Click the refresh icon and make sure the Subscription ID is no longer PendingConfirmation.
  6. Search for CloudTrail in your AWS Management Console.
  7. Create a trail if you do not already have one. Note that you can optionally send the trail data to a newly created S3 bucket.
  8. In the CloudTrail console, click the trail that you would like to integrate with PagerDuty.
  9. If you have not yet configured CloudTrail to deliver logs to CloudWatch Logs, start by pressing the Configure button. If you have already integrated CloudTrail with CloudWatch Logs, choose a log group name and click Continue.
  10. On the next screen, click the Allow button at the bottom right to allow communication between CloudTrail and CloudWatch.
  11. After configuring CloudTrail to send data to CloudWatch Logs, navigate to the CloudWatch console, where you can configure an Alarm based on a CloudTrail finding.
  12. In the CloudWatch console, click Logs, select the radio button to the left of the log group that you would like to set a filter on, then click Create Metric Filter.
  13. Define a pattern for the type of activity you’d like to send to PagerDuty and click Assign Metric.
  14. Choose an existing Metric Namespace or create a new one, and name the metric. Then click Create Filter.
  15. After creating the Filter, click Create Alarm.
  16. On the Modify Alarm screen, verify your alarm threshold and settings. Add a new Action to Send Notification(s) when the alarm state reaches ALARM by clicking + Notification.
  17. Add a notification for the OK state and check that your ALARM state notification is correct. Make sure both notifications are being sent to the Topic created earlier in step 2 (above). Click Create Alarm to save your changes. You should now see PagerDuty incidents when the alarm thresholds are breached.
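
The console steps above, automated with boto3 as an added example (not PagerDuty's or AWS's code): it creates the SNS topic, subscribes the Integration URL over HTTPS, adds a metric filter on the CloudTrail log group, and creates an alarm that notifies the topic for both the ALARM and OK states. The resource names, the metric namespace, the log-group name and the filter pattern (CloudTrail records for refused API calls) are assumptions you would adapt.

```python
from urllib.parse import urlparse

# Assumed filter: CloudWatch Logs JSON syntax over CloudTrail fields, matching refused API calls.
DENIED_CALLS_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
NAMESPACE = "CloudTrailMetrics"  # assumed metric namespace


def validate_integration_url(url: str) -> bool:
    """SNS subscribes over HTTPS only; accept just PagerDuty's events host with a key path."""
    p = urlparse(url)
    return p.scheme == "https" and p.netloc == "events.pagerduty.com" and len(p.path) > 1


def metric_filter_request(log_group: str, name: str, pattern: str) -> dict:
    """Arguments for logs.put_metric_filter: each matching record adds 1 to the metric."""
    return {
        "logGroupName": log_group,
        "filterName": name,
        "filterPattern": pattern,
        "metricTransformations": [{"metricName": name, "metricNamespace": NAMESPACE, "metricValue": "1"}],
    }


def alarm_request(name: str, topic_arn: str, threshold: int = 1) -> dict:
    """Arguments for cloudwatch.put_metric_alarm. ALARM and OK both notify the topic,
    as the guide requires, so PagerDuty can trigger and later resolve the incident."""
    return {
        "AlarmName": name, "Namespace": NAMESPACE, "MetricName": name,
        "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1,
        "Threshold": threshold, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # a quiet period is not an alarm
        "AlarmActions": [topic_arn], "OKActions": [topic_arn],
    }


def wire_up(integration_url: str, log_group: str, name: str = "cloudtrail-denied-calls") -> str:
    """Create the topic, subscribe PagerDuty, add the filter and alarm; returns the topic ARN."""
    import boto3  # imported here so the request builders above run without AWS credentials
    if not validate_integration_url(integration_url):
        raise ValueError("integration URL must be https://events.pagerduty.com/...")
    sns, logs, cw = boto3.client("sns"), boto3.client("logs"), boto3.client("cloudwatch")
    topic_arn = sns.create_topic(Name=name)["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="https", Endpoint=integration_url)
    logs.put_metric_filter(**metric_filter_request(log_group, name, DENIED_CALLS_PATTERN))
    cw.put_metric_alarm(**alarm_request(name, topic_arn))
    return topic_arn
```

After `wire_up` returns, refresh the subscription in the SNS console as in step 5 to confirm it is no longer PendingConfirmation.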

Congratulations, you have now integrated AWS CloudTrail with PagerDuty! For more information on how to adjust settings to deduplicate events within PagerDuty, please visit our article on Event Management.