This CloudTrail integration is specifically designed to work with the destination bucket to which CloudTrail writes its logs.

It is based on CloudTrail’s naming convention and path structure.

If you’re looking to ship CloudTrail logs from a different bucket, please use the S3 Bucket shipping method instead.


Before you begin:

  • If you plan on using an access key to authenticate your connection, you’ll need to set the s3:ListBucket and s3:GetObject permissions for the required S3 bucket.

  • If you plan on using an IAM role to authenticate your connection, you can get the role policy by filling out the bucket information and clicking the “Get the role policy” button.

  • File names in ascending alphanumeric order. This is important because the S3 fetcher’s offset is determined by the name of the last file fetched. We recommend using standard AWS naming conventions to determine the file name ordering and to avoid log duplication.

Send your logs to an S3 bucket fetches your CloudTrail logs from an S3 bucket.

For help with setting up a new trail, see Overview for Creating a Trail from AWS.

Add your S3 bucket information

To use the S3 fetcher, log into your account, and go to the CloudTrail log shipping page.

  1. Click + Add a bucket
  2. Select your preferred method of authentication - an IAM role or access keys.

The configuration wizard will open.

  1. Provide the S3 bucket name
  2. Provide your Prefix. That is your CloudTrail path. See further details below.
  3. There is no Region selection box because it is not needed. will pull data from all regions in AWS for the specified bucket and account.
  4. Save your information.

S3 bucket configuration wizard

Getting the information from your CloudTrail AWS path

You may need to fill in 2 parameters when creating the bucket - {BUCKET_NAME} and {PREFIX}. You can find them in your CloudTrail AWS path. The AWS path structure for CloudTrail looks like the examle below:

  • {BUCKET_NAME} is your S3 bucket name.

  • {PREFIX} is your CloudTrail path. You may or may not have a prefix.

    If you don’t have a prefix, put down:


    If you do have a prefix, put down:

    {PREFIX}/cloudtrail/AWSLogs/{AWS_ACCOUNT_ID}/CloudTrail/ fetches logs that are generated after configuring an S3 bucket. cannot fetch past logs retroactively.

Check for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don’t see your logs, see log shipping troubleshooting.