content/en/docs/concepts/event-sources/plugins/cloudtrail.md
The Falco cloudtrail plugin reads AWS CloudTrail logs and emits one Falco event for each CloudTrail log entry.
The plugin also ships with out-of-the-box rules that flag interesting, suspicious or notable activity in CloudTrail logs, including:
See the README for details on how to configure the plugin. The plugin's init config and open params (strings or objects) are set in falco.yaml under the plugins configuration key.
The plugin can be configured to read log files from:
- a local filesystem path (a single log file or a directory of log files),
- an S3 bucket (optionally restricted to a key prefix),
- an SQS queue that relays SNS notifications about newly written log files.
For more information on the open params syntax, see open params.
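As an added example, not taken from the plugin's README or the Falco project's own configuration, here is a falco.yaml fragment that loads the cloudtrail plugin and selects one of the three sources through open_params. The library paths, the queue name "falco-cloudtrail-queue", the bucket name and the local directory are assumptions; replace them with your own values.

```yaml
# Added example, not from the plugin README: wires the cloudtrail plugin
# into falco.yaml. The json plugin is loaded alongside it so rules can
# pull arbitrary fields out of the raw JSON entry with json.value[...].
plugins:
  - name: cloudtrail
    # Path is an assumption; point it at wherever the plugin library was installed.
    library_path: libcloudtrail.so
    # No init_config keys are set here, so the plugin runs with its defaults.
    init_config: ""
    # Exactly one open_params value applies. The queue, bucket and directory
    # names below are placeholders.
    open_params: "sqs://falco-cloudtrail-queue"
    # open_params: "s3://my-cloudtrail-bucket/AWSLogs/"
    # open_params: "/var/log/cloudtrail/"
  - name: json
    library_path: libjson.so
    init_config: ""

# Only plugins listed here are actually loaded at startup.
load_plugins: [cloudtrail, json]
```

Whichever source is chosen, the identity Falco runs as needs read access to the CloudTrail objects in S3; with the sqs:// form it additionally needs permission to receive (and, with the default behaviour, delete) messages on the queue, since the plugin downloads each log file named in a notification after dequeuing it.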
Before the plugin can be used, CloudTrail logging must be enabled for every account you want to monitor.
Of the three sources above, an SQS queue is the easiest to consume. Reading from a local path or an S3 prefix processes the log files already present there, whereas with an SQS queue the plugin is notified whenever a new log file is written and consumes it automatically.
The trade-off is that this requires several AWS resources outside of Falco (SQS queues, SNS topics and subscriptions, IAM policy documents, and so on), each of which involves manual setup steps.
To make this easier, we've created a Terraform module that creates these resources automatically.