As organizations continue moving workloads to AWS, maintaining visibility into cloud activity has become a critical security requirement.

Every configuration change, API call, user login, and resource modification can have security implications.

Without proper monitoring, suspicious or unauthorized actions may go undetected until significant damage has already occurred.

What AWS CloudTrail Is and Why It Matters

AWS CloudTrail is AWS’s native auditing and logging service that records activity across your AWS environment.

It captures API calls made through the AWS Management Console, AWS CLI, SDKs, and AWS services, creating a detailed audit trail of who performed an action, when it occurred, and what resources were affected.

CloudTrail logs management events by default and can also capture data events and Insights events for deeper visibility.

Why Monitoring CloudTrail Logs Is Critical for Cloud Security

CloudTrail generates a massive amount of valuable security telemetry.

These logs can reveal:

• Unauthorized IAM user creation
• Privilege escalation attempts
• Changes to security groups and firewall rules
• Root account usage
• Suspicious API activity
• Data access events involving sensitive resources
• Failed authentication attempts

Security teams rely on CloudTrail logs to detect threats, investigate incidents, and demonstrate compliance with security frameworks such as PCI DSS, HIPAA, SOC 2, and ISO 27001.

AWS specifically recommends maintaining ongoing CloudTrail records because the default Event History only retains management events for 90 days.

Benefits of Integrating AWS CloudTrail with Wazuh

While CloudTrail provides excellent visibility into AWS activity, it is primarily a logging service.

Wazuh enhances CloudTrail monitoring by adding:

• Centralized log analysis
• Real-time alerting
• Threat detection rules
• Correlation with endpoint and server events
• Security dashboards and visualizations
• Compliance monitoring
• Automated incident response workflows

By forwarding CloudTrail logs into Wazuh, organizations can correlate cloud activity with events from Windows servers, Linux systems, containers, and network devices, creating a more complete security monitoring solution.

For organizations already using Wazuh for host-based monitoring, integrating CloudTrail provides cloud-layer visibility without requiring a separate SIEM platform.

What You’ll Learn in This Guide

In this tutorial, you’ll learn:

• How AWS CloudTrail logging works
• Which CloudTrail events are most important for security monitoring
• How to configure CloudTrail for log collection
• How to send CloudTrail logs to Wazuh
• How to create detection rules for suspicious AWS activity
• How to monitor IAM changes, root account activity, and S3 access events
• Best practices for AWS security monitoring with Wazuh

By the end of this guide, you’ll have a centralized monitoring solution capable of detecting and alerting on high-risk AWS events in near real time.

What Is AWS CloudTrail?

AWS CloudTrail is a service that records actions performed across your AWS environment.

Every API call, console action, or service-generated event can be captured and stored for auditing, security monitoring, troubleshooting, and compliance purposes.

Think of CloudTrail as the activity log for your AWS account.

Whenever someone creates an IAM user, modifies a security group, deletes an S3 bucket, or logs in using the AWS console, CloudTrail can record the event and make it available for analysis.

For security teams, CloudTrail is often one of the most important data sources because it provides visibility into who performed an action and exactly what changed within the cloud environment.

Understanding CloudTrail Event Logging

CloudTrail records several categories of events, each serving a different purpose for monitoring and auditing.

AWS currently classifies CloudTrail events into management events, data events, and Insights events.

Management Events

Management events (sometimes called control-plane events) track administrative operations performed on AWS resources.

Examples include:

• Creating IAM users
• Attaching IAM policies
• Creating VPCs and subnets
• Modifying security groups
• Updating CloudTrail configurations
• Console login events

These events are enabled by default and represent the most commonly monitored security activities.

Data Events

Data events capture activity occurring within AWS resources themselves rather than administrative configuration changes.

Examples include:

• S3 object uploads and downloads
• S3 object deletions
• Lambda function invocations
• DynamoDB table operations
• SNS publish actions

Because data events can generate very large volumes of logs, they are not enabled by default and must be configured separately.

Insights Events

CloudTrail Insights uses behavioral analysis to identify unusual API activity.

Examples include:

• Sudden spikes in API calls
• Abnormally high error rates
• Unexpected administrative activity
• Large increases in resource modification requests

CloudTrail establishes a baseline of normal activity and generates Insight events when behavior deviates significantly from expected patterns.

Expert Insight: AWS states that CloudTrail Insights continuously analyzes management events and can generate alerts when API call volumes or error rates exceed normal baselines, helping security teams identify potentially malicious activity faster.

Common Security Events Recorded by CloudTrail

When integrating CloudTrail with Wazuh, several event types deserve special attention because they frequently indicate security incidents or unauthorized changes.

IAM User Creation

Attackers often create new IAM users after gaining access to an AWS account to establish persistence.

Important events include:

• CreateUser
• CreateAccessKey
• AttachUserPolicy
• PutUserPolicy

Monitoring these events can help identify unauthorized account creation before attackers expand their access.

Policy Changes

Changes to IAM policies and permissions can indicate privilege escalation attempts.

Examples include:

• AttachRolePolicy
• PutRolePolicy
• AttachUserPolicy
• CreatePolicyVersion

These events are high-priority candidates for Wazuh alerting rules.

Root Account Activity

Root account usage should be extremely rare in production environments.

CloudTrail can record:

• Root console logins
• Resource modifications performed by the root user
• Billing-related actions
• Security configuration changes

Many security teams treat any root account activity as a critical alert.

Failed Login Attempts

CloudTrail records AWS console login events, including authentication failures.

Repeated failed login attempts may indicate:

• Password spraying
• Credential stuffing attacks
• Brute-force attempts
• Unauthorized access attempts

These events can be correlated within Wazuh to identify attack patterns.

S3 Bucket Modifications

S3 buckets often contain sensitive business data, making them a common target.

Important events include:

• CreateBucket
• DeleteBucket
• PutBucketPolicy
• PutBucketAcl
• DeleteObject
• PutObject

Monitoring S3 changes can help detect accidental exposure or malicious data access. Data events must be enabled to capture many object-level actions.

Why CloudTrail Monitoring Is Essential

CloudTrail logs become significantly more valuable when they are actively monitored rather than simply stored.

Security Visibility

CloudTrail provides a detailed audit trail of activities occurring across your AWS environment.

Security teams gain visibility into:

• User actions
• Administrative changes
• Resource creation
• Access attempts
• Permission modifications

This visibility is often the first line of defense against cloud-based attacks.

Incident Response

When a security incident occurs, CloudTrail logs help answer critical questions:

• Who performed the action?
• When did it happen?
• Which resources were affected?
• What changes were made?
• Was sensitive data accessed?

These answers can significantly reduce investigation time and improve response effectiveness.

Compliance Requirements

Many compliance frameworks require organizations to maintain audit logs and monitor access to critical systems.

CloudTrail helps support requirements for:

• PCI DSS
• HIPAA
• SOC 2
• ISO 27001
• NIST Cybersecurity Framework

By integrating CloudTrail with Wazuh, organizations can centralize compliance monitoring and reporting.

Forensic Investigations

CloudTrail logs provide historical evidence during security investigations.

AWS emphasizes that CloudTrail creates searchable records of account activity and provides mechanisms for long-term log retention, making it an important source of forensic evidence.

When combined with Wazuh’s correlation engine and alerting capabilities, CloudTrail data becomes significantly more actionable, allowing security teams to detect, investigate, and respond to suspicious AWS activity from a single platform.

Additional Resources:

How to Configure File Integrity Monitoring (FIM) in Wazuh
 Wazuh vs Splunk
Security Onion vs Wazuh

Why Use Wazuh to Monitor AWS CloudTrail?

AWS CloudTrail provides detailed logs of activity across your AWS environment, but raw logs alone are not enough for effective threat detection.

Security teams need a platform that can analyze events, identify suspicious behavior, correlate related activities, and generate actionable alerts.

This is where Wazuh adds significant value.

By integrating CloudTrail with Wazuh, organizations gain a centralized cloud security monitoring solution capable of detecting threats, supporting compliance initiatives, and accelerating incident response.

Centralized Security Monitoring

Modern environments often consist of:

• AWS workloads
• Windows servers
• Linux systems
• Containers
• Network devices
• Cloud applications

Without a centralized platform, security teams must review multiple dashboards and logging systems to investigate incidents.

Wazuh consolidates CloudTrail events alongside logs from endpoints, applications, and infrastructure components into a single interface. This unified view makes it easier to identify security issues that span multiple systems.

For example, Wazuh can correlate:

• An AWS IAM policy change
• A suspicious login on a Linux server
• Malware detection on an endpoint
• Unexpected network activity

Having all security telemetry in one place reduces investigation time and improves visibility across the entire environment.

Real-Time Threat Detection

CloudTrail records critical AWS activities, but organizations often need immediate notification when suspicious actions occur.

Wazuh continuously analyzes incoming CloudTrail events and can generate alerts for:

• Root account usage
• Unauthorized IAM user creation
• Privilege escalation attempts
• Security group modifications
• S3 bucket permission changes
• Failed authentication attempts
• Access key creation

Unlike manual log review, real-time detection enables security teams to respond before an attacker can establish persistence or move laterally within the environment.

Expert Insight: The AWS Security Blog consistently recommends monitoring high-risk IAM and root-account activities because these events are commonly associated with account compromise and privilege abuse scenarios.

Compliance Reporting

Many regulatory frameworks require organizations to collect, retain, and monitor audit logs.

Examples include:

• PCI DSS
• HIPAA
• SOC 2
• ISO 27001
• NIST 800-53
• CIS AWS Foundations Benchmark

CloudTrail serves as a primary audit source for AWS activity, while Wazuh helps organizations:

• Retain security logs
• Search historical events
• Generate compliance reports
• Demonstrate monitoring controls
• Produce audit evidence

According to the Center for Internet Security (CIS) AWS Foundations Benchmark, organizations should monitor CloudTrail activity and generate alerts for unauthorized changes to logging configurations and IAM resources.

Automated Alerting and Correlation

One of Wazuh’s strongest capabilities is event correlation.

Rather than treating every CloudTrail log entry as an isolated event, Wazuh can identify relationships between activities occurring across multiple systems.

For example, Wazuh can detect a sequence such as:

1. Failed AWS console logins
2. Successful authentication
3. Creation of a new IAM user
4. Creation of access keys
5. Policy attachment granting administrator privileges

Individually, these events may appear harmless. Together, they can indicate a compromised AWS account.

Wazuh can automatically:

• Generate alerts
• Escalate severity levels
• Trigger active responses
• Notify security teams
• Create investigation timelines

How to Create Custom Detection Rules in Wazuh (With Examples)

Cloud Security Monitoring at No Additional Licensing Cost

Many cloud security monitoring platforms charge based on:

• Number of cloud accounts
• Volume of ingested logs
• Data retention requirements
• Number of monitored assets

Because Wazuh is open source, organizations can monitor CloudTrail activity without paying per-event or per-user licensing fees.

This makes Wazuh particularly attractive for:

• Small businesses
• Startups
• Educational institutions
• Managed service providers
• Security teams with limited budgets

Organizations can achieve SIEM and cloud security monitoring capabilities while maintaining control over infrastructure and storage costs.

How the Wazuh and CloudTrail Integration Works

Before configuring the integration, it is important to understand how CloudTrail logs move from AWS into Wazuh and how they are analyzed.

At a high level, AWS CloudTrail records activity within your AWS account, stores the logs in Amazon S3, and Wazuh retrieves those logs for security analysis.

Integration Architecture Overview

A typical deployment includes the following components:

AWS CloudTrail

CloudTrail captures AWS API activity and account events.

Examples include:

• Console logins
• IAM changes
• Security group modifications
• S3 bucket access
• Resource creation and deletion

These events become the primary data source for monitoring AWS security activity.

Amazon S3 Bucket

CloudTrail stores generated log files inside an Amazon S3 bucket.

The bucket serves as a centralized repository containing:

• Management events
• Data events
• Insights events

Wazuh reads CloudTrail logs directly from this location.

Wazuh Manager

The Wazuh Manager is responsible for:

• Retrieving CloudTrail logs
• Decoding event data
• Applying detection rules
• Generating alerts
• Correlating events

Most of the security analysis occurs here.

Wazuh Indexer

The Wazuh Indexer stores processed security events and alerts.

This allows teams to:

• Search historical activity
• Investigate incidents
• Build dashboards
• Generate reports

Wazuh Dashboard

The Wazuh Dashboard provides visualization and investigation capabilities.

Security analysts can:

• Review CloudTrail events
• Search AWS activity
• Analyze alerts
• Create reports
• Monitor ongoing incidents

Data Flow Explained

The CloudTrail-to-Wazuh integration follows a straightforward workflow.

1. CloudTrail Generates Logs

When activity occurs in AWS, CloudTrail records the event.

Examples include:

• CreateUser
• ConsoleLogin
• AttachUserPolicy
• CreateAccessKey
• PutBucketPolicy

Each action generates a detailed event record containing:

• Timestamp
• User identity
• Source IP address
• AWS service
• API action
• Result status

2. Logs Are Stored in S3

CloudTrail continuously delivers log files to a configured Amazon S3 bucket.

AWS encrypts and stores these logs for long-term retention and auditing purposes.

Depending on configuration, the bucket may contain:

• Management events
• Data events
• Insights events

3. Wazuh Retrieves CloudTrail Events

The Wazuh AWS integration periodically connects to the S3 bucket and downloads newly available CloudTrail log files.

This process is automated and requires:

• AWS credentials
• Appropriate IAM permissions
• Access to the target S3 bucket

Wazuh ensures that newly generated CloudTrail logs are continuously ingested for analysis.

4. Events Are Decoded and Analyzed

After retrieving the logs, Wazuh:

• Parses JSON event data
• Extracts relevant fields
• Applies built-in decoders
• Matches detection rules
• Correlates related events

Examples of analyzed fields include:

• eventName
• eventSource
• sourceIPAddress
• userIdentity
• awsRegion
• errorCode

This normalization process allows Wazuh to consistently evaluate CloudTrail activity.

5. Security Alerts Are Generated

When Wazuh identifies suspicious activity, it generates alerts based on rule severity.

Examples include:

• Root account usage
• Unauthorized IAM modifications
• Excessive authentication failures
• Sensitive policy changes
• Unexpected resource creation

These alerts appear in the Wazuh Dashboard and can also be forwarded to external notification systems.

The result is a centralized security monitoring workflow that transforms raw AWS audit logs into actionable security intelligence.

Prerequisites

Before configuring the integration, ensure both your AWS environment and Wazuh deployment meet the necessary requirements.

AWS Requirements

AWS Account

You must have an active AWS account with administrative privileges or sufficient permissions to configure CloudTrail, S3, and IAM resources.

CloudTrail Enabled

CloudTrail must be enabled and actively collecting events.

For security monitoring purposes, AWS recommends enabling:

• Management events
• Data events where applicable
• Multi-region logging

Capturing events across all AWS regions helps prevent blind spots during investigations.

S3 Bucket Configured

CloudTrail requires an Amazon S3 bucket for log storage.

The bucket should:

• Receive CloudTrail logs
• Allow Wazuh access
• Retain logs according to organizational requirements
• Be protected with appropriate access controls

IAM Permissions

A dedicated IAM user or IAM role should be created for Wazuh.

Following the principle of least privilege reduces the risk associated with credential compromise.

Expert Insight: AWS security best practices recommend granting only the minimum permissions necessary for log collection and monitoring services.

Wazuh Requirements

Wazuh Manager Installed

You must have a functioning Wazuh Manager deployment.

Supported deployment methods include:

• Single-node installations
• Distributed deployments
• Cloud-hosted environments

If you have not yet deployed Wazuh agents across your infrastructure, consider reviewing:

How to Install a Wazuh Agent on Windows Server

Administrative Access

Administrative or root-level access to the Wazuh Manager is required because configuration files must be modified during the integration process.

You’ll need the ability to:

• Edit configuration files
• Restart Wazuh services
• Verify integration status
• Review logs

Internet Connectivity to AWS Services

The Wazuh Manager must be able to communicate with AWS services, including:

• Amazon S3
• AWS CloudTrail APIs
• AWS STS (if using roles)

Firewall rules and network policies should allow outbound connectivity to the required AWS endpoints.

Required AWS IAM Permissions

The account or role used by Wazuh needs permission to retrieve CloudTrail logs from AWS.

S3 Read Access

At a minimum, Wazuh requires permission to:

• List bucket contents
• Read CloudTrail log files
• Access bucket metadata

Typical permissions include:

s3:GetObject
s3:ListBucket

CloudTrail Access Permissions

Depending on your deployment method, additional CloudTrail permissions may be required.

Common permissions include:

cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:LookupEvents

These permissions allow Wazuh to identify CloudTrail resources and retrieve relevant event information when necessary.

In the next section, we’ll configure AWS CloudTrail and the S3 bucket that Wazuh will use to collect and analyze security events from your AWS environment.

Step 1: Enable AWS CloudTrail

Before Wazuh can monitor AWS activity, CloudTrail must be configured to collect and store audit logs.

If CloudTrail is not already enabled, you’ll need to create a trail and configure it to capture the events relevant to your security monitoring objectives.

Creating a New Trail

1. Sign in to the AWS Management Console.
2. Navigate to CloudTrail.
3. Select Trails from the left navigation menu.
4. Click Create trail.
5. Enter a descriptive trail name such as:

wazuh-cloudtrail-monitoring

6. Choose whether the trail will apply to:
   • A single AWS account
   • An AWS Organization

For most deployments, an account-level trail is sufficient.

Configuring Trail Settings

AWS provides several important options when creating a trail.

Properly configuring these settings ensures Wazuh receives complete and accurate security telemetry.

Multi-Region Logging

Enable:

Apply trail to all regions

This ensures CloudTrail records activity across every AWS region rather than only the current region.

Without multi-region logging, attackers could perform actions in another region without generating logs in your primary monitoring region.

AWS recommends enabling multi-region trails as a security best practice.

Management Events

Management events capture administrative actions performed against AWS resources.

Enable:

Management events

These events include:

• IAM user creation
• IAM policy modifications
• Security group changes
• VPC changes
• Console login activity
• CloudTrail configuration changes

For most organizations, management events represent the highest-value security data source.

Data Events

Data events provide visibility into activity occurring within AWS services.

Common examples include:

• S3 object access
• S3 object deletion
• Lambda function execution
• DynamoDB operations

Because data events can generate large log volumes, AWS does not enable them by default.

For security monitoring, consider enabling data events for:

• Sensitive S3 buckets
• Production workloads
• Regulated environments

Log File Validation

Enable:

Log file validation

This feature allows AWS to verify that CloudTrail log files have not been altered after delivery.

Benefits include:

• Improved forensic integrity
• Tamper detection
• Compliance support
• Stronger audit evidence

AWS recommends enabling validation whenever CloudTrail logs are used for security investigations.

Sending Logs to an S3 Bucket

CloudTrail stores log files inside an Amazon S3 bucket.

During trail creation:

1. Select Create new S3 bucket or choose an existing bucket.
2. Provide a bucket name such as:

company-cloudtrail-logs

3. Review bucket permissions.
4. Complete trail creation.

After creation, CloudTrail will automatically begin delivering logs to the selected S3 bucket.

Verifying CloudTrail Is Collecting Events

After enabling the trail:

1. Navigate to CloudTrail → Event history.
2. Perform a simple AWS action such as:
   • Viewing an EC2 instance
   • Listing IAM users
   • Opening an S3 bucket
3. Refresh Event History.

You should see newly generated events appear within a few minutes.

Common events include:

ConsoleLogin
DescribeInstances
ListUsers
GetBucketLocation

Once events appear in Event History, CloudTrail is functioning correctly and logs should begin flowing into your S3 bucket.

Expert Insight: AWS notes that management events are typically delivered to CloudTrail logs within minutes, making them suitable for near real-time security monitoring and alerting.

Step 2: Create an IAM User for Wazuh

Wazuh requires AWS credentials to retrieve CloudTrail logs from the S3 bucket.

Rather than using administrative credentials, AWS security best practices recommend creating a dedicated IAM identity with only the permissions necessary for log collection.

Why a Dedicated IAM User Is Recommended

Using a dedicated IAM user or IAM role provides several security benefits:

• Limits potential damage if credentials are compromised
• Simplifies auditing
• Follows least-privilege principles
• Prevents accidental administrative access
• Makes credential rotation easier

Many organizations create a dedicated service account specifically for security monitoring tools.

Example:

wazuh-cloudtrail-reader

Create Programmatic Access Credentials

1. Navigate to IAM → Users.
2. Click Create User.
3. Enter:

wazuh-cloudtrail-reader

4. Do not grant console access.
5. Create the user.

After creation:

1. Open the user.
2. Navigate to Security credentials.
3. Create an Access Key.

These credentials will later be configured on the Wazuh Manager.

Assign Required Permissions

The IAM user needs permission to read CloudTrail log files from the S3 bucket.

At minimum, grant:

s3:GetObject
s3:ListBucket

For tighter security, restrict access to the specific CloudTrail bucket rather than allowing access to all buckets.

Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::company-cloudtrail-logs",
        "arn:aws:s3:::company-cloudtrail-logs/*"
      ]
    }
  ]
}

This follows AWS’s least-privilege model and reduces exposure.

Example IAM Policy for CloudTrail Monitoring

For testing environments, you may choose a broader policy such as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}

For production deployments, restrict permissions to the specific CloudTrail bucket whenever possible.

Generate Access Key and Secret Key

After assigning permissions:

1. Open the IAM user.
2. Select Security Credentials.
3. Click Create Access Key.
4. Choose:

Application running outside AWS

AWS will generate:

Access Key ID
Secret Access Key

Download the credentials file or store the values securely.

⚠️ The Secret Access Key is displayed only once. If it is lost, a new key pair must be generated.

Step 3: Configure AWS Credentials on the Wazuh Server

Once the IAM user has been created, configure its credentials on the Wazuh Manager so it can access CloudTrail logs stored in Amazon S3.

Securely Store AWS Credentials

Log in to the Wazuh Manager server and create an AWS credentials file.

Example:

mkdir -p ~/.aws
nano ~/.aws/credentials

Add the generated credentials:

[default]
aws_access_key_id = AKIAXXXXXXXXXXXXX
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Save the file.

Restrict file permissions:

chmod 600 ~/.aws/credentials

Verify permissions:

ls -l ~/.aws/credentials

Expected output:

-rw------- 1 root root

This prevents unauthorized users from reading the credentials.

Verify AWS Connectivity

Install the AWS CLI if it is not already available.

Ubuntu / Debian

sudo apt update
sudo apt install awscli

RHEL / Rocky / CentOS

sudo dnf install awscli

Verify authentication:

aws sts get-caller-identity

Successful output should resemble:

{
  "UserId": "AIDAXXXXXXXXX",
  "Account": "123456789012",
  "Arn": "arn:aws:iam::123456789012:user/wazuh-cloudtrail-reader"
}

Next, verify access to the CloudTrail bucket:

aws s3 ls s3://company-cloudtrail-logs

If the bucket contents are displayed successfully, Wazuh should be able to retrieve CloudTrail log files.

Security Best Practices for Credential Management

When configuring AWS access for Wazuh, follow these security recommendations:

Rotate Credentials Regularly

Rotate access keys periodically to reduce risk if credentials are exposed.

AWS generally recommends avoiding long-lived credentials whenever possible.

Limit Permissions

Only grant permissions required for log collection.

Avoid attaching:

AdministratorAccess
PowerUserAccess

to monitoring accounts.

Restrict Bucket Access

Use resource-level permissions whenever possible.

Instead of:

"Resource": "*"

Use:

"Resource": [
  "arn:aws:s3:::company-cloudtrail-logs",
  "arn:aws:s3:::company-cloudtrail-logs/*"
]

Monitor Credential Usage

CloudTrail can log IAM credential activity, allowing you to detect:

• Unexpected access patterns
• Credential misuse
• Unauthorized API calls

This creates a useful feedback loop where CloudTrail helps monitor the very credentials used to access its logs.

How to Create Custom Detection Rules in Wazuh (With Examples)

 How to Integrate Wazuh with VirusTotal for Threat Intelligence

In the next section, we’ll configure the Wazuh AWS integration to automatically retrieve CloudTrail logs from Amazon S3 and begin generating security alerts.

Step 4: Configure the Wazuh AWS Module

With CloudTrail generating logs and AWS credentials configured on the Wazuh server, the next step is to configure Wazuh’s AWS integration module.

This module periodically retrieves CloudTrail log files from Amazon S3, processes the events, and generates security alerts.

Once configured, Wazuh can automatically monitor AWS activity without requiring manual log imports.

Understanding the AWS Integration Module

Wazuh includes a built-in AWS integration module called aws-s3.

The module is designed to:

• Connect to Amazon S3
• Download CloudTrail log files
• Parse AWS event data
• Apply built-in detection rules
• Generate security alerts
• Store events for investigation and reporting

Supported AWS log sources include:

• CloudTrail
• GuardDuty
• VPC Flow Logs
• Security Hub
• Inspector
• Config

For this tutorial, we’ll focus specifically on CloudTrail log collection.

Edit the Wazuh Configuration File

The AWS integration is configured inside the Wazuh Manager configuration file.

Open the file:

sudo nano /var/ossec/etc/ossec.conf

Locate the existing AWS configuration section or add the following configuration before the closing </ossec_config> tag.

Example Configuration

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>

  <bucket type="cloudtrail">
    <name>your-cloudtrail-bucket</name>
  </bucket>
</wodle>

Replace:

your-cloudtrail-bucket

with your actual CloudTrail S3 bucket name.

Example:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>

  <bucket type="cloudtrail">
    <name>company-cloudtrail-logs</name>
  </bucket>
</wodle>

This configuration instructs Wazuh to retrieve CloudTrail logs every ten minutes.

Configure Scan Intervals

The <interval> setting controls how frequently Wazuh checks the S3 bucket for new log files.

Example:

<interval>10m</interval>

Common values include:

Example:

<interval>5m</interval>

Shorter intervals provide faster detection but generate additional API requests and processing overhead.

Most organizations find that 5–10 minutes provides a good balance between visibility and efficiency.

Configure Multiple CloudTrail Buckets (Optional)

Organizations often use multiple AWS accounts or separate CloudTrail buckets for different environments.

Wazuh can monitor multiple buckets simultaneously.

Example:

<wodle name="aws-s3">
  <disabled>no</disabled>

  <bucket type="cloudtrail">
    <name>production-cloudtrail</name>
  </bucket>

  <bucket type="cloudtrail">
    <name>development-cloudtrail</name>
  </bucket>

  <bucket type="cloudtrail">
    <name>security-cloudtrail</name>
  </bucket>
</wodle>

This configuration allows a single Wazuh Manager to collect CloudTrail logs from multiple AWS environments.

For larger deployments, consider separating production and development accounts to simplify investigations and compliance reporting.

Step 5: Restart and Verify the Integration

After updating the configuration, restart Wazuh and verify that the AWS integration module is functioning correctly.

Restart the Wazuh Manager

Apply the configuration changes by restarting the Wazuh Manager service.

On most Linux distributions:

sudo systemctl restart wazuh-manager

Verify service status:

sudo systemctl status wazuh-manager

Expected output should indicate:

active (running)

If the service fails to start, review the configuration file for XML syntax errors.

Confirm Module Startup

After restarting Wazuh, verify that the AWS module loaded successfully.

Search the Wazuh log file:

sudo grep aws-s3 /var/ossec/logs/ossec.log

Successful startup messages should resemble:

Starting AWS S3 module
Starting S3 Bucket Analysis
CloudTrail integration initialized

The exact messages may vary depending on your Wazuh version.

These entries confirm that Wazuh has loaded the AWS integration and is attempting to connect to Amazon S3.

Check Wazuh Logs for Errors

If CloudTrail events are not appearing, examine the log file for errors.

Useful command:

sudo tail -f /var/ossec/logs/ossec.log

Common issues include:

Invalid AWS Credentials

Example:

AccessDenied
InvalidAccessKeyId
SignatureDoesNotMatch

Solution:

• Verify Access Key ID
• Verify Secret Access Key
• Confirm credential file formatting

Bucket Access Denied

Example:

AccessDenied
Unable to list bucket contents

Solution:

• Verify IAM permissions
• Confirm bucket policy
• Check resource restrictions

Bucket Not Found

Example:

NoSuchBucket

Solution:

• Verify bucket name spelling
• Confirm bucket region
• Check CloudTrail configuration

Validate CloudTrail Log Collection

The final verification step is confirming that CloudTrail events are being ingested.

Search recent Wazuh alerts:

sudo grep cloudtrail /var/ossec/logs/alerts/alerts.json

Or search the archive logs:

sudo grep cloudtrail /var/ossec/logs/archives/archives.json

If events are present, the integration is functioning correctly.

You should begin seeing AWS activity such as:

• Console logins
• IAM changes
• S3 access events
• Resource modifications

These events will also become visible in the Wazuh Dashboard.

Step 6: View CloudTrail Events in the Wazuh Dashboard

Once CloudTrail logs are successfully collected, you can begin analyzing AWS activity through the Wazuh Dashboard.

The dashboard provides powerful search, filtering, and visualization capabilities that make investigating cloud security events significantly easier.

Navigating to Security Events

Open the Wazuh Dashboard and navigate to:

Threat Hunting → Events

or

Security Events

depending on your Wazuh version.

Here you’ll find:

• CloudTrail events
• Agent alerts
• Authentication events
• File integrity alerts
• Network security events

All collected security telemetry is centralized in one interface.

How to Configure File Integrity Monitoring (FIM) in Wazuh

Filtering CloudTrail Logs

To focus specifically on AWS events, use the search bar.

Example searches:

aws

cloudtrail

data.aws.source: cloudtrail

You can also filter by:

• Event type
• Severity
• AWS account
• Region
• Username
• Service

This makes it easier to isolate relevant activity during investigations.

Searching by AWS Service

CloudTrail records activity across many AWS services.

Examples include:

IAM Activity

eventSource: iam.amazonaws.com

EC2 Activity

eventSource: ec2.amazonaws.com

S3 Activity

eventSource: s3.amazonaws.com

VPC Activity

eventSource: ec2.amazonaws.com

Filtering by service allows analysts to quickly investigate changes affecting specific AWS resources.

Investigating User Activity

CloudTrail records the identity responsible for every action.

Useful searches include:

userIdentity.userName: admin

userIdentity.type: Root

eventName: ConsoleLogin

These searches help answer questions such as:

• Who created an IAM user?
• Who changed a security group?
• Who modified a bucket policy?
• Who logged in as root?

This information is critical during incident response and forensic investigations.

Building Custom Dashboards

Wazuh allows you to create dashboards focused on AWS security monitoring.

Popular dashboard widgets include:

• Failed login attempts
• Root account activity
• IAM modifications
• S3 bucket changes
• Geographic login sources
• Security group changes
• CloudTrail event volume

Custom dashboards help security teams monitor cloud activity without manually running searches.

Understanding CloudTrail Alerts Generated by Wazuh

Wazuh includes built-in rules capable of identifying potentially suspicious AWS activity.

These alerts help prioritize events that warrant investigation.

Authentication Events

Authentication-related activity is often the first indicator of account compromise.

Console Logins

Important events include:

ConsoleLogin

Analysts should review:

• Login location
• Source IP address
• Time of access
• User identity

Unexpected logins may indicate unauthorized access.

Failed Authentication Attempts

Repeated login failures can indicate:

• Brute-force attacks
• Password spraying
• Credential stuffing

Multiple failures followed by a successful login should be treated as a high-priority investigation.

Root Account Access

Root account activity is generally rare and should generate immediate alerts.

Monitor for:

userIdentity.type: Root

Security teams often configure high-severity alerts for all root account activity.

IAM Changes

IAM modifications frequently appear during privilege escalation attacks.

User Creation

Examples:

CreateUser
CreateAccessKey

These events may indicate persistence attempts.

Role Modifications

Examples:

AttachRolePolicy
PutRolePolicy
UpdateAssumeRolePolicy

Review all unexpected role changes carefully.

Permission Changes

Examples:

AttachUserPolicy
CreatePolicyVersion
SetDefaultPolicyVersion

Attackers commonly abuse IAM permissions to gain elevated access.

S3 Security Events

S3 buckets often contain sensitive business and customer data.

Bucket Policy Changes

Examples:

PutBucketPolicy
DeleteBucketPolicy

Misconfigured policies can expose sensitive information publicly.

Public Access Modifications

Examples:

PutBucketAcl
PutPublicAccessBlock

Investigate any changes that could make data publicly accessible.

Object Deletions

Examples:

DeleteObject
DeleteObjects

Unexpected deletions may indicate malicious activity, ransomware preparation, or insider threats.

Network and Infrastructure Changes

CloudTrail also records infrastructure-level modifications that may impact security posture.

Security Group Modifications

Examples:

AuthorizeSecurityGroupIngress
RevokeSecurityGroupIngress

These events can expose systems to the internet if not properly controlled.

VPC Changes

Examples:

CreateVpc
DeleteVpc
ModifyVpcAttribute

Unexpected VPC modifications should be investigated immediately.

Route Table Updates

Examples:

CreateRoute
ReplaceRoute
DeleteRoute

Attackers may modify routing configurations to redirect or intercept traffic.

By monitoring these CloudTrail events with Wazuh, organizations gain continuous visibility into AWS activity and can rapidly detect threats, compliance violations, and unauthorized changes across their cloud environment.

Creating Custom Wazuh Rules for CloudTrail Events

While Wazuh includes numerous built-in detection rules for AWS logs, every organization has unique security requirements.

Creating custom rules allows you to identify activities that are particularly important within your environment and prioritize alerts accordingly.

Custom rules are especially valuable when monitoring high-risk AWS actions such as root account usage, IAM changes, and network configuration modifications.

Why Custom Rules Are Useful

Built-in detection rules provide a solid foundation, but they may not cover:

• Organization-specific security policies
• Critical AWS resources
• Sensitive IAM roles
• High-value S3 buckets
• Custom compliance requirements
• Internal security procedures

Custom rules allow you to:

• Increase alert severity for critical events
• Reduce false positives
• Detect unusual behavior specific to your environment
• Improve incident response workflows

For example, one organization may consider all IAM changes critical, while another may only care about administrator-level permission changes.

Example: Detect Root Account Usage

Root account activity is one of the most important AWS events to monitor.

Create a custom rule file:

sudo nano /var/ossec/etc/rules/local_rules.xml

Add a rule similar to:

<group name="aws,cloudtrail,">
  <rule id="100500" level="12">
    <field name="aws.userIdentity.type">Root</field>
    <description>AWS Root Account Activity Detected</description>
  </rule>
</group>

This rule generates a high-severity alert whenever the root account performs an action.

Recommended use cases:

• Root console logins
• Security policy changes
• IAM modifications
• Billing configuration changes

Because root account usage should be rare, many organizations treat these alerts as immediate investigation candidates.

Example: Detect New IAM User Creation

Attackers commonly create IAM users after compromising an AWS account.

The following rule detects user creation events:

<group name="aws,cloudtrail,">
  <rule id="100501" level="10">
    <field name="aws.eventName">CreateUser</field>
    <description>New AWS IAM User Created</description>
  </rule>
</group>

This alert can help identify:

• Unauthorized account creation
• Persistence attempts
• Insider threats
• Administrative policy violations

Organizations with strict change-management processes often configure these alerts at elevated severity levels.

Example: Detect Security Group Changes

Security groups control inbound and outbound traffic to AWS resources.

Unexpected changes can expose systems to the internet or weaken network security.

Example rule:

<group name="aws,cloudtrail,">
  <rule id="100502" level="9">
    <field name="aws.eventName">
      AuthorizeSecurityGroupIngress
    </field>
    <description>
      AWS Security Group Ingress Rule Modified
    </description>
  </rule>
</group>

This rule can help detect:

• Unauthorized firewall changes
• Exposure of administrative ports
• Unexpected network access
• Lateral movement preparation

Assigning Severity Levels

Wazuh uses severity levels ranging from 0 to 15.

A common approach is:

Example mappings:

The goal is to ensure analysts focus on the events most likely to indicate compromise.

Testing Custom Rules

After adding custom rules:

Validate the configuration:

sudo /var/ossec/bin/wazuh-logtest

Paste a sample CloudTrail event and verify that:

• The event is decoded correctly
• The rule triggers
• The expected severity level is assigned

Restart Wazuh after making changes:

sudo systemctl restart wazuh-manager

Then generate test activity in AWS and confirm alerts appear in the dashboard.

Detecting Common AWS Security Threats with Wazuh

CloudTrail logs contain valuable indicators of malicious activity.

When integrated with Wazuh, these logs can help identify many common cloud attack techniques and security misconfigurations.

Privilege Escalation Attempts

Privilege escalation occurs when a user or attacker obtains permissions beyond their intended access level.

Common CloudTrail events include:

AttachUserPolicy
AttachRolePolicy
CreatePolicyVersion
SetDefaultPolicyVersion

Indicators of compromise may include:

• Administrator permissions assigned unexpectedly
• Sudden role changes
• New privileged users
• Changes to IAM trust relationships

According to the AWS Security Blog, monitoring permission changes is one of the most effective methods for detecting AWS account abuse.

Unauthorized IAM Changes

IAM modifications are frequently observed during account compromise incidents.

Examples include:

• User creation
• User deletion
• Access key generation
• Policy changes
• Role modifications

Suspicious indicators include:

• Changes outside business hours
• Changes from unfamiliar IP addresses
• Administrative actions by non-administrative users

Wazuh can generate immediate alerts when these events occur.

Suspicious API Calls

CloudTrail records every AWS API call made within the environment.

Examples that may warrant investigation:

StopLogging
DeleteTrail
DeleteBucket
DeleteFlowLogs

These actions can indicate attempts to:

• Disable monitoring
• Destroy evidence
• Evade detection
• Disrupt operations

Security teams should treat monitoring-related configuration changes as high-priority alerts.

Root Account Activity

AWS strongly recommends limiting root account usage.

CloudTrail can record:

• Root logins
• Resource modifications
• IAM changes
• Billing updates

Potential indicators of compromise include:

• Root usage after long periods of inactivity
• Root access from unusual locations
• Root activity during non-business hours

Many organizations configure immediate notifications whenever root credentials are used.

Public S3 Bucket Exposure

Misconfigured S3 buckets remain one of the most common cloud security issues.

Relevant CloudTrail events include:

PutBucketPolicy
PutBucketAcl
DeletePublicAccessBlock

Potential risks include:

• Data leakage
• Regulatory violations
• Intellectual property exposure
• Customer data exposure

Wazuh can alert when bucket policies are modified or public access protections are removed.

Cloud Resource Tampering

Attackers frequently modify cloud infrastructure after gaining access.

Examples include:

• Security group changes
• Route table updates
• VPC modifications
• DNS changes
• CloudTrail configuration changes

Monitoring infrastructure modifications can help identify malicious activity before it escalates.

Credential Abuse

Compromised AWS credentials are commonly used to perform unauthorized actions.

Warning signs include:

• API activity from unfamiliar locations
• Unusual service usage
• Excessive failed logins
• Unexpected access key creation
• High volumes of API requests

Expert Insight: The 2024 Verizon Data Breach Investigations Report (DBIR) found that credential abuse continues to be one of the most common initial access vectors in security breaches, highlighting the importance of monitoring authentication and account activity.

Wazuh’s correlation engine can help identify credential misuse patterns by combining authentication events with IAM and CloudTrail activity.

Compliance Benefits of CloudTrail Monitoring

Beyond threat detection, CloudTrail monitoring plays a critical role in demonstrating compliance with regulatory and security frameworks.

Organizations that integrate CloudTrail with Wazuh gain centralized logging, audit trails, and reporting capabilities that simplify compliance audits.

PCI DSS Requirements

The Payment Card Industry Data Security Standard (PCI DSS) requires organizations to:

• Track user activities
• Monitor access to systems
• Retain audit logs
• Review security events

CloudTrail provides the audit records, while Wazuh assists with:

• Log retention
• Alerting
• Event correlation
• Reporting

CloudTrail monitoring supports several PCI DSS logging and monitoring requirements.

HIPAA Security Monitoring

Organizations handling protected health information (PHI) must implement safeguards to monitor access and system activity.

CloudTrail helps record:

• User access events
• Administrative actions
• Resource modifications
• Authentication activity

Wazuh enhances these capabilities through:

• Real-time alerting
• Centralized visibility
• Historical investigations
• Security reporting

These controls support HIPAA auditing and monitoring objectives.

SOC 2 Audit Logging

SOC 2 auditors commonly evaluate:

• Security monitoring controls
• Change tracking
• Access management
• Incident detection capabilities

CloudTrail provides detailed evidence of AWS activity, while Wazuh enables:

• Centralized analysis
• Searchable audit records
• Automated alerting
• Security dashboards

This combination simplifies audit preparation and evidence collection.

ISO 27001 Controls

ISO 27001 emphasizes:

• Event logging
• Monitoring
• Access control
• Incident management

CloudTrail contributes to several Annex A controls by maintaining records of AWS activity.

Wazuh helps organizations operationalize those controls through continuous monitoring and alert generation.

Organizations pursuing ISO 27001 certification often use centralized monitoring platforms to strengthen compliance programs.

CIS AWS Foundations Benchmark

The CIS AWS Foundations Benchmark contains numerous recommendations related to CloudTrail.

Examples include:

• Enable CloudTrail in all regions
• Protect CloudTrail logs
• Enable log file validation
• Monitor CloudTrail configuration changes
• Alert on unauthorized modifications

Wazuh can help organizations continuously monitor these recommendations and generate alerts when deviations occur.

By combining AWS CloudTrail and Wazuh, organizations not only improve their security posture but also create a strong foundation for compliance reporting, audit readiness, and regulatory accountability.

Best Practices for Monitoring AWS CloudTrail with Wazuh

Successfully integrating CloudTrail with Wazuh is only the first step.

To maximize security visibility and reduce the risk of missed threats, organizations should follow several best practices when configuring and maintaining their monitoring environment.

These recommendations help improve detection capabilities, simplify investigations, and support compliance requirements.

Enable Multi-Region Trails

One of the most important CloudTrail security recommendations is enabling multi-region logging.

If CloudTrail only records events in a single region, attackers may perform actions in another AWS region without generating logs in your primary monitoring environment.

Benefits of multi-region trails include:

• Complete AWS account visibility
• Improved threat detection
• Better forensic investigations
• Reduced monitoring blind spots
• Stronger compliance coverage

AWS specifically recommends enabling organization-wide, multi-region trails whenever possible.

Monitor Root Account Activity Closely

The AWS root account has unrestricted access to all AWS resources.

Because root account usage should be extremely rare, every root account action should be investigated.

Examples include:

• Root console logins
• Security configuration changes
• IAM modifications
• Billing updates
• Account setting changes

Consider creating:

• High-severity alerts
• Email notifications
• Escalation workflows

for all root account activity.

Use Least-Privilege IAM Permissions

The AWS credentials used by Wazuh should only have the permissions required to collect CloudTrail logs.

Avoid granting permissions such as:

AdministratorAccess
PowerUserAccess

Instead, limit access to:

s3:GetObject
s3:ListBucket

for the specific CloudTrail bucket.

Benefits include:

• Reduced attack surface
• Better security posture
• Easier compliance audits
• Lower risk if credentials are compromised

The principle of least privilege remains one of the most effective cloud security controls.

Retain Logs for Long-Term Investigations

Security incidents are not always detected immediately.

Many organizations discover breaches weeks or months after initial compromise.

Long-term CloudTrail retention allows security teams to:

• Investigate historical activity
• Trace attacker behavior
• Support forensic investigations
• Satisfy compliance requirements

Consider retaining logs for:

Longer retention periods significantly improve incident response capabilities.

Configure Alert Notifications

Generating alerts is only useful if security teams receive them quickly.

Consider integrating Wazuh with:

• Email notifications
• Slack
• Microsoft Teams
• Webhooks
• Ticketing systems

High-priority events should trigger immediate notifications.

Examples include:

• Root account usage
• IAM administrator creation
• CloudTrail logging disabled
• Public S3 bucket exposure
• Security group modifications

Real-time notifications help reduce response times during active incidents.

Create Cloud-Specific Detection Rules

Default rules provide good coverage, but custom cloud-focused rules improve detection quality.

Examples include:

• Privilege escalation attempts
• IAM user creation
• Access key generation
• CloudTrail configuration changes
• Public bucket exposure
• Unusual API activity

Custom rules help align monitoring with organizational security policies.

 How to Create Custom Detection Rules in Wazuh (With Examples)

Regularly Review AWS Security Events

Even with automated alerting, periodic review of AWS activity remains important.

Recommended review activities include:

• IAM changes
• Security group modifications
• New AWS resources
• Failed login attempts
• Access key creation
• CloudTrail configuration updates

Regular reviews often uncover:

• Misconfigurations
• Excessive permissions
• Shadow IT resources
• Early signs of compromise

Organizations with mature security programs frequently perform weekly or monthly AWS activity reviews.

Troubleshooting Common Issues

Even properly configured environments occasionally encounter integration issues.

The following troubleshooting steps can help resolve the most common CloudTrail monitoring problems.

Wazuh Is Not Collecting CloudTrail Logs

Symptoms:

• No CloudTrail events appear in Wazuh
• Empty AWS dashboards
• No alerts generated

Verify:

1. CloudTrail is enabled
2. Logs are being delivered to S3
3. The bucket name is correct
4. AWS credentials are valid
5. The aws-s3 module is enabled

Useful command:

grep aws-s3 /var/ossec/logs/ossec.log

Look for startup or connection errors.

Access Denied Errors from AWS

Common error messages:

AccessDenied
403 Forbidden

Possible causes:

• Missing IAM permissions
• Incorrect bucket policy
• Resource restrictions
• Cross-account access issues

Verify that the IAM user can:

s3:GetObject
s3:ListBucket

for the CloudTrail bucket.

CloudTrail Logs Are Delayed

Many administrators expect logs to appear instantly.

In reality:

• CloudTrail must process events
• Logs must be delivered to S3
• Wazuh must retrieve and analyze them

Typical delays range from a few minutes to approximately 15 minutes depending on workload and configuration.

Reducing the Wazuh scan interval may improve collection frequency.

Missing Events in the Dashboard

If some events appear while others do not:

Verify:

• Data events are enabled
• The correct trail is being monitored
• Multiple AWS regions are covered
• CloudTrail Insights is configured properly

Remember that object-level S3 events require Data Events to be enabled explicitly.

AWS Credentials Authentication Failures

Common errors include:

InvalidAccessKeyId
SignatureDoesNotMatch
ExpiredToken

Troubleshooting steps:

1. Verify Access Key ID
2. Verify Secret Access Key
3. Confirm credentials file formatting
4. Test authentication using AWS CLI

Example:

aws sts get-caller-identity

If the AWS CLI cannot authenticate, Wazuh will also fail.

S3 Bucket Permission Problems

If Wazuh can authenticate but cannot retrieve logs:

Check:

• Bucket policy
• IAM policy
• Resource ARNs
• Bucket ownership
• Cross-account permissions

Useful test:

aws s3 ls s3://your-cloudtrail-bucket

Successful output confirms that the IAM account can access the bucket.

Frequently Asked Questions

Question: Does Wazuh support AWS CloudTrail monitoring natively?

Yes. Wazuh includes a built-in AWS integration module that can retrieve CloudTrail logs directly from Amazon S3 without requiring third-party software.

Question: Can Wazuh monitor multiple AWS accounts?

Yes.

Wazuh can monitor:

• Multiple AWS accounts
• Multiple CloudTrail buckets
• Multi-account AWS Organizations deployments

Many enterprises centralize CloudTrail logs from multiple accounts into a single monitoring environment.

Question: Does Wazuh require AWS CloudWatch for CloudTrail monitoring?

No.

Wazuh can collect CloudTrail logs directly from Amazon S3.

CloudWatch is optional and is not required for standard CloudTrail monitoring deployments.

Question: How Often Does Wazuh Collect CloudTrail Logs?

Collection frequency depends on the configured scan interval.

Common values include:

1m
5m
10m
30m

Most organizations use 5-10 minute intervals for security monitoring.

Question: Can I Create Alerts for Specific AWS API Calls?

Yes.

Custom Wazuh rules can generate alerts for virtually any CloudTrail event.

Examples include:

• CreateUser
• CreateAccessKey
• DeleteTrail
• PutBucketPolicy
• ConsoleLogin

This flexibility allows organizations to monitor activities most relevant to their security objectives.

Question: Is CloudTrail Monitoring Available in the Free Version of Wazuh?

Yes.

CloudTrail monitoring is available within the open-source version of Wazuh.

There are no additional licensing fees for collecting and analyzing CloudTrail logs.

This is one reason Wazuh is a popular alternative to commercial SIEM platforms.

Question: Can Wazuh Help Meet AWS Compliance Requirements?

Yes.

Wazuh can assist with:

• PCI DSS
• HIPAA
• SOC 2
• ISO 27001
• CIS AWS Foundations Benchmark

By combining CloudTrail audit logs with centralized monitoring, alerting, and reporting capabilities, Wazuh helps organizations demonstrate compliance controls more effectively.

Conclusion

Monitoring AWS CloudTrail with Wazuh provides organizations with a powerful and cost-effective way to improve cloud security visibility.

In this guide, we covered the complete integration process, including:

• Enabling AWS CloudTrail
• Configuring S3 log storage
• Creating dedicated IAM permissions
• Configuring the Wazuh AWS module
• Collecting CloudTrail events
• Viewing logs in the Wazuh Dashboard
• Creating custom detection rules
• Monitoring compliance-related activity

By integrating CloudTrail with Wazuh, security teams gain access to centralized monitoring, real-time alerting, event correlation, and long-term log retention capabilities that significantly enhance AWS security operations.

Key benefits include:

• Detection of unauthorized IAM changes
• Monitoring root account activity
• Identifying privilege escalation attempts
• Detecting public S3 bucket exposure
• Tracking infrastructure modifications
• Supporting compliance and audit requirements

As cloud environments continue to grow in complexity, proactive monitoring becomes increasingly important.

Waiting until after a security incident occurs often results in longer investigations, increased costs, and greater business impact.

CloudTrail provides the visibility, while Wazuh transforms that visibility into actionable security intelligence.

Next Steps

Once CloudTrail monitoring is operational, consider expanding your AWS security monitoring strategy by integrating additional AWS services with Wazuh, including:

• Amazon CloudWatch
• AWS GuardDuty
• AWS Security Hub
• AWS Config
• Amazon VPC Flow Logs
• Amazon Inspector

These integrations provide additional layers of visibility and help create a more comprehensive cloud security monitoring platform.

For further reading, you may also find these guides helpful:

Wazuh Agent Not Connecting to Manager? 12 Proven Fixes
How to Create Custom Detection Rules in Wazuh (With Examples)
How to Configure File Integrity Monitoring (FIM) in Wazuh
Security Onion vs Wazuh
Wazuh vs OpenSearch
How to Install a Wazuh Agent on Windows Server

By combining AWS CloudTrail with Wazuh’s detection and response capabilities, organizations can significantly strengthen their ability to detect, investigate, and respond to cloud security threats before they become major incidents.