AWS CloudTrail Lake integration
To enable the AWS CloudTrail Lake integration, do the following:
1. Add a Snyk integration in AWS CloudTrail Lake.
2. Configure the integration in Snyk.
Figures: Choose Snyk; Add integration for Snyk
Figure: Organization ID on Snyk settings page
Copy your Snyk Organization ID to the External ID field in the AWS CloudTrail Lake integration setup and continue following the instructions in the AWS CloudTrail Lake documentation.
When you are done creating the Snyk integration in AWS CloudTrail Lake, copy the Channel ARN that is displayed on the integration page. You will need this for the next step.
After creating the integration in AWS CloudTrail Lake, configure the integration on the Snyk side so that Snyk can start sending logs.
Figure: CloudTrail Lake tile on Snyk integrations page
Enter a name for this integration, your AWS Account ID, and the Channel ARN from the previous step.
Figure: Integration name, AWS Account ID, Channel ARN
Once this step is complete, Snyk will begin forwarding audit logs to AWS CloudTrail Lake immediately. You can click View settings or go to the AWS CloudTrail Lake settings page to view and manage the integration.
Figure: Select AWS CloudTrail Lake integration to remove
Select Remove integration and confirm that you want to remove the integration.
Figure: Remove integration button
This action removes Snyk’s configuration for this integration, which will prevent any further audit logs from being sent to AWS CloudTrail Lake. This does not remove the Snyk integration in AWS CloudTrail Lake. To do this, go to AWS CloudTrail Lake and delete the Snyk integration from the Integration list.
Once your Snyk audit logs are being forwarded to AWS CloudTrail Lake, you can access them with the AWS CloudTrail Lake Query functionality. You can use this example query to get started:
order by eventTime desc
Replace <EVENT-DATA-STORE-ID> with the ID of the event data store that is associated with the Snyk integration in AWS CloudTrail Lake.
There are three (3) key fields to note when using the Snyk audit log data in AWS CloudTrail Lake.
useridentity contains a field called principalid, which represents the Snyk user ID for the user associated with the audit event. You can use Snyk API v1 Get organization level audit logs to match the Snyk user ID with a user in your organization.
This represents the type of audit event (for example, org.cloud_config.settings.edit) and can be used to group or filter events.
This field contains a raw JSON payload with more detailed information about the audit event. The content of the payload depends on the type of the event. For example, an API access event will include the accessed URL, while a settings change event will include before and after values for the changed setting.
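The following query is an added example, not part of the original Snyk documentation: it uses the user ID and event type fields described above to show which Snyk users changed cloud configuration settings and when they last did so. The column paths under eventData (userIdentity.principalId, eventName) and the top-level eventTime column are assumptions based on the CloudTrail Lake integrations event schema; check them against the schema of your event data store.

```sql
-- Added example: who edited Snyk cloud configuration settings, how often,
-- and when each user last did so.
-- Assumption: Snyk events are stored with their fields nested under eventData,
-- following the CloudTrail Lake integrations event schema.
-- Replace <EVENT-DATA-STORE-ID> with the ID of the event data store that is
-- associated with the Snyk integration.
SELECT
    eventData.userIdentity.principalId AS snyk_user_id,  -- Snyk user ID
    eventData.eventName                AS event_type,    -- type of audit event
    COUNT(*)                           AS event_count,
    MAX(eventTime)                     AS last_seen
FROM
    <EVENT-DATA-STORE-ID>
WHERE
    -- Event type taken from the example on this page; change it to filter
    -- on a different kind of audit event.
    eventData.eventName = 'org.cloud_config.settings.edit'
GROUP BY
    eventData.userIdentity.principalId,
    eventData.eventName
ORDER BY
    last_seen DESC
```

A user ID in the result that you cannot match to a current member of your organization, or an unexpected spike in event_count, is a reasonable starting point for reviewing the raw JSON payload of the individual events.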