AWS CloudTrail Lake
Transition to Snyk Apps
Snyk is transitioning event forwarding integrations to use the Snyk Apps platform. This change will enable new features and enhanced security across current and future Cloud Events integrations.
During the transition, existing integrations will continue to function normally and customers will have the opportunity to authorize the integrations to ensure they continue working once they become Snyk Apps. You can complete authorization for existing integrations by following these steps:
Go to the Settings page for your Organization
Go to the settings section for the integration you want to authorize (e.g. Amazon EventBridge, AWS CloudTrail Lake, AWS Security Hub)
Click the Authorize app button and complete the App authorization flow
At the end of the transition window, integrations that have not been authorized will no longer be able to forward events and will cease functioning.
Feature availability The AWS CloudTrail Lake integration is available only with Snyk Enterprise plans. For more information, see plans and pricing.
The AWS CloudTrail Lake integration allows you to forward Snyk audit logs to AWS CloudTrail Lake, which lets you run SQL-based queries on your logs and retain them for up to seven (7) years.
This integration can be configured to forward audit logs for a single Snyk Organization, or for a Snyk Group and all of its child Organizations. In either case, there are two steps required to set up the integration:
Add a Snyk integration in AWS CloudTrail Lake.
Configure the integration in Snyk.
This integration sends logs beginning when you enable it. Logs generated before enabling the integration are not sent but may be available from the API endpoint Search Organization audit logs.
Group-level versus Organization-level audit logs
Audit logs are captured when Snyk users perform actions on the Snyk platform, such as making changes to settings, adding other users, or accessing protected APIs. When you are setting up this integration, it is important to understand how audit logs are captured, based on how a customer's Snyk account is set up:
For customers using Snyk with a single Snyk Organization (or with multiple disconnected Organizations), all audit logs are captured within the scope of the single Organization.
For customers who have a Snyk Group with child Organizations, actions such as adding new Organizations to the group or adding users to the group are audited at the Group level, and are not typically associated with an Organization.
This integration supports both use cases:
Integrate CloudTrail Lake with a single Snyk Organization
All audit logs associated directly with that Organization will be sent to CloudTrail Lake.
If the Organization has a parent Group, actions taken on that Group are not sent to CloudTrail Lake.
If the Organization has members who are also members of other Organizations and Groups, actions taken by those members will only be sent to CloudTrail Lake if they are directly associated with the Organization.
Integrate CloudTrail Lake with a Snyk Group and all of its child Organizations
All audit logs associated with the Group or any of its child Organizations will be sent to CloudTrail Lake.
When new Organizations are added to the Group, audit logs for those Organizations will be sent automatically to CloudTrail Lake.
Add a Snyk integration in AWS CloudTrail Lake
To get started setting up a CloudTrail Lake integration, whether for a group or a single Organization, follow the setup instructions in the AWS CloudTrail Lake documentation, choosing Snyk as the integration type.
During the setup, you must supply an External ID for the integration. The value for this ID depends on whether you are setting up the integration for a single Snyk Organization, or for a Snyk Group that includes all child Organizations.
External ID for a Single Snyk Organization
If you are creating this integration for a single Snyk Organization, you will use your Snyk Organization ID as the External ID. You can find your Organization ID under Snyk Organization Settings.
Copy the value in the Organization ID field to the External ID field in the AWS CloudTrail Lake integration setup and continue following the instructions in the AWS CloudTrail Lake documentation.
External ID for a Snyk group
If you are setting up this Organization for a Snyk Group, which will automatically include all child organizations, you will use your Snyk Group ID as the External ID. You can find your Group ID by clicking on the name of your Snyk group in the Snyk dashboard, and then navigating to the Settings page.
Copy the value in the Group ID field to the External ID field in the AWS CloudTrail Lake integration setup and continue following the instructions in the AWS CloudTrail Lake documentation.
CloudTrail Lake Channel ARN
When you are finsihed creating the Snyk integration in AWS CloudTrail Lake, copy the Channel ARN that is displayed on the integration page. You will need this for the next step.
Configure the integration in Snyk (single Organization)
After creating the integration in AWS CloudTrail Lake, you can complete the setup in the Snyk dashboard.
To do this, go to the Snyk integrations page, navigate to Cloud events, and click the AWS CloudTrail Lake tile:
Enter a name for this integration, your AWS Account ID, and the Channel ARN from the previous step.
After this step is complete, Snyk immediately begins forwarding audit logs to AWS CloudTrail Lake. You can click View settings or go to the AWS CloudTrail Lake settings page to view and manage the integration.
Snyk App authorization
If this is the first time you have set up an AWS CloudTrail Lake integration for your Organization, you will be prompted to complete the Snyk App authorization flow.
After completing the authorization flow you will be redirected to the settings page for the integration.
Configure the integration in Snyk (Snyk Group and child Organizations)
Configuring and managing this integration for a group is only supported by the Snyk REST API.
To complete the setup of the integration for a Snyk Group, you must use the API endpoint Create a group registration.
You can use this sample request as a starting point:
Be sure to replace each indicated placeholder value in the example appropriately:
<YOUR GROUP ID>
- the Snyk Group ID you used in the previous step as the External ID<YOUR SNYK API TOKEN>
- your personal Snyk API token, which you can find in the Snyk dashboard under Account settings<NAME YOUR INTEGRATION>
- a name for this integration<YOUR AWS ACCOUNT ID>
- the AWS account ID for the AWS account form the previous step.<CHANNEL ARN FROM PREVIOUS STEP>
- the Channel ARN generated in the previous step when you added the Snyk integration in the CloudTrail Lake console.
If the call is successful, the API response will include an id
for the registration. You can use this ID to manage and delete the integration later.
Remove an AWS CloudTrail Lake integration (single Organization)
Navigate to the AWS CloudTrail Lake settings page and select the name of the integration you want to remove.
Select Remove integration and confirm that you want to remove the integration.
This action removes Snyk’s configuration for this integration, which will prevent any further audit logs from being sent to AWS CloudTrail Lake. This does not remove the Snyk integration in AWS CloudTrail Lake. To do this, navigate to AWS CloudTrail Lake and delete the Snyk integration from the Integration list.
Remove an AWS CloudTrail Lake integration (Snyk Group and child Organizations)
Configuring and managing this integration for a Group is supported only by the Snyk API. You can remove an integration using the endpoint Delete a group registration. For tips on how to use the API, see the section about configuring a group-level integration.
To delete a Group-level integration, retrieve the integration ID. This is the same ID that is returned by the API when you create a Group-level integration. You can also get all currently configured Group integrations with the endpoint List all group registrations.
Query Snyk audit logs in AWS CloudTrail Lake
When your Snyk audit logs are being forwarded to AWS CloudTrail Lake, you can access them with the AWS CloudTrail Lake Query functionality. You can use this example query to get started:
Replace <EVENT-DATA-STORE-ID>
with the ID of the event data store that is associated with the Snyk integration in AWS CloudTrail Lake.
Understanding the log data
There are three (3) key fields to note when using the Snyk audit log data in AWS CloudTrail Lake.
eventdata.useridentity
The event useridentity
contains a field called principalid
, which represents the Snyk user ID for the user associated with the audit event. You can use Snyk API v1 endpoint Get organization level audit logs to match the Snyk user ID with a user in your Organization.
eventdata.eventname
This represents the type of audit event, for example, api.access
or org.cloud_config.settings.edit,
and can be used to group or filter events.
eventdata.additionaleventdata
This field contains a raw JSON payload with more detailed information about the audit event. The content of the payload depends on the type of the event. For example, an API access event will include the accessed URL, while a settings change event will include before and after values for the changed setting.
Last updated