- 07 Aug 2025
- 11 Minutes to read
- PDF
Integrate Amazon Web Services (AWS) with Red Canary
Red Canary can ingest CloudTrail logs and GuardDuty findings from your Amazon Web Services (AWS) environment, as well as make regular scans of the AWS environment to find newly-created accounts and resources, ensuring that data is properly attributed and monitored as the environment grows and evolves. By integrating AWS with Red Canary, you can enhance your cloud security operations by centralizing monitoring, enabling effective threat detection and response, and facilitating automated actions.
CloudTrail
AWS CloudTrail monitors and records account activity across your AWS infrastructure and writes the results to logs. To ingest this data, Red Canary requires the CloudTrail logs to be stored in an S3 bucket. We then monitor the ingested logs for signs of suspicious activity.
GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts, workloads, and data for malicious activity and delivers detailed security findings for visibility and remediation. To ingest this data, Red Canary requires the GuardDuty findings to be stored in an S3 bucket. We then bring the GuardDuty findings into our system as alerts, analyze them for signs of suspicious activity, and correlate them with the CloudTrail telemetry. Although you can integrate AWS and Red Canary without GuardDuty, we strongly recommend turning it on. For more information, see the AWS Integration FAQ.
Account Limits
Red Canary restricts all cloud integrations to 2,000 accounts or external services in a single subdomain. Please contact your Customer Success Manager if you anticipate hitting this limit.
Prerequisites
Before you start the Amazon Web Services integration, please make sure the following requirements are met:
You’re subscribed to Red Canary’s Cloud Control Plane license
You have the following AWS infrastructure in place:
CloudTrail is set up to store its logs in an S3 bucket
GuardDuty (if used) is set up to store its findings in an S3 bucket
ACLs are disabled on the S3 buckets (recommended by Amazon)
You have an AWS Console admin account with permissions to:
Create Simple Notification Service (SNS) topics
Adjust resource policies on SNS topics
Set notifications on S3 buckets
Adjust resource policies on S3 buckets
Adjust resource policies on KMS keys
Create IAM roles
1 Red Canary | Add the Integration
The first step is to add the new integration in Red Canary.
From your Red Canary homepage, go to the Integrations page then click Add Integration.
On the Add integration dialog, search for the Amazon Web Services integration then click Configure.
On the Add Integration page, enter a name for the integration.
Autodetect
You can optionally use the Autodetect wizard to scan your AWS environment and automatically fill out many of the integration values required in the steps below.
Click Autodetect and follow the instructions on the Autodetect your AWS configuration dialog to retrieve the values. Then click Use autodetected values to populate the fields on the configuration page.
If any of the values can’t be autodetected, or if you need to override any of the suggestions, you can still complete all the steps manually as described below.
2 Red Canary/AWS | Choose the Integration Scope
You can choose to integrate a single account, or you can integrate multiple accounts simultaneously if they’re grouped under an AWS organization.
In the Choose the scope of integration section, select the scope:
Organization - Scan your AWS organization and all its member accounts
Account - Scan a single AWS account
If you chose Organization scope:
If you don’t already know your AWS Organization ID and AWS Management Account ID, copy them from the AWS Organizations dashboard in your AWS Console.
Enter the AWS Organization ID and AWS Management Account ID into the Red Canary configuration page.
Select the accounts you want to include:
All accounts in this organization - Scan every account. You can optionally enter a comma-separated list of account IDs that will be excluded from the scan.
Only specific accounts - Enter a comma-separated list of the accounts you want to scan.
Click Next.
If you chose Account scope:
If you don’t already know your AWS Account ID, copy it from the Billing and Cost Management > Account page in your AWS Console.
For additional help, see Finding your AWS account ID.
Enter the AWS Account ID into the Red Canary configuration page.
Click Next.
3 Red Canary/AWS | Identify the CloudTrail S3 Bucket
Red Canary reads your CloudTrail logs from an S3 bucket. In order to configure the integration, you’ll need to provide the ARN of the S3 bucket and (optionally) the KMS key used to encrypt the bucket.
Red Canary also needs to subscribe to an SNS topic in order to receive messages as data is added to the S3 bucket.
Note
Creating a new CloudTrail for Red Canary could increase your AWS bill. To avoid additional costs, we recommend using a pre-existing CloudTrail. For more information, see Managing CloudTrail trail costs.
Get the ARN of the CloudTrail Logs S3 Bucket
Navigate to the CloudTrail Dashboard in your AWS Console.
In the Trails panel, click on the active Trail name.
Click the Trail log location.
Click the CloudTrail location in the breadcrumbs section.
Go to the Properties tab and copy the Bucket ARN.
Get the ARN of the CloudTrail S3 Bucket KMS Encryption Key
Note
AWS doesn’t require encryption for the CloudTrail S3 bucket. If you’re not using encryption, you can skip this step.
Navigate to the Amazon S3 > General purpose buckets page in your AWS Console.
In the General purpose buckets panel, click on the bucket you’re using to send data to Red Canary.
Go to the Properties tab and copy the Encryption key ARN from the Default encryption panel.
Note
The Encryption key ARN won’t be displayed if KMS encryption isn’t enabled. To change the default encryption:
Click Edit.
Change Encryption type to “Server-side encryption with AWS Key Management Service keys (SSE-KMS)”
Choose an existing KMS key, or create a new one. The Key usage must be “Encrypt and decrypt.”
Save the changes then copy the resulting Encryption key ARN.
Enter the CloudTrail ARNs into Red Canary
In the Identify S3 bucket containing CloudTrail logs and SNS Topic section on the Red Canary configuration page, enter the Bucket ARN and Encryption key ARN.
Create an SNS Topic for CloudTrail Logging Bucket Notifications
You need to set up an SNS topic in AWS to receive event notifications when data is added to the CloudTrail logs S3 bucket.
Navigate to the Simple Notification Service page in your AWS Console.
Click Create topic.
Choose Standard as the topic type and enter a topic name.
Click Create topic.
Copy the SNS topic ARN.
Enter the SNS topic ARN on the Red Canary configuration page.
Note
If your SNS topic and KMS key belong to different AWS accounts, you’ll need to update the key policy in AWS to enable cross-account KMS access. The configuration page will auto-generate the JSON statement you can use to update the policy.
Click Next.
Send CloudTrail S3 Bucket Event Notifications to the SNS Topic
You need to configure the S3 bucket to send notifications to the SNS topic whenever a data event occurs.
Navigate to the Amazon S3 > General purpose buckets page in your AWS Console.
In the General purpose buckets panel, click on the bucket you’re using to send data to Red Canary.
Go to the Properties tab.
In the Event notifications panel, click Create event notification.
Enter a name for your event notification.
In the Event types panel, select All object create events.
Important
Please leave the optional Prefix and Suffix values blank unless you’re confident you understand the effect of these filters in your environment. Misconfiguration can prevent event notifications being sent to Red Canary.
In the Destination panel, select SNS topic and choose the topic you created earlier.
Click Save changes.
If the topic is correctly set up, you should see it populate with two subscriptions after you finish and activate the integration.
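A pre-activation check for the event notification configured in this step (the same check applies to the GuardDuty bucket in Step 4), written as an added example rather than Red Canary's own code. It assumes a constructed configuration in the shape returned by `aws s3api get-bucket-notification-configuration`, with placeholder topic ARN and notification ID; in practice you would load that command's real output instead.

```python
import json

# Constructed sample in the shape returned by
# `aws s3api get-bucket-notification-configuration --bucket <bucket>`;
# the ARN and Id are placeholders, not values from the guide.
SAMPLE_CONFIG = json.loads("""
{
  "TopicConfigurations": [
    {
      "Id": "redcanary-cloudtrail",
      "TopicArn": "arn:aws:sns:us-east-1:111111111111:redcanary-cloudtrail-topic",
      "Events": ["s3:ObjectCreated:*"],
      "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "AWSLogs/2024/"}]}}
    }
  ]
}
""")

EXPECTED_TOPIC = "arn:aws:sns:us-east-1:111111111111:redcanary-cloudtrail-topic"

def check_notification(config: dict, expected_topic_arn: str) -> list:
    """Return the problems found; an empty list means the bucket matches the guide."""
    problems = []
    matching = [t for t in config.get("TopicConfigurations", [])
                if t.get("TopicArn") == expected_topic_arn]
    if not matching:
        return ["no event notification on this bucket targets " + expected_topic_arn]
    for t in matching:
        name = t.get("Id", "<unnamed>")
        # The console's "All object create events" is s3:ObjectCreated:* in the API;
        # a narrower event such as s3:ObjectCreated:Put would miss other upload paths.
        if "s3:ObjectCreated:*" not in t.get("Events", []):
            problems.append(f"{name}: events {t.get('Events', [])} do not cover all object-create events")
        # The guide says to leave Prefix and Suffix blank: any non-empty rule can
        # silently drop the notifications Red Canary depends on.
        rules = t.get("Filter", {}).get("Key", {}).get("FilterRules", [])
        for rule in rules:
            if rule.get("Value"):
                problems.append(f"{name}: {rule.get('Name', '?').lower()} filter "
                                f"'{rule['Value']}' may suppress notifications")
    return problems

def fixed_copy(config: dict) -> dict:
    """Return a copy with all filter rules removed, which is what the guide asks for."""
    fixed = json.loads(json.dumps(config))
    for t in fixed.get("TopicConfigurations", []):
        t.pop("Filter", None)
    return fixed
```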
4 Red Canary/AWS | Identify the GuardDuty S3 Bucket
Red Canary reads your GuardDuty alerts from an S3 bucket. In order to configure the integration, you’ll need to provide the ARN of the S3 bucket and the KMS key used to encrypt the bucket.
Red Canary also needs to subscribe to an SNS topic in order to receive messages as data is added to the S3 bucket.
OPTIONAL
If you don’t want Red Canary to ingest your GuardDuty alerts, you can skip this section and leave the GuardDuty fields blank on the integration configuration page.
Note that if you decide to add GuardDuty alerts later, you’ll need to repeat Step 5 below to re-provision the IAM role and update the permissions.
Get the ARNs of the GuardDuty Alerts S3 Bucket and KMS Encryption Key
Navigate to the GuardDuty > Settings page in your AWS Console.
In the Findings export options panel, click Edit for the S3 bucket.
Copy the S3 Bucket ARN and the KMS Key ARN.
Click Cancel.
Enter the GuardDuty ARNs into Red Canary
In the Identify S3 bucket containing GuardDuty alerts and SNS Topic section on the Red Canary configuration page, enter the two ARNs for GuardDuty.
Create an SNS Topic for GuardDuty Alerts Bucket Notifications
You need to set up an SNS topic in AWS to receive event notifications when data is added to the GuardDuty alerts S3 bucket. The steps for creating the SNS topic are the same as for CloudTrail (see Create an SNS Topic for CloudTrail Logging Bucket Notifications).
After you’ve created the SNS topic in AWS, enter the ARN on the Red Canary configuration page.
Click Next.
Send GuardDuty S3 Bucket Event Notifications to the SNS Topic
The steps for setting up an SNS topic to receive GuardDuty event notifications are the same as for CloudTrail (see Send CloudTrail S3 Bucket Event Notifications to the SNS Topic).
5 Red Canary/AWS | Provision an IAM Role
To give Red Canary the necessary access, you need to provision an appropriately configured IAM role in your AWS environment. The integration UI will generate a template which contains all the values needed to create the role. By default, the role name is redcanary-partner-access.
Generate the Template in Red Canary
In the Provision an IAM role in the Account(s) Being Configured section on the Red Canary configuration page, select CloudFormation or Terraform to generate the appropriate template.
Copy and paste the template into a new file and save it. You’ll upload this file to AWS later.
Provision the IAM Role in AWS
To provision the IAM role for Red Canary to use, you must apply the CloudFormation or Terraform template to the appropriate accounts in AWS. The process is different depending on whether your integration scope is Organization or Account.
If you’re integrating at the Organization level, follow these instructions to ensure Red Canary has the necessary role in all the accounts.
Important
When creating roles at the Organization level, make sure you’re logged in to the management account in AWS.
For CloudFormation
In CloudFormation you need to create a single stack and deploy it to your management account first. You can then use the same template to generate a stack set for deployment to the rest of the accounts in the organization.
Create a Stack
Navigate to the CloudFormation > Stacks page in your AWS Console.
Click Create stack and select With new resources (standard).
On the Create stack page:
In the Prerequisite - Prepare template panel, select Choose an existing template
In the Specify template panel, select Upload a template file
Click Choose file to upload the template file you created earlier
Click Next.
On the Specify stack details page, enter a name for your new stack and click Next.
On the Configure stack options page, accept the acknowledgment message and click Next.
On the Review and create page, copy the Template URL. You’ll use this to create a stack set for the rest of the accounts in the organization.
Click Submit to create the stack.
Create a StackSet
Navigate to the CloudFormation > StackSets page in your AWS Console.
Click Create Stackset.
On the Choose a template page:
In the Prerequisite - Prepare template panel, select Template is ready
In the Specify template panel, enter the Amazon S3 URL for the template which you copied when you created the stack
Click Next.
On the Specify StackSet details page, enter a name for your new stack set and click Next.
On the Configure StackSet options page, accept the acknowledgment message and click Next.
On the Set deployment options page:
In the Deployment targets panel, make sure you’re deploying to the organization
In the Specify Regions panel, select the regions you want to deploy the stacks to (typically, all regions)
In the Deployment options panel, adjust the Failure tolerance setting to address any potential failures
Click Next.
On the Review page, click Submit to create the stack set.
For Terraform
Terraform usage is dependent on your environment. If you need assistance with the Terraform template, please contact Red Canary Support.
If you’re integrating individual AWS accounts, follow these instructions to deploy the IAM role for each account.
For CloudFormation
Navigate to the CloudFormation > Stacks page in your AWS Console.
Click Create stack and select With new resources (standard).
On the Create stack page:
In the Prerequisite - Prepare template panel, select Choose an existing template
In the Specify template panel, select Upload a template file
Click Choose file to upload the template file you created earlier
Click Next.
On the Specify stack details page, enter a name for your new stack and click Next.
On the Configure stack options page, accept the acknowledgment message and click Next.
On the Review and create page, click Submit to create the stack.
For Terraform
Terraform usage is dependent on your environment. If you need assistance with the Terraform template, please contact Red Canary Support.
Confirm the IAM Role in Red Canary
When you’ve finished provisioning the IAM role in AWS, check the Access granted box on the Red Canary configuration page.
6 Red Canary | Activate the Integration
After you’ve completed the configuration, click Save to activate the integration.
The AWS integration is now live!
You should see AWS alerts start appearing in Red Canary within one hour.
7 Red Canary | Modify the Integration
After the AWS integration is active, you can make the following modifications to the configuration:
Change the S3, SNS, and KMS ARNs
Edit the list of included/excluded AWS accounts
Add or remove GuardDuty
Decommission the integration
To modify the configuration:
From your Red Canary homepage, go to the Integrations page then click on the name of the integration you want to modify.
After you’ve finished editing the configuration, click Save to apply your changes.
Decommissioning the Integration
To remove the integration from Red Canary, click the button, then click OK to confirm.
Important
If you decommission the integration, no new alerts will be sent to Red Canary. Although threats will be retained, all processed alerts will be deleted. This action cannot be undone.