To ensure a successful integration between Red Canary and AWS, make sure you configure CloudTrail and GuardDuty (if used) as described below.
CloudTrail Setup
For step-by-step instructions on how to set up CloudTrail, please refer to the following AWS documentation:
Organization level: Creating a trail for your organization in the console
Account level: Creating a trail with the CloudTrail console
Red Canary requires the following CloudTrail configuration:
Use the default folder structure that CloudTrail creates in S3. Please do not add an optional prefix.
Configure your trail to log events for all regions.
Configure your trail to log management events and read/write events. See Management events.
[For organizational-level integrations] Set up CloudTrail as an organizational trail to log all events for all AWS accounts in the organization. Red Canary’s status checks will fail if CloudTrail is only configured for the management account and not member accounts. See Creating a trail for an organization.
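The following is an added example, not Red Canary or AWS code: an offline check of trail settings against the CloudTrail requirements listed above. The sample data is constructed and shaped like the output of `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors`; treating "management events and read/write events" as `IncludeManagementEvents` set with `ReadWriteType` of `All` is an assumption.

```python
# Constructed sample data (not from a real account), shaped like AWS CLI output.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "S3BucketName": "example-logs",
     "IsMultiRegionTrail": True, "IsOrganizationTrail": True},
    {"Name": "legacy-trail", "S3BucketName": "example-logs", "S3KeyPrefix": "audit",
     "IsMultiRegionTrail": False, "IsOrganizationTrail": False},
]}
SAMPLE_SELECTORS = {
    "org-trail": {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "legacy-trail": {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}


def logs_all_management_events(selectors):
    """True if a basic event selector logs management events, both read and write."""
    return any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
        for s in selectors.get("EventSelectors") or []
    )


def check_trail(trail, selectors, org_level=False):
    """Return the list of requirement violations for one trail (empty = compliant)."""
    problems = []
    if trail.get("S3KeyPrefix"):
        problems.append("S3 prefix set: " + trail["S3KeyPrefix"])
    if not trail.get("IsMultiRegionTrail"):
        problems.append("trail does not log all regions")
    if not logs_all_management_events(selectors):
        problems.append("management read/write events not fully logged")
    if org_level and not trail.get("IsOrganizationTrail"):
        problems.append("not an organization trail")
    return problems


def audit(trails, selectors_by_name, org_level=False):
    """Map each trail name to its list of violations."""
    return {
        t["Name"]: check_trail(t, selectors_by_name.get(t["Name"], {}), org_level)
        for t in trails["trailList"]
    }


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_TRAILS, SAMPLE_SELECTORS, org_level=True).items():
        print(name, "OK" if not problems else problems)
```

Trails that use advanced event selectors are not evaluated by this check and are reported as not fully logging management events, so review those by hand.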
GuardDuty Setup
For step-by-step instructions on how to set up and configure GuardDuty to export findings, please refer to the following AWS documentation:
Red Canary requires the following GuardDuty configuration:
Use the default folder structure that GuardDuty creates in S3. Please do not add an optional prefix.
Don’t use GuardDuty suppression rules. See Deleting suppression rules in GuardDuty.
[Highly recommended] Enable GuardDuty for all accounts that we’re monitoring. See Managing GuardDuty accounts with AWS Organizations.
Additional Recommendations for Organization-Level Integrations
Please review your Service Control Policies (SCPs) to check if any will prevent access. See Service control policies.
If you’re using Control Tower, please review your settings. You may need to grant Red Canary regional access.