Follow our setup guide to connect AWS CloudTrail to Fivetran.
Prerequisites
To connect AWS CloudTrail to Fivetran, you need:
- An S3 bucket set up to receive log files from CloudTrail (see Amazon’s CloudTrail documentation for details)
- For private buckets, an AWS account with the ability to grant Fivetran permission to read from the bucket
In Fivetran
- Go to your Fivetran dashboard and click on + Connector.
- Select the AWS CloudTrail connector to launch the setup form.
- Find the automatically-generated External ID and make a note of it. You will need it to configure AWS to connect with Fivetran.
NOTE: The automatically-generated External ID is tied to your account. If you close and re-open the setup form, the ID will remain the same. You may wish to keep the tab open in the background while you configure your source for convenience, but closing it is also OK.
In AWS
Create an IAM Policy
This step will allow Fivetran to access your S3 bucket.
- Open the Amazon IAM console.
- Go to Policies, then select Create Policy.
- Go to the JSON tab.
- Copy the following policy and paste it in the JSON tab, replacing “{your-bucket-name}” with the name of your S3 bucket.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": "arn:aws:s3:::{your-bucket-name}/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": "arn:aws:s3:::{your-bucket-name}"
        }
      ]
    }

- Click Review Policy.
- Name the policy “Fivetran-cloudtrail-Access”.
- Click Create Policy.
Create an IAM role
- Go to Roles, then select Create Role.
- Select Another AWS Account, then enter Fivetran’s account ID, 834469178297.
- Select the Require external ID checkbox.
- Enter the External ID you got from the Fivetran AWS CloudTrail setup form.
- Click Next: Permissions.
- Select the policy “Fivetran-cloudtrail-Access” that you created earlier.
- Click Next: Tags. Adding tags is optional.
- Click Next: Review.
- Name your new role “Fivetran” and click Create Role.
- Select the Fivetran role you just created.
- Find the Role ARN and make a note of it. You will need it to fill in your Fivetran AWS CloudTrail setup form.
Set permissions (Optional)
You can specify permissions for the Role ARN that you designate for Fivetran. If you give this Role selective permissions, Fivetran can sync only what it has permission to see.
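To confirm the role ended up as the steps above describe, you can check its two policy documents: the trust policy should name only Fivetran's account and require your External ID, and the access policy should grant only `s3:Get*`/`s3:List*` on your bucket. The script below is an added example, not part of Fivetran's guide or tooling. The function names, the sample External ID and the shape of the sample trust policy are assumptions made for illustration.

```python
FIVETRAN_ACCOUNT_ID = "834469178297"  # Fivetran's account ID, as given in this guide

def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, external_id):
    """Findings for the role's trust policy; an empty list means it matches the guide."""
    findings, seen = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        seen = True
        principal = stmt.get("Principal", {})
        values = principal.values() if isinstance(principal, dict) else [principal]
        for arn in (a for v in values for a in _as_list(v)):
            # A principal is a bare account ID or arn:aws:iam::<account-id>:root
            parts = arn.split(":")
            if (parts[4] if len(parts) > 4 else arn) != FIVETRAN_ACCOUNT_ID:
                findings.append(f"unexpected principal: {arn}")
        # Assumes the condition key is written as sts:ExternalId under StringEquals
        if stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            findings.append("external ID condition missing or different from the setup form")
    return findings if seen else ["no Allow statement for sts:AssumeRole"]

def audit_access_policy(policy, bucket):
    """Findings for the permissions policy: read-only actions, this bucket only."""
    findings = []
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"resource outside the bucket: {r}"
                     for r in _as_list(stmt.get("Resource", [])) if r not in allowed]
        findings += [f"action beyond s3:Get*/s3:List*: {a}"
                     for a in _as_list(stmt.get("Action", [])) if not a.startswith(("s3:Get", "s3:List"))]
    return findings

# Constructed sample: a trust policy shaped like the one the role-creation steps
# are expected to produce; the External ID value here is made up.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::834469178297:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST, "example-external-id"))
```

To run it against your own role, fetch the trust policy with `aws iam get-role --role-name Fivetran --query Role.AssumeRolePolicyDocument`, parse the JSON, and pass it in together with the External ID shown in the Fivetran setup form.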
In Fivetran
- Return to the tab with your Fivetran setup form.
- Enter your desired destination schema name.
- Enter your Bucket Name.
- Enter your Role ARN.
- Enter the prefix if you used one when setting up the bucket for AWS CloudTrail.
- Click Save & Test. Fivetran will take it from here and sync your data from AWS CloudTrail.