AWS CloudTrail

Last Updated: May. 23, 2023

Coralogix provides a predefined Lambda function to easily forward your CloudTrail logs straight to the Coralogix platform.

Make sure CloudTrail is enabled, or create a trail in your AWS account and set up storage in your S3 bucket.

If you don’t have an active trail yet, you can find instructions in the AWS documentation. As with all of our AWS integrations, we have a published application on the Serverless Application Repository.


  • Active trail in your AWS account
  • Permissions to create Lambda functions


1. Log into your AWS console.

2. Navigate to the AWS Coralogix-CloudTrail application page.

3. Scroll to the bottom of the page and fill in the relevant fields.

Note! Ensure that the region in which the CloudFormation application is being run is identical to the region in which the CloudTrail S3 bucket exists.

4. Check the checkbox: I acknowledge that this app creates custom IAM roles and resource policies.

5. Click Deploy.

6. View your logs in your Coralogix dashboard.

Parameters & Details

Below is a table of references to the parameters you will see in the deployment screen.

| Parameter Name | Description |
|---|---|
| Application Name | Name of the Lambda function in your account |
| NotificationEmail | Failure notification email address. Requires a working SNS with a validated domain. |
| S3BucketName | Name of the S3 bucket with CloudTrail logs to watch |
| ApplicationName | Application name as it appears in your Coralogix UI, i.e. CloudTrail |
| CoralogixRegion | Region [Europe, Europe2, India, Singapore, or US] associated with your Coralogix account domain. If you want to use a custom domain, leave this as default and enter the custom domain in the CustomDomain field. |
| CustomDomain | Coralogix custom domain. Leave empty if you do not use a custom domain. |
| FunctionArchitecture | Function supports x86_64 or arm64 |
| FunctionMemorySize | Max memory for the function itself. Default is 1024. |
| FunctionTimeout | Maximum time in seconds the function may be allowed to run. Default is 300. |
| PrivateKey | Your Coralogix ‘Send Your Data’ API Key |
| SsmEnabled | True if you want to store your Coralogix private_key as a secret and False if you do not |
| Layer_ARN | Your Coralogix SecurityLayer ARN. Copy from the SSM serverless application on which the ARN was installed. |
| SubsystemName | Subsystem name as it appears in your Coralogix UI, i.e. AWS account ID |
| S3KeyPrefix | Prefix of the path within the log. Allows you to choose whether part or all of the bucket is shipped. |
| S3KeySuffix | S3 path suffix to watch. Default is .json.gz. |
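
A pre-deployment check for the region note and the S3 parameters above, as an added example that is not Coralogix code: it takes the parsed output of `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status` and `aws s3api get-bucket-location`. It assumes S3KeyPrefix and S3KeySuffix act as plain prefix and suffix matches on the object key; the account ID, bucket, trail name and object keys are constructed.

```python
# Added example: offline pre-deployment check. Inputs are the parsed JSON that
# `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status` and
# `aws s3api get-bucket-location` return; all values below are constructed.

def bucket_region(location_constraint):
    """Normalize S3 GetBucketLocation output to a region name."""
    # S3 reports us-east-1 as null and may report eu-west-1 as the legacy "EU".
    if not location_constraint:
        return "us-east-1"
    return "eu-west-1" if location_constraint == "EU" else location_constraint

def matching_keys(keys, prefix, suffix):
    """Keys selected by S3KeyPrefix/S3KeySuffix (assumed plain prefix/suffix match)."""
    return [k for k in keys if k.startswith(prefix) and k.endswith(suffix)]

def preflight(trail, status, location, deploy_region, params, sample_keys):
    """Return a list of problems; an empty list means the settings line up."""
    problems = []
    if not status.get("IsLogging"):
        problems.append("trail is not logging")
    if trail.get("S3BucketName") != params["S3BucketName"]:
        problems.append("S3BucketName is not the trail's bucket")
    region = bucket_region(location.get("LocationConstraint"))
    if region != deploy_region:
        problems.append(f"bucket is in {region}, deployment is in {deploy_region}")
    if not matching_keys(sample_keys, params["S3KeyPrefix"], params["S3KeySuffix"]):
        problems.append("no sample key matches S3KeyPrefix/S3KeySuffix")
    return problems

# Constructed sample data (account ID, bucket and trail names are placeholders).
TRAIL = {"Name": "example-trail", "S3BucketName": "example-cloudtrail-bucket"}
STATUS = {"IsLogging": True}
LOCATION = {"LocationConstraint": None}  # what S3 returns for us-east-1
KEYS = [
    "AWSLogs/111122223333/CloudTrail/us-east-1/2023/05/23/"
    "111122223333_CloudTrail_us-east-1_20230523T0000Z_abcdEXAMPLE.json.gz",
    "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2023/05/23/"
    "111122223333_CloudTrail-Digest_us-east-1_example-trail_us-east-1_20230523T000000Z.json.gz",
]
PARAMS = {"S3BucketName": "example-cloudtrail-bucket",
          "S3KeyPrefix": "AWSLogs/111122223333/CloudTrail/",
          "S3KeySuffix": ".json.gz"}

if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        print(region, preflight(TRAIL, STATUS, LOCATION, region, PARAMS, KEYS) or "OK")
```

With an empty S3KeyPrefix, the constructed CloudTrail-Digest key also matches the default .json.gz suffix, which is why the sample narrows the prefix to the CloudTrail/ folder.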


Need help?

Our world-class customer success team is available 24/7 to walk you through your setup and answer any questions that may come up.

Feel free to reach out to us via our in-app chat or by sending us an email at [email protected].
