How to load data from AWS CloudTrail to S3

Learn how to use Airbyte to synchronize your AWS CloudTrail data into S3 within minutes.

Try Airbyte Cloud
Get a demo

Trusted by data-driven companies

Building your pipeline or Using Airbyte

Airbyte is the only open source solution empowering data teams  to meet all their growing custom business demands in the new AI era.

Building in-house pipelines
Bespoke pipelines are:
  • Inconsistent and inaccurate data
  • Laborious and expensive
  • Brittle and inflexible
Furthermore, you will need to build and maintain Y x Z pipelines with Y sources and Z destinations to cover all your needs.
After Airbyte
Airbyte connections are:
  • Reliable and accurate
  • Extensible and scalable for all your needs
  • Deployed and governed your way
All your pipelines in minutes, however custom they are, thanks to Airbyte’s connector marketplace and AI Connector Builder.

Start syncing with Airbyte in 3 easy steps within 10 minutes

Set up a AWS CloudTrail connector in Airbyte

Connect to AWS CloudTrail or one of 400+ pre-built or 10,000+ custom connectors through simple account authentication.

Set up S3 for your extracted AWS CloudTrail data

Select S3 where you want to import data from your AWS CloudTrail source to. You can also choose other cloud data warehouses, databases, data lakes, vector databases, or any other supported Airbyte destinations.

Configure the AWS CloudTrail to S3 in Airbyte

This includes selecting the data you want to extract - streams and columns -, the sync frequency, where in the destination you want that data to be loaded.
Try Airbyte Cloud

Take a virtual tour

Check out our interactive demo and our how-to videos to learn how you can sync data from any source to any destination.

Demo video of Airbyte Cloud

Demo video of AI Connector Builder

Talk to our team

What sets Airbyte Apart

Modern GenAI Workflows

Streamline AI workflows with Airbyte: load unstructured data into vector stores like Pinecone, Weaviate, and Milvus. Supports RAG transformations with LangChain chunking and embeddings from OpenAI, Cohere, etc., all in one operation.

Move Large Volumes, Fast

Quickly get up and running with a 5-minute setup that supports both incremental and full refreshes, for databases of any size.

An Extensible Open-Source Standard

More than 1,000 developers contribute to Airbyte’s connectors, different interfaces (UI, API, Terraform Provider, Python Library), and integrations with the rest of the stack. Airbyte’s AI Connector Builder lets you edit or add new connectors in minutes.

Full Control & Security

Airbyte secures your data with cloud-hosted, self-hosted or hybrid deployment options. Single Sign-On (SSO) and Role-Based Access Control (RBAC) ensure only authorized users have access with the right permissions. Airbyte acts as a HIPAA conduit and supports compliance with CCPA, GDPR, and SOC2.

Fully Featured & Integrated

Airbyte automates schema evolution for seamless data flow, and utilizes efficient Change Data Capture (CDC) for real-time updates. Select only the columns you need, and leverage our dbt integration for powerful data transformations.

Enterprise Support with SLAs

Airbyte Self-Managed Enterprise comes with dedicated support and guaranteed service level agreements (SLAs), ensuring that your data movement infrastructure remains reliable and performant, and expert assistance is available when needed.

What our users say

Jean-Mathieu Saponaro
Data & Analytics Senior Eng Manager

"The intake layer of Datadog’s self-serve analytics platform is largely built on Airbyte.Airbyte’s ease of use and extensibility allowed any team in the company to push their data into the platform - without assistance from the data team!"

Learn more
Chase Zieman headshot
Chase Zieman
Chief Data Officer

“Airbyte helped us accelerate our progress by years, compared to our competitors. We don’t need to worry about connectors and focus on creating value for our users instead of building infrastructure. That’s priceless. The time and energy saved allows us to disrupt and grow faster.”

Learn more
Alexis Weill
Data Lead

“We chose Airbyte for its ease of use, its pricing scalability and its absence of vendor lock-in. Having a lean team makes them our top criteria.
The value of being able to scale and execute at a high level by maximizing resources is immense”

Learn more

How to Sync AWS CloudTrail to S3 Manually

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. Choose Create bucket.
  3. Provide a unique Bucket name and select the Region where you want the bucket to reside.
  4. Configure options according to your needs (versioning, logging, encryption, etc.).
  5. Set up permissions carefully to ensure the bucket is secure.
  6. Review and create the bucket.
  1. Open the AWS CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
  2. In the dashboard, choose Trails in the left navigation pane.
  3. Select the trail you want to update.
  4. In the Storage location section, click the pencil icon (edit) next to S3 bucket.
  5. Enter the name of the new S3 bucket you created in Step 1.
  6. Save your changes.

If you have an IAM policy that specifically allows CloudTrail to write to the old S3 bucket, you’ll need to update it to allow CloudTrail to write to the new bucket.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. Navigate to Policies.
  3. Find the policy attached to the CloudTrail service that grants access to the old S3 bucket.
  4. Edit the policy to include the new S3 bucket ARN in the resource section.

For example:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": "s3:PutObject",
           "Resource": "arn:aws:s3:::new-bucket-name/AWSLogs/*",
           "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
       }
   ]
}

  1. Review and save the policy.
  1. Go back to the Amazon S3 console.
  2. Select the new bucket and click on the Permissions tab.
  3. Click on Bucket Policy.
  4. Enter a policy that grants CloudTrail the necessary permissions to write to the bucket.

Example policy:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "AWSCloudTrailWrite",
           "Effect": "Allow",
           "Principal": {
               "Service": "cloudtrail.amazonaws.com"
           },
           "Action": "s3:PutObject",
           "Resource": "arn:aws:s3:::new-bucket-name/AWSLogs/*",
           "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
       }
   ]
}

  1. Click Save to apply the bucket policy.
  1. After updating the trail to use the new bucket, AWS CloudTrail will start delivering logs to the new S3 bucket.
  2. To verify that logs are being delivered, go to the CloudTrail console, select the trail, and then look at the Recent delivery history.
  3. You can also go directly to the S3 bucket and check if new log files are appearing.
  • If logs are not appearing in the new bucket, check CloudTrail for any error messages.
  • Verify that the S3 bucket policies and IAM policies are correctly configured.
  • Ensure that there are no network ACLs or S3 Block Public Access settings that could be preventing CloudTrail from delivering logs to the new bucket.

How to Sync AWS CloudTrail to S3 Manually - Method 2:

FAQs

ETL, an acronym for Extract, Transform, Load, is a vital data integration process. It involves extracting data from diverse sources, transforming it into a usable format, and loading it into a database, data warehouse or data lake. This process enables meaningful data analysis, enhancing business intelligence.

AWS CloudTrail is a web service developed to simplify and provide assistance with AWS accounts. Enabling compliance, governance, and operational and risk auditing, it allows users to monitor, log, and document AWS account-related activity in an easily searchable format. With its comprehensive account event history function, CloudTrail helps users analyze and troubleshoot security and operational issues, detect unusual account activity, and much more by increasing visibility into customers’ user and resource activity.

AWS CloudTrail provides access to a wide range of data related to AWS account activity and resource usage. The following are the categories of data that can be accessed through the API:  

1. Event history: This includes information about all the events that have occurred in an AWS account, such as API calls, console sign-ins, and resource changes.  
2. Resource activity: This category includes data related to the usage of AWS resources, such as EC2 instances, S3 buckets, and RDS databases.  
3. User activity: This category includes data related to user activity in an AWS account, such as user sign-ins, password changes, and access key usage.  
4. Security analysis: This category includes data related to security events in an AWS account, such as failed login attempts, unauthorized access attempts, and changes to security groups.  
5. Compliance auditing: This category includes data related to compliance auditing in an AWS account, such as changes to IAM policies, CloudTrail configuration changes, and VPC network changes.  

Overall, the AWS CloudTrail API provides a comprehensive view of AWS account activity and resource usage, making it a valuable tool for monitoring and managing AWS environments.

This can be done by building a data pipeline manually, usually a Python script (you can leverage a tool as Apache Airflow for this). This process can take more than a full week of development. Or it can be done in minutes on Airbyte in three easy steps: 
1. Set up AWS CloudTrail to S3 as a source connector (using Auth, or usually an API key)
2. Choose a destination (more than 50 available destination databases, data warehouses or lakes) to sync data too and set it up as a destination connector
3. Define which data you want to transfer from AWS CloudTrail to S3 and how frequently
You can choose to self-host the pipeline using Airbyte Open Source or have it managed for you with Airbyte Cloud. 

ELT, standing for Extract, Load, Transform, is a modern take on the traditional ETL data integration process. In ELT, data is first extracted from various sources, loaded directly into a data warehouse, and then transformed. This approach enhances data processing speed, analytical flexibility and autonomy.

ETL and ELT are critical data integration strategies with key differences. ETL (Extract, Transform, Load) transforms data before loading, ideal for structured data. In contrast, ELT (Extract, Load, Transform) loads data before transformation, perfect for processing large, diverse data sets in modern data warehouses. ELT is becoming the new standard as it offers a lot more flexibility and autonomy to data analysts.

What should you do next?

Hope you enjoyed the reading. Here are the 3 ways we can help you in your data journey:

flag icon
Easily address your data movement needs with Airbyte Cloud
Take the first step towards extensible data movement infrastructure that will give a ton of time back to your data team. 
Get started with Airbyte for free
high five icon
Talk to a data infrastructure expert
Get a free consultation with an Airbyte expert to significantly improve your data movement infrastructure. 
Talk to sales
stars sparkling
Improve your data infrastructure knowledge
Subscribe to our monthly newsletter and get the community’s new enlightening content along with Airbyte’s progress in their mission to solve data integration once and for all.
Subscribe to newsletter

Connectors Used

AWS CloudTrail
S3

Related Syncs with AWS CloudTrail

AWS CloudTrail to BigQuery
AWS CloudTrail to Databricks Lakehouse
AWS CloudTrail to Firebolt
AWS CloudTrail to Redshift
AWS CloudTrail to S3
AWS CloudTrail to S3 Glue
AWS CloudTrail to Snowflake Data Cloud
AWS CloudTrail to Teradata

Tags

Amazon Web Services