This article explains how to connect AWS GovCloud Cloudtrail  to Workbench.


The AWS GovCloud Cloudtrail integration can't be onboarded using CloudFormation templates or Terraform. You must connect your GovCloud manually by following the steps below.


AWS Organizations isn't supported.

Server-side encryption with AWS-KMS

AWS KMS, which stands for Key Management Services, enables you to manage cryptographic keys for encrypting and decrypting data at rest. In AWS services that use server-side encryption (SSE), the service itself handles the encryption and decryption of data for a user or a service.

We use a custom AWS-managed key to encrypt all the data at rest, including CloudTrail logs, the CloudTrail log bucket, and messages in the SQS queue. The key policies include all the necessary permissions for AWS services to encrypt and decrypt data. The custom user responsible for tracking your AWS account uses a policy for decrypting the CloudTrail log S3 bucket with the AWS key.

Step 1: Configure CloudTrail

  1. Log in to the AWS GovCloud Cloudtrail console.

  2. Make sure you are in the region you want to be the home region for the new CloudTrail trail.

  3. Go to the CloudTrail service.

  4. Go to Trails.

  5. Create a new trail.

  6. For the new trail, type the following settings:

    1. In Name Trail, type the name of your new trail.

      The recommended name is GlobalCloudTrail.

    2. Click Create new S3 bucket, and type the name of a new bucket.

    3. If you use AWS Organizations, make sure that Enable for all accounts in my organization is selected.

    4. Click Log file SSE-KMS encryption to enable it, then do the following:

      1. Click New.

      2. Type a KMS alias.

    5. Click Log file validation to enable it.

    6. Click Next.

  7. Leave the CloudWatch Logs and Tags sections blank, and click Next.

  8. Select the required log events:

    1. Under Events, click Management events.

    2. Under Management events, click Read and Write.

    3. Click Next.

  9. Check the trail attributes you typed, and click Create Trail.

Step 2: Enable the SSE-KMS encryption for the S3 trail bucket

  1. Go to the S3 section.

  2. Click the S3 trail log bucket created in Step 1.

  3. Click Properties > Edit the Default Encryption.

  4. In Edit the Default Encryption, make the following changes:

    1. To enable server-side encryption, click Enable Server Side Encryption.

    2. In Encryption Type, click AWS Key Management Service key (SSE-KMS).

    3. In the AWS KMS key list, click Choose from your AWS KMS keys.

    4. Type the KMS alias given in Step 1, and click the alias.

    5. Select Enable Bucket Key.

    6. Make a note of the Bucket ARN.

  5. Click Save changes.

Step 3: Create an SQS queue to receive S3 notifications

  1. Go to the Simple Queue Service section.

  2. Click Create New Queue.

  3. In the new queue window, type the following settings:

    • Visibility timeout: 30 seconds.

    • Message retention period: 7 days.

    • Delivery delay: 0 seconds.

    • Maximum message size: 256 KB.

    • Receive message wait time: 0 seconds.

  4. Click Advanced.

    A text box opens.

  5. In the text box, paste the JSON snippet provided below.

        "Version": "2012-10-17",
        "Id": "__default_policy_ID",
        "Statement": [
                "Sid": "__owner_statement",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                "Action": "SQS:SendMessage",
                "Resource": "<your_sqs_queue_arn>",
                "Condition": {
                    "ArnLike": {
                        "aws:SourceArn": "<your_S3_bucket_arn>"
  6. For the Resource and aws:SourceArn keys, replace the placeholders with your custom values.

  7. To enable server-side encryption, click Enable Server Side Encryption.

  8. For Encryption key type, click AWS Key Management Service key (SSE-KMS).

  9. In Customer Master Key, type the KMS alias created in Step 1, and click the alias.

  10. Click Create Queue.

Step 4: Add the key policy

  1. Go to the KMS key created in Step 1.

  2. On the Key policy tab, click Edit.

  3. Copy the following JSON key policy snippet and paste it in Key policy, at the end of the existing key policies.

        "Sid": "Allow cloudtrail bucket to encrypt/decrypt SQS",
        "Effect": "Allow",
        "Principal": {
            "Service": ""
        "Action": [
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "aws:SourceArn": "<your_S3_bucket_arn>"
  4. For the aws:SourceArn key, update the placeholder value with your custom value.

  5. Save the key policy.

    A general key configuration page opens.

  6. Make a note of the KMS ARN.

Step 5: Configure the S3 notifications

  1. Go to the S3 bucket with your CloudTrail logs created in Step 1.

  2. Go to Properties.

  3. Click Create event notifications.

  4. In General configuration, select the following settings:

    • In Event name, click ExpelNotifyQueue.

    • In Event Types, click All objects create events.

  5. In Destination, make the following changes:

    1. Click SQS Queue.

    2. Click Choose from your SQS queues.

    3. On the list, click the queue you created.


      If you don't see your queue, click Enter SQS queue ARN, and in the field, type the queue ARN.

  6. Save your changes.

Step 6: Create an IAM Policy

  1. Go to the IAM service.

  2. Go to Policies > Create Policy.

  3. Select the JSON tab and add the following permissions snippet:

        "Version": "2012-10-17",
        "Statement": [
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                "Resource": "*"
                "Effect": "Allow",
                "Action": [
                "Resource": "<YOUR_SQS_ARN>"
                "Effect": "Allow",
                "Action": [
                "Resource": "<YOUR_S3_ARN>/*"
                "Effect": "Allow",
                "Action": [
                "Resource": "<YOUR_KMS_KEY_ARN>"
  4. For the highlighted Resource keys, replace the placeholder values with your custom values.

  5. Save your changes.

Step 7: Create an IAM user and keys

  1. Go to the IAM service.

  2. Go to Access Management > Users.

  3. Create a new user.

    For the detailed procedure, see Creating an IAM user in your AWS account in the AWS documentation.

  4. Link the IAM policy created in Step 6 to the new user.

  5. For the new user, create an access key.

    You now have an access key and a secret access key.

Step 8: Send the required data to Expel

Expel takes care of onboarding the GovCloud connector in Workbench. Coordinate with your engagement manager to securely send the data needed to complete the onboarding to Expel.

Provide the following information:

  • Access keys



  • AWS GovCloud Region


This page was accurate at the time of writing, but changes happen. If you find the instructions are outdated, let us know via your engagement manager or account representative.