This article describes how to connect your new AWS CloudTrail to the Expel Workbench.

If you are connecting an existing CloudTrail, use the existing installation procedure instead.

If you are connecting an existing CloudTrail that includes Control Tower, use the Control Tower connection procedure instead.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

You need:

  • Permissions to create and modify IAM policies and roles in each AWS account you want Expel to monitor.

  • An AWS Management Account ID or individual AWS Account ID(s) for each account you're going to onboard.

  • The AWS region in which you want to create an SQS queue to notify Expel of available CloudTrail data.

Server Side Encryption with AWS-KMS

AWS KMS (key management services) allows you to manage cryptographic keys to encrypt/decrypt data at-rest. Many AWS services offer server side encryption (SSE) where the service is responsible for encrypting/decrypting the data on a principal’s (user/service) behalf.

We are encrypting all the data at rest (CloudTrail logs, CloudTrail log bucket and SQS queue messages) using a custom managed AWS key. All the required permissions for the AWS services to encrypt/decrypt data are specified in the key policies. Additionally, the custom role that this integration assumes to monitor your AWS account is attached with a policy to decrypt the CloudTrail log S3 bucket using this key.

Manual onboarding for new AWS CloudTrails

Step 1: Configure a global CloudTrail

  1. Log in to the AWS console. If you have multiple AWS accounts and use AWS Organizations, log into your primary account.

  2. Ensure you are in the region you want to be the Home region for the new CloudTrail. The CloudTrail collects data from all regions, but it is stored in S3 in a specific region. You need to supply this region to Expel Workbench later in this process.

  3. Navigate to the CloudTrail service and create a new trail.

  4. Select trail attributes.


    If you select an existing S3 bucket or KMS key, the integration doesn't work. Contact your engagement manager for help.

    • Name Trail: we recommend GlobalCloudTrail.

    • Select Create new S3 bucket and name bucket.

    • When creating a new trail, make sure that Enable for all accounts in my organization is selected if you are using AWS Organizations.

    • Enable Log file SSE-KMS encryption. Select New and type a KMS alias.

    • Enable Log file validation.

    • (Optional) If you are using SNS, select SNS Topic.

  5. Leave the CloudWatch Logs and Tags sections blank and click Next.

  6. Select log events.

    • Events: only select Management events. Leave the rest cleared.

    • Management events: select Read and Write. Leave Exclude AWS KMS events clear.

    • Click Next.

  7. Verify Trail attributes and click Create Trail.


Step 2: Enable SSE-KMS encryption in the log S3 bucket

To enable Server Side Encryption (SSE) in the Trail log bucket, you must edit the configuration of the trail log bucket.

  1. Navigate to S3 and select the S3 trail log bucket created in Step 1. Select the Properties tab and Edit the Default Encryption section.

  2. Edit the Default Encryption as follows:

    • Enable Server Side Encryption.

    • For Key Type, select AWS Key Management Service key (SSE-KMS).

    • For AWS KMS key, select Choose from your AWS KMS keys.

    • Type the key alias given in Step 1 and select it.

    • (Optional) Enable Bucket Key.

    • Note the Bucket ARN.

  3. Click Save changes.

Step 3: Create an SQS queue to receive S3 notifications

To consume CloudTrail events from the trail’s S3 bucket, Workbench must be notified when new event files are added to the S3 bucket. In this step, we create an SQS queue for these notifications.


The SQS queue must be in the same account and region as the S3 bucket created in Step 1.

  1. Navigate to Simple Queue Service and click Get Started Now if this is the first SQS queue you created, or click Create New Queue if you already have other SQS Queues defined.

  2. Create queue.

    • Details: Queue Name is filled in as ExpelMasterCloudTrailNotify. Select Standard Queue.

    • Configuration:

      • Visibility timeout: 30 Seconds.

      • Message retention period: 7 days.

      • Delivery delay: 0 Seconds.

      • Maximum message size: 256 KB.

      • Receive message wait time: 0 Seconds.

  3. Access policy:

    • Select Advanced, change the Resource and aws:SourceArn sections of the following JSON then copy and paste to the text box.

      Note: Your SQS ARN is populated after you switch to the Advanced tab.

       "Version": "2012-10-17",
       "Id": "__default_policy_ID",
       "Statement": [
       "Sid": "__owner_statement",
       "Effect": "Allow",
       "Principal": {
       "AWS": "*"
       "Action": "SQS:SendMessage",
       "Resource": "<your_sqs_queue_arn>",
       "Condition": {
       "ArnLike": {
       "aws:SourceArn": "<your_S3_bucket_arn>"  
  4. Enable Server Side Encryption and select AWS Key Management Service key (SSE-KMS) for Encryption key type. Type the key alias created in Step 1 and select the key.

  5. Click Create Queue.

Step 4: Add key policies


Adding this key policy is necessary to configure the S3 event notifications in the following step.

To enable trail log bucket to encrypt messages that are being sent to the SQS queue, you need to add key policies.

Navigate to the KMS key created in Step 1.

  1. Click Edit on the Key policy tab.

  2. Copy the following JSON key policy snippet and append it to the end of the existing key policies.

     "Sid": "Allow cloudtrail bucket to encrypt/decrypt SQS",
                "Effect": "Allow",
                "Principal": {
                    "Service": ""
           "Action": [
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "aws:SourceArn": "<your_S3_bucket_arn>"
  3. Save the key policy and note the KMS ARN.


Step 5: Configure S3 notifications

  1. Navigate to the S3 bucket containing your CloudTrail logs created in Step 1.

  2. Navigate to Properties.

  3. Select Create event notifications.

  4. General configuration:

    • Event name: ExpelNotifyQueue.

    • Select All object create events under Event Types.

  5. Destination:

    • Select SQS Queue under Destination.

    • Select Choose from your SQS queues and select the queue you created from the list. If you don't see your queue, you can select Enter SQS queue ARN and type the queue ARN in the field.

  6. Save your changes.


Step 6: Create AWS IAM policy

In this step we create a permissions policy to assign to the IAM Role.


If you use AWS organizations, the primary Expel role resides in the organization’s primary account where the CloudTrail, S3, and SQS queue were created for the integration.

The role and policy must be replicated across all the other accounts in the organization to perform AWS investigative actions. The policy in the sub-accounts can be changed to exclude the SQS and S3 resources.

  • Create AWS IAM Policy.

    • Navigate to the IAM service.

    • Go to Policies and click Create Policy.

    • Select the JSON tab and add the following permissions using the JSON tab:

      "Version": "2012-10-17",
      "Statement": [
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
      "Resource": "*"
      "Effect": "Allow",
      "Action": [
      "Resource": "<YOUR_SQS_ARN>"
      "Effect": "Allow",
      "Action": [
      "Resource": "<YOUR_S3_ARN>/*"
      "Effect": "Allow",
      "Action": [
      "Resource": "<YOUR_KMS_KEY_ARN>"


There should be “/*” at the end of your S3 ARN in the Resource section. This allows the role to access all of the sub-folders in your bucket.

Permissions List




Dynamically list all enabled regions for a customer account


Cloud investigative actions and inventory














Enumerate accounts in an org


Remove Processed messages from the queue


Read messages


Download cloudtrail log files


Cloud investigative actions and inventory







Cloud investigative actions and inventory




kms: Decrypt

Decrypt S3 buckets

  • Review and name the policy ExpelAPIPolicy.


Step 7: Create IAM Role

  1. From within the IAM service, navigate to Roles and click Create Role.

  2. Select Another AWS account and fill out the required fields.

    • Account ID: 012205512454 (the Expel AWS account ID).

    • External ID: this unique identifier is assigned to you by Expel. You can find it in your browser URL after navigating to Settings > My Organization in Workbench (see sample screenshot below). You can also find it while completing Step 5: Register AWS in Workbench. Reach out to your engagement manager if you are unable to locate this ID.

  3. Attach the IAM policy from Step 1 to the Role.

  4. Skip Add Tags.

  5. Review: Name the role ExpelServiceRole and create the Role. Important: all accounts roles must have the same name for the integration to work.

  6. Navigate to the role you just created and copy the following information:

    • Role ARN.

    • External ID Value under the Trust relationships tab.

Step 8: Register AWS in Workbench

  1. Login to

  2. Answer the questions, being sure to answer Yes to the second question, and then click Start.

  3. Fill out the following fields:

    • Role ARN: the Role ARN.

    • Role session name: use a unique name to identify the use of the role.

    • Region: the AWS region containing the trail S3 and SQS.

    • SQS URL: Queue URL.


External ID is automatically populated.