The azure-native:securityinsights:AwsCloudTrailDataConnector resource, part of the Pulumi Azure Native provider, registers an AWS CloudTrail data connector within a Microsoft Sentinel workspace, establishing the link between AWS audit logs and Azure security monitoring. This guide focuses on one capability: connector registration in Sentinel workspaces.
The connector requires an existing Log Analytics workspace, resource group, and AWS-side configuration (IAM role with CloudTrailReadOnly policy, CloudTrail setup). The example is intentionally minimal. Extend it with awsRoleArn and dataTypes properties for complete AWS integration.
Register an AWS CloudTrail connector in a Sentinel workspace
Security teams integrate AWS CloudTrail logs into Microsoft Sentinel to correlate cloud infrastructure events with other security signals.
TypeScript:
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const awsCloudTrailDataConnector = new azure_native.securityinsights.AwsCloudTrailDataConnector("awsCloudTrailDataConnector", {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
});
Python:
import pulumi
import pulumi_azure_native as azure_native

aws_cloud_trail_data_connector = azure_native.securityinsights.AwsCloudTrailDataConnector(
    "awsCloudTrailDataConnector",
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    resource_group_name="myRg",
    workspace_name="myWorkspace",
)
Go:
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewAwsCloudTrailDataConnector(ctx, "awsCloudTrailDataConnector", &securityinsights.AwsCloudTrailDataConnectorArgs{
			DataConnectorId:   pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
C#:
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    var awsCloudTrailDataConnector = new AzureNative.SecurityInsights.AwsCloudTrailDataConnector("awsCloudTrailDataConnector", new()
    {
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
    });
});
Java:
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azurenative.securityinsights.AwsCloudTrailDataConnector;
import com.pulumi.azurenative.securityinsights.AwsCloudTrailDataConnectorArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var awsCloudTrailDataConnector = new AwsCloudTrailDataConnector("awsCloudTrailDataConnector", AwsCloudTrailDataConnectorArgs.builder()
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .build());
    }
}
YAML:
resources:
  awsCloudTrailDataConnector:
    type: azure-native:securityinsights:AwsCloudTrailDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      resourceGroupName: myRg
      workspaceName: myWorkspace
The dataConnectorId is a GUID that uniquely identifies this connector instance within the workspace; choose a stable value, because changing it later means recreating the connector. The resourceGroupName and workspaceName target the Log Analytics workspace that will receive CloudTrail events. This minimal configuration only registers the connector: nothing is ingested until you also set awsRoleArn to the IAM role Sentinel assumes in your AWS account and enable the log types to collect through dataTypes. The connector's kind is AmazonWebServicesCloudTrail, the only value accepted for this resource type.
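The helper below is an added example, not code from the Pulumi documentation or the Azure Native provider. It builds and sanity-checks the full argument set discussed above (awsRoleArn, dataTypes and kind alongside the three identifiers) before the object is handed to the resource constructor, so that a malformed connector GUID, a non-role ARN, or a role in an unexpected AWS account fails at preview time instead of producing a registered connector that ingests nothing. It runs without the Pulumi SDK; the property names follow the resource reference, while the function names, the AWS account allow-list, and the sample ARN and account ID are assumptions made for this example.

```typescript
// Added example, not code from the Pulumi docs or provider: build and sanity-check
// the full AwsCloudTrailDataConnector argument set before handing it to the resource.
// Property names follow the resource reference; the helper names, the AWS account
// allow-list and the sample values below are assumptions made for this example.

export type LogState = "Enabled" | "Disabled";

// Shape of the object passed as the second argument to
// new azure_native.securityinsights.AwsCloudTrailDataConnector(name, args).
export interface CloudTrailConnectorArgs {
  kind: "AmazonWebServicesCloudTrail"; // only accepted value for this connector type
  dataConnectorId: string;
  resourceGroupName: string;
  workspaceName: string;
  awsRoleArn: string;
  dataTypes: { logs: { state: LogState } };
}

export interface CloudTrailConnectorInput {
  dataConnectorId: string;
  resourceGroupName: string;
  workspaceName: string;
  awsRoleArn: string;
  // AWS account IDs the role may live in (assumption: kept in stack config, not hard-coded).
  allowedAwsAccountIds: string[];
  // Defaults to Enabled: a registered connector that ingests nothing is rarely intended.
  logsState?: LogState;
}

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// arn:<partition>:iam::<12-digit account>:role/<path and name>; users and other principals are rejected.
const ROLE_ARN_RE = /^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role\/[\w+=,.@\/-]+$/;

export function parseRoleArn(arn: string): { partition: string; accountId: string } {
  const m = ROLE_ARN_RE.exec(arn);
  if (m === null) {
    throw new Error(`awsRoleArn is not an IAM role ARN: ${arn}`);
  }
  return { partition: m[1], accountId: m[2] };
}

export function buildCloudTrailConnectorArgs(input: CloudTrailConnectorInput): CloudTrailConnectorArgs {
  if (!GUID_RE.test(input.dataConnectorId)) {
    throw new Error(`dataConnectorId must be a GUID: ${input.dataConnectorId}`);
  }
  if (input.resourceGroupName.trim() === "" || input.workspaceName.trim() === "") {
    throw new Error("resourceGroupName and workspaceName must not be empty");
  }
  const role = parseRoleArn(input.awsRoleArn);
  if (input.allowedAwsAccountIds.indexOf(role.accountId) === -1) {
    throw new Error(`awsRoleArn is in AWS account ${role.accountId}, which is not in the allow-list`);
  }
  return {
    kind: "AmazonWebServicesCloudTrail",
    dataConnectorId: input.dataConnectorId,
    resourceGroupName: input.resourceGroupName,
    workspaceName: input.workspaceName,
    awsRoleArn: input.awsRoleArn,
    dataTypes: { logs: { state: input.logsState === undefined ? "Enabled" : input.logsState } },
  };
}

// Constructed sample using the identifiers from the page's example; the role ARN
// and the account ID are made up for this example.
export function exampleArgs(): CloudTrailConnectorArgs {
  return buildCloudTrailConnectorArgs({
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
    awsRoleArn: "arn:aws:iam::123456789012:role/SentinelCloudTrailReader",
    allowedAwsAccountIds: ["123456789012"],
  });
}

// In the TypeScript program above, the result replaces the inline argument object:
//   new azure_native.securityinsights.AwsCloudTrailDataConnector("awsCloudTrailDataConnector", exampleArgs());
```

The account allow-list is the check that earns its keep: the connector accepts whatever role ARN you give it, so an ARN copied from the wrong account can pass deployment and only surface later as a connector that never ingests. Rejecting non-role principals and non-GUID connector IDs up front keeps `pulumi preview` as the place where such mistakes are caught.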
Beyond these examples
This snippet focuses on connector registration in Sentinel workspaces. It’s intentionally minimal rather than a complete AWS-to-Azure integration.
The example requires pre-existing infrastructure such as a Log Analytics workspace, Azure resource group, and AWS IAM role with CloudTrailReadOnly policy (configured outside Pulumi). It demonstrates connector registration without covering the full AWS setup.
To keep things focused, common connector patterns are omitted, including:
- AWS role ARN configuration (awsRoleArn)
- Data type filtering (dataTypes)
- Connector state management and updates
- Cross-account AWS access setup
These omissions are intentional: the goal is to illustrate how the connector resource is wired, not provide drop-in AWS integration modules. See the AwsCloudTrailDataConnector resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Setup
- The role referenced by awsRoleArn must have the CloudTrailReadOnly policy attached so that Sentinel can read CloudTrail from your AWS account.
- Set kind to AmazonWebServicesCloudTrail; this is the only accepted value for this connector type.

Resource Management
- dataConnectorId, resourceGroupName, and workspaceName are fixed at creation. To change any of them, you must recreate the connector.