Configure Azure AWS CloudTrail Data Connector

The azure-native:securityinsights:AwsCloudTrailDataConnector resource, part of the Pulumi Azure Native provider, registers an AWS CloudTrail data connector within an Azure Sentinel workspace, establishing the link between AWS audit logs and Sentinel’s threat detection. This guide focuses on one capability: connector registration in Sentinel workspaces.

The connector references an existing Sentinel workspace and assumes AWS CloudTrail and IAM roles are configured separately. The example is intentionally minimal. Extend it with AWS role ARN configuration and data type filtering for complete integration.

Register an AWS CloudTrail connector in a Sentinel workspace

Security teams integrate AWS CloudTrail logs into Azure Sentinel to correlate cloud activity across AWS and Azure environments.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const awsCloudTrailDataConnector = new azure_native.securityinsights.AwsCloudTrailDataConnector("awsCloudTrailDataConnector", {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
    kind: "AmazonWebServicesCloudTrail", // required discriminator for this connector type
});

Python

import pulumi
import pulumi_azure_native as azure_native

aws_cloud_trail_data_connector = azure_native.securityinsights.AwsCloudTrailDataConnector("awsCloudTrailDataConnector",
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    resource_group_name="myRg",
    workspace_name="myWorkspace",
    kind="AmazonWebServicesCloudTrail")  # required discriminator for this connector type

Go

package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewAwsCloudTrailDataConnector(ctx, "awsCloudTrailDataConnector", &securityinsights.AwsCloudTrailDataConnectorArgs{
			DataConnectorId:   pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
			Kind:              pulumi.String("AmazonWebServicesCloudTrail"), // required discriminator for this connector type
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    var awsCloudTrailDataConnector = new AzureNative.SecurityInsights.AwsCloudTrailDataConnector("awsCloudTrailDataConnector", new()
    {
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
        Kind = "AmazonWebServicesCloudTrail", // required discriminator for this connector type
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.AwsCloudTrailDataConnector;
import com.pulumi.azurenative.securityinsights.AwsCloudTrailDataConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var awsCloudTrailDataConnector = new AwsCloudTrailDataConnector("awsCloudTrailDataConnector", AwsCloudTrailDataConnectorArgs.builder()
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .kind("AmazonWebServicesCloudTrail") // required discriminator for this connector type
            .build());

    }
}

YAML

resources:
  awsCloudTrailDataConnector:
    type: azure-native:securityinsights:AwsCloudTrailDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      resourceGroupName: myRg
      workspaceName: myWorkspace
      kind: AmazonWebServicesCloudTrail # required discriminator for this connector type

The dataConnectorId provides a unique identifier for this connector instance. The resourceGroupName and workspaceName target the Sentinel workspace where CloudTrail events will flow. This minimal configuration establishes the connector registration; AWS role ARN and data type filtering are configured through additional properties not shown here.

Beyond these examples

This snippet focuses on data connector registration. It’s intentionally minimal rather than a full cross-cloud integration.

The example references pre-existing infrastructure: the Azure Sentinel workspace, the Azure resource group, and the AWS CloudTrail configuration and IAM role (referenced but not created). It focuses on connector registration rather than provisioning the surrounding infrastructure.

To keep things focused, common connector patterns are omitted, including:

  • AWS role ARN configuration (awsRoleArn)
  • Data type filtering (dataTypes)
  • Connector state management and updates
  • Cross-account AWS access setup

These omissions are intentional: the goal is to illustrate how the connector registration is wired, not provide drop-in security integration modules. See the AwsCloudTrailDataConnector resource reference for all available configuration options.
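As an added example that is not part of this page or the Pulumi provider, the block below fills in the omitted inputs (kind, awsRoleArn, dataTypes) as a plain TypeScript object and preflights it before it would be handed to the resource constructor. The validateConnectorArgs helper is hypothetical, the role ARN is a constructed sample value, and the property names mirror the AwsCloudTrailDataConnector inputs named on this page.

```typescript
// Added example, not code from the Pulumi page or provider. The interface mirrors the
// connector's inputs so the object can be passed to
// new azure_native.securityinsights.AwsCloudTrailDataConnector(name, args) unchanged.
interface AwsCloudTrailConnectorArgs {
    dataConnectorId: string;
    resourceGroupName: string;
    workspaceName: string;
    kind?: string;                                   // must be "AmazonWebServicesCloudTrail"
    awsRoleArn?: string;                             // IAM role Sentinel assumes to read CloudTrail
    dataTypes?: { logs: { state: "Enabled" | "Disabled" } };
}

const EXPECTED_KIND = "AmazonWebServicesCloudTrail";
// Shape of an IAM role ARN: arn:aws:iam::<12-digit account>:role/<path and name>
const ROLE_ARN = /^arn:aws:iam::\d{12}:role\/[\w+=,.@\/-]+$/;

// Hypothetical preflight helper: returns a list of problems; empty means safe to deploy.
function validateConnectorArgs(args: AwsCloudTrailConnectorArgs): string[] {
    const problems: string[] = [];
    for (const key of ["dataConnectorId", "resourceGroupName", "workspaceName"] as const) {
        if (!args[key]) problems.push(`${key} is required`);
    }
    if (args.kind !== EXPECTED_KIND) problems.push(`kind must be ${EXPECTED_KIND}`);
    if (!args.dataTypes) {
        problems.push("dataTypes is required");
    } else if (args.dataTypes.logs.state !== "Enabled") {
        problems.push("dataTypes.logs is not Enabled; no CloudTrail events will be ingested");
    }
    if (args.awsRoleArn !== undefined && !ROLE_ARN.test(args.awsRoleArn)) {
        problems.push("awsRoleArn is not an IAM role ARN (arn:aws:iam::<account>:role/<name>)");
    }
    return problems;
}

// Fuller configuration: the page's minimal example plus the properties it omits.
const connectorArgs: AwsCloudTrailConnectorArgs = {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
    kind: EXPECTED_KIND,
    awsRoleArn: "arn:aws:iam::123456789012:role/SentinelCloudTrailReader", // constructed sample
    dataTypes: { logs: { state: "Enabled" } },
};

// In a Pulumi program, deploy only when the preflight passes:
//   if (validateConnectorArgs(connectorArgs).length === 0) {
//       new azure_native.securityinsights.AwsCloudTrailDataConnector("awsCloudTrailDataConnector", connectorArgs);
//   }
```

Run against the page's own minimal example (no kind, no dataTypes), the preflight reports exactly the two missing required inputs the FAQ lists.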

Frequently Asked Questions

Configuration & Setup

What are the minimum required properties to create an AWS CloudTrail data connector?

You must provide dataConnectorId, resourceGroupName, workspaceName, dataTypes, and kind. The kind property must be set to AmazonWebServicesCloudTrail.

What IAM policy does my AWS role need for the data connector?

The AWS role specified in awsRoleArn must have the CloudTrailReadOnly policy to access your AWS account.

What value should I use for the kind property?

Set kind to AmazonWebServicesCloudTrail. This is the expected value for AWS CloudTrail data connectors.

Resource Management

What properties can't be changed after creating the data connector?

The dataConnectorId, resourceGroupName, and workspaceName properties are immutable. Changing any of these requires replacing the resource.

What API version does this resource use?

This resource uses Azure REST API version 2024-09-01. In version 2.x of the Azure Native provider, it used API version 2023-02-01.
