Enabling CloudTrail

To enable CloudTrail tracking for object ACL changes, you must enable CloudTrail and configure the setting in Forcepoint ONE SSE.

Steps

  1. Back on the AWS home page, navigate to Services > Management & Governance > CloudTrail > Create trail.




  2. Fill out the fields as appropriate for your environment and desired setup.
    1. Provide a name for the trail.
    2. Select the storage location (new or existing bucket).
    3. If you are creating a new bucket, provide a name for it.
    4. Select whether you want the file to be encrypted and, if so, where the encryption key is managed.
    5. Finally, select additional settings for log file validation and/or SNS notification.
    6. Optional settings for CloudWatch and tags are not required but can be configured if desired. Click Next at the bottom to proceed.




  3. On the Events page, select the type of events you want to track and, at the bottom, the action trigger (read or write), then click Next to proceed.


  4. On the final page, review your configuration and click Create Trail at the bottom.


  5. Once you are done, go back to the Forcepoint ONE SSE portal, navigate to Protect > Policies > AWS > Setup API, and click the API policy instance you want to adjust under the API Setup section. At the bottom, you will see a field for the CloudTrail bucket. Enter the name of the CloudTrail bucket that you just created above (or the existing bucket you are using to store your CloudTrail logs). Forcepoint ONE SSE will now scan the trail results in the bucket to track changes.
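
To confirm that the trail created in the steps above will record object ACL changes, the following added example (not part of the Forcepoint or AWS documentation) checks saved output from `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors`. It assumes that object ACL changes (PutObjectAcl) are logged as S3 data events with write access and that log file validation is wanted; the trail, bucket and function names are constructed for illustration.

```python
# Constructed sample in the shape of one `aws cloudtrail describe-trails` entry.
TRAIL = {"Name": "example-trail", "S3BucketName": "example-cloudtrail-logs",
         "LogFileValidationEnabled": True}

# Constructed sample in the shape of `aws cloudtrail get-event-selectors` output.
# It records S3 object data events, but only reads, so ACL writes are missed.
SELECTORS = {"EventSelectors": [{
    "ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object",
                       "Values": ["arn:aws:s3:::example-data-bucket/"]}]}]}

def basic_logs_s3_writes(sel):
    """Basic selector: S3 object data events with write (or all) access."""
    has_s3 = any(r.get("Type") == "AWS::S3::Object" and r.get("Values")
                 for r in sel.get("DataResources", []))
    return has_s3 and sel.get("ReadWriteType") in ("WriteOnly", "All")

def advanced_logs_s3_writes(sel):
    """Advanced selector: Data category, S3 objects, not limited to reads.
    Narrower filters (eventName, resources.ARN) are not evaluated here."""
    fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
    is_data = "Data" in fields.get("eventCategory", {}).get("Equals", [])
    is_s3 = "AWS::S3::Object" in fields.get("resources.type", {}).get("Equals", [])
    read_only = fields.get("readOnly", {}).get("Equals", [])
    return is_data and is_s3 and "true" not in read_only

def check_trail(trail, selectors, expected_bucket):
    """Return a list of findings; an empty list means the trail passes."""
    findings = []
    if trail.get("S3BucketName") != expected_bucket:
        findings.append("trail delivers to %r, not %r"
                        % (trail.get("S3BucketName"), expected_bucket))
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled")
    basic = selectors.get("EventSelectors") or []
    advanced = selectors.get("AdvancedEventSelectors") or []
    if not (any(basic_logs_s3_writes(s) for s in basic)
            or any(advanced_logs_s3_writes(s) for s in advanced)):
        findings.append("no selector records S3 object write data events")
    return findings

if __name__ == "__main__":
    # expected_bucket is the name entered in the CloudTrail bucket field in step 5.
    for finding in check_trail(TRAIL, SELECTORS, "example-cloudtrail-logs"):
        print("FINDING:", finding)
```
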