To assist with debugging Event activity occurring in AWS accounts, Aqua Wave CSPM supports live-tailing the CloudTrail event log. This feature is only accessible in the UI and is not designed for long-running access; instead it is designed to provide insight into activity occurring over a 5-10 minute timeframe.


TABLE OF CONTENTS


CloudTrail Live Tail Access

The Live Tail feature works by calling the "lookupEvents" API call for CloudTrail, returning the list of most recent events. For this to work, the IAM role associated with CSPM must allow the "cloudtrail:lookupEvents" permission.


Tailing Logs

To use the Live Tail feature, follow the below steps:

  1. Log into the Aqua Wave console and navigate to the "Tools" > "CloudTrail Tail" page
  2. Select a connected cloud account from the drop-down list
  3. Click "Begin Log Tail"
  4. You can click any row to expand the full event details.


It may take 10-15 seconds for events to begin appearing. Once they do, the table will be updated every 10-15 seconds until you leave the page or select a new account to tail.