TrailTool Installation (Alpha)

WARNING: This is alpha software and may have bugs.

Prerequisites

Before installing TrailTool, make sure you have:

AWS CloudTrail enabled - A trail writing logs to S3
IAM Identity Center (AWS SSO) - Your users must authenticate via Identity Center
S3 bucket name - The full name of your CloudTrail S3 bucket (e.g., aws-controltower-logs-123456789012-us-east-1)
Email address - For your TrailTool login

IMPORTANT: You must deploy this CloudFormation stack in the AWS account and region that contains your CloudTrail S3 bucket. You need permissions to create IAM roles, Lambda functions, EventBridge rules, and modify S3 bucket policies.

Installation Steps

Step 1: Enter your information below to generate a CloudFormation console link.

Step 2: Click the generated link - it opens the AWS CloudFormation console with pre-filled parameters.

Step 3: In the CloudFormation console, review the permissions and click "Create Stack".

Step 4: Wait 2-3 minutes for the stack to complete (status will show CREATE_COMPLETE).

Step 5: Check your email inbox for a magic link from TrailTool to log in.

What Gets Installed

The CloudFormation stack (view template) creates the following resources in your AWS account:

1. Custom Lambda Function (BucketPolicyHelperFunction)

A temporary Lambda that runs during stack creation to:

Add a bucket policy statement granting TrailTool (account 468087121425) read access to your CloudTrail S3 bucket
Enable EventBridge notifications on your CloudTrail bucket so we receive real-time events when new logs arrive
Preserves any existing bucket policies and notifications - only adds what's needed

2. EventBridge Rule (CloudTrailEventsRule)

Monitors your CloudTrail S3 bucket for new log files and automatically invokes TrailTool's ingestor Lambda when logs arrive. Pattern matches:

Source: aws.s3
Event type: Object Created
Prefix: AWSLogs/
Suffix: .json.gz

3. IAM Role (EventBridgeInvokeRole)

Allows your EventBridge rule to invoke our Lambda function (arn:aws:lambda:REGION:468087121425:function:trailtool-ingestor) cross-account.

4. Customer Registration (TrailToolRegistration)

A CloudFormation custom resource that registers your account with TrailTool and sends you a magic link email for authentication.

Data flow: Your logs stay in your S3 bucket. When new CloudTrail logs arrive, EventBridge notifies our Lambda which reads and processes them. TrailTool runs in AWS account 468087121425.

Support

Email: info@engseclabs.com

Expect rough edges.