Prerequisites

  • AWS account with CloudTrail enabled and logs stored in S3
  • Terraform 1.0+ (or OpenTofu)
  • Anyshift API token (generate one from the AWS integration page)

How It Works

The Anyshift Forwarder is a Lambda function that:
  1. Triggers automatically when new CloudTrail logs are written to S3
  2. Parses and processes the CloudTrail events
  3. Forwards the events to Anyshift for analysis and visualization

Installation

Step 1: Store Your API Token

Create a secret in AWS Secrets Manager to store your Anyshift API token:
aws secretsmanager create-secret \
  --name anyshift-forwarder-token \
  --secret-string "YOUR_API_TOKEN" \
  --region us-east-1
Replace YOUR_API_TOKEN with your token from the AWS integration page. Because the token is passed on the command line, it may be saved in your shell history.

Step 2: Clone the Terraform Module

git clone https://github.com/anyshift-io/anyshift-forwarder.git
cd anyshift-forwarder

Step 3: Configure Variables

Create a terraform.tfvars file:
aws_account_id            = "YOUR_AWS_ACCOUNT_ID"
aws_region                = "us-east-1"
cloudtrail_bucket_arn     = "arn:aws:s3:::YOUR_CLOUDTRAIL_BUCKET"
anyshift_token_secret_arn = "arn:aws:secretsmanager:us-east-1:YOUR_ACCOUNT:secret:anyshift-forwarder-token-XXXXXX"

# Use the pre-built Lambda layer for your region (check releases for latest version)
lambda_layer_arn = "arn:aws:lambda:us-east-1:211125758836:layer:anyshift-forwarder:3"

# Optional: If your CloudTrail bucket uses KMS encryption
# kms_key_arn = "arn:aws:kms:us-east-1:YOUR_ACCOUNT:key/YOUR_KEY_ID"

Step 4: Deploy

terraform init
terraform apply

Configuration Options

Variable                    Description                                                   Required
aws_account_id              Your AWS account ID                                           Yes
aws_region                  AWS region for deployment                                     Yes
cloudtrail_bucket_arn       ARN of your CloudTrail S3 bucket                              Yes
anyshift_token_secret_arn   ARN of the Secrets Manager secret containing your API token   Yes
lambda_layer_arn            ARN of the pre-built Lambda layer for your region             Yes
kms_key_arn                 KMS key ARN if your bucket uses SSE-KMS encryption            No

Lambda Layer ARN

Use the following ARN format, replacing {REGION} with your AWS region:
arn:aws:lambda:{REGION}:211125758836:layer:anyshift-forwarder:3
Check the releases page for the latest version. Supported regions: us-east-1, us-east-2, us-west-1, us-west-2, eu-west-1, eu-west-2, eu-west-3, eu-central-1, eu-north-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, ca-central-1
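
An added pre-apply check, not part of the Anyshift module or its documentation: it verifies that lambda_layer_arn in terraform.tfvars follows the format above, is published by account 211125758836, is pinned to a numeric version, and sits in the same supported region as aws_region, and that no YOUR_ or XXXXXX placeholders remain. The function names and the sample account ID are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-apply check of terraform.tfvars. Not part of the Anyshift module.
PUBLISHER="211125758836"        # layer publisher account, from the ARN format on this page
LAYER_NAME="anyshift-forwarder"
SUPPORTED="us-east-1 us-east-2 us-west-1 us-west-2 eu-west-1 eu-west-2 eu-west-3 eu-central-1 eu-north-1 ap-northeast-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-south-1 sa-east-1 ca-central-1"

# tfvar FILE KEY: print the quoted value of the first uncommented KEY = "value" line.
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_layer_arn ARN REGION: return 0 only if ARN is the expected layer for REGION.
check_layer_arn() {
  IFS=: read -r p1 p2 svc arn_region acct kind name ver extra <<EOF
$1
EOF
  if [ "$p1:$p2:$svc:$kind" != "arn:aws:lambda:layer" ] || [ -n "$extra" ]; then
    echo "lambda_layer_arn is not a Lambda layer version ARN"; return 1; fi
  if [ "$acct" != "$PUBLISHER" ] || [ "$name" != "$LAYER_NAME" ]; then
    echo "layer is not $LAYER_NAME published by account $PUBLISHER"; return 2; fi
  case "$ver" in ''|*[!0-9]*) echo "layer version is not pinned to a number"; return 3;; esac
  if [ "$arn_region" != "$2" ]; then
    echo "layer region $arn_region differs from aws_region $2"; return 4; fi
  case " $SUPPORTED " in *" $2 "*) ;; *) echo "region $2 has no pre-built layer"; return 5;; esac
}

# check_tfvars FILE: reject leftover placeholders, then validate the layer ARN.
check_tfvars() {
  if grep -v '^[[:space:]]*#' "$1" | grep -Eq 'YOUR_|XXXXXX'; then
    echo "placeholder values are still present"; return 6; fi
  check_layer_arn "$(tfvar "$1" lambda_layer_arn)" "$(tfvar "$1" aws_region)"
}

# Constructed sample: the page's us-east-1 layer ARN copied into an eu-west-1 deployment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
aws_account_id   = "111122223333"
aws_region       = "eu-west-1"
lambda_layer_arn = "arn:aws:lambda:us-east-1:211125758836:layer:anyshift-forwarder:3"
EOF
check_tfvars "$sample" || echo "fix terraform.tfvars before running terraform apply"
rm -f "$sample"
```

Call check_tfvars terraform.tfvars from the module directory before terraform apply; a non-zero return code identifies which check failed.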

Validate Installation

Check that the Lambda function is deployed:
aws lambda get-function --function-name anyshift-forwarder --region us-east-1
View Lambda logs:
aws logs tail /aws/lambda/anyshift-forwarder --follow --region us-east-1

Permissions

The Lambda function requires the following permissions:
  • S3: Read access to your CloudTrail bucket
  • Secrets Manager: Read access to the API token secret
  • KMS: Decrypt permission (only if using KMS-encrypted bucket)
  • CloudWatch Logs: Write access for logging
All permissions are automatically configured by the Terraform module.

Upgrade

To upgrade to the latest version:
cd anyshift-forwarder
git pull origin main
terraform apply
When using Lambda layers, simply update the lambda_layer_arn to the latest version from the releases page.

Uninstall

terraform destroy

Source Code

The Anyshift Forwarder is open source. View the source code and releases, report issues, or contribute in the GitHub repository: https://github.com/anyshift-io/anyshift-forwarder