# CloudTrail Integration

> Forward AWS CloudTrail logs to Annie to enrich your infrastructure knowledge graph with API activity and changes.

## Prerequisites

* AWS account with CloudTrail enabled and logs stored in S3
* Terraform 1.0+ (or OpenTofu)
* Anyshift API token (generate one from the [AWS integration page](https://app.anyshift.io/integrations/aws))

## How It Works

The Anyshift Forwarder is a Lambda function that:

1. Triggers automatically when new CloudTrail logs are written to S3
2. Parses and processes the CloudTrail events
3. Forwards the events to Anyshift for analysis and visualization

## Installation

### Step 1: Store Your API Token

Create a secret in AWS Secrets Manager to store your Anyshift API token:

```bash
aws secretsmanager create-secret \
  --name anyshift-forwarder-token \
  --secret-string "YOUR_API_TOKEN" \
  --region us-east-1
```

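Replace `YOUR_API_TOKEN` with your token from the [AWS integration page](https://app.anyshift.io/integrations/aws). The command's output includes the secret's `ARN`, which you need for `anyshift_token_secret_arn` in Step 3. Because the token is passed as a command-line argument, it is also recorded in your shell history.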

### Step 2: Clone the Terraform Module

```bash
git clone https://github.com/anyshift-io/anyshift-forwarder.git
cd anyshift-forwarder
```

### Step 3: Configure Variables

Create a `terraform.tfvars` file:

```hcl
aws_account_id            = "YOUR_AWS_ACCOUNT_ID"
aws_region                = "us-east-1"
cloudtrail_bucket_arn     = "arn:aws:s3:::YOUR_CLOUDTRAIL_BUCKET"
anyshift_token_secret_arn = "arn:aws:secretsmanager:us-east-1:YOUR_ACCOUNT:secret:anyshift-forwarder-token-XXXXXX"

# Use the pre-built Lambda layer for your region (check releases for latest version)
lambda_layer_arn = "arn:aws:lambda:us-east-1:211125758836:layer:anyshift-forwarder:3"

# Optional: If your CloudTrail bucket uses KMS encryption
# kms_key_arn = "arn:aws:kms:us-east-1:YOUR_ACCOUNT:key/YOUR_KEY_ID"
```

### Step 4: Deploy

```bash
terraform init
terraform apply
```

## Configuration Options

| Variable                    | Description                                                 | Required |
| --------------------------- | ----------------------------------------------------------- | -------- |
| `aws_account_id`            | Your AWS account ID                                         | Yes      |
| `aws_region`                | AWS region for deployment                                   | Yes      |
| `cloudtrail_bucket_arn`     | ARN of your CloudTrail S3 bucket                            | Yes      |
| `anyshift_token_secret_arn` | ARN of the Secrets Manager secret containing your API token | Yes      |
| `lambda_layer_arn`          | ARN of the pre-built Lambda layer for your region           | Yes      |
| `kms_key_arn`               | KMS key ARN if your bucket uses SSE-KMS encryption          | No       |

## Lambda Layer ARN

Use the following ARN format, replacing `{REGION}` with your AWS region:

```
arn:aws:lambda:{REGION}:211125758836:layer:anyshift-forwarder:3
```

Check the [releases page](https://github.com/anyshift-io/anyshift-forwarder/releases) for the latest version.

Supported regions: `us-east-1`, `us-east-2`, `us-west-1`, `us-west-2`, `eu-west-1`, `eu-west-2`, `eu-west-3`, `eu-central-1`, `eu-north-1`, `ap-northeast-1`, `ap-northeast-2`, `ap-southeast-1`, `ap-southeast-2`, `ap-south-1`, `sa-east-1`, `ca-central-1`
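
A pre-`terraform apply` check of the `terraform.tfvars` values, as an added example that is not part of the Anyshift module: it confirms the layer ARN is owned by the publisher account shown above and sits in the deployment region, because the layer's code runs with read access to your CloudTrail bucket and API token. The names `parse_tfvars` and `check_tfvars` and the sample values are hypothetical, and the same-account check on the secret is an assumption.

```python
import re

# Publisher account and supported regions are the ones listed on this page.
LAYER_ACCOUNT = "211125758836"
SUPPORTED_REGIONS = set((
    "us-east-1 us-east-2 us-west-1 us-west-2 eu-west-1 eu-west-2 eu-west-3 "
    "eu-central-1 eu-north-1 ap-northeast-1 ap-northeast-2 ap-southeast-1 "
    "ap-southeast-2 ap-south-1 sa-east-1 ca-central-1").split())
LAYER_RE = re.compile(r"arn:aws:lambda:([a-z0-9-]+):(\d{12}):layer:anyshift-forwarder:\d+")
SECRET_RE = re.compile(r"arn:aws:secretsmanager:[a-z0-9-]+:(\d{12}):secret:.+")

def parse_tfvars(text):
    """Read flat `name = "value"` lines; commented-out and blank lines are skipped."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, flags=re.M))

def check_tfvars(text):
    """Return a list of problems; an empty list means the values are consistent."""
    v, problems = parse_tfvars(text), []
    region, account = v.get("aws_region", ""), v.get("aws_account_id", "")
    if not re.fullmatch(r"\d{12}", account):
        problems.append("aws_account_id is not a 12-digit account ID")
    if region not in SUPPORTED_REGIONS:
        problems.append(f"no layer is published for region {region!r}")
    layer = LAYER_RE.fullmatch(v.get("lambda_layer_arn", ""))
    if not layer:
        problems.append("lambda_layer_arn is not an anyshift-forwarder layer version ARN")
    else:
        if layer.group(2) != LAYER_ACCOUNT:  # code from an unexpected publisher
            problems.append(f"layer is owned by account {layer.group(2)}, not {LAYER_ACCOUNT}")
        if layer.group(1) != region:  # Lambda only attaches layers from its own region
            problems.append(f"layer region {layer.group(1)} differs from aws_region {region}")
    secret = SECRET_RE.fullmatch(v.get("anyshift_token_secret_arn", ""))
    if not secret:
        problems.append("anyshift_token_secret_arn is not a Secrets Manager secret ARN")
    elif secret.group(1) != account:  # assumption: the secret lives in the deployment account
        problems.append("secret ARN account differs from aws_account_id")
    return problems

# Constructed sample: the us-east-1 layer ARN copied into an eu-west-1 deployment.
SAMPLE = '''
aws_account_id            = "123456789012"
aws_region                = "eu-west-1"
anyshift_token_secret_arn = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:anyshift-forwarder-token-AbCdEf"
lambda_layer_arn          = "arn:aws:lambda:us-east-1:211125758836:layer:anyshift-forwarder:3"
'''

if __name__ == "__main__":
    print("\n".join(check_tfvars(SAMPLE)) or "terraform.tfvars looks consistent")
```

Unreplaced placeholders such as `YOUR_ACCOUNT` fail the 12-digit account patterns, so the same check catches a half-edited file.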

## Validate Installation

Check that the Lambda function is deployed:

```bash
aws lambda get-function --function-name anyshift-forwarder --region us-east-1
```

View Lambda logs:

```bash
aws logs tail /aws/lambda/anyshift-forwarder --follow --region us-east-1
```

## Permissions

The Lambda function requires the following permissions:

* **S3**: Read access to your CloudTrail bucket
* **Secrets Manager**: Read access to the API token secret
* **KMS**: Decrypt permission (only if using KMS-encrypted bucket)
* **CloudWatch Logs**: Write access for logging

All permissions are automatically configured by the Terraform module.

## Upgrade

To upgrade to the latest version:

```bash
cd anyshift-forwarder
git pull origin main
terraform apply
```

When using Lambda layers, simply update the `lambda_layer_arn` to the latest version from the [releases page](https://github.com/anyshift-io/anyshift-forwarder/releases).

## Uninstall

```bash
terraform destroy
```

## Source Code

The Anyshift Forwarder is open source. View the source code, report issues, or contribute:

<Card title="GitHub Repository" icon="github" href="https://github.com/anyshift-io/anyshift-forwarder">
  View source code and releases
</Card>
