To assist with debugging event activity occurring in AWS accounts, Aqua CSPM supports live-tailing the CloudTrail event log. This feature is accessible only in the UI and is not designed for long-running access; it is intended to provide insight into activity occurring over a 5-10 minute timeframe.




CloudTrail Live Tail Access

The Live Tail feature works by calling the CloudTrail "lookupEvents" API, which returns the list of most recent events. For this to work, the IAM role associated with CSPM must allow the "cloudtrail:lookupEvents" permission.
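
An added example, not Aqua's code: a simplified offline check of whether the policy documents attached to the CSPM role grant the permission above. It handles case-insensitive action names, wildcards, NotAction and explicit Deny, ignores Condition blocks, and assumes LookupEvents accepts only Resource "*"; the function names and sample policies are constructed for illustration.

```python
import re

REQUIRED = "cloudtrail:LookupEvents"  # the permission this page names

def _listify(value):
    """IAM accepts either a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def _covers(stmt, action):
    """True if the statement applies to `action` (Condition blocks are ignored)."""
    if "NotAction" in stmt:
        hit = not any(_matches(p, action) for p in _listify(stmt["NotAction"]))
    else:
        hit = any(_matches(p, action) for p in _listify(stmt.get("Action")))
    # Assumption: LookupEvents has no resource-level permissions, so only "*" applies.
    return hit and "*" in _listify(stmt.get("Resource"))

def lookup_events_access(policies):
    """Return 'denied', 'allowed' or 'not_granted' for a list of policy documents."""
    allowed = False
    for policy in policies:
        for stmt in _listify(policy.get("Statement")):
            if not _covers(stmt, REQUIRED):
                continue
            if stmt.get("Effect") == "Deny":
                return "denied"  # an explicit Deny overrides any Allow
            allowed = allowed or stmt.get("Effect") == "Allow"
    return "allowed" if allowed else "not_granted"

# Constructed sample policies (not taken from any real account).
MINIMAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudtrail:lookupEvents", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": {  # trail ARN does not cover this action
    "Effect": "Allow", "Action": "cloudtrail:Look*",
    "Resource": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example"}}
GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "cloudtrail:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("minimal:", lookup_events_access([MINIMAL]))
    print("scoped to a trail ARN:", lookup_events_access([SCOPED]))
    print("minimal + deny guardrail:", lookup_events_access([MINIMAL, GUARDRAIL]))
```

A result of "not_granted" or "denied" for the role's policies points to the permission as the reason no events appear in the tail.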


Tailing Logs

To use the Live Tail feature, follow these steps:

  1. Log into the Aqua Platform and navigate to the Tools > CloudTrail Tail page.
  2. Select a connected cloud account from the drop-down list.
  3. Click Begin Log Tail.
  4. You can click any row to expand the full event details.


It may take 10-15 seconds for events to begin appearing. Once they do, the table will be updated every 10-15 seconds until you leave the page or select a new account to tail.