|
| 1 | +--- |
| 2 | +title: AWS CloudTrail Updates (Apps) |
| 3 | +image: https://help.sumologic.com/img/sumo-square.png |
| 4 | +keywords: |
| 5 | + - apps |
| 6 | + - aws-cloudtrail |
| 7 | +hide_table_of_contents: true |
| 8 | +--- |
| 9 | + |
| 10 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 11 | + |
| 12 | +AWS is streamlining [CloudTrail](https://aws.amazon.com/cloudtrail/) events for [IAM Identity Center](https://aws.amazon.com/iam/identity-center/) to retain only the essential fields needed for audit and incident response workflows. These changes improve user identification and integration with directories like Okta and Microsoft Active Directory, and do not impact CloudTrail events from other AWS services. |
| 13 | + |
| 14 | +To support this update, Sumo Logic has revised several AWS apps and Cloud SIEM parsers. If you use CloudTrail data in saved searches, dashboards, or detection rules, you may need to reinstall affected apps or update custom content before AWS enforces the changes on July 14, 2025. |
| 15 | + |
| 16 | +To learn more, see [Important changes to CloudTrail events for AWS IAM Identity Center](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/). |
| 17 | + |
| 18 | +### Impact following the AWS CloudTrail updates |
| 19 | + |
| 20 | +AWS is updating CloudTrail events for IAM Identity Center, affecting how user identity data is structured. So, if you are using the updated fields in your Cloud SIEM content or across the Sumo Logic platform, you need to update any saved queries, dashboards, or detection rules to reflect these changes and ensure continued functionality. |
| 21 | + |
| 22 | +Key actions required while updating the AWS CloudTrail include: |
| 23 | +- Sumo Logic provided apps must be manually reinstalled to incorporate the updated event field mappings. |
| 24 | +- Cloud SIEM parsers have auto-updated and require no customer intervention. |
| 25 | + |
| 26 | +### Action plan for Sumo Logic users |
| 27 | + |
| 28 | +#### Step 1: Reinstall the relevant Sumo Logic apps |
| 29 | + |
| 30 | +If you're using any of the following apps that consume CloudTrail data, you must reinstall them: |
| 31 | +- [Amazon CloudTrail – Cloud Security Monitoring and Analytics](/docs/integrations/cloud-security-monitoring-analytics/aws-cloudtrail/) |
| 32 | +- [AWS CloudTrail](/docs/integrations/amazon-aws/cloudtrail/) |
| 33 | +- [CIS AWS Foundations Benchmark](/docs/integrations/amazon-aws/cis-aws-foundations-benchmark/) |
| 34 | +- [PCI Compliance for AWS CloudTrail](/docs/integrations/amazon-aws/cloudtrail-pci-compliance/) |
| 35 | +- [Threat Intel for AWS](/docs/integrations/amazon-aws/threat-intel/) |
| 36 | +- [Cloud Infrastructure Security for AWS](/docs/security/additional-security-features/cloud-infrastructure-security/cloud-infrastructure-security-for-aws/) |
| 37 | + |
| 38 | +To reinstall any of the above apps, follow the steps below: |
| 39 | + |
| 40 | +1. Navigate to the **App Catalog**. |
| 41 | +1. Search for the relevant app. |
| 42 | +1. Install to deploy updated content under a new folder. |
| 43 | + |
| 44 | +:::info |
| 45 | +These are Classic apps (V1), and reinstalling them will create a new folder in your Content Library with updated dashboards. |
| 46 | +::: |
| 47 | + |
| 48 | +#### Step 2: Update the custom saved searches and dashboards |
| 49 | + |
| 50 | +If you’ve created custom content based on CloudTrail fields, manual field updates as given below will be required to accommodate the new schema: |
| 51 | +- Move the `userName` field from the `userIdentity` element to the `additionalEventData` element. |
| 52 | +- Remove the `principalId` field from the schema. |
| 53 | +- Move the `userId`, `identityStoreArn`, and `credentialId` fields to the `userIdentity` element. |
| 54 | + |
| 55 | +For more information on field changes, see [AWS Security Blog](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/#:~:text=How%20to%20prepare%20your%20workflows%20for%20the%20upcoming%20changes%20to%20IAM%20Identity%20Center%20user%20identification%20in%20CloudTrail). |
| 56 | + |
| 57 | +:::note |
| 58 | +AWS plans to implement these enhancements on [July 14, 2025](https://aws.amazon.com/blogs/security/modifications-to-aws-cloudtrail-event-data-of-iam-identity-center/#:~:text=Effective%20July%2014%2C%202025). |
| 59 | + |
| 60 | +Sumo Logic apps are backward-compatible, allowing you to update the apps ahead of time. For any custom content outside of Sumo Logic’s apps or parsers, ensure your changes are backward compatible and deploy updates before July 14, 2025. |
| 61 | +::: |
| 62 | + |
| 63 | +### FAQ |
| 64 | + |
| 65 | +#### What happens if I don’t update my applications or searches? |
| 66 | + |
| 67 | +Failure to update your apps, saved searches, or dashboards will result in user-related fields not being parsed correctly. Consequently, visualizations and panels relying on those fields will appear empty or display inaccurate data. |
0 commit comments