{"id":24605301,"url":"https://github.com/berttejeda/terraform-aws-sentinel","last_synced_at":"2026-02-01T12:42:08.297Z","repository":{"id":277566498,"uuid":"921775539","full_name":"berttejeda/terraform-aws-sentinel","owner":"berttejeda","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-24T15:43:39.000Z","size":351,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-01-12T22:36:58.331Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/berttejeda.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-24T15:40:49.000Z","updated_at":"2025-01-24T15:43:42.000Z","dependencies_parsed_at":"2025-02-14T16:48:47.488Z","dependency_job_id":null,"html_url":"https://github.com/berttejeda/terraform-aws-sentinel","commit_stats":null,"previous_names":["berttejeda/terraform-aws-sentinel"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/berttejeda/terraform-aws-sentinel","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/berttejeda%2Fterraform-aws-sentinel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/berttejeda%2Fterraform-aws-sentinel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/berttejeda%2Fterraform-aws-sentinel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/berttejeda%2Fterraform-aws-sentinel/manifests","owner_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/berttejeda","download_url":"https://codeload.github.com/berttejeda/terraform-aws-sentinel/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/berttejeda%2Fterraform-aws-sentinel/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28978181,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T12:13:08.691Z","status":"ssl_error","status_checked_at":"2026-02-01T12:13:08.356Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-24T16:16:43.658Z","updated_at":"2026-02-01T12:42:08.115Z","avatar_url":"https://github.com/berttejeda.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Microsoft Azure Sentinel AWS Integration\n\nTerraform workspace which creates all resources to connect integrate your AWS account with Microsoft Azure Sentinel.\n\nFeel free to acquaint yourself with the Microsoft Sentinel Documentation\n  - Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data | Microsoft Learn\n    https://learn.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3#add-the-aws-role-and-queue-information-to-the-s3-data-connector\n  - \n\nLastly, this workspace is mostly code copied from:\n\npagopa/terraform-aws-sentinel: Terraform module to send logs to 
Azure Sentinel\nhttps://github.com/pagopa/terraform-aws-sentinel\n\n# Example usage\n\n```shell\n# Make sure you populate your AWS credentials beforehand\ngit clone https://github.com/berttejeda/terraform-aws-sentinel\ncd terraform-aws-sentinel\nterraform init\nterraform plan\nterraform apply\n```\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n# Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.2.0   |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 4.0.0 |\n\n# Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 5.84.0 |\n\n# Modules\n\nNo modules.\n\n# Resources\n\n| Name | Type |\n|------|------|\n| [aws_cloudtrail.sentinel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |\n| [aws_cloudwatch_log_group.s3_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_iam_policy.s3_cloudtrail_cloudwatch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.sentinel_allow_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_policy.sentinel_allow_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_role.s3_cloudtrail_cloudwatch_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.sentinel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy_attachment.s3_cloudtrail_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) 
| resource |\n| [aws_iam_role_policy_attachment.sentinel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_kms_alias.sentinel_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |\n| [aws_kms_key.sentinel_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_s3_bucket.sentinel_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |\n| [aws_s3_bucket_acl.sentinel_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |\n| [aws_s3_bucket_lifecycle_configuration.sentinel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |\n| [aws_s3_bucket_notification.sentinel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |\n| [aws_s3_bucket_ownership_controls.private_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |\n| [aws_s3_bucket_policy.sentinel_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |\n| [aws_s3_bucket_public_access_block.sentinel_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |\n| [aws_sqs_queue.sentinel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_iam_policy.sentinel](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |\n| 
[aws_iam_policy_document.cloudtrail_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.sentinel_role_trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_region.region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n\n# Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_account_id\"\u003e\u003c/a\u003e [account\\_id](#input\\_account\\_id) | AWS account id | `string` | n/a | yes |\n| \u003ca name=\"input_aws_region\"\u003e\u003c/a\u003e [aws\\_region](#input\\_aws\\_region) | AWS Region | `string` | `\"eu-south-1\"` | no |\n| \u003ca name=\"input_expiration_days\"\u003e\u003c/a\u003e [expiration\\_days](#input\\_expiration\\_days) | The lifetime, in days, of the objects that are subject to the rule. | `number` | `7` | no |\n| \u003ca name=\"input_is_multi_region_trail\"\u003e\u003c/a\u003e [is\\_multi\\_region\\_trail](#input\\_is\\_multi\\_region\\_trail) | Whether the trail is created in the current region or in all regions. | `bool` | `false` | no |\n| \u003ca name=\"input_is_organization_trail\"\u003e\u003c/a\u003e [is\\_organization\\_trail](#input\\_is\\_organization\\_trail) | Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. 
| `bool` | `false` | no |\n| \u003ca name=\"input_log_group_name\"\u003e\u003c/a\u003e [log\\_group\\_name](#input\\_log\\_group\\_name) | Cloudwatch Log Group Name | `string` | n/a | yes |\n| \u003ca name=\"input_log_retention_in_days\"\u003e\u003c/a\u003e [log\\_retention\\_in\\_days](#input\\_log\\_retention\\_in\\_days) | The lifetime, in days, of the cloudwatch log objects that are subject to the rule. | `number` | `14` | no |\n| \u003ca name=\"input_organization_id\"\u003e\u003c/a\u003e [organization\\_id](#input\\_organization\\_id) | AWS organization id: when you integrate Sentinel to the whole organization. is\\_organization\\_trail should be true. | `string` | `null` | no |\n| \u003ca name=\"input_queue_name\"\u003e\u003c/a\u003e [queue\\_name](#input\\_queue\\_name) | SQS queue on which Sentinel gets notifications for new logs to read. | `string` | n/a | yes |\n| \u003ca name=\"input_sentinel_bucket_prefix\"\u003e\u003c/a\u003e [sentinel\\_bucket\\_prefix](#input\\_sentinel\\_bucket\\_prefix) | Naming prefix for the bucket where CloudTrail logs are stored and consumed by Sentinel. | `string` | n/a | yes |\n| \u003ca name=\"input_sentinel_servcie_account_id\"\u003e\u003c/a\u003e [sentinel\\_servcie\\_account\\_id](#input\\_sentinel\\_servcie\\_account\\_id) | Microsoft Sentinel's service account ID for AWS. | `string` | `\"197857026523\"` | no |\n| \u003ca name=\"input_sentinel_workspace_id\"\u003e\u003c/a\u003e [sentinel\\_workspace\\_id](#input\\_sentinel\\_workspace\\_id) | Sentinel workspace id | `string` | `null` | no |\n| \u003ca name=\"input_trail_name\"\u003e\u003c/a\u003e [trail\\_name](#input\\_trail\\_name) | Trail name with events to send to Azure Sentinel. 
| `string` | n/a | yes |\n\n# Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_sentinel_queue_url\"\u003e\u003c/a\u003e [sentinel\\_queue\\_url](#output\\_sentinel\\_queue\\_url) | n/a |\n| \u003ca name=\"output_sentinel_role_arn\"\u003e\u003c/a\u003e [sentinel\\_role\\_arn](#output\\_sentinel\\_role\\_arn) | n/a |\n\u003c!-- END_TF_DOCS --\u003e\n\n# Appendix\n\n## Enable Health and Monitoring\n\nAs per: Turn on auditing and health monitoring in Microsoft Sentinel | Microsoft Learn\nhttps://learn.microsoft.com/en-us/azure/sentinel/enable-monitoring?tabs=azure-portal\n\n1. Go to https://portal.azure.com/#home\n2. Search for \"Microsoft Sentinel\"\n3. Click the workspace containing the desired instance of Sentinel\n4. From the left-hand navigation menu, click \"Settings\"\n5. From the Settings view, click the \"Settings\" tab\n6. Under the \"Audit and health monitoring\" section, click the \"Enable\" button\n7. From the left-hand navigation menu, click \"Logs\"\n8. Close the Queries hub modal popup\n9. Wait 30 minutes\n10. In the query field, enter the query `SentinelHealth | take 20`\n11. If the results are empty, try waiting an additional 30 minutes to an hour\n\n### Overview Page\n\n![Alt text](assets/images/microsoft_sentinel_overview.png?raw=true \"Microsoft Sentinel Overview\")\n\n### Sample Query\n\nYou can pull up pre-made queries. Simply search for \"AWS\" in this case, and click the query you want to use.\n\n![Alt text](assets/images/microsoft_sentinel_query.png?raw=true \"Microsoft Sentinel Overview\")\n\n## Uninstall Microsoft Azure\n\n1. Go to https://portal.azure.com/#home\n2. Search for \"Microsoft Sentinel\"\n3. Click the workspace containing the desired instance of Sentinel\n4. From the left-hand navigation menu, click \"Settings\"\n5. From the Settings view, click the \"Settings\" tab\n6. 
Under the \"Remove Microsoft Sentinel\" section, click the \"Remove Microsoft Sentinel from your workspace\" button\n\n## Troubleshooting the Azure AWS Connector\n\nTroubleshoot AWS S3 connector issues - Microsoft Sentinel | Microsoft Learn\nhttps://learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fberttejeda%2Fterraform-aws-sentinel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fberttejeda%2Fterraform-aws-sentinel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fberttejeda%2Fterraform-aws-sentinel/lists"}