As an MSP and Huntress reseller, we've heard this question from clients and prospects alike: "We love what Huntress SIEM does for endpoint and syslog visibility, but what about our AWS environment?" It's a fair question, but it hasn't had a clear answer yet. Huntress has a SIEM integration for AWS on their roadmap, but we don't yet know a release timeframe. For organizations that need cloud infrastructure monitoring today, we've got a solution!
We've published a complete, open-source GitHub repository with everything you need to forward AWS CloudTrail logs into Huntress SIEM. The repo includes detailed setup instructions, infrastructure configuration guidance, and working code examples covering the full pipeline: CloudTrail -> S3 -> Lambda -> Huntress.
- Step-by-step configuration for AWS CloudTrail, S3 buckets, and Lambda functions
- Ready-to-deploy code that transforms and forwards CloudTrail events to the Huntress SIEM log ingestion endpoint
- IAM policy examples so you can follow least-privilege principles from the start
- Troubleshooting guidance for common deployment issues
The architecture is straightforward:
- CloudTrail writes log files to an S3 bucket
- An S3 event notification triggers a Lambda function whenever new logs arrive
- The Lambda function reads, decompresses, and parses the CloudTrail records, then forwards them to Huntress SIEM via their log ingestion API
It's serverless, cost-efficient, and requires no additional infrastructure to maintain.
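To make the pipeline concrete, here is the core of such a Lambda in Python as an added example; it is not the repository's code. The Huntress ingestion URL, token, NDJSON body format and batch size are assumptions to be replaced with the values in the repo's README.

```python
import gzip
import json
import os
import urllib.parse
import urllib.request

# Placeholders (assumed): the real ingestion URL and token come from the repo's README.
HUNTRESS_URL = os.environ.get("HUNTRESS_INGEST_URL", "https://INGEST-URL-PLACEHOLDER")
HUNTRESS_TOKEN = os.environ.get("HUNTRESS_INGEST_TOKEN", "TOKEN-PLACEHOLDER")
BATCH_SIZE = 500  # assumed: keep request bodies modest; tune to the endpoint's limits

def parse_cloudtrail(gz_bytes: bytes) -> list:
    """Decompress one CloudTrail log object ({"Records": [...]}) into its record list."""
    return json.loads(gzip.decompress(gz_bytes)).get("Records", [])

def forward(records: list, send) -> int:
    """Serialize records as NDJSON and hand each batch to send(body); returns records sent."""
    sent = 0
    for i in range(0, len(records), BATCH_SIZE):
        batch = records[i:i + BATCH_SIZE]
        send("\n".join(json.dumps(r, separators=(",", ":")) for r in batch).encode())
        sent += len(batch)
    return sent

def send_to_huntress(body: bytes) -> None:
    """POST one batch to the (assumed) ingestion endpoint; urlopen raises on 4xx/5xx."""
    req = urllib.request.Request(HUNTRESS_URL, data=body, method="POST", headers={
        "Content-Type": "application/x-ndjson", "Authorization": f"Bearer {HUNTRESS_TOKEN}"})
    urllib.request.urlopen(req, timeout=10).close()

def lambda_handler(event, context):
    """S3 ObjectCreated notification -> fetch, parse, forward. Needs only s3:GetObject on the bucket."""
    import boto3  # present in the Lambda runtime; imported lazily so parsing stays testable offline
    s3 = boto3.client("s3")
    total = 0
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        total += forward(parse_cloudtrail(s3.get_object(Bucket=bucket, Key=key)["Body"].read()),
                         send_to_huntress)
    return {"forwarded": total}

def demo() -> int:
    """Constructed two-record CloudTrail file, forwarded to an in-memory sink instead of Huntress."""
    sample = {"Records": [{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"},
                          {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"}]}
    sink = []
    return forward(parse_cloudtrail(gzip.compress(json.dumps(sample).encode())), sink.append)
```

The `unquote_plus` step matters in practice: S3 URL-encodes object keys in event notifications, so CloudTrail paths containing characters such as `+` or `:` will otherwise fail the `GetObject` call.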
If you're running workloads in AWS, CloudTrail is one of the most important data sources you have. It records every API call made across your AWS environment: who did what, when they did it, and from where. Console logins, IAM changes, security group modifications, resource creation and deletion, and more.
Without forwarding that data into your SIEM, you're flying blind on an entire attack surface. An attacker who compromises AWS credentials can create backdoor IAM users, exfiltrate data from S3, spin up crypto-mining instances, or disable logging entirely, and none of that activity would appear in Huntress SIEM without an integration like this one.
By deploying this solution, you gain the ability to correlate AWS cloud activity alongside your endpoint and identity telemetry in a single pane of glass. That's the promise of SIEM, and your cloud infrastructure shouldn't be left out of it!
If you've been evaluating Huntress SIEM but held off because you weren't sure it could cover your AWS footprint, consider this your green light. The platform itself is excellent - purpose-built, with managed detection, sensible pricing, and a team that actually understands the channel. This repository gives you a fully functional bridge that you can deploy in less than an hour. We've tested this in production across multiple AWS accounts and have been very happy with the results!
The repository is publicly available on GitHub. Clone it, follow the README, and you can have CloudTrail logs landing in Huntress SIEM before you know it.
If you're not yet using Huntress and want to get started, we'd be thrilled to give you a demo and a no-obligation quote. Reach out today to get started!