
Overview

The AWS CloudTrail integration automatically discovers AI model usage in your AWS environment by monitoring CloudTrail events for Amazon Bedrock API calls. This gives your security team visibility into which AI models are being used, by whom, and how frequently.

What Data Is Collected

Ayliea reads API call metadata only from CloudTrail:
  • Model IDs — which Bedrock models are invoked (e.g., anthropic.claude-3-sonnet)
  • User identities — IAM users or roles making the calls
  • Timestamps — when calls occurred
  • Event names — the API action (e.g., InvokeModel)
  • Region — which AWS region the call was made in
Ayliea never reads prompt content, model responses, or any payload data. CloudTrail records for Bedrock calls carry only request metadata (the request body is not logged there), and that metadata is all Ayliea accesses. If you have enabled Bedrock's separate model invocation logging, that data is delivered to S3 or CloudWatch Logs, which this integration does not touch.

Prerequisites

  • An AWS account with Amazon Bedrock enabled
  • Permission to create IAM users and policies
  • An Ayliea organization on the Business plan or higher

Setup Steps

1. Create an IAM Policy

In the AWS Console, navigate to IAM > Policies > Create Policy and paste this JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudtrail:LookupEvents",
      "Resource": "*"
    }
  ]
}
Name the policy something descriptive like AylieaCloudTrailReadOnly.
This policy grants read-only access to CloudTrail event history; nothing in it can modify an AWS resource. Note that cloudtrail:LookupEvents does not support resource-level restrictions, so Resource must be "*", and whoever holds the key can read the metadata of every management event in the region, not only Bedrock calls.

2. Create an IAM User

  1. Go to IAM > Users > Create User
  2. Name the user (e.g., ayliea-cloudtrail-reader)
  3. Do not enable console access
  4. Attach the AylieaCloudTrailReadOnly policy you created

3. Generate Access Keys

  1. Open the new user’s detail page
  2. Go to Security credentials > Access keys > Create access key
  3. Select Third-party service as the use case
  4. Copy the Access Key ID and Secret Access Key
The secret access key is shown only once. Store it securely until you've entered it in Ayliea, and treat it as a long-lived credential: rotate it periodically by creating a second key for the user, updating Ayliea, and then deleting the old key.

4. Connect in Ayliea

  1. Go to Organization > Cloud Integrations
  2. Click Connect on the AWS CloudTrail card
  3. Enter your Access Key ID, Secret Access Key, and Region
  4. Click Test Connection to validate
  5. Click Connect to save
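The four steps above, scripted with boto3 and followed by the check a reviewer would want: that the policy really grants only cloudtrail:LookupEvents, that the new key can call LookupEvents, and that it is refused elsewhere (an S3 ListBuckets probe). This is an added example, not Ayliea's or AWS's own code. It assumes administrator credentials in the environment when run as a script; POLICY_NAME, USER_NAME and the choice of S3 as the negative probe are this example's own, and the policy check runs offline without AWS access.

```python
"""Provision the Ayliea CloudTrail reader with boto3 and prove it is least-privilege.

Added example, not Ayliea's or AWS's tooling. policy_is_least_privilege() runs
offline; provision() and verify_reader() need boto3 plus admin credentials and
are only called from __main__.
"""
import json
import time
from datetime import datetime, timedelta, timezone

POLICY_NAME = "AylieaCloudTrailReadOnly"      # name used in the setup steps
USER_NAME = "ayliea-cloudtrail-reader"        # name used in the setup steps
ALLOWED_ACTIONS = {"cloudtrail:LookupEvents"}  # the only action the reader may hold

POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "cloudtrail:LookupEvents", "Resource": "*"}],
}


def policy_is_least_privilege(doc):
    """True only if no Allow statement grants anything beyond cloudtrail:LookupEvents.
    Rejects the usual drift ("cloudtrail:*", an extra s3 action, NotAction tricks)
    before the document ever reaches IAM."""
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            return False  # inverted matching is never least-privilege here
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not actions or not set(actions) <= ALLOWED_ACTIONS:
            return False  # wildcard or foreign action
    return True


def provision(iam):
    """Setup steps 1-3: policy, API-only user (no login profile), attachment, one key.
    iam is a boto3 IAM client with administrative rights."""
    arn = iam.create_policy(
        PolicyName=POLICY_NAME, PolicyDocument=json.dumps(POLICY_DOCUMENT)
    )["Policy"]["Arn"]
    iam.create_user(UserName=USER_NAME)
    iam.attach_user_policy(UserName=USER_NAME, PolicyArn=arn)
    key = iam.create_access_key(UserName=USER_NAME)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


def verify_reader(session):
    """Positive and negative probes with the new key; session is a boto3.Session built
    from it. Returns (lookup_ok, bedrock_seen, s3_denied)."""
    from botocore.exceptions import ClientError

    lookup_ok = bedrock_seen = s3_denied = False
    try:
        resp = session.client("cloudtrail").lookup_events(
            LookupAttributes=[{"AttributeKey": "EventSource",
                               "AttributeValue": "bedrock.amazonaws.com"}],
            StartTime=datetime.now(timezone.utc) - timedelta(hours=24),
            MaxResults=5,
        )
        lookup_ok, bedrock_seen = True, bool(resp["Events"])
    except ClientError as err:
        print("LookupEvents failed:", err.response["Error"]["Code"])
    try:
        session.client("s3").list_buckets()  # must fail: the reader holds no S3 rights
    except ClientError as err:
        s3_denied = err.response["Error"]["Code"] == "AccessDenied"
    return lookup_ok, bedrock_seen, s3_denied


if __name__ == "__main__":
    import boto3

    assert policy_is_least_privilege(POLICY_DOCUMENT)
    key_id, secret = provision(boto3.client("iam"))
    time.sleep(10)  # new IAM principals take a few seconds to become usable
    reader = boto3.Session(aws_access_key_id=key_id, aws_secret_access_key=secret,
                           region_name="us-east-1")
    print(verify_reader(reader))  # expect (True, <usage-dependent>, True)
```

A result of (True, False, True) means the key and policy are correct but no Bedrock call was recorded in the region in the last 24 hours, which is the same situation the "No platforms discovered" troubleshooting entry describes.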

Polling Schedule

Once connected, Ayliea polls CloudTrail daily at 7:00 AM UTC. Each poll covers the time since the last successful poll; the first poll covers the previous 24 hours. Keep in mind that the event history LookupEvents reads only reaches back 90 days.
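The fields listed under What Data Is Collected, pulled out of LookupEvents output, together with the since-last-poll window described above, as an added example that is not Ayliea's code. The response shape assumed here (EventName, EventSource, Username, and CloudTrailEvent as a JSON string holding eventSource, eventName, awsRegion, userIdentity.arn and requestParameters.modelId) is the standard CloudTrail record format; SAMPLE_EVENTS, the account number and the ARNs in it are constructed for this example, and fetch_bedrock_events expects a boto3 CloudTrail client created from the reader key.

```python
"""Extract the five metadata fields from CloudTrail LookupEvents output and compute
the polling window. Added example, not Ayliea's code; sample data is constructed."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

BEDROCK_SOURCE = "bedrock.amazonaws.com"


def _record(identity_arn, identity_type, name, region, model_id=None,
            source=BEDROCK_SOURCE, when="2024-05-01T09:12:33Z"):
    """Build one event in the shape LookupEvents returns (constructed for this example).
    Bedrock records carry the model ID in requestParameters; the prompt body is absent."""
    rec = {
        "eventVersion": "1.08",
        "userIdentity": {"type": identity_type, "arn": identity_arn},
        "eventTime": when,
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "requestParameters": {"modelId": model_id} if model_id else None,
    }
    return {"EventName": name, "EventSource": source,
            "Username": identity_arn.rsplit("/", 1)[-1],
            "CloudTrailEvent": json.dumps(rec)}


ACCOUNT = "123456789012"  # constructed
SAMPLE_EVENTS = [
    _record(f"arn:aws:iam::{ACCOUNT}:user/alice", "IAMUser", "InvokeModel",
            "us-east-1", "anthropic.claude-3-sonnet"),
    _record(f"arn:aws:sts::{ACCOUNT}:assumed-role/app-backend/i-0abc", "AssumedRole",
            "InvokeModelWithResponseStream", "us-east-1", "anthropic.claude-3-sonnet",
            when="2024-05-01T10:02:10Z"),
    _record(f"arn:aws:iam::{ACCOUNT}:user/alice", "IAMUser", "InvokeModel",
            "us-east-1", "amazon.titan-text-express-v1", when="2024-05-01T11:45:00Z"),
    # Bedrock control-plane call with no model: listed, but not a model invocation.
    _record(f"arn:aws:iam::{ACCOUNT}:user/alice", "IAMUser", "ListFoundationModels", "us-east-1"),
    # Unrelated service, in case the EventSource filter was not applied upstream.
    _record(f"arn:aws:iam::{ACCOUNT}:user/bob", "IAMUser", "ListUsers", "us-east-1",
            source="iam.amazonaws.com"),
]


def extract_usage(events):
    """Keep only Bedrock model invocations and return the five metadata fields."""
    usage = []
    for ev in events:
        rec = json.loads(ev["CloudTrailEvent"])
        if rec.get("eventSource") != BEDROCK_SOURCE:
            continue
        model_id = (rec.get("requestParameters") or {}).get("modelId")
        if not model_id:
            continue  # control-plane call, not a model invocation
        usage.append({
            "model_id": model_id,
            "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
            "timestamp": rec["eventTime"],
            "event_name": rec["eventName"],
            "region": rec["awsRegion"],
        })
    return usage


def summarize(usage):
    """Invocation counts per (model, principal): which models, by whom, how often."""
    return Counter((u["model_id"], u["principal"]) for u in usage)


def poll_window(last_success, now=None):
    """Window for the next poll: since the last successful poll, or 24 hours on the
    first run. LookupEvents only reaches back 90 days, so a long outage is capped."""
    now = now or datetime.now(timezone.utc)
    start = last_success or now - timedelta(hours=24)
    return max(start, now - timedelta(days=90)), now


def fetch_bedrock_events(cloudtrail, start, end):
    """Page through LookupEvents for Bedrock only. cloudtrail is a boto3 client built from
    the reader key; AWS throttles this API (about two requests per second per account
    and region), so let the paginator run at its own pace."""
    pages = cloudtrail.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventSource", "AttributeValue": BEDROCK_SOURCE}],
        StartTime=start, EndTime=end,
    )
    return [ev for page in pages for ev in page["Events"]]


if __name__ == "__main__":
    for (model, principal), n in summarize(extract_usage(SAMPLE_EVENTS)).items():
        print(f"{n:3d}  {model:32s}  {principal}")
```

Filtering on eventSource in the code as well as in the LookupAttributes request is deliberate: it keeps the extraction correct if the upstream filter is ever dropped, and it is what stops an IAM or S3 event from being counted as model usage.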

Troubleshooting

"Invalid credentials or insufficient permissions"

  • Verify the Access Key ID and Secret Access Key are correct
  • Confirm the IAM user has the AylieaCloudTrailReadOnly policy attached
  • Check that CloudTrail event history is reachable in the specified region (it is on by default, but a region your account has not enabled will reject the call)

"Failed to connect to AWS CloudTrail"

  • Verify the region is correct (e.g., us-east-1, not US East)
  • Check that your AWS account doesn’t have restrictive SCPs blocking CloudTrail access

No platforms discovered after connecting

  • Confirm that Amazon Bedrock is being used in the specified region
  • CloudTrail events may take up to 15 minutes to appear
  • The first poll covers only the previous 24 hours; if Bedrock was not called in that window, wait for the next daily poll

Security Considerations

  • Credentials are encrypted with AES-256-GCM before storage
  • The IAM policy grants read-only access to CloudTrail events only
  • The policy above allows only cloudtrail:LookupEvents, so the credential cannot reach S3 buckets, Lambda functions, or any other AWS service, and Ayliea never calls them
  • You can revoke access at any time: deactivate or delete the access key (or the IAM user) in AWS to revoke it at the source, and disconnect the integration in Ayliea to remove the stored credential. Disconnecting in Ayliea alone leaves the key valid in AWS.