> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ayliea.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS CloudTrail Integration

> Discover AI model usage across your AWS environment by connecting CloudTrail to Ayliea.

## Overview

The AWS CloudTrail integration automatically discovers AI model usage in your AWS environment by monitoring CloudTrail events for Amazon Bedrock API calls. This gives your security team visibility into which AI models are being used, by whom, and how frequently.

## What Data Is Collected

Ayliea reads **API call metadata only** from CloudTrail:

* **Model IDs** — which Bedrock models are invoked (e.g., `anthropic.claude-3-sonnet`)
* **User identities** — IAM users or roles making the calls
* **Timestamps** — when calls occurred
* **Event names** — the API action (e.g., `InvokeModel`)
* **Region** — which AWS region the call was made in

<Warning>
  Ayliea **never** reads prompt content, model responses, or any payload data. Only event metadata from CloudTrail is accessed.
</Warning>

## Prerequisites

* An AWS account with Amazon Bedrock enabled
* Permission to create IAM users and policies
* An Ayliea organization on the Business plan or higher

## Setup Steps

### 1. Create an IAM Policy

In the AWS Console, navigate to **IAM > Policies > Create Policy** and paste this JSON:

```json theme={null}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cloudtrail:LookupEvents",
      "Resource": "*"
    }
  ]
}
```

Name the policy something descriptive like `AylieaCloudTrailReadOnly`.

<Note>
  This policy grants **read-only** access to CloudTrail events. It cannot modify any AWS resources.
</Note>

### 2. Create an IAM User

1. Go to **IAM > Users > Create User**
2. Name the user (e.g., `ayliea-cloudtrail-reader`)
3. Do **not** enable console access
4. Attach the `AylieaCloudTrailReadOnly` policy you created

### 3. Generate Access Keys

1. Open the new user's detail page
2. Go to **Security credentials > Access keys > Create access key**
3. Select **Third-party service** as the use case
4. Copy the **Access Key ID** and **Secret Access Key**

<Warning>
  The secret access key is only shown once. Store it securely until you've entered it in Ayliea.
</Warning>

### 4. Connect in Ayliea

1. Go to **Organization > Cloud Integrations**
2. Click **Connect** on the AWS CloudTrail card
3. Enter your Access Key ID, Secret Access Key, and Region
4. Click **Test Connection** to validate
5. Click **Connect** to save

## Polling Schedule

Once connected, Ayliea polls CloudTrail **daily at 7:00 AM UTC**. Each poll covers the time since the last successful poll. The first poll covers the previous 24 hours.

## Troubleshooting

### "Invalid credentials or insufficient permissions"

* Verify the Access Key ID and Secret Access Key are correct
* Confirm the IAM user has the `AylieaCloudTrailReadOnly` policy attached
* Check that CloudTrail is enabled in the specified region

### "Failed to connect to AWS CloudTrail"

* Verify the region is correct (e.g., `us-east-1`, not `US East`)
* Check that your AWS account doesn't have restrictive SCPs blocking CloudTrail access

### No platforms discovered after connecting

* Confirm that Amazon Bedrock is being used in the specified region
* CloudTrail events may take up to 15 minutes to appear
* The first poll covers only the last 24 hours — wait for the next daily poll

## Security Considerations

* Credentials are encrypted with AES-256-GCM before storage
* The IAM policy grants **read-only** access to CloudTrail events only
* Ayliea never accesses S3 buckets, Lambda functions, or any other AWS services
* You can revoke access at any time by deleting the IAM user or disconnecting in Ayliea
