# Appendix 2 - Manual AWS Deployment

## Creating a CDR for AWS Connection

**Step 1**

* To create the CDR for AWS Connection, in the Vectra UI, navigate to *Data Sources > AWS CloudTrail* and click the **Get Started** button.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/7MSKj0aDdZOqFTg38UTy/CDR_for_AWS_Deployment_Guide-2025_Jun_27-13.png)

**Step 2**

* Give your connection a name.
* Click **Create and Continue**.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/5zNZjkGGfrKWNpUG9FiH/CDR_for_AWS_Deployment_Guide-2025_Jun_27-14.png)

## Manual AWS Configuration

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/Zv1DIsJcwKezk00FEGUx/CDR_for_AWS_Deployment_Guide-2025_Jun_27-4.png)

**Step 1**

* Click the dropdown **Create roles manually**.
* Make note of **Vectra’s AWS Account ID** and **External ID** that have been provided for you.
  * You will need these to create a working AWS IAM role.
* The **CDR for AWS Deployment Guide** (formerly known as Detect for AWS) that is linked below the Account ID is the document you are currently reading.

**Step 2**

In this step you create an AWS Simple Notification Service (SNS) topic that Vectra can subscribe to. An existing topic can be reused. The topic must be in the same region as the S3 bucket that contains the CloudTrail logs.

* Navigate to the SNS service in AWS.
* Select **Topics**.
* Click **Create Topic** and fill in the following information:
  * Select the **Standard** type.
  * Give it a name.
  * Ensure that encryption is disabled (this is the default).
  * Open the Access Policy section and select the **Advanced** type.
  * Remove any sample policy and paste in the JSON-formatted SNS Topic Access Policy shown below.
  * Click **Create topic**.
* Make note of the ARN in your newly created topic so that it can be provided during setup.

Please note that Vectra will automatically configure your CloudTrail S3 bucket to send event notifications to this SNS topic when you complete the deployment in the Vectra UI (this is what the `s3:PutBucketNotification` permission in Step 3 is used for), so you do not need to perform that action manually.

{% hint style="info" %}
**Please Note:**

Example policies below are also available to download as [attachments to this article](https://docs.vectra.ai/deployment/cdr-for-aws/deployment).
{% endhint %}

**SNS Topic Access Policy for Step 2**

```
{
  "Version": "2012-10-17",
  "Id": "SNSPolicyDocument",
  "Statement": [
    {
      "Sid": "allowS3ToPublish",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sns:Publish",
      "Resource": "*"
    }
  ]
}
```

**Step 3**

* Create an AWS IAM role that trusts Vectra’s AWS Account ID and requires the External ID provided in Step 1, for the CDR for AWS service to assume.
* Make note of the ARN for the role so that it can be provided during setup.
  * The ARN for the role can be found in *AWS IAM → Roles → The role you created for Vectra → Role ARN.*

**Required Role Permissions for Step 3:**

* Account information in IAM
  * `iam:ListAccountAliases`
  * `iam:ListUsers`
  * `iam:ListRoles`
* CloudTrail log S3 bucket permissions
  * `s3:GetObject`
  * `s3:GetBucketNotification`
  * `s3:ListBucket`
  * `s3:PutBucketNotification`
* SNS Topic information
  * `sns:Subscribe`
  * `sns:Unsubscribe`
* CloudTrail information
  * `cloudtrail:GetTrail`
  * `cloudtrail:ListTrails`
  * `cloudtrail:GetTrailStatus`
  * `cloudtrail:DescribeTrails`
* KMS decryption permission, scoped exclusively to the KMS key used for encryption
  * `kms:Decrypt`

**Sample IAM Role Policy for Step 3:**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:AWSACCOUNT:key/UUID",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListRoles",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:DescribeTrails",
                "sns:Unsubscribe"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetBucketNotification",
                "s3:ListBucket",
                "s3:PutBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::aws-cloudtrail-logs-example",
                "arn:aws:s3:::aws-cloudtrail-logs-example/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sns:Subscribe"
            ],
            "Resource": "arn:aws:sns:us-west-2:AWSACCOUNT:vectraStack-SnsTopic-ARN",
            "Effect": "Allow"
        }
    ]
}
```
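As an added example (not Vectra's own code), the following Python builds the cross-account trust policy that Step 3 leaves to the reader, with the External ID enforced as an `sts:ExternalId` condition, and checks a permissions policy against the required action list above, flagging misspelled actions and scoped actions granted on a wildcard resource. The account ID, External ID and ARNs are placeholders, and the sample policy it checks is constructed.

```python
# Added example, not Vectra's code: builds the Step 3 trust policy and checks a
# permissions policy against the guide's required actions. IDs are placeholders.
REQUIRED_ACTIONS = {  # the actions the guide lists as required for the role
    "iam:ListAccountAliases", "iam:ListUsers", "iam:ListRoles",
    "s3:GetObject", "s3:GetBucketNotification", "s3:ListBucket",
    "s3:PutBucketNotification", "sns:Subscribe", "sns:Unsubscribe",
    "cloudtrail:GetTrail", "cloudtrail:ListTrails",
    "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails", "kms:Decrypt",
}
# Actions the sample policy scopes to specific ARNs; granting them on "*" is over-broad.
SCOPED_ACTIONS = {a for a in REQUIRED_ACTIONS if a.startswith("s3:")} | {"kms:Decrypt", "sns:Subscribe"}
_lst = lambda v: v if isinstance(v, list) else [v]  # IAM allows a string or a list

def trust_policy(vectra_account_id: str, external_id: str) -> dict:
    """Trust Vectra's account only when it presents the External ID (confused-deputy guard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vectra_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def check_role_policy(policy: dict) -> dict:
    """Report missing required actions, unexpected extras (typos land here),
    and scoped actions that were granted on a wildcard resource."""
    granted, wildcard = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_lst(stmt["Action"]))
        granted |= actions
        if "*" in _lst(stmt.get("Resource", "*")):
            wildcard |= actions & SCOPED_ACTIONS
    return {"missing": sorted(REQUIRED_ACTIONS - granted),
            "extra": sorted(granted - REQUIRED_ACTIONS),
            "wildcard_scoped": sorted(wildcard)}

# Constructed sample: one CloudTrail action misspelled and kms:Decrypt granted on "*".
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iam:ListAccountAliases", "iam:ListUsers", "iam:ListRoles",
        "cloudtrail:GetTrail", "cloudtrail:ListTrails", "cloudtrail:GetTrailStatus",
        "cloudtrail:DescribeTrials", "sns:Unsubscribe"]},
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::aws-cloudtrail-logs-example",
        "arn:aws:s3:::aws-cloudtrail-logs-example/*"], "Action": [
        "s3:GetObject", "s3:GetBucketNotification", "s3:ListBucket", "s3:PutBucketNotification"]},
    {"Effect": "Allow", "Action": "sns:Subscribe",
     "Resource": "arn:aws:sns:us-west-2:111122223333:example-topic"},
]}
```

Running `check_role_policy(SAMPLE_POLICY)` reports `cloudtrail:DescribeTrails` as missing, `cloudtrail:DescribeTrials` as an unexpected extra, and `kms:Decrypt` as granted on a wildcard resource.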

## Completing the Deployment in the Vectra UI

After the IAM role and SNS topic have been created, either via the CloudFormation template or manually, enter the following information into the Vectra UI to complete the deployment:

* SNS topic ARN
* ARN for the role
* S3 Bucket

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/Kl49XQBq8fwYim8lGLDl/CDR_for_AWS_Deployment_Guide-2025_Jun_27-5.png)

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/1uWnhCiuQlKsy81It6k2/CDR_for_AWS_Deployment_Guide-2025_Jun_27-3.png)

{% hint style="success" %}
After entering the information and clicking **Authorize**, you have completed the configuration. The deployed Connection will remain in an **Authorization in Progress** state until Vectra’s cloud is successfully retrieving logs.
{% endhint %}
