# Deploy via CloudFormation

## Deployment via CloudFormation Template

The CloudFormation template automates the following:

* Creates an AWS IAM role that grants Vectra access to the customer’s AWS account, CloudTrail logs, and S3 bucket.
* Creates an SNS topic and policy.
* Allows the specification of a KMS Key and grants permission for decryption to Vectra.
  * This is optional but is required for customers who are using KMS encryption on their CloudTrail logs.

## Creating a CDR for AWS Connection

**Step 1**

* To create the CDR for AWS Connection, in the Vectra UI, navigate to *Configuration → Data Sources → AWS CloudTrail* and click the **Get Started** button.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/7MSKj0aDdZOqFTg38UTy/CDR_for_AWS_Deployment_Guide-2025_Jun_27-13.png)

**Step 2**

* Give your connection a name.
* Click “Create and Continue”.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/5zNZjkGGfrKWNpUG9FiH/CDR_for_AWS_Deployment_Guide-2025_Jun_27-14.png)

**Step 3**

* Please ensure that you are logged into the AWS account that you will be deploying into.
* In your Vectra UI, select the region containing your S3 bucket - **Region where your AWS data resides**.
  * The CloudFormation script needs to run in the same region that contains your CloudTrail log bucket.
  * Please see [CloudTrail Log S3 Bucket Location and Region](https://docs.vectra.ai/deployment/cdr-for-aws/appendix-1-aws-configuration-notes#cloudtrail-log-s3-bucket-location-and-region) in [Appendix 1](https://docs.vectra.ai/deployment/cdr-for-aws/deployment/appendix-1-aws-configuration-notes) for details.
* Click on the **Run this CloudFormation script to connect your S3 bucket in \<region>** link.
  * An admin for your AWS account will be needed to execute this script.
  * If you are not authorized to run this script yourself, copy the link and supply it to a user who can.
  * After successfully running the script, you will return here to complete and authorize the configuration.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/UzlhJMqIWaOzyp31AyFA/CDR_for_AWS_Deployment_Guide-2025_Jun_27-10.png)

### CloudFormation Template Configuration

**Step 1**

You will be brought to CloudFormation on the **Stack Details** page with some information already filled in.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/KQM0eCdsn8iR3nw6MBAL/CDR_for_AWS_Deployment_Guide-2025_Jun_27-11.png)

**Fill in the rest of the information required on this page:**

**CloudTrailS3BucketName** – The S3 bucket that contains the CloudTrail logs.

* This is the only field that is required.

The other fields are:

**Stack name** – Name for the AWS Stack.

* A default is provided, but this can be changed as desired within the syntax limitations of AWS.

**ExternalId** – A unique identifier for you as a customer in Vectra.

* This is created automatically for you by Vectra and should not be changed.

**KMSKey** – (Optional).

* If you use KMS to encrypt your CloudTrail logs, enter the ARN of the KMS key here.
* Leave empty if your CloudTrail logs are unencrypted.
* See [KMS Encrypted S3 Bucket Support](https://docs.vectra.ai/deployment/cdr-for-aws/appendix-1-aws-configuration-notes#kms-encrypted-s3-bucket-support) in [Appendix 1](https://docs.vectra.ai/deployment/cdr-for-aws/deployment/appendix-1-aws-configuration-notes) for more details.

**SNSTopicForS3Events** – (Optional).

* If you already have an SNS Topic configured for your S3 bucket, simply enter its ARN here.
  * The SNS topic needs to be deployed in the same region as the S3 bucket that contains your CloudTrail logs.
* If you do not already have an SNS Topic configured, the CloudFormation script will create one for you if you leave this empty.

**VectraAccountId** – Vectra’s AWS account ID (pre-filled by the CloudFormation template).

* We will assume the role to pull the log data from this account.
* Do not change this value.

**VectraIAMRoleName** – The name of the role that we will create in your account to access the CloudTrail logs.

* A default name is provided, but you can change it if you wish.
* Click the checkbox acknowledging that AWS CloudFormation might create IAM resources with custom names.
* Click **Create stack**.
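To make the parameters above concrete, here is an illustrative CloudFormation template that accepts the same six parameters and builds the same kind of resources (a cross-account IAM role, an optional SNS topic with its policy, and an optional KMS decrypt grant). This is an added example written for this page; it is not Vectra's template, and the resource names, the placeholder account ID, the default role name and the exact permission set are assumptions. The security-relevant parts are the trust policy, which only lets the named vendor account assume the role and only when it presents the **ExternalId** (the standard confused-deputy mitigation), and the read-only, bucket-scoped S3 permissions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Illustrative cross-account CloudTrail log-reader stack (example, not the vendor's template)

Parameters:
  CloudTrailS3BucketName:
    Type: String
    Description: S3 bucket that holds the CloudTrail logs (required)
  ExternalId:
    Type: String
    MinLength: 8
    Description: Unique customer identifier supplied by the vendor; enforced in the trust policy
  KMSKey:
    Type: String
    Default: ""
    Description: ARN of the KMS key that encrypts the logs (leave empty if unencrypted)
  SNSTopicForS3Events:
    Type: String
    Default: ""
    Description: ARN of an existing SNS topic for S3 events (leave empty to create one)
  VectraAccountId:
    Type: String
    Default: "111111111111"        # placeholder account ID, not a real one
    AllowedPattern: "^[0-9]{12}$"
  VectraIAMRoleName:
    Type: String
    Default: example-cloudtrail-reader-role   # assumed default name

Conditions:
  HasKMSKey: !Not [!Equals [!Ref KMSKey, ""]]
  CreateSNSTopic: !Equals [!Ref SNSTopicForS3Events, ""]

Resources:
  LogReaderRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref VectraIAMRoleName
      # Trust policy: only the vendor account may assume this role, and only
      # when it passes the agreed ExternalId in the AssumeRole call.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${VectraAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: read-cloudtrail-bucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read objects in the log bucket only; no write or delete.
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${CloudTrailS3BucketName}/*"
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource: !Sub "arn:aws:s3:::${CloudTrailS3BucketName}"
              # Decrypt permission is added only when a KMS key ARN was given.
              - !If
                - HasKMSKey
                - Effect: Allow
                  Action: kms:Decrypt
                  Resource: !Ref KMSKey
                - !Ref AWS::NoValue

  # Created only when no existing topic ARN was supplied.
  S3EventsTopic:
    Type: AWS::SNS::Topic
    Condition: CreateSNSTopic

  S3EventsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Condition: CreateSNSTopic
    Properties:
      Topics:
        - !Ref S3EventsTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Let S3 publish, but only on behalf of the named log bucket.
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com
            Action: sns:Publish
            Resource: !Ref S3EventsTopic
            Condition:
              ArnLike:
                aws:SourceArn: !Sub "arn:aws:s3:::${CloudTrailS3BucketName}"

Outputs:
  CloudTrailS3BucketName:
    Value: !Ref CloudTrailS3BucketName
  SNSTopicForS3EventsARN:
    Value: !If [CreateSNSTopic, !Ref S3EventsTopic, !Ref SNSTopicForS3Events]
  VectraIAMRoleARN:
    Value: !GetAtt LogReaderRole.Arn
```

Two design points worth checking in any template you are handed for this purpose: the trust policy must name a specific account as principal and carry a `sts:ExternalId` condition (a trust policy with a wildcard principal or no condition lets any account that learns the role ARN assume it), and the S3 statements should be scoped to the one log bucket with read-only actions. After the stack is created, the three values under the **Outputs** tab can also be read with `aws cloudformation describe-stacks`, which is useful when the person who ran the stack is not the person completing the Vectra UI step.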

**Step 3**

* After the stack creation is complete, navigate to the **Outputs** tab of the stack and make note of the **CloudTrail S3 Bucket Name**, **SNS Topic for S3 Events ARN**, and **Vectra IAM Role ARN**.
  * These will be needed in the **Completing the Deployment in the Vectra UI** section below.
  * Specifically, Vectra needs the items in the **Value** column to be copied exactly as displayed.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/qB9FQpepIKAYUHFZBCfu/CDR_for_AWS_Deployment_Guide-2025_Jun_27-9.png)

### Completing the Deployment in the Vectra UI

* After CloudFormation has completed the Stack, enter the output information you just gathered into the CDR for AWS UI and click **Authorize**.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/FohtOOnZxVRGTlT19k2x/CDR_for_AWS_Deployment_Guide-2025_Jun_27-8.png)

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/7I4UInAjR8VyJKRPdhNN/CDR_for_AWS_Deployment_Guide-2025_Jun_27-1.png)

{% hint style="success" %}
After entering the information and clicking **Authorize**, you have completed the configuration. The deployed Connection will be in an **Authorization in Progress** state until Vectra’s cloud is successfully retrieving logs.

**Please Note:**

After the data source connector for AWS CloudTrail has been fully configured, it can take several hours to a day for all AWS-related detections to be able to fire and for enrichment (attribution to a specific source account at the bottom of a role chain) to be available for any detections that fire as a result of the new connector. This is because the data source connector might have been activated after the role chain was started, and therefore Vectra might not have the full role chain in its forwarded data.
{% endhint %}
