1. Add your credentials to /root/.aws/credentials in the following format:
[default]
aws_access_key_id=YOUR_ACCESS_KEY
aws_secret_access_key=YOUR_SECRET_KEY
region=us-east-1
2. Add this stanza to ossec.conf:
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>YOUR_CLOUDTRAIL_S3_BUCKET</name>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>
Replace YOUR_ACCESS_KEY and YOUR_SECRET_KEY with the key from Amazon,
and YOUR_CLOUDTRAIL_S3_BUCKET with the name of the S3 bucket storing the CloudTrail logs.
3. The AWS IAM user from step 1 will need read access to that S3 bucket.
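
A check for step 3, added here as an example and not part of the original instructions: it builds a read-only policy for the bucket and audits an existing policy document for grants wider than that. It assumes read access means s3:ListBucket on the bucket and s3:GetObject on its objects; the function names and the bucket name are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed sample: an over-broad policy often attached "just to make it work".
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def required_grants(bucket):
    # Assumption: read access means listing the bucket and fetching its objects.
    arn = f"arn:aws:s3:::{bucket}"
    return {"s3:listbucket": arn, "s3:getobject": arn + "/*"}

def build_read_policy(bucket):
    """Least-privilege policy: exactly the two grants above, nothing else."""
    names = {"s3:listbucket": "s3:ListBucket", "s3:getobject": "s3:GetObject"}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": names[a], "Resource": r}
        for a, r in required_grants(bucket).items()]}

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return findings; an empty list means read-only and scoped to the bucket."""
    need = required_grants(bucket)
    satisfied, findings = set(), []
    for st in _listify(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append("NotAction/NotResource allows everything not listed")
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        actions = [a.lower() for a in _listify(st.get("Action", []))]
        resources = _listify(st.get("Resource", []))
        findings += [f"action beyond read access: {a}" for a in actions if a not in need]
        findings += [f"resource wider than the bucket: {r}"
                     for r in resources if r not in need.values()]
        for act, arn in need.items():
            # IAM wildcards (* and ?) are approximated with fnmatch globbing.
            if any(fnmatchcase(act, a) for a in actions) and \
               any(fnmatchcase(arn, r) for r in resources):
                satisfied.add(act)
    findings += [f"missing grant: {a} on {need[a]}" for a in sorted(set(need) - satisfied)]
    return findings

if __name__ == "__main__":
    bucket = "example-trail-logs"  # constructed bucket name
    print(audit_policy(build_read_policy(bucket), bucket))
    for finding in audit_policy(WEAK_POLICY, bucket):
        print("finding:", finding)
```

A policy that puts s3:ListBucket on the object ARN (bucket/*) instead of the bucket ARN is reported as a missing grant.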