Check the credentials part in the access method definition, what exactly is being used, and make sure to use the SQS Queue URL without: https://.

For example:

sqs.us-west-2.amazonaws.com/xxxxx/fortisiem-s3-test

Access Method Definition example:

Verification from FortiSIEM : 

The device is added under CMDB → Devices check:

• Device Type: Amazon AWS CloudTrail.
• Status: Approved.
• Event Status: Normal.

It can also be checked under the Monitor tab:

• Metric: AWS_CLOUDTRAIL.
• Last Successful: (shows timestamp).
• Status: Normal.

Once permissions and credentials are validated, the following success message is seen in the FortiSIEM logs:

2025-11-03T09:43:18.357687+02:00 fsm740 phAgentManager[1086205]:
[PH_JOB_STAT]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,
[fileName]=phJobExecuteStatus.cpp,[lineNumber]=235,[jobId]=6939401,
[jobType]=2,[jobDetail]=Success,[hostIpAddr]=98.87.170.71,[hostName]=amazon.com,
[jobName]=Cloudtrail-Test,[jobDesc]=AWS Cloudtrail Pull,[jobStatus]=0,[pollIntv]=120,
[eventTime]=1761291703,[phLogDetail]=

Common error messages :

• 'Invalid Credential or Timeout': IAM User/Role lacks permissions to read S3 or SQS. Check the JSON file of the role or user.
• 'Found 2 errors while validating the input provided for the GetObject operation':
  Make sure CloudTrail is publishing event notification directly to the SNS topic and not via the S3 service. There should be no integration between S3 and SNS/SQS. The following is the expected message format in the SQS queue.

{
"Type" : "Notification",
"MessageId" : "658da72b-684e-5965-bc3a-f123456005a",
"TopicArn" : "arn:aws:sns:us-east-1:111111:testCloudTrail",
"Message" : "{\"s3Bucket\":\"testS3Bucket\",\"s3ObjectKey\":

[\"AWSLogs/111111/CloudTrail/us-west-2/2022/05/27/111111_CloudTrail_us-west-2_20220527T1540Z_

ILkwe2zAtDS.json.gz\"]}",
"Timestamp" : "2022-05-27T16:35:35.746Z",
"SignatureVersion" : "1",
"Signature" : "hS79T2w30bfMRBIUt3qJ8D0v4fAq912345I7IHzTulkme+iEjg+mWgiQV3cikFXSAwzfYVUMGwpXx+

Qr7m16uW5SRIkMRb05L/

5ioNrhm+DcRwjsmAEUm3ZzIFrFMaFeSy0hGD/vJEcPmvcs3ExVbz1NL1ZQcBU3LHMkrnwKKi6xFubkJWAj8nPZPUPFio7

iqEHWUGHdvjqDVPkX+M7Kpwshze5q2cF6W7oPeXsUjTaV+iqFxlxi7P7TZRXsRw502wVSUYl8uVSsMKB3JdEkAJaEm3Ro/

wcwxl8gbuWGwrFYwrXQoipJqv4xtrAp1ebIk/wcfMJur3mfJQ8A==",
"SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-7ff5318522adbaddaa2a969abfda.pem ",
"UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:dwfewefa12323:testCloudTrail:2947799d-3c02-4863-8cd6-36123523fd1 "
}

To resolve these types of errors, run all tests from the same host, like FortiSIEM Collector for the CloudTrail job, using the same credentials and region configured in the Access Method. Check each thing one by one, have to replace xxxxxxx with the actual account, and it must have AWS CLI configured:

Test SQS Receive:

Check if the SQS queue is accessible and messages are available (it returns messages or an empty list):

aws sqs receive-message --queue-url https://sqs.us-west-2.amazonaws.com/xxxxxxx/fortisiem-s3-test  --region us-west

Expected Output:

{
"Messages": [
{
"MessageId": "79266a25-5f17-4a16-9e54-d969403d3f16",
"ReceiptHandle": "AQEB1o8V+1xMRnBCO7sRS9z1hvCW2px4...",
"MD5OfBody": "99bee604feface6af10045a9268586ae"
}
]
}

List CloudTrail Objects from S3:

Ensure FortiSIEM has permission to list S3 objects for the CloudTrail logs.

aws s3 ls s3://shub9335test/AWSLogs/xxxxxxx/CloudTrail/ --recursive --region us-west-2

Expected Output:

2025-11-03 08:42:28 34069 AWSLogs/xxxxxxx/CloudTrail/us-west-2/2025/11/03/xxxxxxx_CloudTrail_us-west-2_20250926T0315Z_GFRHmLmFiWsQabhf.json.gz
2025-11-03 08:47:39 4843 AWSLogs/xxxxxxx/CloudTrail/us-west-2/2025/11/03/xxxxxxx_CloudTrail_us-west-2_20250926T0315Z_aBmaQ4TfD7fgJ1mr.json.gz

Download a CloudTrail Object (replace key from the ls output above s3 command):

To verify read access to the CloudTrail object:

aws s3api get-object --bucket shub9335test --key "AWSLogs/xxxxxxx/CloudTrail/us-west-2/2025/11/03/xxxxxxx_CloudTrail_us-west-2_20250926T0315Z_GFRHmLmFiWsQabhf.json.gz" --region us-west-2

Expected Output:

{
"AcceptRanges": "bytes",
"LastModified": "2025-11-03T19:22:23+00:00",
"ContentLength": 2906,
"ETag": "\"e3999f55a8ef941d6477420cdf8bd101\""
}

If all AWS CLI tests succeed, verify from the FortiSIEM host directly using the internal PHP test script:

/opt/phoenix/bin/aws-phgetobjkeys.php 'ACCESS_KEY_ID' 'SECRET_ACCESS_KEY' us-west 'https://sqs.us-west-2.amazonaws.com/xxxxxxx/fortisiem-s3-test '

Expected Output:

2025-11-03T10:34:50.022Z::AWSLogs/810801871376/CloudTrail/us-west-2/2025/10/17/xxxxxxx_CloudTrail_us-west-2_20251017T1035Z_mNQYEytGZTegVqBN.json.gz
2025-11-03T10:34:54.786Z::AWSLogs/810801871376/CloudTrail/us-west-2/2025/11/03/xxxxxxx_CloudTrail_us-west-2_20251017T1035Z_sovtR8kiHOPkQ10i.json.gz

This confirms that FortiSIEM is able to pull CloudTrail log objects successfully.

Related document:
CloudTrail Permission and IAM user