AWS July Webinar Series - Troubleshooting Operational and Security Issues in Your AWS Account using CloudTrail
•Télécharger en tant que PPTX, PDF•
11 j'aime•5,673 vues
AWS CloudTrail is an essential tool for troubleshooting operational issues and investigating security incidents. CloudTrail provides detailed information about the API activity in your AWS account, including who made an API call, from where, and which resources they acted on. This webinar will help you understand the features of CloudTrail and how to use them to gain maximum visibility into your AWS resources. Learning Objectives: Learn how to receive email notifications for specific API activity Learn how to troubleshoot operational and security incidents in your AWS account Learn how to turn on CloudTrail and receive a history of log files to an S3 bucket you specify
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à AWS July Webinar Series - Troubleshooting Operational and Security Issues in Your AWS Account using CloudTrail
Similaire à AWS July Webinar Series - Troubleshooting Operational and Security Issues in Your AWS Account using CloudTrail (20)
Plus de Amazon Web Services
Plus de Amazon Web Services (20)
Dernier
Dernier (20)
AWS July Webinar Series - Troubleshooting Operational and Security Issues in Your AWS Account using CloudTrail
- 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Sivakanth Mundru, AWS CloudTrail 07-29-2015 Deep Dive: Troubleshooting Operational and Security issues in your AWS Account using CloudTrail
- 2. Agenda CloudTrail Overview Getting Started CloudTrail Lookup Receive email notifications of specific API activity Partner solutions integrated with CloudTrail Q & A
- 4. CloudTrail - Overview Customers are making API calls... On a growing set of services around the world… CloudTrail is continuously recording API calls… And delivering log files to customers
- 5. Use cases enabled by CloudTrail • Security Analysis Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns • Track Changes to AWS Resources Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes. • Troubleshoot Operational Issues Quickly identify the most recent changes made to resources in your environment • Compliance Aid Easier to demonstrate compliance with internal policies and regulatory standards Security at Scale: Logging in AWS White Paper
- 6. What’s in a CloudTrail event? Who made the API call? When was the API call made? What was the API call? What were the resources that were acted up on in the API call? Where was the API call made from? CloudTrail event reference
- 7. CloudTrail Availability and more • Available in all AWS regions. This includes US GovCloud and Beijing, China regions • Supports 42 AWS services • Records API activity made using SDKs, CLI or the AWS console • Typically, delivers log files containing events to your S3 bucket in less than 10 minutes • Aggregate log files from multiple accounts into a single S3 bucket. More on aggregating Log files across accounts and regions
- 8. Setting up S3 bucket policy for aggregation • Partial S3 bucket policy "Action": "s3:PutObject", "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } • If you have 3 accounts, add three lines that correspond to those three accounts to the bucket policy "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/111111111111/*", "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/222222222222/*", "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/333333333333/*"
- 10. Turn on CloudTrail using AWS CloudTrail Console AWS CloudTrail Console Home
- 11. Turn on CloudTrail in all regions using AWS CLI # Create trails and start logging in all AWS standard regions with the AWS CLI and Linux. CLOUDTRAIL_S3_BUCKET=“yourbucket" PROFILE="timbuktu" REGION_FOR_GLOBAL_EVENTS="us-east-1" regionlist=($(aws ec2 describe-regions --query Regions[*].RegionName --output text)) for region in ${regionlist[@]} do if [ $region = $REGION_FOR_GLOBAL_EVENTS ] then aws --profile $PROFILE --region $region cloudtrail create-trail --name $region --s3-bucket-name $CLOUDTRAIL_S3_BUCKET --include-global-service- events --output table aws --profile $PROFILE --region $region cloudtrail start-logging --name $region --output table else aws --profile $PROFILE --region $region cloudtrail create-trail --name $region --s3-bucket-name $CLOUDTRAIL_S3_BUCKET --no-include-global-servi ce-events --output table aws --profile $PROFILE --region $region cloudtrail start-logging --name $region --output table fi done
- 13. CloudTrail Lookup Events Feature • Troubleshoot Operational and Security issues related to your AWS account • Look up CloudTrail events related to creation, deletion and modification of AWS resources • Look up events for the last 7 days • Filter events using one of the six different filters • Time range • User name • Resource name • Resource type • Event name • Event ID
- 14. CloudTrail Lookup Events Feature
- 15. Demo: Look up CloudTrail events in the console AWS CloudTrail Console Home
- 16. Look up events using the AWS CLI • List all events for the last 7 days aws cloudtrail lookup-events --output json • List all events where user name is root aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username, AttributeValue=root -- output=json • List all events where the Resource type is EC2 Instance aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::Inst ance --output=json
- 17. Receive email notifications of specific API activity
- 18. Receive email notifications of specific API activity Why? • Monitor for any patterns in the CloudTrail events • You want to take immediate action when specific events occur What do you need to do? • Configure CloudTrail events to be delivered to CloudWatch Logs • Configure CloudWatch Alarms for specific events or API activity
- 19. Which events should I monitor for? • Monitor security and network related events Examples: 1. Creation, deletion and modification of security groups and VPC’s 2. Changes to IAM policies 3. Failed console Sign-in events 4. API calls that resulted in authorization failures • Monitor events related to specific resources or resource types Examples 1. Launching, terminating, stopping, starting and rebooting EC2 Instances 2. Creating 4X or 8X large EC2 Instances
- 20. Configuring CloudWatch Alarms for CloudTrail events • To get started, use the CloudFormation template that has 10 different pre-defined alarms, includes the examples in the previous slide • CloudFormation template is available via CloudTrail documentation page • Create 10 CloudWatch alarms to monitor API activity related to network and security events in less than 5 minutes • Receive email notifications when those events occur in your AWS account
- 21. Demo: CloudTrail Integration with CloudWatch
- 22. How does the email notification look like?
- 23. Partner Solutions Integrated with CloudTrail
- 24. AWS Technology Partner solutions integrated with CloudTrail
- 25. AWS Consulting Partner solutions integrated with CloudTrail
- 26. Thank you! Questions and Answers