AWS CloudTrail is an essential tool for troubleshooting operational issues and investigating security incidents. CloudTrail provides detailed information about the API activity in your AWS account, including who made an API call, from where, and which resources they acted on.
This webinar will help you understand the features of CloudTrail and how to use them to gain maximum visibility into your AWS resources.
Learning Objectives:
Learn how to receive email notifications for specific API activity
Learn how to troubleshoot operational and security incidents in your AWS account
Learn how to turn on CloudTrail and receive a history of log files to an S3 bucket you specify
4. CloudTrail - Overview
Customers are making API calls on a growing set of services around the world. CloudTrail is continuously recording those API calls and delivering log files to customers.
5. Use cases enabled by CloudTrail
• Security Analysis
Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
• Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot Operational Issues
Quickly identify the most recent changes made to resources in your environment
• Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards
Security at Scale: Logging in AWS White Paper
6. What’s in a CloudTrail event?
Who made the API call?
When was the API call made?
What was the API call?
What were the resources that were acted upon in the API call?
Where was the API call made from?
CloudTrail event reference
7. CloudTrail Availability and more
• Available in all AWS regions. This includes US GovCloud and Beijing, China regions
• Supports 42 AWS services
• Records API activity made using SDKs, CLI or the AWS console
• Typically, delivers log files containing events to your S3 bucket in less than 10 minutes
• Aggregate log files from multiple accounts into a single S3 bucket.
More on aggregating Log files across accounts and regions
8. Setting up S3 bucket policy for aggregation
• Partial S3 bucket policy (the statement that lets CloudTrail write into the bucket; the ACL condition ensures the bucket owner retains full control of delivered log files)
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
    "Condition": {
        "StringEquals": {
            "s3:x-amz-acl": "bucket-owner-full-control"
        }
    }
• If you have 3 accounts, add three lines that correspond to those three accounts to the bucket policy (as a Resource array, one ARN per account):
    "Resource": [
        "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/111111111111/*",
        "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/222222222222/*",
        "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/333333333333/*"
    ]
13. CloudTrail Lookup Events Feature
• Troubleshoot Operational and Security issues related to your AWS account
• Look up CloudTrail events related to creation, deletion and modification of AWS resources
• Look up events for the last 7 days
• Filter events using one of the six different filters
• Time range
• User name
• Resource name
• Resource type
• Event name
• Event ID
15. Demo: Look up CloudTrail events in the console
AWS CloudTrail Console Home
16. Look up events using the AWS CLI
• List all events for the last 7 days
aws cloudtrail lookup-events --output json
• List all events where user name is root (no space after the comma in the shorthand syntax, or the CLI treats the value as a separate argument)
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root --output json
• List all events where the Resource type is EC2 Instance
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::Instance --output json
18. Receive email notifications of specific API activity
Why?
• Monitor for any patterns in the CloudTrail events
• You want to take immediate action when specific events occur
What do you need to do?
• Configure CloudTrail events to be delivered to CloudWatch Logs
• Configure CloudWatch Alarms for specific events or API activity
19. Which events should I monitor for?
• Monitor security and network related events
Examples:
1. Creation, deletion and modification of security groups and VPCs
2. Changes to IAM policies
3. Failed console Sign-in events
4. API calls that resulted in authorization failures
• Monitor events related to specific resources or resource types
Examples:
1. Launching, terminating, stopping, starting and rebooting EC2 Instances
2. Creating 4X or 8X large EC2 Instances
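The same checks the slide lists (security group changes, IAM policy changes, failed console sign-ins, authorization failures) can be run directly over a delivered log file. The following is an added example, not code from the webinar or from AWS; the log records are constructed samples, and the event-name sets are an assumption of which API names to watch:

```python
import json

# Constructed sample of a CloudTrail log file (the "Records" array delivered to S3),
# trimmed to the fields the slides call out: who, when, what, which resource, from where.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-03-10T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-03-10T14:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2015-03-10T14:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2015-03-10T14:07:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})
# Assumed event names behind the slide's examples 1 and 2 (security groups, IAM policies).
SECURITY_GROUP_EVENTS = {"CreateSecurityGroup", "DeleteSecurityGroup",
                         "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                         "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
IAM_POLICY_EVENTS = {"PutUserPolicy", "PutGroupPolicy", "PutRolePolicy"}

def classify(record):
    """Return the monitoring category a record falls into, or None if it is routine.
    Failed sign-ins carry ConsoleLogin=Failure; denied calls carry an errorCode."""
    name = record.get("eventName", "")
    err = record.get("errorCode", "")
    if name in SECURITY_GROUP_EVENTS:
        return "security-group-change"
    if name in IAM_POLICY_EVENTS:
        return "iam-policy-change"
    if name == "ConsoleLogin" and record.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        return "console-login-failure"
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        return "authorization-failure"
    return None

def find_alerts(log_text):
    """Scan one log file; return (category, who, when, eventName, sourceIP) per hit."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        category = classify(rec)
        if category:
            ident = rec.get("userIdentity", {})
            who = ident.get("userName") or ident.get("type", "unknown")
            alerts.append((category, who, rec["eventTime"], rec["eventName"], rec["sourceIPAddress"]))
    return alerts
```

The same conditions, expressed as CloudWatch Logs metric filters, are what the alarms on the next slide are built from.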
20. Configuring CloudWatch Alarms for CloudTrail events
• To get started, use the CloudFormation template that has 10 different pre-defined alarms, including the examples in the previous slide
• CloudFormation template is available via CloudTrail documentation page
• Create 10 CloudWatch alarms to monitor API activity related to network and security events in less than 5 minutes
• Receive email notifications when those events occur in your AWS account