CloudTrail is an AWS service that records API calls made in an AWS account and delivers log files to enable security monitoring and compliance. It provides visibility into who accessed AWS resources, when they accessed them, and from where. Cloudlytics is a service that allows users to analyze CloudTrail logs to generate security and compliance reports. The document discusses enabling CloudTrail, configuring Cloudlytics to access CloudTrail logs, and using Cloudlytics to analyze the logs and generate various audit reports.

2.  Need of Audit Trail
 Introduction to CloudTrail
 How to Enable CloudTrail in your AWS Account
 Analyzing CloudTrail using Cloudlytics
Manage Security & Compliance of your AWS Account using CloudTrail

3. Manage Security & Compliance of your AWS Account using CloudTrail

4. The average cost of a
data breach in 2014 was
$3.5 Million.
– Ponemon Institute
On an average,
companies are attacked
16,856 times
a year, and many of
those attacks result in a
quantifiable data
breach.
– IBM Security Services
“In the average attack, you get
90%of the data you want
in like nine hours, and yet most
of the companies don't find out
for three to four months.”
– John Chambers, CEO (CISCO)
Manage Security & Compliance of your AWS Account using CloudTrail

5. Manage Security & Compliance of your AWS Account using CloudTrail

6. “There is no data center or network in the
world that hasn't been hacked. If you
watched the number of attacks, they're
going up exponentially this year (2015),
this year's going to be
much worse than last
year.”
- John Chambers, CEO (CISCO)
Manage Security & Compliance of your AWS Account using CloudTrail

7. Manage Security & Compliance of your AWS Account using CloudTrail

8. 92% of data breaches can be
described by just nine distinct
patterns.
—Verizon, (2014 Data Breach Investigations Report)
43% of C-level executives
say negligent insiders are the
greatest threat to sensitive data.
— IBM Services
Manage Security & Compliance of your AWS Account using CloudTrail

9. Manage Security & Compliance of your AWS Account using CloudTrail

10. An Audit Trail is a security-relevant
chronological record, set of records, and/or
destination and source of records that provide
documentary evidence of the sequence of
activities that have affected at any time a
specific operation, procedure, or event. Audit
records typically result from activities such as
financial transactions, scientific research and
health care data transactions, for
communications by individual people, systems,
accounts, or other entities.
Manage Security & Compliance of your AWS Account using CloudTrail

11. Ensure
Security
Maintain
Individual
Accountability
Recreate
Events
Detect
Intrusions
Analyze
Errors
Manage Security & Compliance of your AWS Account using CloudTrail

12. AWS & Audit Trails
Manage Security & Compliance of your AWS Account using CloudTrail

13. AWS CloudTrail is a web service that records AWS
API callsfor your account and delivers log files to
you. The recorded information includes the identity of
the API caller, the time of the API call, the source IP
address of the API caller, the request parameters,
and the response elements returned by the AWS
service.
CloudTrail
Manage Security & Compliance of your AWS Account using CloudTrail

14. Manage Security & Compliance of your AWS Account using CloudTrail
Tokyo
Sydney
Singapore
Frankfurt Ireland Sao Paulo
Northern
Virginia
GovCloud
Northern
California
Oregon

15. Manage Security & Compliance of your AWS Account using CloudTrail
Administration & Security
• AWS IAM
• AWS CloudWatch
• AWS Key Management Service
• AWS Security Token
• AWS CloudHSM
• AWS Config
Analytics
• Amazon EMR
• Amazon Kinesis
• AWS Data Pipeline
Application Services
• Amazon SQS
• Amazon SWS
• Amazon Elastic Transcoder
• Amazon CloudSearch
Deployment & Management
• AWS Elastic Beanstalk
• AWS OpsWorks
• AWS CloudFormation
• AWS CodeDeploy
Database
• Amazon RDS
• Amazon ElastiCache
• Amazon Redshift
Compute
• Amazon EC2
• Auto Scaling
• ELB
Enterprise Applications
• Amazon WorkDocs
Mobile Services
• Amazon SNS
Networking
• Amazon VPC
Storage & Content Delivery
• AWS Storage Gateway
• Amazon Glacier
• Amazon CloudFront
• Amazon Elastic Block Storage (EBS)

16. Manage Security & Compliance of your AWS Account using CloudTrail
 Successful requests to AWS Services
 Time of Request
 User Identity
 Access Keys being Used
 Request Response

17. (Examples)
Manage Security & Compliance of your AWS Account using CloudTrail

18. AWS Identity and Access Management is a web
service that enables AWS customers to manage users
and user permissions in AWS.
Manage Security & Compliance of your AWS Account using CloudTrail

19. Amazon Elastic Compute Cloud (Amazon EC2)
provides resizable compute capacity in the cloud. It is
designed to make web-scale cloud computing easier
for developers and allow them to obtain and configure
capacity with minimal issues.
Manage Security & Compliance of your AWS Account using CloudTrail

20. Manage Security & Compliance of your AWS Account using CloudTrail
{
"Records": [{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId":
"EX_PRINCIPAL_ID",
"arn":
"arn:aws:iam::123456789012:user/
Alice",
"accountId":
"123456789012",
"accessKeyId":
"EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2014-03-
06T21:01:59Z",
"eventSource":
"ec2.amazonaws.com",
"eventName": "StopInstances",
"awsRegion": "us-west-2",
"sourceIPAddress":
"205.251.233.176",
"userAgent": "ec2-api-tools
1.6.12.2",
"requestParameters": {
"instancesSet": {
"items": [{
"instanceId": "i-
ebeaf9e2"
}]
},
"force": false
},
"responseElements": {
"instancesSet": {
"items": [{
"instanceId": "i-
ebeaf9e2",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
}] } } },

21.  Who initiated an Action?
 Time of the Action?
 What Action was taken?
 Where was the Action performed?
Manage Security & Compliance of your AWS Account using CloudTrail

22. Manage Security & Compliance of your AWS Account using CloudTrail
HIPAA Section 164.312(1)(b) - Audit controls
(required), which states organizations must “Implement
hardware, software, & procedural mechanisms that record &
examine activity in information systems that contain or use
electronic protected health information.”
PCI DSS - Requires user logon and log off events to
be recorded as part of the "follow the user requirement".

23. Overview
Report
Manage Security & Compliance of your AWS Account using CloudTrail
User Audit
Report
EC2 Activity
Report
Custom
Report

24. Manage Security & Compliance of your AWS Account using CloudTrail
Top 5 Users
Top 5 Services
Top 5 IP Addresses
Top 5 Access Keys
Unauthorized
Accesses
Location

25. Manage Security & Compliance of your AWS Account using CloudTrail
List of Instances
Instance Related
Activities
User Access Patterns Errors

26. Manage Security & Compliance of your AWS Account using CloudTrail

27. Manage Security & Compliance of your AWS Account using CloudTrail
List of Users User Related Activities
User Access Patterns Geographic Locations
Access Keys Used

28. Manage Security & Compliance of your AWS Account using CloudTrail

29. Manage Security & Compliance of your AWS Account using CloudTrail
Generate your
own Report
Define a Query
Generate Report

30.  Create a New User from the IAM Console
 Set the User Policy
 Grant access of the logs containing S3 bucket to
Cloudlytics
Manage Security & Compliance of your AWS Account using CloudTrail

31.  Register with Cloudlytics
 Configure CloudTrail
Manage Security & Compliance of your AWS Account using CloudTrail
Start Analyzing AWS Logs