AWS on the road: CloudTrail in Dubrovnik

CloudTrail

CloudTrail allows you to log and monitor activity in your AWS infrastructure. Actions taken by a user, role, or AWS service, whether through the AWS Management Console, the AWS Command Line Interface, or the AWS SDKs and APIs, are recorded as events. Logs can be stored in an S3 bucket.

Trails

You can check recent events in the event history. Events are kept there for only 90 days, so if you want to retain logs for longer you need to configure a trail. A trail stores events in an S3 bucket. You can use a trail to filter the CloudTrail events you want delivered, encrypt event log files and set up SNS notifications for log file delivery. Good practice is to send logs to an S3 bucket in another account, so that if your account gets compromised you can still perform forensic analysis.

CloudTrail typically delivers log files within 15 minutes of account activity. In addition, CloudTrail publishes log files multiple times an hour, about every five minutes.

You can create two types of trails:

  • A trail that applies to all regions
  • A trail that applies to one region

There are two types of events that can be logged in CloudTrail:

  • Management events – control plane events related to management operations performed on resources, such as creating an IAM user. By default CloudTrail logs only these events.
  • Data events – events related to resource operations performed on or within a resource, such as GetObject and PutObject on an S3 bucket.

Log example

CloudTrail creates JSON files in the specified S3 bucket with the following naming convention:

AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.json.gz

Let's examine a sample log from deleting a group. When you configure CloudTrail to aggregate trail information from multiple Regions in your account into a single S3 bucket, CloudTrail creates a folder for each Region. As IAM is not tied to any Region, IAM events are duplicated in the logs – the trail for each Region writes the same IAM event to the aggregated log.

Delete group log example:

{"Records":[{
	"eventVersion":"1.02",
	"userIdentity":{
		"type":"Root",
		"principalId":"ID",
		"arn":"arn:aws:iam::ARN:root",
		"accountId":"ID",
		"accessKeyId":"ID",
		"sessionContext":{
			"attributes":{
				"mfaAuthenticated":"true",
				"creationDate":"2018-07-17T12:11:07Z"}},
		"invokedBy":"signin.amazonaws.com"},
	"eventTime":"2018-07-17T12:41:59Z",
	"eventSource":"iam.amazonaws.com",
	"eventName":"DeleteGroup",
	"awsRegion":"us-east-1",
	"sourceIPAddress":"IP",
	"userAgent":"signin.amazonaws.com",
	"requestParameters":{
		"groupName":"testgroup"},
	"responseElements":null,
	"requestID":"ID",
	"eventID":"ID",
	"eventType":"AwsApiCall",
	"recipientAccountId":"ID"}
]}
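As an added example (not part of the original post), this Python snippet parses a delivered log object name, decompresses a log file, collapses the per-Region duplicates of an IAM event by eventID, and flags management events performed as the root user. The sample record, the account id and the object key are constructed here and are not real values.

```python
import gzip
import io
import json
import re

# Object-key convention from the post: AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.json.gz
LOG_NAME_RE = re.compile(
    r"(?P<account>\d{12})_CloudTrail_(?P<region>[a-z0-9-]+)_"
    r"(?P<stamp>\d{8}T\d{4}Z)_(?P<unique>[A-Za-z0-9]+)\.json\.gz$"
)

def parse_log_name(key):
    """Split an S3 object key into the naming-convention fields (None if it does not match)."""
    match = LOG_NAME_RE.search(key.rsplit("/", 1)[-1])
    return match.groupdict() if match else None

def load_records(gz_bytes):
    """Decompress one delivered log file and return its Records array."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]

def dedupe_records(records):
    """Keep one copy per eventID: every Region's trail writes the same IAM event."""
    seen, unique = set(), []
    for rec in records:
        if rec["eventID"] not in seen:
            seen.add(rec["eventID"])
            unique.append(rec)
    return unique

def flag_root_management(records):
    """List (eventName, mfaAuthenticated) for events performed as the root user."""
    hits = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") == "Root":
            attrs = ident.get("sessionContext", {}).get("attributes", {})
            hits.append((rec["eventName"], attrs.get("mfaAuthenticated") == "true"))
    return hits

# Constructed sample mirroring the post's DeleteGroup record; account id and object key are made up.
SAMPLE_KEY = ("AWSLogs/111111111111/CloudTrail/eu-west-1/2018/07/17/"
              "111111111111_CloudTrail_eu-west-1_20180717T1245Z_AbCdEf123456.json.gz")
SAMPLE_FILE = gzip.compress(json.dumps({"Records": [{
    "eventVersion": "1.02", "eventTime": "2018-07-17T12:41:59Z",
    "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root",
                     "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    "eventSource": "iam.amazonaws.com", "eventName": "DeleteGroup", "awsRegion": "us-east-1",
    "requestParameters": {"groupName": "testgroup"}, "eventID": "ID", "eventType": "AwsApiCall",
}]}).encode())
```

Loading the same file twice stands in for the us-east-1 and eu-west-1 folders both delivering the IAM event; deduplicating by eventID before alerting avoids one DeleteGroup raising one alert per Region.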

Reference Materials

AWS on the road
AWS CloudTrail documentation

Dubrovnik, Croatia
