CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing and risk auditing of your AWS account.

AWS CloudTrail is used to monitor API calls and actions made on an AWS account.

It lets you easily identify which users and accounts made a call to AWS:

  • Where: Source IP address
  • When: EventTime
  • Who: User, UserAgent
  • What: Region, Resource, Actions
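The who/where/when/what fields above are all present on every record in a CloudTrail log file. The following is an added example, not part of the original notes or of any AWS tooling: it parses a constructed log file (the record shape follows the CloudTrail record format; the account id, names and IP addresses are made up) and reduces each record to those four questions, unwrapping role sessions so that "who" names the role that was assumed rather than the opaque session ARN.

```python
import json

# Constructed CloudTrail log file (assumption: shape follows the CloudTrail record format);
# a real file is a gzipped JSON object in S3 with a top-level "Records" array.
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "AIDAEXAMPLEPRINCIPAL",
                "arn": "arn:aws:iam::111122223333:user/alice",
                "accountId": "111122223333",
                "userName": "alice",
            },
            "eventTime": "2024-01-15T10:22:31Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "AttachRolePolicy",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userAgent": "aws-cli/2.15.0 Python/3.11.6",
            "requestParameters": {
                "roleName": "AppRole",
                "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess",
            },
            "resources": [{"ARN": "arn:aws:iam::111122223333:role/AppRole", "type": "AWS::IAM::Role"}],
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {
                "type": "AssumedRole",
                "principalId": "AROAEXAMPLEPRINCIPAL:deploy-session",
                "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/deploy-session",
                "accountId": "111122223333",
                "sessionContext": {
                    "sessionIssuer": {
                        "type": "Role",
                        "arn": "arn:aws:iam::111122223333:role/DeployRole",
                        "userName": "DeployRole",
                    }
                },
            },
            "eventTime": "2024-01-15T10:30:02Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "CreateSubnet",
            "awsRegion": "eu-west-1",
            "sourceIPAddress": "198.51.100.7",
            "userAgent": "console.ec2.amazonaws.com",
            "requestParameters": {"vpcId": "vpc-0123456789abcdef0", "cidrBlock": "10.0.1.0/24"},
        },
    ]
})


def who(identity: dict) -> str:
    """Resolve the acting principal, unwrapping role sessions to the issuing role."""
    kind = identity.get("type")
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        session = identity.get("principalId", "").split(":", 1)[-1]
        return f"role {issuer.get('userName', '?')} (session {session})"
    if kind == "Root":
        return f"root of account {identity.get('accountId')}"
    return f"{kind} {identity.get('userName') or identity.get('arn')}"


def summarize(record: dict) -> dict:
    """Reduce one record to the who/where/when/what fields the notes list."""
    resources = [r.get("ARN") for r in record.get("resources", [])]
    return {
        "who": who(record.get("userIdentity", {})),
        "user_agent": record.get("userAgent"),
        "where": record.get("sourceIPAddress"),
        "when": record.get("eventTime"),
        "region": record.get("awsRegion"),
        "what": f"{record.get('eventSource')}:{record.get('eventName')}",
        "resources": resources,
    }


def summarize_log_file(text: str) -> list:
    """Summarize every record in one (already gunzipped) CloudTrail log file."""
    return [summarize(r) for r in json.loads(text)["Records"]]


if __name__ == "__main__":
    for row in summarize_log_file(SAMPLE_LOG_FILE):
        print(row)
```

Note that `resources` is only populated for some services, so the "what" of an event usually has to be read from `requestParameters` as well; the second record above (an EC2 `CreateSubnet` call) carries its VPC id there and has no `resources` entry at all.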

Event History

CloudTrail is already logging by default and keeps the last 90 days of events viewable in Event History.

If you need more than 90 days, you need to create a Trail.

Trails are delivered to S3 and do not have a GUI like Event History. To analyze a Trail you would use Amazon Athena.

Trail Options

A trail can be set to log all regions.

A trail can be set to log across all accounts in an Organization.

You can encrypt your logs using server-side encryption with Key Management Service keys (SSE-KMS).

To ensure the integrity of your logs and detect whether they have been tampered with, turn on Log File Validation.
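With Log File Validation on, CloudTrail writes an hourly digest file that lists the SHA-256 of every log file delivered in that hour, plus the hash and signature of the previous digest, so the digests form a chain in which a deleted or edited log file, or a removed digest, no longer matches. The block below is an added example (not the notes' own and not AWS's validator) that walks that chain over constructed in-memory objects: the bucket, keys, contents and signature are placeholders, `fetch` is a hypothetical callable standing in for S3 GetObject plus gunzip, and the hash values are taken over uncompressed content as the digest format documents them. It checks the hash chain only; verifying the RSA signature over each digest requires the public key returned by the CloudTrail `ListPublicKeys` API and is what `aws cloudtrail validate-logs` does in full.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed objects standing in for S3 contents (not real CloudTrail output) ---
BUCKET = "example-cloudtrail-bucket"
LOG_OBJECT = ("AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/15/"
              "111122223333_CloudTrail_us-east-1_20240115T1025Z_abc123.json.gz")
LOG_CONTENT = json.dumps({"Records": [{"eventName": "StopLogging",
                                       "eventTime": "2024-01-15T10:24:59Z"}]}).encode()

PREV_DIGEST_OBJECT = ("AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/15/"
                      "111122223333_CloudTrail-Digest_us-east-1_20240115T0920Z.json.gz")
PREV_DIGEST_CONTENT = b'{"awsAccountId": "111122223333", "logFiles": []}'  # constructed placeholder
PREV_DIGEST_SIGNATURE = "ab" * 128  # placeholder hex; a real value is an RSA signature

DIGEST = {
    "awsAccountId": "111122223333",
    "digestStartTime": "2024-01-15T09:20:00Z",
    "digestEndTime": "2024-01-15T10:20:00Z",
    "digestS3Bucket": BUCKET,
    "digestS3Object": ("AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/15/"
                       "111122223333_CloudTrail-Digest_us-east-1_20240115T1020Z.json.gz"),
    "digestPublicKeyFingerprint": "0000000000000000000000000000000000000000",  # placeholder
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestS3Bucket": BUCKET,
    "previousDigestS3Object": PREV_DIGEST_OBJECT,
    "previousDigestHashValue": sha256_hex(PREV_DIGEST_CONTENT),
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestSignature": PREV_DIGEST_SIGNATURE,
    "logFiles": [{
        "s3Bucket": BUCKET,
        "s3Object": LOG_OBJECT,
        "hashValue": sha256_hex(LOG_CONTENT),
        "hashAlgorithm": "SHA-256",
        "oldestEventTime": "2024-01-15T10:24:59Z",
        "newestEventTime": "2024-01-15T10:24:59Z",
    }],
}
S3 = {LOG_OBJECT: LOG_CONTENT, PREV_DIGEST_OBJECT: PREV_DIGEST_CONTENT}  # in-memory stand-in for S3


def check_digest(digest: dict, fetch) -> list:
    """Return a list of findings; an empty list means every hash in the chain matched.
    `fetch(bucket, key)` is a hypothetical callable that returns the uncompressed object
    bytes, or None when the object is gone."""
    findings = []
    for lf in digest["logFiles"]:
        if lf.get("hashAlgorithm") != "SHA-256":
            findings.append(f"unexpected hash algorithm for {lf['s3Object']}")
            continue
        content = fetch(lf["s3Bucket"], lf["s3Object"])
        if content is None:
            findings.append(f"log file missing: {lf['s3Object']}")   # deleted log file
        elif sha256_hex(content) != lf["hashValue"]:
            findings.append(f"log file modified: {lf['s3Object']}")  # edited log file
    prev_key = digest.get("previousDigestS3Object")
    if prev_key:  # the first digest in a chain has no predecessor
        prev = fetch(digest["previousDigestS3Bucket"], prev_key)
        if prev is None:
            findings.append(f"previous digest missing: {prev_key}")
        elif sha256_hex(prev) != digest["previousDigestHashValue"]:
            findings.append(f"previous digest modified: {prev_key}")
    return findings


def digest_signing_string(digest: dict, digest_content: bytes) -> str:
    """Newline-joined string that the digest's SHA256withRSA signature covers, in the layout
    AWS documents for custom validators (end time, bucket/key, digest hash, previous
    signature). Checking the signature itself needs the ListPublicKeys key and is not done here."""
    return "\n".join([
        digest["digestEndTime"],
        f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
        sha256_hex(digest_content),
        digest["previousDigestSignature"],
    ])


if __name__ == "__main__":
    fetch = lambda bucket, key: S3.get(key)
    print("intact:", check_digest(DIGEST, fetch))
    S3[LOG_OBJECT] = LOG_CONTENT.replace(b"StopLogging", b"StartLogging")  # simulate an edit
    print("tampered:", check_digest(DIGEST, fetch))
```

Because each digest's hash is covered by the next digest's signature, an attacker who edits a log file would also have to rewrite every later digest, which they cannot sign; this is why the check walks backwards from the newest digest rather than validating files in isolation.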

CloudTrail to CloudWatch

CloudTrail can be configured to deliver events to a CloudWatch Logs log group.

Management vs Data Events

Management Events

Tracks management operations. Turned on by default and can't be turned off.

  • Configuring security, e.g. IAM AttachRolePolicy API operations
  • Registering devices, e.g. Amazon EC2 CreateDefaultVpc API operations
  • Configuring rules for routing data, e.g. Amazon EC2 CreateSubnet API operations
  • Setting up logging, e.g. AWS CloudTrail CreateTrail API operations

Data Events

Tracks specific operations for specific AWS services. Data events are high-volume logging and result in additional charges. Turned off by default.

The two services that can be tracked are S3 and Lambda, so it would track actions such as GetObject, DeleteObject and PutObject.
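Every delivered record says which of the two kinds it is (`managementEvent` true/false, mirrored by `eventCategory`), which is what lets you keep the cheap, always-on management stream separate from the expensive data stream when building detections. The following is an added example, not from the notes or from AWS: over a handful of constructed records (made-up account, users, bucket and function names, with field names following the CloudTrail record format) it splits management from data events, counts the data events per service so you can see where the extra charges come from, and flags the CloudTrail management calls that stop, delete or narrow a trail, which are the calls a defender most wants an alert on.

```python
# Constructed records (assumption: field names follow the CloudTrail record format). The
# managementEvent / eventCategory fields are what separate the two kinds of event.
RECORDS = [
    {"eventTime": "2024-01-15T11:00:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "readOnly": False, "managementEvent": True,
     "eventCategory": "Management", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventTime": "2024-01-15T11:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True, "managementEvent": False,
     "eventCategory": "Data", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "payroll-exports", "key": "2024/01/salaries.csv"}},
    {"eventTime": "2024-01-15T11:00:09Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "readOnly": False, "managementEvent": False,
     "eventCategory": "Data", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"functionName": "arn:aws:lambda:us-east-1:111122223333:function:nightly-export"}},
    {"eventTime": "2024-01-15T11:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True, "managementEvent": True,
     "eventCategory": "Management", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {}},
]

# CloudTrail API calls that change whether, or how much, a trail records. Any one of them
# from an unexpected principal is worth an alert.
TRAIL_CONTROL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def is_management(record: dict) -> bool:
    """Prefer the explicit flag; fall back to eventCategory when the flag is absent."""
    if "managementEvent" in record:
        return bool(record["managementEvent"])
    return record.get("eventCategory") == "Management"


def split_events(records: list) -> tuple:
    """Return (management_events, data_events)."""
    management = [r for r in records if is_management(r)]
    data = [r for r in records if not is_management(r)]
    return management, data


def data_event_volume(records: list) -> dict:
    """Count data events per service; these are the records that cost extra and so are the
    ones to scope tightly (e.g. only the buckets that hold sensitive data)."""
    counts = {}
    for r in records:
        if not is_management(r):
            counts[r["eventSource"]] = counts.get(r["eventSource"], 0) + 1
    return counts


def trail_tampering(records: list) -> list:
    """Management events that stop, delete or narrow a trail, as (time, principal, eventName)."""
    return [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"])
            for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in TRAIL_CONTROL_EVENTS]


if __name__ == "__main__":
    mgmt, data = split_events(RECORDS)
    print(f"{len(mgmt)} management events, {len(data)} data events")
    print("data event volume by service:", data_event_volume(RECORDS))
    for hit in trail_tampering(RECORDS):
        print("ALERT trail logging changed:", hit)
```

When the trail is also delivering to CloudWatch Logs, the `trail_tampering` check can run inside AWS instead of in a script: a metric filter with the pattern `{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail) }` on the log group, with an alarm on the resulting metric, raises the same alert as soon as the event is delivered.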

[[CloudTrail]] [[developer]]