AWS CloudTrail

AWS CloudTrail

AWS CloudTrail is an AWS service that enables customers governance, compliance, and operational and risk auditing of their AWS account. it is also records activity made on customers account and delivers log files to their Amazon S3 bucket if they have one. Using CloudTrail, customers can log, continuously monitor, and retain account activity related to actions across their AWS infrastructure.

  • AWS CloudTrail provides event history of customers AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. 
  • AWS CloudTrail detect unusual activity in customers AWS accounts, that help to simplify operational analysis and troubleshooting.
  • Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
  • AWS CloudTrail can be integrated to applications using the API automate trail creation for customers business or organization.

AWS CloudTrail Features

AWS CloudTrail provides visibility into user activity by recording actions taken on customers account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service.

  • This information helps AWS customers to track changes made to their AWS resources and to troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards. 
  • AWS CloudTrail shows the results of the CloudTrail Event History for the current region customers are viewing for the last 90 days. These events are limited to with create, modify, and delete API calls and account activity.
  • For a complete record of account activity, including all management events, data events, and read-only activity, customers need to configure a CloudTrail trail.

Using AWS CloudTrail log file integrity validation AWS customers can determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

  • Customers can use the AWS CLI to validate the files in the location where CloudTrail delivered them.
  • A validated log file enables customers to assert positively that the log file itself has not changed, or that particular user credentials performed specific API activity.

Server-side encryption is the encryption of data at its destination by the application or service that receives it. AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Amazon S3 uses AWS KMS customer master keys (CMKs) to encrypt customers Amazon S3 objects. AWS KMS encrypts only the object data and here are what customers can do with it:

  • Create and manage the CMK encryption keys yourself.
  • Use a single CMK to encrypt and decrypt log files for multiple accounts across all regions.
  • Customers ave control over who can use their key for encrypting and decrypting CloudTrail log files. 
  • Have enhanced security. With this feature, in order to read log files, the following permissions are required:
    • A user must have S3 read permissions for the bucket that contains the log files.
    • A user must also have a policy or role applied that allows decrypt permissions by the CMK policy.
  • Because S3 automatically decrypts the log files for requests from users authorized to use the CMK, SSE-KMS encryption for CloudTrail log files is backward-compatible with applications that read CloudTrail log data.

A trail can be applied to all Regions or a single Region. As a best practice, create a trail that applies to all Regions in the AWS partition in which you are working. This is the default setting when you create a trail in the CloudTrail console. A trail that applies to all AWS Regions has the following advantages:

  • The configuration settings for the trail apply consistently across all AWS Regions.
  • Receive CloudTrail events from all AWS Regions in a single Amazon S3 bucket and, optionally, in a CloudWatch Logs log group.
  • Manage trail configuration for all AWS Regions from one location.
  • Receive events from a new AWS Region. When a new AWS Region is launched, CloudTrail automatically creates a copy of all of the Region trails.
  • Any activity in any AWS Region is logged in a trail that applies to all AWS Regions.

Data events provide insights into the resource (“data plane”) operations performed on or within the resource itself. Data events are often high volume activities and include operations such as Amazon S3 object level APIs and AWS Lambda function invoke APIs. 

  • By logging on API actions Amazon S3 objects, customers can receive detailed information such as the AWS account, IAM user role, and IP address of the caller, time of the API call, and other details. 
  • They can record activity of their Lambda functions, and receive details on Lambda function executions, such as the IAM user or service that made the Invoke API call, when the call was made, and which function was executed.

AWS Lambda:- Amazon S3 bucket notification publish object-created events to AWS Lambda. When CloudTrail writes logs to your S3 bucket, Amazon S3 can invoke customers Lambda function to process the access records logged by CloudTrail.

Amazon CloudWatch Logs:- AWS CloudTrail integration with Amazon CloudWatch Logs enables customers to send management and data events recorded by CloudTrail to CloudWatch Logs.

  • CloudWatch Logs allows customers to create metric filters to monitor events, search events, and stream events to other AWS services, such as AWS Lambda and Amazon Elasticsearch Service.

Amazon CloudWatch Events:- AWS CloudTrail integration with Amazon CloudWatch Events, that enables customers to automatically respond to changes to their AWS resources.

  • With CloudWatch Events, you are able to define actions to execute when specific events are logged by AWS CloudTrail.
  • Customers can create a CloudWatch Events rule that sends this activity to an AWS Lambda function. Lambda can then execute a workflow to create a ticket in their IT Helpdesk system.

CloudTrail Integrations

CloudTrail integration with CloudWatch Logs delivers management and data events captured by CloudTrail to a CloudWatch Logs log stream in the CloudWatch Logs log group you specify.

Using AWS Athena Service can achieve: 

  • Using Athena with CloudTrail logs is a powerful way to enhance customers analysis of AWS service activity. Customers can use queries to identify trends and further isolate activity by attribute, such as source IP address or user.
  • customers can automatically create tables for querying logs directly from the AWS CloudTrail console, and use those tables to run queries in Athena.

Amazon CloudWatch Logs:- Customers can configure CloudTrail with CloudWatch Logs to monitor their trail logs and be notified when specific activity occurs.

  • AWS clients can define CloudWatch Logs metric filters that will trigger CloudWatch alarms and send notifications to you when those alarms are triggered.

Customers can create a trail in the master account for an organization that collects all event data for all AWS accounts in an organization in AWS Organizationsm known as an organization trail.

  • Creating an organization trail helps customers define a uniform event logging strategy for their organization.
  • An organization trail is applied automatically to each AWS account in customers organization.
  • Users in member accounts can see these trails but cannot modify them.

AWS CloudTrail Concepts

An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by a user, role, or service that is monitorable by AWS CloudTrail. AWS CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. There are two types of events that can be logged in CloudTrail: management events and data events. By default, trails log management events, but not data events.

Management Events

Management events provide information about management operations that are performed on resources in the customer AWS account. These are also known as control plane operations

  • Configuring security (for example, IAM AttachRolePolicy API operations).
  • Registering devices (for example, Amazon EC2 CreateDefaultVpc API operations).
  • Configuring rules for routing data (for example, Amazon EC2 CreateSubnet API operations).
  • Setting up logging (for example, AWS CloudTrail CreateTrail API operations).

Management events can also include non-API events that occur in customers account. 

Organizations Trail

An organization trail is a configuration that enables delivery of CloudTrail events in the master account and all member accounts in an organization to the same Amazon S3 bucket, CloudWatch Logs, and CloudWatch Events. Creating an organization trail helps customers define a uniform event logging strategy for their business or organization.

  • Users with AWS CloudTrail permissions in member accounts will be able to see this trail (including the trail ARN) when they log into the AWS CloudTrail console from their AWS accounts, or when they run AWS CLI commands such as describe-trails (although member accounts must use the ARN for the organization trail, and not the name, when using the AWS CLI).
  • When customers create an organization trail in the console, or enable CloudTrail as a trusted service in the Organizations, it creates a service-linked role to perform logging tasks in their organization’s member accounts, which is referred as AWSServiceRoleForCloudTrail

Global Service Events

For most services, events are recorded in the region where the action occurred. For global services such as AWS Identity and Access Management (IAM), AWS STS, and Amazon CloudFront, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region. To avoid receiving duplicate global service events, remember the following:

  • Global service events are delivered by default to trails that are created using the CloudTrail console. Events are delivered to the bucket for the trail.
  • If AWS customers have multiple single region trails, consider configuring their trails so that global service events are delivered in only one of the trails. 
  • If customers change the configuration of a trail from logging all regions to logging a single region, global service event logging is turned off automatically for that trail.
  • If customers change the configuration of a trail from logging a single region to logging all regions, global service event logging is turned on automatically for that trail.

Insights Events

AWS CloudTrail Insights events capture unusual activity in customers AWS account. when it enabled CloudTrail detects unusual activity, Insights events are logged to a different folder or prefix in the destination S3 bucket for your trail. Insights events are logged when CloudTrail detects unusual write management API activity in your account. 

  • Aws clients can see the type of insight and the incident time period when they view Insights events on the CloudTrail console.
  • Insights events provide relevant information, such as the associated API, incident time, and statistics, that help understand and act on unusual activity.
  • Insights events are logged only when CloudTrail detects changes in customers account’s API usage that differ significantly from the account’s typical usage patterns. 
  • CloudTrail Insights analyzes write management events that occur in a single Region, not globally. A CloudTrail Insights event is generated in the same Region as its supporting management events are generated.

AWS CloudTrail Console

Customers can use and manage the AWS CloudTrail service with the AWS CloudTrail console. The console provides a user interface for performing many CloudTrail tasks such as:

  • Viewing recent events and event history for your AWS account.
  • Downloading a filtered or complete file of the last 90 days of events.
  • Creating and editing CloudTrail trails.
  • Configuring CloudTrail trails, including:
    • Selecting an Amazon S3 bucket.
    • Setting a prefix.
    • Configuring delivery to CloudWatch Logs.
    • Using AWS KMS keys for encryption.
    • Enabling Amazon SNS notifications for log file delivery.
    • Adding and managing tags for your trails.

Data Events

Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities. Example data events include:

  • Amazon S3 object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations).
  • AWS Lambda function execution activity (the Invoke API).

Data events are disabled by default when AWS customers create a trail. To record CloudTrail data events, customers need to explicitly add to a trail the supported resources or resource types for which they want to collect activity. 

How does AWS CloudTrail work?

AWS CloudTrail is enabled on AWS account when clients create it. When activity occurs in their AWS account, that activity is recorded in a CloudTrail event. AWS customers can easily view events in the CloudTrail console by going to Event history.

Event history allows customers to view, search, and download the past 90 days of activity in the AWS account. In addition, they can create a CloudTrail trail to archive, analyze, and respond to changes in the AWS resources. A trail is a configuration that enables delivery of events to an Amazon S3 bucket that they specify. Customers can also deliver and analyze events in a trail with Amazon CloudWatch Logs and Amazon CloudWatch Events, and create a trail with the CloudTrail console, the AWS CLI, or the CloudTrail API.

There are two types of trails for an AWS account

A trail that applies to all regions

When AWS clients create a trail that applies to all regions, CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that they specify. If a region is added after creating a trail that applies to all regions, that new region is automatically included, and events in that region are logged. Because creating a trail in all regions is a recommended best practice, so the customer capture activity in all regions in the account, an all-regions trail is the default option when they create a trail in the AWS CloudTrail console. Customers can only update a single-region trail to log all regions by using the AWS CLI.

A trail that applies to one region

When creating a trail that applies to one region, CloudTrail records the events in that region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. AWS customers can only create a single-region trail by using the AWS CLI. If customers create additional single trails, they can have those trails deliver CloudTrail event log files to the same Amazon S3 bucket or to separate buckets. This is the default option when creating a trail using the AWS CLI or the CloudTrail API

© 2022