Skip to content

Latest commit

 

History

History
57 lines (38 loc) · 5.18 KB

aws_cloudtrail.md

File metadata and controls

57 lines (38 loc) · 5.18 KB

AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing for your AWS account. It allows you to track user activity and API usage across your AWS infrastructure. CloudTrail logs account activity, including API calls and actions taken through the AWS Management Console, SDKs, CLI, and other AWS services.

CloudTrail provides a comprehensive history of AWS account activity, enabling you to log, monitor, and retain event data for auditing and security purposes. You can track operations across a wide range of AWS services, providing transparency and accountability for all actions taken within your account.

CloudTrail Event Types

  • Management Events: These are operations that are performed on resources in your AWS account, such as creating, modifying, or deleting resources. Examples include:

    • Configuring security (e.g., IAMAttachRolePolicy)
    • Configuring rules for routing data (e.g., Amazon EC2CreateSubnet)
    • Setting up logging (e.g., AWS CloudTrailCreateTrail)

    Management events are enabled by default in CloudTrail, and they can be further categorized into:

    • Read Events: Operations that don’t modify resources, such as listing resources or viewing configurations.
    • Write Events: Operations that modify resources, such as creating, deleting, or modifying resources.

  • Data Events: These provide insights into resource-level activity, such as S3 object uploads or Lambda function invocations. Data events are not logged by default due to their high volume but can be enabled for supported resources. For example:

    • Amazon S3 object-level activity (e.g., GetObject, DeleteObject, PutObject)
    • AWS Lambda function execution (e.g., the Invoke API call)

CloudTrail Insights

CloudTrail Insights provides a powerful feature for detecting unusual activity in your AWS account. Insights continuously analyzes CloudTrail management events to establish a baseline of normal activity and then flags any deviations from this baseline, such as:

  • Inaccurate resource provisioning
  • Hitting service limits
  • Unusual bursts of IAM actions
  • Gaps in periodic maintenance activity

When CloudTrail detects unusual patterns, it generates Insights Events and sends them to your designated Amazon S3 bucket. Additionally, an EventBridge event can be generated to automate remediation actions. Insights helps in real-time anomaly detection and alerting.

AWS CloudTrail Lake

AWS CloudTrail Lake is a managed data lake designed to centralize the collection, storage, and analysis of CloudTrail event data. It provides an optimized and centralized solution for storing and analyzing CloudTrail logs, enabling the retention of logs for up to seven years, which supports long-term data analysis and compliance requirements.

Key features of CloudTrail Lake:

  • Integrated Storage and Querying: CloudTrail Lake integrates the collection, storage, preparation, and optimization of event data for analysis and query. The data is converted to the ORC format for efficient querying.
  • SQL-Based Query Interface: CloudTrail Lake provides an SQL-based interface for querying your logs, which is particularly useful for auditing, security investigations, and operational troubleshooting.
  • Event Retention: Logs are retained for up to seven years, providing a long-term record of account activity.
  • Data Querying: CloudTrail Lake allows users to create custom SQL queries or use sample queries to get started. Queries can be constrained by the eventTime parameter to help control costs.
  • Event Channels: You can create channels to integrate CloudTrail events with external services and systems, including built-in integrations with partners like Okta, LaunchDarkly, and Clumio.

CloudTrail Logging and Integration with Other AWS Services

CloudTrail supports integration with both Amazon S3 and Amazon CloudWatch Logs for storing and processing log data. The integration with CloudWatch Logs enables the monitoring of security threats and provides a framework for setting alarms and analyzing CloudTrail logs through tools like Logs Insights, Contributor Insights, and CloudWatch Alarms.

You can create a multi-region trail in your AWS account, ensuring that logs are captured from all AWS regions and stored in a centralized S3 bucket for security and compliance purposes. Additionally, CloudTrail supports organization trails, allowing you to create a trail that applies to all AWS accounts in an organization.

Best Practices for CloudTrail Logging and Analysis

  • Enable CloudTrail logging for all regions to ensure comprehensive monitoring of all activities across your AWS resources.
  • Consider using CloudTrail Insights to detect and respond to unusual activity patterns, especially those associated with write API calls.
  • Direct CloudTrail logs to Amazon S3 and CloudWatch Logs to facilitate long-term storage, monitoring, and analysis.
  • Regularly review CloudTrail logs to ensure that any resource deletions or changes are tracked and properly audited.
  • Use CloudTrail Lake for optimized, SQL-based querying of logs and centralized event management across your AWS environment.