What Is AWS CloudTrail?
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
- It’s enabled when the account is created
- When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.
- Entries can be viewed in Event History(for 90 days)
- Event logs can be aggregated across accounts.
- Historically CloudTrail was not enabled by default
- It won’t logs events like SSH/RDP only API call.
For an ongoing record of activity and events in your AWS account, create a trail. It allows us to send logs to S3 bucket and can be single or multi-region.
To create a trail
Go to AWS Console --> Management & Governance --> CloudTrail --> Trails --> Create trail
* Trail name: Give your trail name
* Apply trail to all regions: You have an option to choose all regions or specific region.
* Read/Write events: You have the option to filter the events
* Data events: Data events provide insights into the resource operations performed on or within a resource
S3: You can record S3 object-level API activity (for example, GetObject and PutObject) for individual buckets, or for all current and future buckets in your AWS account
Lambda:You can record Invoke API operations for individual functions, or for all current and future functions in your AWS account.
* Storage Locations: Where to store the logs, we can create new bucket or use existing bucket
* Log file prefix: We have the option to provide prefix, this will make it easier to browse log file
* Encrypt log file with SSE-KMS: Default SSE-S3 Server side encryption(AES-256) or we can use KMS
* Enable log file validation: To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation
* Send SNS notification for every log file delivery:SNS notification of log file delivery allow us to take action immediately
- There is always a delay between when the event occurs vs displayed on CloudTrail dashboard. On the top of that, there is an additional delay when that log will be transferred to S3 bucket.
- Delivered every 5(active) minutes with up to 15-minute delay
- All CloudEvents are JSON structure you will see something like this when you try to view any event
Validating CloudTrail Log File Integrity
- To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.
- This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.
- This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.
- You can use the AWS CLI to validate the files in the location where CloudTrail delivered them
- Validation of logs can only be performed at the command line
$ aws cloudtrail validate-logs --trail-arn arn:aws:cloudtrail:us-east-1:XXXXXXX:trail/mytestcloudtrail --start-time 2018-12-27T00:09:00Z --end-time 2018-12-27T00:10:00Z --verboseValidating log files for trail arn:aws:cloudtrail:us-east-1:XXXXXXX:trail/mytestcloudtrail between 2018-12-27T00:09:00Z and 2018-12-27T00:10:00ZResults requested for 2018-12-27T00:09:00Z to 2018-12-27T00:10:00ZNo digests found
- We can also configure a CloudTrail to send copies of logs to CloudWatch Logs(central location which aggregates logs)
- Go back to the trail we have just configured and click on Configure
In order to successfully deliver CloudTrail events to your CloudWatch Logs log group, CloudTrail will assume the role you are creating or specifying. Assuming the role grants CloudTrail permissions to two CloudWatch Logs API calls: 1. CreateLogStream: Create a CloudWatch Logs log stream in the CloudWatch Logs log group you specify
2. PutLogEvents: Deliver CloudTrail events to the CloudWatch Logs log stream
- Under CloudWatch logs, you will now see the newly created Log Groups