Track User Activity & API Usage Using Cloudtrail
We all try to do monitoring setup for the AWS resources such as CPU , Memory usage etc. But at the same time we need to setup a security monitoring such as security group changes , AWS console Login , API actions on AWS services.
In this guide , We will setup Cloudtrail which will help us to track all the changes or activity happening across the services.
What Is Cloudtrail?
AWS Cloudtrail helps use to enable operational & risk auditing , compliance , governance of the AWS accounts.
It will record all the activity performed by the users , roles and by other AWS services as an event in the Cloudtrail.
Activities can be initiated using AWS console , AWS command line interface , API’s and SKD’s.
Types Of Trails In AWS Account.
When we enable a trail for an AWS account , We can enable it in two ways.
- A trail that applies to all regions – Events across the AWS regions will be recorded as an events in the cloudtrail
- A trail that applied to One region – Events will be recorded only for the region we enable cloudtrail.
Checking Cloudtrail Logs
We can check the event history for all the events stored in the cloudtrail , But only for the last 90 days.
We can also download the last 90 days of events as CSV or JSON.
Creating CloudTrail Using AWS Console
Lets go ahead a create a trail for the AWS account.
Login to Cloudtrail console , You can see some of the events recorded by the cloudtrail for you.
You can see that the user has logged into the console and it is recorded as an event by the trail.
You can expand the each events for more details about that event.
You can apply filters based on the services or the event , Also you can check the events for a time range.
In the left navigation pane , Choose Trails and You can see that the account dont have any trails created yet.
To create a Trail , Click Create Trail
Provide a Name for the trail and Here you have options Whether to enable trail to all the region or not.
If you want to track events across all the regions , Lets say you have AWS resources in two different regions , Then you should enable trails to all the regions.
Under Management events
You can track events based on the events such as Read-only , Write-only or Read/Write.
Read only for read API operations such as Describe
Write only for create , update , delete API operations.
Also Enable KMS events in the cloudtrail.
Do not make any changes in the Data event , Use the default settings.
Under Storage location , We are going to send all the cloudwatch events to S3 bucket.
We can either create a new bucket for this log delivery to S3 bucket or We can use the existing bucket.
Also We can send the logs to a folder within a S3 bucket.
You can also perform the below actions for the logs that will be stored in S3 bucket.
Encrypt Log files with SSE-KMS – You can enrypt files using SSE-KMS instead of SSE-S3
Send out a notification For every log file delivery to S3 bucket
Add a tag to the Trail and then click Create.
Now that you have created the Cloud trail for the AWS account across the AWS regions.
To enable or disable the Trail, Click the trail name
You can enable or disable using the Logging
We can also delete the trail itself using the delete icon.
To check the logs stored in the S3 bucket , Go to the bucket , You can find a folder named AWSLogs
It follows a folder hierarchy to store the logs. The logs are segregated by the account , year , Data and the Day.
Conclusion
We have successfully implemented a auditing mechanism for the AWS account and we have configured logging for the same.
Hope you find it helpful. Please check out my other publications.