Table of contents
1. Introduction
2. Setup
3. Alerting
4. Metrics
5. Logs Insights
6. Athena
7. Frequently Asked Questions
7.1. What is AWS CloudTrail?
7.2. How does CloudTrail work?
7.3. What are the benefits of CloudTrail?
7.4. What is the difference between AWS Config and CloudTrail?
8. Conclusion
Last Updated: Mar 27, 2024

AWS CloudTrail

Introduction

Welcome readers! In this blog, we will learn about AWS CloudTrail. AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, the AWS Command Line Interface, and the AWS SDKs and APIs are all recorded as events.

CloudTrail Event History shows only the previous 90 days of activity for the current region, and only for the AWS services that CloudTrail supports. These events are confined to account activity and management events such as create, modify, and delete API requests. Configure a CloudTrail trail to get a complete record of account activity, including all management events, data events, and read-only activity.

Setup

AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, risk, and operational auditing. In CloudTrail, actions made by a Principal (User, Role, or AWS Service) are recorded as events.

We will highlight the steps below:

1. Search for the CloudTrail Service under the Management Tools Section in the console and click on CloudTrail.

2. The redesigned CloudTrail console will be the default experience starting the week of August 10, 2020. You'll be able to go back to the previous console if you want. In this workshop, though, we'll be using the new CloudTrail Console.

3. Once in the CloudTrail Console, click on Trails on the Left Side of the screen.

4. Then Click on Create Trail to create our trail for this lab.

5. Apply the following settings and create the trail.

Alerting

In this part we'll use Amazon EventBridge to monitor and alert when an IAM policy is attached to an IAM user. The EventBridge rule we create will match a specific CloudTrail event name and publish an SNS notification each time that event occurs.

1. Go to the Amazon EventBridge console.

2. Once in the EventBridge Console, click on Rules on the Left Side of the screen.

3. Click on the Create rule button.

4. Configure the Rule using the following settings:

  • Enter a Name for the rule (e.g. AttachUserPolicy_Event).
  • Event Pattern:
    • Pre-defined pattern by service
    • Service provider: AWS
    • Service Name: IAM
    • Event Type: AWS API Call via CloudTrail
    • Specific operation(s): AttachUserPolicy
  • Targets: SNS topic
  • Topic: CloudWatchAlarmsForCloudTrail-AlarmNotificationTopic-XXXXXXXXX

5. Click Create, and you will see the rule created.
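To see exactly which CloudTrail records the rule above would forward to SNS, here is an added example (not part of the original post or of AWS's own code) that writes the console settings as an EventBridge event pattern and applies the exact-match subset of EventBridge's matching rules to constructed CloudTrail records; the records, the to_eventbridge_event wrapper and the notification text are assumptions for illustration.

```python
import json

# EventBridge event pattern equivalent to the console settings above (service IAM,
# event type "AWS API Call via CloudTrail", specific operation AttachUserPolicy).
ATTACH_USER_POLICY_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": ["AttachUserPolicy"]},
}

def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every key in the pattern
    must exist in the event, a list of values is an OR of exact matches, and a nested
    dict is matched recursively. Event keys absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def to_eventbridge_event(record):
    """Constructed helper: wrap a CloudTrail record the way it arrives on the event bus,
    with the record as "detail" and "source" derived from eventSource."""
    return {"source": "aws." + record["eventSource"].split(".")[0],
            "detail-type": "AWS API Call via CloudTrail", "detail": record}

def alerts_for(records, pattern=ATTACH_USER_POLICY_PATTERN):
    """Return the notification text the SNS target would carry for each matching record."""
    alerts = []
    for r in records:
        if matches(pattern, to_eventbridge_event(r)):
            p = r["requestParameters"]
            alerts.append("%s attached %s to user %s" % (r["userIdentity"]["arn"], p["policyArn"], p["userName"]))
    return alerts

# Constructed sample CloudTrail records (not real account data).
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",  # same service, other operation
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",  # other service
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "requestParameters": {"bucketName": "example-bucket"}},
]

if __name__ == "__main__":
    print(json.dumps(alerts_for(SAMPLE_RECORDS), indent=2))
```

Only the first record fires the rule; AttachRolePolicy is silently ignored, which is why a production rule usually lists every policy-attachment operation it cares about in "eventName".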

Metrics

Metric filters keep track of events in a log group as they are delivered to CloudWatch Logs. You can match and count individual terms, or extract values from log events and publish them as a metric. In this part, we'll manually create a metric filter that counts CloudTrail's access denied errors.

1. Go to the CloudWatch console.

2. Select the CloudTrail Log Group we created in the setup.

3. Once selected, click Actions and Create Metric Filter.

4. In the Filter pattern field, copy and paste the following filter pattern, which matches every event whose errorCode is ValidationException or AccessDenied.

{$.errorCode = "ValidationException" || $.errorCode = "AccessDenied"}

5. Select log data to test from the dropdown, such as accountid_CloudTrail_region (123456789012_CloudTrail_us-east-1).

6. Click on Test Pattern to make sure the filter is working.

7. Click Next.

8. On the Create Metric Filter and Assign a Metric page, enter:

  • Filter Name: errorCode-ValidationException-and-AccessDenied
  • Metric Namespace: LogMetrics
  • Metric Name: AccessError
  • Metric Value: 1

9. Click Next and Create metric filter.
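What the filter does with a stream of CloudTrail records, as an added example that is not from the original post or from AWS: each matching record contributes Metric Value 1, CloudWatch sums those values per period, and a CloudWatch alarm on that sum is what actually pages someone. The sample records, the 60-second period and the threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# The metric filter from step 4 as a predicate over one CloudTrail record.
MATCHED_ERROR_CODES = {"ValidationException", "AccessDenied"}

def metric_filter_matches(record):
    """{$.errorCode = "ValidationException" || $.errorCode = "AccessDenied"}:
    a successful call has no errorCode field, so it can never match."""
    return record.get("errorCode") in MATCHED_ERROR_CODES

def access_error_metric(records, period_seconds=60):
    """Emit the AccessError metric: value 1 per matching record, summed per period
    (what CloudWatch does with Metric Value 1 and the Sum statistic).
    Returns {period_start_epoch_seconds: sum}."""
    buckets = Counter()
    for r in records:
        if metric_filter_matches(r):
            t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            buckets[int(t.timestamp()) // period_seconds * period_seconds] += 1
    return dict(buckets)

def breached_periods(metric, threshold):
    """Periods whose Sum reaches the threshold: an alarm on AccessError >= threshold
    with one evaluation period would enter ALARM for each of them."""
    return sorted(p for p, n in metric.items() if n >= threshold)

# Constructed sample CloudTrail records (not real account data).
SAMPLE = [
    {"eventTime": "2024-03-27T10:00:05Z", "eventName": "DescribeInstances", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-03-27T10:00:20Z", "eventName": "GetObject"},  # success: no errorCode
    {"eventTime": "2024-03-27T10:00:41Z", "eventName": "ListBuckets", "errorCode": "AccessDenied"},
    {"eventTime": "2024-03-27T10:00:55Z", "eventName": "PutMetricFilter", "errorCode": "ValidationException"},
    {"eventTime": "2024-03-27T10:02:10Z", "eventName": "GetCallerIdentity", "errorCode": "ThrottlingException"},
    {"eventTime": "2024-03-27T10:02:30Z", "eventName": "AssumeRole", "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    metric = access_error_metric(SAMPLE)
    for period in sorted(metric):
        print(datetime.fromtimestamp(period, timezone.utc).isoformat(), metric[period])
    print("alarm periods at threshold 3:", breached_periods(metric, 3))
```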

Logs Insights

CloudWatch Logs Insights lets you search and examine your log data in Amazon CloudWatch Logs interactively. You can run queries to help you respond to operational concerns more quickly and effectively. You can use CloudWatch Logs Insights to discover potential causes and confirm applied fixes if an issue occurs.

CloudWatch Logs Insights detects fields in logs from AWS services, including Amazon Route 53, AWS Lambda, AWS CloudTrail, and Amazon VPC, as well as any application or custom log that emits JSON log events. In this lab, we'll use Insights to query CloudTrail events and CloudWatch Logs data and add it to a CloudWatch Dashboard.

1. Go to the CloudWatch Dashboards console.

2. Click Create dashboard.

  • Enter the dashboard name MyFirstDashboard.
  • Click Create dashboard.

3. Select the widget type to configure: Logs table (Explore results from Logs Insights), and click Next.

4. From the drop-down, select the CloudWatch Log Group created during the setup.

5. In the query pane, enter the following query, which filters failed console sign-in attempts to the AWS account and also captures whether MFA was used.

filter eventSource="signin.amazonaws.com" and eventName="ConsoleLogin" and responseElements.ConsoleLogin="Failure" | stats count(*) as Total_Count by sourceIPAddress as Source_IP, errorMessage as Reason, awsRegion as AWS_Region, userIdentity.arn as IAM_Arn, additionalEventData.MFAUsed as MFA_Used

6. Click on Run Query to view results.

7. Click on Create widget, and you will see your first dashboard created.

8. Go to the CloudWatch Logs Insights console.

9. Select the CloudWatch Log Group created during the setup from the drop-down.

10. In the query pane, enter the following query, which filters the AWS Regions, user names, and ARNs of newly created IAM users.

filter eventName="CreateUser" | fields awsRegion, requestParameters.userName, responseElements.user.arn

11. Click on Run Query to view results.
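To make the two Logs Insights queries above concrete, here is an added example (not part of the original post or of AWS's own tooling) that evaluates both of them over constructed CloudTrail records: the failed ConsoleLogin query from step 5 and the CreateUser query from step 10. The field helper and the login record builder are assumptions for illustration; the records are constructed, not real account data.

```python
from collections import Counter

def field(record, path):
    """Resolve a dotted Logs Insights field name (e.g. responseElements.ConsoleLogin)
    against one CloudTrail record; a missing field resolves to None, as in Insights."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

FAILED_LOGIN_GROUP_BY = ["sourceIPAddress", "errorMessage", "awsRegion",
                         "userIdentity.arn", "additionalEventData.MFAUsed"]

def failed_console_logins(records):
    """Step 5 query: filter on eventSource/eventName/responseElements.ConsoleLogin, then
    stats count(*) by the five grouping fields.
    Returns {(Source_IP, Reason, AWS_Region, IAM_Arn, MFA_Used): Total_Count}."""
    counts = Counter()
    for r in records:
        if (field(r, "eventSource") == "signin.amazonaws.com"
                and field(r, "eventName") == "ConsoleLogin"
                and field(r, "responseElements.ConsoleLogin") == "Failure"):
            counts[tuple(field(r, f) for f in FAILED_LOGIN_GROUP_BY)] += 1
    return dict(counts)

def new_iam_users(records):
    """Step 10 query: filter eventName="CreateUser" | fields awsRegion, userName, arn."""
    return [(field(r, "awsRegion"), field(r, "requestParameters.userName"),
             field(r, "responseElements.user.arn"))
            for r in records if field(r, "eventName") == "CreateUser"]

def login(ip, outcome, mfa, arn="arn:aws:iam::123456789012:user/alice"):
    """Build a constructed ConsoleLogin record in CloudTrail's shape (not real data)."""
    rec = {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
           "sourceIPAddress": ip, "userIdentity": {"arn": arn},
           "responseElements": {"ConsoleLogin": outcome}, "additionalEventData": {"MFAUsed": mfa}}
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec

SAMPLE = [
    login("198.51.100.7", "Failure", "No"),
    login("198.51.100.7", "Failure", "No"),   # repeated failure from the same source
    login("203.0.113.9", "Failure", "Yes"),
    login("198.51.100.7", "Success", "Yes"),  # successful login: excluded by the filter
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "requestParameters": {"userName": "bob"},
     "responseElements": {"user": {"arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"}}},
]
```

Running failed_console_logins(SAMPLE) groups the two failures from 198.51.100.7 into one row with Total_Count 2, which is the shape the dashboard widget displays.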

Athena

Querying CloudTrail logs with Athena is a powerful way to analyse AWS service activity. You can, for example, use queries to spot trends and isolate activity by attributes such as source IP address or user.

1. To get started, go to the S3 Console.

  • Click the Create bucket button.
  • Find your account ID at the top right corner of the screen.
  • Enter a Bucket name such as aws-athena-query-results-accountid-us-east-1 (replace accountid with yours).
  • Click Create bucket and leave the rest of the settings alone.

2. Go to the Athena Console.

  • To begin, select Get Started.
  • In the top right corner of the screen, select Settings.
  • Enter the Query result location with your S3 bucket, such as s3://aws-athena-query-results-accountid-us-east-1/ (replace accountid with yours).
  • Leave everything else as it is and click Save.

3. Go to the CloudTrail Event History Console.

  • Click on Create Athena Table.
  • Choose the Storage location from the dropdown: aws-cloudtrail-logs-accountid-hash
  • Click on Create table.

4. Go back to the Athena Console.

  • Choose the default Database on the left to show the Athena table name.
  • Copy the table name, substitute it for TABLE_NAME in the following queries, and click on Run Query.

5. Console sign-in activity: Auditing your login activity is critical, whether it's to fulfill a compliance standard like PCI, adhere to a best practice security framework like NIST, or simply to better understand who is accessing your assets. The following query gives information such as the user's name, IP address, time of day, if the login was made using the mobile console, and whether multi-factor authentication was utilized.

SELECT useridentity.username,
       errormessage,
       sourceipaddress,
       eventtime,
       additionaleventdata
FROM default.TABLE_NAME
WHERE eventname = 'ConsoleLogin'

6. AWS event errors: Recurring error messages may indicate a misconfigured policy, incorrect permissions granted to an application, or an unnoticed change in your workloads. The following query displays the top ten errors since the date given in the WHERE clause.

SELECT count(*) AS TotalEvents,
       eventname,
       errorcode,
       errormessage
FROM default.TABLE_NAME
WHERE errorcode IS NOT NULL
  AND eventtime >= '2021-05-01T00:00:00Z'
GROUP BY eventname, errorcode, errormessage
ORDER BY TotalEvents DESC
LIMIT 10


Frequently Asked Questions

What is AWS CloudTrail?

AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events.

How does CloudTrail work?

CloudTrail records activities taken by the user directly or by an AWS service on their behalf. An AWS CloudFormation CreateStack call, for example, may result in subsequent API calls to Amazon EC2, Amazon RDS, Amazon EBS, or other services as needed by the AWS CloudFormation template.

What are the benefits of CloudTrail?

CloudTrail enables you to demonstrate compliance, strengthen your security posture, and consolidate activity data across regions and accounts. By documenting actions made on your account, CloudTrail gives visibility into user activity.

What is the difference between AWS Config and CloudTrail?

AWS Config focuses on the configuration of your AWS resources and provides detailed snapshots of how they've changed over time. CloudTrail focuses on the events that cause those changes, such as API calls: it records user, application, and system activity.

Conclusion

In this article, we have extensively discussed AWS CloudTrail, the service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events.

We hope that this blog has helped you enhance your knowledge regarding AWS CloudTrail. Do upvote our blog to help other ninjas grow.

After reading about AWS CloudTrail, are you not feeling excited to read/explore more articles on the topic of AWS resources? Don't worry; Coding Ninjas has you covered. To learn more, see Operating System, Unix File System, File System Routing, and File Input/Output.

Refer to our Guided Path on Coding Ninjas Studio to upskill yourself in Data Structures and Algorithms, Competitive Programming, JavaScript, System Design, and many more! If you want to test your competency in coding, you may check out the mock test series and participate in the contests hosted on Coding Ninjas Studio! But if you have just started your learning process and are looking for questions asked by tech giants like Amazon, Microsoft, Uber, etc., you must look at the problems, interview experiences, and interview bundle for placement preparations.

Nevertheless, you may consider our paid courses to give your career an edge over others!

Do upvote our blogs if you find them helpful and engaging!

Happy Learning!