Introduction
AWS CloudTrail is like a surveillance camera for your AWS environment. It sits in the background unseen and records all API calls and user activities, giving you detailed logs of who did what, what resource, and when.
CloudTrail captures every action taken in your AWS account. Whether an application makes an API call or an IAM user modifies resources, CloudTrail has you covered.
Auditing and logging might sound a little dull, but understanding CloudTrail's contents and capabilities will help you understand what’s going on in your one or many AWS Accounts. It is a Pandora’s box waiting to be opened.
Let's dig in!
The Importance of Auditing and Logging in AWS
Without proper auditing and logging, you’re flying blind. Logs help you detect suspicious activity, investigate incidents, determine why things are not working, and more.
It’s like having a security camera system that helps you deter the bad guys and assists your analysis when something stops working. This is crucial for identifying and mitigating potential security threats before they become significant.
How AWS CloudTrail Works
At its core, AWS CloudTrail works by recording API calls and events made within your AWS account. Here’s a quick rundown of how it operates:
Recording API Calls: CloudTrail logs every API call made in your AWS account, including details such as who made the call, the services used, the actions performed, and the parameters used for each action.
Storing Logs in S3: CloudTrail stores these log files in an S3 bucket that you specify when the trail is created. This ensures a centralised and secure place to store and analyse your logs.
Integration with Other AWS Services: CloudTrail can also be integrated with other AWS services, such as CloudWatch Logs and AWS Lambda, to create real-time alerts and automated responses to specific activities.
NOTE:- Occasionally, you will see a release from AWS for a service saying, “Now supports logging in CloudTrail.” Coverage is excellent, but there are still a few things you would expect to be supported that are not yet. Just be aware.
Key Components of AWS CloudTrail
The Trail
This resource enables the delivery of CloudTrail events to an S3 bucket or CloudWatch Logs. Trails can be created to capture events in all regions and across multiple accounts.
An Event
A record of an activity in your AWS account. Events can be categorised into management, data, and insights events, each providing different levels of detail about the actions performed.
Management Events
These record management operations performed on resources in your AWS account, such as creating, deleting, or modifying resources. These events are enabled by default.
As you can see from the following example, they contain a lot of useful information.
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAEXAMPLEID",
    "arn": "arn:aws:iam::123456789012:user/example-user",
    "accountId": "123456789012",
    "accessKeyId": "EXAMPLEACCESSKEY",
    "userName": "example-user"
  },
  "eventTime": "2024-07-31T19:23:21Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "LoginTo": "https://console.aws.amazon.com/console/home",
    "MobileVersion": "No"
  },
  "eventID": "3c829b2b-xxxx-4f5d-b3c3-xxxxxxxxxxxx",
  "readOnly": false,
  "eventType": "AwsConsoleSignIn",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "sharedEventID": "3c829b2b-xxxx-4f5d-b3c3-xxxxxxxxxxxx",
  "eventCategory": "Management"
}
Data Events
These are high-volume data operations such as S3 object-level API activity (e.g., GetObject, PutObject) and Lambda function invocations. These events are not enabled by default and need to be specifically configured.
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAEXAMPLEID",
    "arn": "arn:aws:iam::123456789012:user/example-user",
    "accountId": "123456789012",
    "accessKeyId": "EXAMPLEACCESSKEY",
    "userName": "example-user"
  },
  "eventTime": "2024-07-31T19:23:21Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "aws-sdk-java/1.11.836 Linux/4.14.154-128.181.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/11.0.6+10-LTS java/11.0.6",
  "requestParameters": {
    "bucketName": "example-bucket",
    "key": "example-folder/example-object.txt"
  },
  "responseElements": null,
  "additionalEventData": {
    "x-amz-id-2": "example-id-2",
    "x-amz-request-id": "example-request-id"
  },
  "requestID": "example-request-id",
  "eventID": "3c829b2b-xxxx-4f5d-b3c3-xxxxxxxxxxxx",
  "readOnly": true,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::example-bucket/example-folder/example-object.txt"
    },
    {
      "accountId": "123456789012",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::example-bucket"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "123456789012",
  "eventCategory": "Data"
}
NOTE:- As you can imagine, the volume of these events can get very high if enabled, so use them cautiously. They are useful for debugging and are sometimes required for compliance.
Insights Events
These are created when you turn on Insights, which automatically analyses CloudTrail logs to detect unusual operational activity and generate insights events. These help you identify and respond to anomalies in your AWS environment.
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAEXAMPLEID",
        "arn": "arn:aws:iam::123456789012:user/example-user",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLEACCESSKEY",
        "userName": "example-user"
      },
      "eventTime": "2024-07-31T19:23:21Z",
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "StartLogging",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "aws-sdk-java/1.11.836 Linux/4.14.154-128.181.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/11.0.6+10-LTS java/11.0.6",
      "requestParameters": {
        "name": "ExampleTrail"
      },
      "responseElements": null,
      "additionalEventData": {
        "eventCategory": "Insights",
        "insightDetails": {
          "state": "Start",
          "eventID": "3c829b2b-xxxx-4f5d-b3c3-xxxxxxxxxxxx",
          "insightType": "ApiCallRateInsight",
          "insightContext": {
            "statistics": {
              "baseline": {
                "average": 5,
                "stdDeviation": 1.5
              },
              "insight": {
                "average": 25,
                "stdDeviation": 2
              }
            },
            "apiCallRate": {
              "service": "ec2.amazonaws.com",
              "apiName": "DescribeInstances"
            }
          }
        }
      },
      "eventID": "3c829b2b-xxxx-4f5d-b3c3-xxxxxxxxxxxx",
      "readOnly": false,
      "eventType": "AwsApiCall",
      "managementEvent": false,
      "recipientAccountId": "123456789012",
      "eventCategory": "Insight"
    }
  ]
}
NOTE:- Insights is not enabled by default and adds extra cost to your trails.
Key Features of AWS CloudTrail
Log File Integrity
Log file integrity ensures that the log files stored in your S3 bucket haven’t been altered or deleted. This is crucial for maintaining the accuracy and trustworthiness of your audit logs.
This is how it works:-
CloudTrail captures an event
Log File gets created
The Log File is delivered to the S3 Bucket
A SHA-256 Hash is created for each Log File
A Digest File is created Hourly with all the Log File Hashes
Digest File is delivered to S3 Bucket in a separate object location
Using these digest files, you can recalculate the hashes and confirm that the source log files have not been changed or tampered with.
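The hash step of that process can be reproduced offline. The following is an added example (not code from the article or from AWS): it builds two constructed, gzipped log objects, writes a simplified digest whose per-file entries are modelled on the logFiles entries of a real digest file, and then recomputes every hash to classify each object as VALID, INVALID (rewritten) or MISSING (deleted). Object keys, record contents and the bucket name are constructed sample values. A real digest file additionally carries its time window, a link and hash for the previous digest, and an RSA signature, which is what aws cloudtrail validate-logs checks on top of the hashes shown here.

```python
import gzip
import hashlib
import json


def _log_object(records):
    """Gzip a Records array the way a CloudTrail log object is stored in S3."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


# Constructed sample objects (example data, not real trail output).
LOG_OBJECTS = {
    "CloudTrail/us-east-1/2024/07/31/log-1.json.gz":
        _log_object([{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"}]),
    "CloudTrail/us-east-1/2024/07/31/log-2.json.gz":
        _log_object([{"eventName": "GetObject", "eventSource": "s3.amazonaws.com"}]),
}


def sha256_hex(data: bytes) -> str:
    """Hash the object bytes exactly as stored (compressed), as the digest does."""
    return hashlib.sha256(data).hexdigest()


def build_digest(bucket, objects):
    """Build a simplified digest manifest: one SHA-256 per stored log object.

    The per-file fields mirror the logFiles entries of a real digest file; the
    real file also has a time window, previous-digest link and RSA signature.
    """
    return {
        "digestS3Bucket": bucket,
        "logFiles": [
            {
                "s3Bucket": bucket,
                "s3Object": key,
                "hashAlgorithm": "SHA-256",
                "hashValue": sha256_hex(data),
            }
            for key, data in sorted(objects.items())
        ],
    }


def validate_log_files(digest, objects):
    """Recompute the hash of every object the digest lists and classify it."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        data = objects.get(key)
        if data is None:
            results[key] = "MISSING"    # deleted since the digest was written
        elif sha256_hex(data) != entry["hashValue"]:
            results[key] = "INVALID"    # rewritten since the digest was written
        else:
            results[key] = "VALID"
    return results


def rewritten_copy(objects, key):
    """Return a copy of the object store in which one log object has been replaced
    (simulates a modified log so the INVALID path can be exercised)."""
    altered = dict(objects)
    altered[key] = gzip.compress(b'{"Records": []}')
    return altered


if __name__ == "__main__":
    digest = build_digest("example-bucket", LOG_OBJECTS)
    print(validate_log_files(digest, LOG_OBJECTS))
    first = sorted(LOG_OBJECTS)[0]
    print(validate_log_files(digest, rewritten_copy(LOG_OBJECTS, first)))
```

The important detail is that the digest is written to a separate object location and the hash covers the object bytes as stored, so a log file that is rewritten or removed after delivery no longer matches its digest entry; in production, protect the digest and log prefixes with bucket policies and rely on the signature chain rather than on hashes alone.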
CloudWatch Integration
CloudTrail can be sent to S3 and to a CloudWatch Log Group. This allows you to use CloudWatch Insights to analyse your logs through a SQL-like search language. This is useful for debugging, and you can add and save these searches to dashboards.
Once you find a relevant activity, you can also create alarms to automatically notify you when it occurs again.
Insights
CloudTrail Insights helps you identify and respond to unusual operational activity in your AWS account. It automatically analyses your CloudTrail logs using machine learning to detect unusual patterns and generates insights events, allowing you to investigate and address potential security threats quickly.
Multi-Region Configuration
A multi-region CloudTrail can be created, ensuring that all events in every region are logged, providing a comprehensive view of activities across your AWS environment.
If you are using AWS Organizations (and you should be), you can create an Organisation multi-region CloudTrail that logs all events for all AWS accounts for all enabled regions in that organization! Very powerful. This is sometimes referred to as an organization trail.
Benefits of Using AWS CloudTrail
We have touched on some of the benefits above, but let's highlight the following:
Security and Compliance Benefits
Auditing: AWS CloudTrail provides detailed logs of all API calls in your AWS environment. These logs are invaluable for auditing, allowing you to track user activity and access patterns. This ensures that any environmental changes are recorded and can be reviewed for compliance and security audits.
Incident Response: In the event of a security incident, CloudTrail logs can be used to quickly identify the root cause and the actions taken by users or services. This detailed logging helps trace unauthorised access, understand the extent of the breach, and implement measures to prevent future incidents.
Compliance: Many regulatory frameworks require detailed logging of user activities. AWS CloudTrail helps meet these requirements by providing comprehensive logs that can be used to demonstrate compliance with standards such as PCI DSS, HIPAA, and GDPR. This is crucial for businesses operating in regulated industries.
Operational Benefits
Troubleshooting: CloudTrail logs are essential for troubleshooting operational issues. When an unexpected behaviour or error occurs, the logs provide a detailed history of API calls and changes made to the environment. This information helps diagnose and resolve issues more efficiently.
Optimisation: By analysing CloudTrail logs, you can identify patterns and trends in resource usage. This information is valuable for optimising the performance and efficiency of your AWS environment. For example, you can detect and rectify inefficient API calls or identify opportunities for automation.
Cost Benefits
Identifying Unused Resources: CloudTrail logs can help identify resources that are under-utilised or unused. By tracking the activity on your resources, you can pinpoint instances, volumes, or services that can be downsized or terminated, leading to cost savings.
Cost Management: Understanding the detailed usage patterns through CloudTrail logs allows for better cost management. By identifying the areas where resources are being under-utilised or misconfigured, you can make informed decisions to optimise resource allocation and reduce unnecessary expenses.
Understanding CloudTrail Logs
Log File Format and Structure
CloudTrail logs are stored in JSON format, making them human-readable and easy to parse programmatically. Each log file contains a series of records, each representing a single API call or event. Key fields in each record include:
eventTime: The date and time of the event.
eventName: The name of the API action.
eventSource: The AWS service that the request was made to.
awsRegion: The region where the event occurred.
sourceIPAddress: The IP address from which the request originated.
userAgent: Information about the requester’s application or browser.
userIdentity: Details about the user or service that made the request.
Filtering and Searching Logs
To get the most out of your CloudTrail logs, you’ll often need to filter and search through the logs to find specific events. The CloudTrail console provides a user-friendly interface to search and filter logs. You can specify filters based on time range, event name, user name, etc.
This interface will get you started, but I recommend sending your CloudTrail logs to CloudWatch, as CloudWatch insights are much more powerful.
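Whether you search in the console or in CloudWatch, the same filters (time range, event name, user) map directly onto the record fields listed above. The following added example (not from the article) parses a constructed log file in the Records layout, pulls out the key fields, applies those filters, and adds one defender-side check a practitioner usually wants: flagging CloudTrail API calls that stop or reconfigure logging. The sample records, IP addresses and user agents are constructed; the field names are the standard CloudTrail ones.

```python
import json
from datetime import datetime, timezone

# Constructed sample log file (example data, not real trail output).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-07-31T19:23:21Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-07-31T19:40:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"},
     "requestParameters": {"name": "ExampleTrail"}},
    {"eventTime": "2024-07-31T20:05:45Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.0", "userAgent": "aws-sdk-java/1.11.836",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
     "requestParameters": {"bucketName": "example-bucket",
                           "key": "example-folder/example-object.txt"}},
]})

KEY_FIELDS = ("eventTime", "eventName", "eventSource", "awsRegion",
              "sourceIPAddress", "userAgent")

# CloudTrail management calls that stop or change what a trail records.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal(record) -> str:
    """Best human-readable name for who made the call: IAM user name, else ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarise(record) -> dict:
    """Reduce a full record to the key fields plus the resolved principal."""
    row = {field: record.get(field) for field in KEY_FIELDS}
    row["principal"] = principal(record)
    return row


def filter_records(log_text, start=None, end=None, event_name=None, user_name=None):
    """Apply the console-style filters (time range, event name, user) to a log file."""
    matches = []
    for record in json.loads(log_text)["Records"]:
        when = parse_time(record["eventTime"])
        if start is not None and when < start:
            continue
        if end is not None and when > end:
            continue
        if event_name is not None and record.get("eventName") != event_name:
            continue
        if user_name is not None and principal(record) != user_name:
            continue
        matches.append(summarise(record))
    return matches


def find_trail_tampering(log_text):
    """Return summaries of calls that stop or reconfigure CloudTrail itself."""
    return [summarise(r) for r in json.loads(log_text)["Records"]
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in TRAIL_TAMPER_EVENTS]


if __name__ == "__main__":
    for row in filter_records(SAMPLE_LOG, user_name="example-user"):
        print(row)
    print(find_trail_tampering(SAMPLE_LOG))
```

The tampering check is the kind of saved search worth turning into a CloudWatch alarm once the logs are in a log group: a StopLogging or DeleteTrail call is rarely routine and is the first thing to look for when a trail goes quiet.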
Best Practices for Using AWS CloudTrail
Here are some best practices to consider when setting up your CloudTrail.
Enable CloudTrail in All Enabled Regions - Ensure CloudTrail is enabled in all AWS regions to capture events from across your entire AWS environment. This provides comprehensive visibility and helps you avoid blind spots.
Use Organization Trails - If you’re using AWS Organizations, create an organization trail that applies to all accounts. This centralises logging and makes managing and reviewing logs across multiple accounts easier.
Consolidate Logs in a Central S3 Bucket - Configure CloudTrail to send logs from all accounts and regions to a central S3 bucket. This simplifies log management and analysis.
Implement Log Retention and Archiving Policies - Establish retention policies based on your compliance and operational needs. Use S3 lifecycle policies to automatically transition older logs to cheaper storage classes like S3 Glacier for long-term retention.
Enable Log File Integrity Validation - Turn on log file integrity validation to ensure your logs have not been tampered with. This is crucial for maintaining the integrity and trustworthiness of your audit records.
Regularly Review and Archive Logs - Review your logs to identify and respond to potential security and configuration issues. Archive logs that are no longer needed for immediate analysis but must be retained for compliance purposes.
Automated Response - Use AWS Lambda and other automation tools to create automated responses to specific events. For example, automatically quarantine a compromised instance or alert the security team when a critical action is detected.
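Several of these practices correspond to flags on the trail itself, so they can be checked mechanically. The following added example (not code from the article) audits a constructed describe_trails-style response against the multi-region, organization-trail, log-file-validation and CloudWatch Logs practices above; the trail names, bucket and ARNs are constructed sample values, while the keys (IsMultiRegionTrail, IsOrganizationTrail, LogFileValidationEnabled, CloudWatchLogsLogGroupArn, IncludeGlobalServiceEvents) are the real fields of the CloudTrail DescribeTrails response. The global-service-events check is a practitioner addition beyond the list above, since a trail that omits them misses IAM and STS activity.

```python
# Constructed DescribeTrails-style response (example data, not real account output).
SAMPLE_TRAILS = {"trailList": [
    {"Name": "ExampleTrail",
     "S3BucketName": "example-bucket",
     "IncludeGlobalServiceEvents": True,
     "IsMultiRegionTrail": False,
     "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/ExampleTrail",
     "LogFileValidationEnabled": False,
     "IsOrganizationTrail": False},
    {"Name": "org-trail",
     "S3BucketName": "org-central-logs-bucket",
     "IncludeGlobalServiceEvents": True,
     "IsMultiRegionTrail": True,
     "HomeRegion": "us-east-1",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
     "LogFileValidationEnabled": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:org-trail:*",
     "IsOrganizationTrail": True},
]}

# (response key, finding text) pairs; a falsy or absent value produces the finding.
CHECKS = [
    ("IsMultiRegionTrail", "not multi-region: events in other regions are not captured"),
    ("IsOrganizationTrail", "not an organization trail: member accounts are not covered"),
    ("LogFileValidationEnabled", "log file integrity validation is off"),
    ("CloudWatchLogsLogGroupArn", "not delivered to CloudWatch Logs: no Insights queries or alarms"),
    ("IncludeGlobalServiceEvents", "global service events (IAM, STS) are excluded"),
]


def audit_trail(trail: dict) -> list:
    """Return the list of best-practice findings for one trail description."""
    return [finding for key, finding in CHECKS if not trail.get(key)]


def audit_trails(response: dict) -> dict:
    """Map each trail name to its findings for a whole DescribeTrails response."""
    return {trail["Name"]: audit_trail(trail) for trail in response.get("trailList", [])}


def trails_needing_attention(response: dict) -> list:
    """Names of trails with at least one finding, for a quick summary."""
    return [name for name, findings in audit_trails(response).items() if findings]


if __name__ == "__main__":
    for name, findings in audit_trails(SAMPLE_TRAILS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

In a real account the response would come from the CloudTrail DescribeTrails API rather than the constructed dictionary; the organization-trail finding only applies where AWS Organizations is in use, so treat it as informational in a standalone account.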
Wrapping Up
AWS CloudTrail is a powerful tool that comprehensively tracks and monitors user activities and API calls within your AWS environment. Enabling CloudTrail gives you invaluable insights into your operations, enhances your security posture, and ensures compliance with industry standards.
Don’t just set it up and forget about it, though. Remember to regularly review and analyse your CloudTrail logs to maximise the benefits of AWS CloudTrail.
Related Reads
Building on your knowledge of AWS CloudTrail, these articles will deepen your understanding of AWS monitoring and logging services. Learn the differences between CloudWatch and CloudTrail, track changes in DynamoDB, and analyze logs effectively: