CloudTrail
Solution Architect Associate
Developer Associate
Security Specialty
- Service that records the API calls made in your AWS account (console, CLI, SDK and service-to-service calls) as events
- Used for auditing
- Useful for detecting unauthorized calls and for finding the root cause of a change in an account
- Logs AWS API calls only; it does not see what happens inside an instance (RDP/SSH sessions, OS or application logs)
- Event history is on by default in every account and keeps the last 90 days of management events with no setup
- Retention beyond 90 days, data events, and delivery to S3 or CloudWatch Logs all require a trail, which you provision yourself
- To provision one, open CloudTrail and create a trail
- A trail can apply to one region or to all regions (usually choose all, so activity in regions you do not normally use is still captured)
- For management events you choose All, Read-only, Write-only or None; the default is All
- You can also log data events, such as object-level activity (GetObject, PutObject) on selected S3 buckets. These are off by default and incur additional charges
- You then choose an existing S3 bucket to deliver the trail to, or create a new one
- You can encrypt the log files with SSE-KMS, turn on log file validation, and have SNS publish a notification for each delivered log file. The per-file notification is usually left off because it is noisy; validation should be on
- It is best practice to deliver CloudTrail logs to a separate, dedicated logging account that administrators of the source accounts cannot write to. This supports compliance and stops whoever compromises a source account from tampering with its trail history
- All logs are stored in an S3 bucket
- Enable SSE-KMS encryption of the logs
- You can also send the trail to CloudWatch Logs for metric filters and alarms; this is not enabled by default
- A trail can record management events, data events and Insights events
- If log file validation is enabled, CloudTrail delivers an hourly digest file alongside the logs. The digest lists the SHA-256 hash of every log file delivered in that hour, is signed by CloudTrail, and records the hash of the previous digest, so you can prove that log files have not been modified or deleted
What is logged?
Each CloudTrail event is a JSON record describing one API call: who made it, where it came from, what was called, when, and with what parameters and result. The fields include:
- Metadata of API calls
- Identity of the caller
- Time the API call was made
- Source IP of the call
- Request parameters
- Response elements returned by the service
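As an added example (not part of these notes), here is a small Python triage script run over constructed records in the JSON shape a CloudTrail log file uses. It pulls out the fields listed above and flags the things the notes say CloudTrail is for: denied calls, use of the root account, and API calls that modify the trail itself. The sample events, the list of trail-tampering APIs and the alert rules are this example's own assumptions.

```python
"""Triage CloudTrail records offline (added example, not from the notes).

SAMPLE_LOG is constructed to look like a decompressed CloudTrail log file
(a JSON document with a top-level "Records" list); the events are not
real. The detection rules below are this example's own assumptions.
"""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    # A normal write call by an IAM user.
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "userName": "alice"},
     "requestParameters": {"userName": "deploy-bot"},
     "responseElements": {"user": {"userName": "deploy-bot"}},
     "readOnly": False, "managementEvent": True, "eventType": "AwsApiCall"},
    # A call that IAM refused: CloudTrail still records the attempt, with errorCode.
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:05:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "Boto3/1.34.0",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/contractor",
                      "userName": "contractor"},
     "requestParameters": None, "responseElements": None,
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: s3:ListAllMyBuckets",
     "readOnly": True, "managementEvent": True, "eventType": "AwsApiCall"},
    # The root account switching a trail off.
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:07:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "org-trail"}, "responseElements": None,
     "readOnly": False, "managementEvent": True, "eventType": "AwsApiCall"},
]})

# CloudTrail API calls that disable or weaken the audit trail itself (assumed list).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED = {"AccessDenied", "UnauthorizedOperation"}


def summarize(record):
    """Extract the fields the notes list: identity, time, source IP, call, params, response."""
    ident = record.get("userIdentity", {})
    return {
        "time": record["eventTime"],
        "caller": ident.get("arn", ident.get("type")),
        "caller_type": ident.get("type"),
        "source_ip": record.get("sourceIPAddress"),
        "service": record["eventSource"],
        "action": record["eventName"],
        "request": record.get("requestParameters"),
        "response": record.get("responseElements"),
        "error": record.get("errorCode"),
    }


def find_alerts(log_text):
    """Return (reason, summary) pairs for records worth a second look, in log order."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        s = summarize(rec)
        if s["error"] in DENIED:
            alerts.append(("denied call", s))
        if s["caller_type"] == "Root":
            alerts.append(("root account used", s))
        if s["service"] == "cloudtrail.amazonaws.com" and s["action"] in TRAIL_TAMPERING:
            alerts.append(("trail modified", s))
    return alerts


def denied_by_ip(log_text):
    """Count denied calls per source IP to spot a principal probing its permissions."""
    counts = Counter()
    for rec in json.loads(log_text)["Records"]:
        if rec.get("errorCode") in DENIED:
            counts[rec.get("sourceIPAddress")] += 1
    return dict(counts)


if __name__ == "__main__":
    for reason, s in find_alerts(SAMPLE_LOG):
        print(f"{s['time']} {reason}: {s['caller']} called {s['action']} from {s['source_ip']}")
```

In a real pipeline the same functions would run over each gzipped log file as it lands in the bucket (or over the CloudWatch Logs stream), and the root-account and trail-modified rules are the ones worth turning into alarms first, since both are rare in a healthy account.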
CloudTrail Insights
- Must be enabled per trail and incurs an additional cost
- Detects anomalies in your account's API activity (unusual call volumes or error rates) by comparing against the account's normal baseline
Protecting your Log Files
- CloudTrail logs contain metadata, but they can also contain personally identifiable data such as user names and group memberships
- Request parameters can also include resource details, such as DynamoDB table names
- Restrict access to the logs with IAM policies on the principals and a bucket policy on the log bucket
- Encrypt the bucket (SSE-KMS) so the data is encrypted at rest
- Grant bucket access to one IAM group (or role) and deny everyone else
- When locking down, grant the managed policy AWSCloudTrail_FullAccess to administrators and AWSCloudTrail_ReadOnlyAccess to auditors
- Turn on log file validation on the trail, and SNS notifications if you want alerts. Validation can be automated, for example with a Lambda function that runs the CloudTrail validate-logs check over yesterday's logs and notifies you if they have
- CloudTrail signs each digest file with a private key that only AWS holds; you fetch the matching public key from the CloudTrail ListPublicKeys API to verify it. Because the private key is not yours, an attacker who alters a log file cannot produce a new, validly signed digest to match it
- To keep logs from being deleted, deny deletes in the bucket policy and enable versioning with MFA Delete on the bucket
- Log files delivered to S3 are kept indefinitely by default. Use S3 lifecycle rules to move them to Glacier, or expire them, once your regulatory retention obligations are met
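The digest mechanism described above (the hourly digest that hashes each log file and chains to the previous digest) and the automated validation idea from the log-protection list are shown together here in one added Python example that is not part of these notes. It builds a tiny in-memory "bucket" with constructed log files and digests, verifies the SHA-256 chain, and then shows what editing a log file or forging a digest looks like to the checker. The RSA signature CloudTrail places on each digest is deliberately not checked (that needs the public key from the ListPublicKeys API and is what the validate-logs CLI command does), so the constructed digests omit the signature fields; bucket name, object keys and events are made up.

```python
"""Verify CloudTrail log-file and digest hashes offline (added example).

Everything here is constructed in memory: a tiny "bucket" (dict of key ->
bytes) holding two gzipped log files and two digest files built the way
CloudTrail lays them out. Only the SHA-256 checks are implemented; the RSA
signature CloudTrail puts on each digest (verified against the public key
from the ListPublicKeys API) is deliberately left out, so signature fields
are omitted from the constructed digests. Key names and events are made up.
"""
import gzip
import hashlib
import json

BUCKET = "example-trail-bucket"
PREFIX = "AWSLogs/123456789012/CloudTrail"
LOG1 = f"{PREFIX}/us-east-1/2024/05/01/123456789012_CloudTrail_us-east-1_20240501T1000Z_a.json.gz"
LOG2 = f"{PREFIX}/us-east-1/2024/05/01/123456789012_CloudTrail_us-east-1_20240501T1100Z_b.json.gz"
DIG1 = f"{PREFIX}-Digest/us-east-1/2024/05/01/123456789012_CloudTrail-Digest_20240501T1100Z.json.gz"
DIG2 = f"{PREFIX}-Digest/us-east-1/2024/05/01/123456789012_CloudTrail-Digest_20240501T1200Z.json.gz"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_log_file(records):
    """A trail log file is a gzipped JSON document with a top-level 'Records' list."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def make_digest(log_objects, previous):
    """Build a digest covering log_objects (key -> bytes); previous is (key, bytes) or None.

    Field names follow the real digest format; the signature fields are omitted here.
    """
    body = {
        "awsAccountId": "123456789012",
        "digestS3Bucket": BUCKET,
        "previousDigestS3Object": previous[0] if previous else None,
        "previousDigestHashValue": sha256_hex(previous[1]) if previous else None,
        "previousDigestHashAlgorithm": "SHA-256",
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": key,
                      "hashValue": sha256_hex(data), "hashAlgorithm": "SHA-256"}
                     for key, data in sorted(log_objects.items())],
    }
    return gzip.compress(json.dumps(body).encode(), mtime=0)


def verify_chain(digest_keys, store):
    """Walk digests oldest to newest; return a list of problems (empty means intact)."""
    problems, prev_key = [], None
    for key in digest_keys:
        digest = json.loads(gzip.decompress(store[key]))
        if digest["previousDigestS3Object"] != prev_key:
            problems.append(f"{key}: chain break, expected previous digest {prev_key}")
        elif prev_key and sha256_hex(store[prev_key]) != digest["previousDigestHashValue"]:
            problems.append(f"{key}: previous digest {prev_key} was modified")
        for lf in digest["logFiles"]:
            data = store.get(lf["s3Object"])
            if data is None:
                problems.append(f"{lf['s3Object']}: log file missing")
            elif sha256_hex(data) != lf["hashValue"]:
                problems.append(f"{lf['s3Object']}: log file modified")
        prev_key = key
    return problems


def build_store():
    """Constructed bucket contents: two hourly log files, each covered by one digest."""
    store = {
        LOG1: make_log_file([{"eventName": "CreateUser", "userIdentity": {"userName": "alice"}},
                             {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "alice"}}]),
        LOG2: make_log_file([{"eventName": "StopLogging", "userIdentity": {"type": "Root"}}]),
    }
    store[DIG1] = make_digest({LOG1: store[LOG1]}, None)
    store[DIG2] = make_digest({LOG2: store[LOG2]}, (DIG1, store[DIG1]))
    return store, [DIG1, DIG2]


def tamper_demo():
    """Show what each tampering attempt looks like to verify_chain."""
    store, digests = build_store()
    results = {"clean": verify_chain(digests, store)}
    # 1. Attacker drops the AttachUserPolicy record and re-gzips the log file.
    kept = json.loads(gzip.decompress(store[LOG1]))["Records"][:1]
    store[LOG1] = make_log_file(kept)
    results["log_edited"] = verify_chain(digests, store)
    # 2. Attacker also rewrites digest 1 so its hashValue matches the edited log.
    #    Digest 2 still holds the hash of the original digest 1, so the chain breaks
    #    there; in a real bucket the forged digest would also lack a valid signature.
    store[DIG1] = make_digest({LOG1: store[LOG1]}, None)
    results["digest_forged"] = verify_chain(digests, store)
    return results


if __name__ == "__main__":
    for scenario, problems in tamper_demo().items():
        print(scenario, "->", problems or "intact")
```

The chain is what makes the digest useful: an attacker who can write to the bucket can rewrite a log file and the digest that covers it, but every later digest still records the hash of the one they replaced, and none of the rewritten digests can carry a valid CloudTrail signature. A scheduled job that runs this kind of walk over the previous day and alerts on any non-empty result is the automation the notes describe.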