Resources
    How to Use AWS CloudTrail ...
    23 September 22

    How to Use AWS CloudTrail: Creating Trails

    Posted byINE
    facebooktwitterlinkedin
    news-featured

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Purpose: It is very important to have a service that allows you to observe all of the activities taking place in your AWS account. AWS CloudTrail is useful in this situation. It records the actions as CloudTrail events, which can be used to monitor your AWS account activities. In this article, we'll look at how to utilize AWS CloudTrail service to create trails for various types of events.

    Technical difficulty:

    |   Novice   |   Beginner   |   Competent   |   Proficient   |   Expert

    What Is AWS CloudTrail Service?

    AWS CloudTrail is a service provided by AWS that enables operational and risk auditing, governance, and compliance for your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

    CloudTrail1.png

    CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, it's recorded in a CloudTrail event. Go to Event history in the CloudTrail console to easily view recent events. You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account.

    What are CloudTrail events?

    An activity in an AWS account is recorded as an event in CloudTrail. This activity may involve an action performed by a user, role, or service that CloudTrail can watch. AWS Management Console, AWS SDKs, command line tools, and other AWS services all use CloudTrail events to record both API and non-API account activities.

    Types of events that can be logged in CloudTrail:

    • Management events

    • Data events

    • CloudTrail Insights events

    Trails log management events but not data or Insights events by default.

    Now, let’s discuss about each event:

    Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account.

    Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities. 

    CloudTrail Insights events helps AWS users identify and respond to unusual activity associated with “write” API calls by continuously analyzing CloudTrail management events. Insights events are logged when CloudTrail detects unusual write management API activity in your account. If you have CloudTrail Insights enabled and CloudTrail detects unusual activity, Insights events are delivered to the destination S3 bucket for your trail.

    Let’s understand what are trails?

    A trail is a configuration that allows CloudTrail events to be delivered to an Amazon S3 bucket, CloudWatch Logs, or CloudWatch Events. You can use a trail to filter the CloudTrail events you want delivered, encrypt your CloudTrail event log files with an AWS KMS key, and configure Amazon SNS notifications for log file delivery.

    Now that we have covered all the key terms for the lab, let's perform the lab itself.

    Lab Scenario

    We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.

    Lab Link: CloudTrail: Creating Trail

    Objective

    Create trails for various types of events using AWS CloudTrail and deliver log files to an S3 bucket.

    Solution

    Step 1: Click the lab link button to get access credentials. Login to the AWS account with these credentials.

    CloudTrail3.png

    Step 2: Search for CloudTrail in the search bar and navigate to the CloudTrail dashboard.

    CloudTrail4.png

    Dashboard will list all the available trails. 

    “lab-account-managment-events”, trail was created by the management account for the organization and hence cannot edit or delete this trail through this account.

    CloudTrail5.png

    Step 3: Click on “Event history”.

    CloudTrail6.png

    Event history will list all the event names which are already created. It helps to look up events related to creation, modification, or deletion of resources (such as IAM users or Amazon EC2 instances) in your AWS account on a per-region basis.

    CloudTrail7.png

    Step 4: Click on “Trails”.

    CloudTrail8.png

    CloudTrail9.png

    Step 5: Click on “Create trail”.

    CloudTrail10.png

    Step 6: Set trail name as “student-management-events” and choose “Create new S3 bucket” option and append “management-events” in between S3 bucket name.

    CloudTrail11.png

    Step 7: Disable Log file SSE-KMS encryption and Log file validation.

    CloudTrail12.png

    Click on the “Next” button.

    CloudTrail13.png

    Step 8: In Events choose “Management events” and “Insights events”.

    For differentiating between events, we will use two different trails and two different buckets for management events and data events. Insights events will only work with management events.

    Note: After you enable CloudTrail Insights for the first time on a trail, it can take up to 36 hours for CloudTrail to deliver the first Insights event.

    CloudTrail14.png

    Step 9: Enable Read and Write API activities log in management events.

    CloudTrail15.png

    Step 10: Enable API call rate and API error rate in “Insights types”.

    CloudTrail16.png

    Review the details.

    CloudTrail17.png

    Click on the “Create trail” button.

    CloudTrail18.png

    Successfully created trail for management events.

    CloudTrail19.png

    Step 11: Create trail for data events. Click on the “Create trail” button.

    CloudTrail20.png

    Step 12: Set trail name as “student-data-events” and choose “Create new S3 bucket” option and append “data-events” in between S3 bucket name.

    CloudTrail21.png

    Step 13: Disable Log file SSE-KMS encryption and Log file validation.

    CloudTrail22.png

    Click on the “Next” button.

    CloudTrail23.png

    Step 14: In Events choose “Data events”.

    CloudTrail24.png

    Step 15: Select data event type as “DynamoDB” and Log selector template as “Log all events”. Set any name as the selector name and click on the “Next” button.

    Using the information collected by CloudTrail, you can determine the request that was made to DynamoDB, the IP address from which the request was made, who made the request, when it was made, and additional details.

    CloudTrail25.png

    Review the details.

    CloudTrail26.png

    Click on the “Create trail” button.

    CloudTrail27.png

    Step 16: Successfully created data events trail.

    CloudTrail28.png

    Step 17: Search for DynamoDB in the search bar and navigate to the DynamoDB dashboard.

    CloudTrail29.png

    Step 18: Click on “Tables” from the navigation pane.

    CloudTrail30.png

    Step 19: Click on the “Create table” button.

    CloudTrail31.png

    Step 20: Set Table name as “Users” and partition key as “id” with data type “Number”.

    CloudTrail32.png

    Step 21: Choose “Default settings” in table settings.

    CloudTrail33.png

    Step 22: Click on “Create table”.

    CloudTrail34.png

    Wait until the “Creating” state changes to “Active” state.

    CloudTrail35.png

    Step 23: Click on “Explore items”.

    CloudTrail36.png

    Step 24: Click on “Users”.

    CloudTrail37.png

    Step 25: There is no item available in the table. Click on the “Create item” button to add items into the table.

    CloudTrail38.png

    Step 26: Click on “String” under “Add new attribute” to set data type for new attribute.

    CloudTrail39.png

    Step 27: Enter “Name” as Attribute name and any value.

    CloudTrail40.png

    Step 28: Click on the “Create item” button.

    CloudTrail41.png

    Successfully created an item inside the users table.

    CloudTrail42.png

    Navigate back to the CloudTrail dashboard and click on “Trails”.

    CloudTrail43.png

    Step 29: Click on “student-management-events”.

    CloudTrail44.png

    Step 30: Check the logs from the management events bucket. Click on “Trail log location”.

    CloudTrail publishes log files to your S3 bucket in a gzip archive. In the S3 bucket, the log file has a formatted name.

    The following syntax shows the log file location.

    Path: bucket_name/prefix_name/AWSLogs/Account_ID

    CloudTrail45.png

    Step 31: Click on “CloudTrail” directory.

    CloudTrail46.png

    Step 32: Click on the “us-east-1” directory.

    CloudTrail47.png

    Click on the folder having the current year as name followed by month and date.

    Now the current path will be the following.

    Path: bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/

    Step 33: Check the log using the JSON files available.

    CloudTrail48.png

    Step 34: Click on the “Open” button. It will open the JSON file in the browser.

    CloudTrail49.png

    This log is recorded while updating the DynamoDB table so the event name will be “UpdateTable”. This operation is done in order to perform Modifications in the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table.

    CloudTrail50.png

    This log is recorded while listing the DynamoDB table so the event name will be “ListTables”. This operation will return the list of table names available.

    CloudTrail51.png

    This log is recorded while creating the DynamoDB table so the event name will be “CreateTable”. The CreateTable operation adds a new table to your account.

    CloudTrail52.png

    These are some of the logs available in the management events buckets.

    Step 35: Click on “student-data-events”.

    CloudTrail53.png

    Step 36: Click on “Trail log location”.

    The trail log location of data events is similar to the management events.

    CloudTrail54.png

    Step 37: Check the log using the JSON files available.

    CloudTrail55.png

    This log is recorded while adding items to the DynamoDB table so the event name will be “PutItem”. This operation creates a new item, or replaces an old item with a new item.

    CloudTrail56.png

    This log is recorded while listing a single item in the DynamoDB table so the event name will be “GetItem”.This operation returns a set of attributes for the item with the given primary key.

    CloudTrail57.png

    Step 38: Navigate back to CloudTrail Event history and check out the available events. It will list all the events and also can view the events according to the selected filter such as resource name, resource type etc.

    CloudTrail58.png

    We successfully created trails for logging operations that are performed on resources of the AWS account.

    References: 

    AWS CloudTrail (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)

    Conclusion

    Congratulations! You successfully performed the lab and created trails for various types of events using AWS CloudTrail and delivered log files to an S3 bucket.

    Try out AWS CloudTrail hands-on in our lab! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo