23 September 22

How to Use AWS CloudTrail: Creating Trails

Posted by INE

In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Purpose: It is very important to have a service that lets you observe all of the activity taking place in your AWS account. AWS CloudTrail serves this purpose. It records actions as CloudTrail events, which can be used to monitor activity in your AWS account. In this article, we'll look at how to use the AWS CloudTrail service to create trails for various types of events.

Technical difficulty:

|   Novice   |   Beginner   |   Competent   |   Proficient   |   Expert

What Is AWS CloudTrail Service?

AWS CloudTrail is a service provided by AWS that enables operational and risk auditing, governance, and compliance for your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

CloudTrail1.png

CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, it's recorded in a CloudTrail event. Go to Event history in the CloudTrail console to easily view recent events. You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account.

What are CloudTrail events?

An activity in an AWS account is recorded as an event in CloudTrail. This activity may be an action performed by a user, role, or service that CloudTrail can monitor. The AWS Management Console, AWS SDKs, command line tools, and other AWS services all generate CloudTrail events, which record both API and non-API account activity.

Types of events that can be logged in CloudTrail:

  • Management events

  • Data events

  • CloudTrail Insights events

Trails log management events but not data or Insights events by default.

Now, let's look at each event type:

Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account.

Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activity.

CloudTrail Insights events help AWS users identify and respond to unusual activity associated with "write" API calls by continuously analyzing CloudTrail management events. Insights events are logged when CloudTrail detects unusual write management API activity in your account. If you have CloudTrail Insights enabled and CloudTrail detects unusual activity, Insights events are delivered to the destination S3 bucket for your trail.

What are trails?

A trail is a configuration that allows CloudTrail events to be delivered to an Amazon S3 bucket, CloudWatch Logs, or CloudWatch Events. You can use a trail to filter the CloudTrail events you want delivered, encrypt your CloudTrail event log files with an AWS KMS key, and configure Amazon SNS notifications for log file delivery.

Now that we have covered all the key terms for the lab, let's perform the lab itself.

Lab Scenario

We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab Link: CloudTrail: Creating Trail

Objective

Create trails for various types of events using AWS CloudTrail and deliver log files to an S3 bucket.

Solution

Step 1: Click the lab link button to get access credentials. Log in to the AWS account with these credentials.

CloudTrail3.png

Step 2: Search for CloudTrail in the search bar and navigate to the CloudTrail dashboard.

CloudTrail4.png

The dashboard will list all the available trails.

The "lab-account-managment-events" trail was created by the organization's management account, so it cannot be edited or deleted from this account.

CloudTrail5.png

Step 3: Click on “Event history”.

CloudTrail6.png

Event history lists the events that have already been recorded. It helps you look up events related to the creation, modification, or deletion of resources (such as IAM users or Amazon EC2 instances) in your AWS account on a per-region basis.

CloudTrail7.png

Step 4: Click on “Trails”.

CloudTrail8.png

CloudTrail9.png

Step 5: Click on “Create trail”.

CloudTrail10.png

Step 6: Set the trail name to "student-management-events", choose the "Create new S3 bucket" option, and insert "management-events" into the generated S3 bucket name.

CloudTrail11.png

Step 7: Disable Log file SSE-KMS encryption and Log file validation.

CloudTrail12.png

Click on the “Next” button.

CloudTrail13.png

Step 8: In Events choose “Management events” and “Insights events”.

To keep the event types separate, we will use two different trails and two different buckets, one for management events and one for data events. Insights events only work together with management events.

Note: After you enable CloudTrail Insights for the first time on a trail, it can take up to 36 hours for CloudTrail to deliver the first Insights event.

CloudTrail14.png

Step 9: Enable logging of both Read and Write API activity for management events.

CloudTrail15.png

Step 10: Enable "API call rate" and "API error rate" under "Insights types".

CloudTrail16.png

Review the details.

CloudTrail17.png

Click on the “Create trail” button.

CloudTrail18.png

The trail for management events was created successfully.

CloudTrail19.png

Step 11: Create a trail for data events. Click on the "Create trail" button.

CloudTrail20.png

Step 12: Set the trail name to "student-data-events", choose the "Create new S3 bucket" option, and insert "data-events" into the generated S3 bucket name.

CloudTrail21.png

Step 13: Disable Log file SSE-KMS encryption and Log file validation.

CloudTrail22.png

Click on the “Next” button.

CloudTrail23.png

Step 14: In Events choose “Data events”.

CloudTrail24.png

Step 15: Select "DynamoDB" as the data event type and "Log all events" as the Log selector template. Set any name as the selector name and click on the "Next" button.

Using the information collected by CloudTrail, you can determine the request that was made to DynamoDB, the IP address from which the request was made, who made the request, when it was made, and additional details.
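The console choices made in Steps 8-10 (management events, Read and Write) and Step 15 (DynamoDB data events, "Log all events") correspond to CloudTrail advanced event selectors. The following added example, which is not part of the INE lab or of AWS's own code, builds those selectors and evaluates them locally against constructed records, so you can see which of the two trails would deliver which event. It assumes the advanced event selector shape (Name / FieldSelectors / Field / Equals) and the field names eventCategory, readOnly and resources.type; the records, the table ARN and the account id 111122223333 are constructed sample data. Nothing in it calls AWS.

```python
"""Added example: console trail settings as advanced event selectors,
evaluated locally against constructed CloudTrail records."""
from typing import Dict, List

# resources.type value CloudTrail uses for DynamoDB table data events
DYNAMODB_TABLE = "AWS::DynamoDB::Table"


def management_selector(name: str, read: bool = True, write: bool = True) -> Dict:
    """Selector for management events. Step 9 keeps both Read and Write on,
    so no readOnly restriction is added in that case."""
    if not (read or write):
        raise ValueError("at least one of read/write must be enabled")
    fields: List[Dict] = [{"Field": "eventCategory", "Equals": ["Management"]}]
    if read != write:
        fields.append({"Field": "readOnly", "Equals": ["true" if read else "false"]})
    return {"Name": name, "FieldSelectors": fields}


def data_selector(name: str, resource_type: str, template: str = "Log all events") -> Dict:
    """Selector for data events of one resource type. The template names
    mirror the console's 'Log selector template' choices (Step 15)."""
    fields: List[Dict] = [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [resource_type]},
    ]
    if template == "Log readOnly events":
        fields.append({"Field": "readOnly", "Equals": ["true"]})
    elif template == "Log writeOnly events":
        fields.append({"Field": "readOnly", "Equals": ["false"]})
    elif template != "Log all events":
        raise ValueError(f"unknown log selector template: {template!r}")
    return {"Name": name, "FieldSelectors": fields}


def _field_values(record: Dict, field: str) -> List[str]:
    """Resolve a selector field to the string value(s) a record carries for it."""
    if field == "readOnly":
        return [str(bool(record.get("readOnly", False))).lower()]
    if field.startswith("resources."):
        attr = field.split(".", 1)[1]  # 'type' or 'ARN'
        return [str(r.get(attr, "")) for r in record.get("resources", [])]
    return [str(record.get(field, ""))]


def matches(record: Dict, selector: Dict) -> bool:
    """True when every FieldSelector is satisfied (only 'Equals' is handled here)."""
    for fs in selector["FieldSelectors"]:
        if not any(v in fs["Equals"] for v in _field_values(record, fs["Field"])):
            return False
    return True


def route(records: List[Dict], trails: Dict[str, List[Dict]]) -> Dict[str, List[str]]:
    """Map each trail name to the eventNames its selectors would deliver."""
    delivered: Dict[str, List[str]] = {name: [] for name in trails}
    for rec in records:
        for name, selectors in trails.items():
            if any(matches(rec, s) for s in selectors):
                delivered[name].append(rec["eventName"])
    return delivered


# Constructed records mirroring the lab's DynamoDB activity, plus one S3
# data event that neither trail is configured for.
USERS_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/Users"
SAMPLE_RECORDS = [
    {"eventName": "CreateTable", "eventCategory": "Management", "readOnly": False},
    {"eventName": "ListTables", "eventCategory": "Management", "readOnly": True},
    {"eventName": "PutItem", "eventCategory": "Data", "readOnly": False,
     "resources": [{"type": DYNAMODB_TABLE, "ARN": USERS_ARN}]},
    {"eventName": "GetItem", "eventCategory": "Data", "readOnly": True,
     "resources": [{"type": DYNAMODB_TABLE, "ARN": USERS_ARN}]},
    {"eventName": "GetObject", "eventCategory": "Data", "readOnly": True,
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/key"}]},
]

# The two trails as configured in the lab
TRAILS = {
    "student-management-events": [management_selector("Management events")],
    "student-data-events": [data_selector("DynamoDB tables", DYNAMODB_TABLE)],
}

if __name__ == "__main__":
    for trail, events in route(SAMPLE_RECORDS, TRAILS).items():
        print(f"{trail}: {events}")
```

The lists returned by data_selector and management_selector are the shape you would pass as AdvancedEventSelectors to the CloudTrail PutEventSelectors API if you scripted the same setup instead of clicking through the console. The local matcher is deliberately narrow (only the Equals operator) and exists to make the routing visible: the S3 GetObject record is dropped by both trails, which is exactly the blind spot you get when a data-events trail is scoped to a single resource type.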

CloudTrail25.png

Review the details.

CloudTrail26.png

Click on the “Create trail” button.

CloudTrail27.png

Step 16: The data events trail was created successfully.

CloudTrail28.png

Step 17: Search for DynamoDB in the search bar and navigate to the DynamoDB dashboard.

CloudTrail29.png

Step 18: Click on “Tables” from the navigation pane.

CloudTrail30.png

Step 19: Click on the “Create table” button.

CloudTrail31.png

Step 20: Set the table name to "Users" and the partition key to "id" with data type "Number".

CloudTrail32.png

Step 21: Choose “Default settings” in table settings.

CloudTrail33.png

Step 22: Click on “Create table”.

CloudTrail34.png

Wait until the table status changes from "Creating" to "Active".

CloudTrail35.png

Step 23: Click on “Explore items”.

CloudTrail36.png

Step 24: Click on “Users”.

CloudTrail37.png

Step 25: The table has no items yet. Click on the "Create item" button to add items to the table.

CloudTrail38.png

Step 26: Click on "String" under "Add new attribute" to set the data type of the new attribute.

CloudTrail39.png

Step 27: Enter "Name" as the attribute name and give it any value.

CloudTrail40.png

Step 28: Click on the “Create item” button.

CloudTrail41.png

An item was created successfully inside the Users table.

CloudTrail42.png

Navigate back to the CloudTrail dashboard and click on “Trails”.

CloudTrail43.png

Step 29: Click on “student-management-events”.

CloudTrail44.png

Step 30: Check the logs in the management events bucket. Click on "Trail log location".

CloudTrail publishes log files to your S3 bucket as gzip-compressed files. In the S3 bucket, each log file has a formatted name.

The following syntax shows the log file location.

Path: bucket_name/prefix_name/AWSLogs/Account_ID

CloudTrail45.png

Step 31: Click on “CloudTrail” directory.

CloudTrail46.png

Step 32: Click on the “us-east-1” directory.

CloudTrail47.png

Click into the folders named for the current year, then the month, then the day.

The current path will now be the following.

Path: bucket_name/prefix_name/AWSLogs/Account_ID/CloudTrail/region/YYYY/MM/DD/

Step 33: Check the log using the JSON files available.

CloudTrail48.png

Step 34: Click on the “Open” button. It will open the JSON file in the browser.

CloudTrail49.png

This log was recorded while updating the DynamoDB table, so the event name is "UpdateTable". This operation modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table.

CloudTrail50.png

This log was recorded while listing the DynamoDB tables, so the event name is "ListTables". This operation returns the list of table names available.

CloudTrail51.png

This log was recorded while creating the DynamoDB table, so the event name is "CreateTable". The CreateTable operation adds a new table to your account.

CloudTrail52.png

These are some of the logs available in the management events bucket.

Step 35: Click on “student-data-events”.

CloudTrail53.png

Step 36: Click on “Trail log location”.

The trail log location for data events follows the same layout as for management events.

CloudTrail54.png

Step 37: Check the log using the JSON files available.

CloudTrail55.png

This log was recorded while adding items to the DynamoDB table, so the event name is "PutItem". This operation creates a new item or replaces an existing item with a new one.

CloudTrail56.png

This log was recorded while reading a single item from the DynamoDB table, so the event name is "GetItem". This operation returns a set of attributes for the item with the given primary key.
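The S3 walk in Steps 30-37 (the AWSLogs/Account_ID/CloudTrail/region/YYYY/MM/DD/ path, the gzip-compressed JSON files, and the PutItem/GetItem records inside them) can be done in code. The following added example is not part of the INE lab or of AWS's own tooling: it parses an object key in that layout, decodes the log file, and summarises who did what, from where, and on which table. It assumes the documented CloudTrail file name pattern account_CloudTrail_region_YYYYMMDDTHHMMZ_unique.json.gz; the object key, the account id 111122223333, the user names, the IP addresses and the records are constructed sample data, not real logs.

```python
"""Added example: locate, decode and triage a CloudTrail log object."""
import gzip
import io
import json
import re
from collections import Counter
from typing import Dict, List

# Object key layout from the lab, with the documented file name pattern appended.
# The back-references require the file name to agree with the folder path.
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P=account)_CloudTrail_(?P=region)_(?P<stamp>\d{8}T\d{4}Z)_(?P<unique>[A-Za-z0-9]+)\.json\.gz$"
)


def parse_key(key: str) -> Dict[str, str]:
    """Split a CloudTrail object key into prefix, account, region, date and file parts."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail log object key: {key!r}")
    parts = m.groupdict()
    parts["date"] = f"{parts['year']}-{parts['month']}-{parts['day']}"
    return parts


def load_records(gz_bytes: bytes) -> List[Dict]:
    """A CloudTrail log file is gzip-compressed JSON with a top-level 'Records' list."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]


def principal(record: Dict) -> str:
    """Best human-readable name for the caller found in userIdentity."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarise(records: List[Dict]) -> List[Dict]:
    """One row per event: when, who, from where, what, which table, read or write."""
    rows = []
    for rec in records:
        params = rec.get("requestParameters") or {}  # may be null in real records
        rows.append({
            "time": rec["eventTime"],
            "who": principal(rec),
            "ip": rec.get("sourceIPAddress", "-"),
            "event": rec["eventName"],
            "table": params.get("tableName", "-"),
            "write": not rec.get("readOnly", False),
        })
    return rows


def writes_by_principal(records: List[Dict]) -> Counter:
    """Count write (non-readOnly) operations per (caller, table): the first
    question to answer when checking who modified data."""
    counts: Counter = Counter()
    for row in summarise(records):
        if row["write"]:
            counts[(row["who"], row["table"])] += 1
    return counts


# Constructed sample key and records (modelled on the lab's DynamoDB events).
SAMPLE_KEY = ("AWSLogs/111122223333/CloudTrail/us-east-1/2022/09/23/"
              "111122223333_CloudTrail_us-east-1_20220923T1010Z_AbCdEf123456.json.gz")


def _record(name: str, time: str, user: str, ip: str, read_only: bool) -> Dict:
    """Build one constructed DynamoDB data-event record."""
    return {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "arn": f"arn:aws:iam::111122223333:user/{user}"},
        "eventTime": time,
        "eventSource": "dynamodb.amazonaws.com",
        "eventName": name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "requestParameters": {"tableName": "Users"},
        "readOnly": read_only,
        "eventCategory": "Data",
        "recipientAccountId": "111122223333",
    }


SAMPLE_RECORDS = [
    _record("PutItem", "2022-09-23T10:01:12Z", "student", "192.0.2.10", False),
    _record("GetItem", "2022-09-23T10:02:40Z", "student", "192.0.2.10", True),
    _record("PutItem", "2022-09-23T10:05:03Z", "batch-loader", "198.51.100.7", False),
]


def build_sample_log() -> bytes:
    """Compress the constructed records the way CloudTrail delivers them."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode("utf-8"))


def triage(key: str, gz_bytes: bytes) -> Dict:
    """End to end: locate (key), decode (gzip JSON), summarise (who/what/where)."""
    records = load_records(gz_bytes)
    return {"meta": parse_key(key), "rows": summarise(records),
            "writes": writes_by_principal(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_KEY, build_sample_log())
    meta = result["meta"]
    print(f"account {meta['account']} region {meta['region']} date {meta['date']}")
    for row in result["rows"]:
        print(row)
    for (who, table), n in result["writes"].items():
        print(f"{who} wrote to {table} {n} time(s)")
```

Run against a real object, the same code works on the bytes returned by an S3 GetObject call for a key under the trail's log location. Two caveats from the lab setup: the key pattern above does not cover organization trails, whose path carries an extra organization-id folder under AWSLogs, and because Steps 7 and 13 turned log file validation off, there are no digest files to check the log files against; with validation on, CloudTrail also writes signed digests under a CloudTrail-Digest folder, which is what lets you detect a log file that was deleted or altered after delivery.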

CloudTrail57.png

Step 38: Navigate back to the CloudTrail Event history and review the available events. It lists all the events, and you can also filter them by attributes such as resource name or resource type.

CloudTrail58.png

We have successfully created trails that log the operations performed on resources in the AWS account.

References:

AWS CloudTrail User Guide: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html

Conclusion

Congratulations! You successfully performed the lab and created trails for various types of events using AWS CloudTrail and delivered log files to an S3 bucket.

Try out AWS CloudTrail hands-on in our lab! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

© 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.