UNIT 12

Published by Teamlease Edtech Ltd (Amita Chitroda), 2022-03-28 10:37:50

Description: UNIT 12

Search

Read the Text Version

AWS Fundamentals: Amazon CloudTrail
Page 1 of 7 All Rights Reserved. Vol. TLE001/03-2022

UNIT 12: AMAZON CLOUDTRAIL

Structure
12.1 Learning Objectives
12.2 Overview
12.3 AWS CloudTrail Features
12.4 How AWS CloudTrail Works
12.5 Configure AWS CloudTrail
12.6 Summary
12.7 Glossary
12.8 References

12.1 Learning Objectives

After studying this unit, you will be able to:
• Understand what AWS CloudTrail is
• Give a brief account of CloudTrail features
• Describe how the AWS CloudTrail service works
• Explain the steps involved in configuring AWS CloudTrail

12.2 Overview

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. We can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of trails you create, and control how users view CloudTrail events.

12.3 AWS CloudTrail Features

AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API usage across AWS services as events. CloudTrail events help you answer the question "who did what, where, and when?" CloudTrail records two types of events:
• Management events, capturing control plane actions on resources such as creating or deleting Amazon Simple Storage Service (Amazon S3) buckets, and
• Data events, capturing data plane actions within a resource, such as reading or writing an Amazon S3 object.

CloudTrail uses these events in three features:
• Trails enable delivery and storage of events in Amazon S3, with optional delivery to Amazon CloudWatch Logs and EventBridge.
• Insights analyze control plane events for anomalous behavior in API call volumes.
• Event history provides a 90-day history of control plane actions for free.

As part of its core audit capabilities, CloudTrail provides customer managed keys for encryption and log file validation to guarantee immutability.

12.4 How AWS CloudTrail Works

CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view events in the CloudTrail console by going to Event history. Event history allows you to view, search, and download the past 90 days of activity in your AWS account. In addition, you can create a CloudTrail trail to archive, analyze, and respond to changes in your AWS resources. A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify. You can also deliver and analyze events in a trail with Amazon CloudWatch Logs and Amazon CloudWatch Events. You can create a trail with the CloudTrail console, the AWS CLI, or the CloudTrail API. You can create two types of trails for an AWS account:

A trail that applies to all regions

When you create a trail that applies to all regions, CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify. If a region is added after you create a trail that applies to all regions, that new region is automatically included, and events in that region are logged.
Because creating a trail in all regions is a recommended best practice, so that you capture activity in all regions in your account, an all-regions trail is the default option when you create a trail in the CloudTrail console. You can only update a single-region trail to log all regions by using the AWS CLI.

A trail that applies to one region

When you create a trail that applies to one region, CloudTrail records the events in that region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. You can only create a single-region trail by using the AWS CLI. If you create additional single-region trails, you can have those trails deliver CloudTrail event log files to the same Amazon S3 bucket or to separate buckets. This is the default option when you create a trail using the AWS CLI or the CloudTrail API.

If you have created an organization in AWS Organizations, you can also create a trail that will log all events for all AWS accounts in that organization. This is referred to as an organization trail. Organization trails can apply to all AWS Regions or one Region.
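Whichever trail type you choose, the log files it delivers to S3 are what an investigator later relies on, and the log file validation mentioned in 12.3 is what lets you prove they were not altered after delivery. The following Python is an added example, not from this unit or from AWS tooling: it models the two checks a digest chain gives you (each digest names the SHA-256 of the previous digest file, and each log file must still hash to the value its digest recorded). It keeps only three real digest field names (digestS3Object, previousDigestHashValue, logFiles), uses constructed sample data, and omits the RSA signature check that the real format also carries.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_digest_chain(digests, log_files):
    """digests: list of (raw_digest_bytes, parsed_digest_dict), oldest first.
    log_files: {s3Object key: raw bytes as fetched from the bucket}.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    prev_hash = None
    for raw, digest in digests:
        # Chain check: each digest records the SHA-256 of the digest file before it,
        # so removing or rewriting an earlier digest breaks the chain here.
        if prev_hash is not None and digest.get("previousDigestHashValue") != prev_hash:
            findings.append(f"chain break at {digest['digestS3Object']}")
        # Content check: every listed log file must still hash to the recorded value.
        for entry in digest["logFiles"]:
            blob = log_files.get(entry["s3Object"])
            if blob is None:
                findings.append(f"missing log file {entry['s3Object']}")
            elif sha256_hex(blob) != entry["hashValue"]:
                findings.append(f"hash mismatch for {entry['s3Object']}")
        prev_hash = sha256_hex(raw)
    return findings

def build_sample(tamper=False):
    """Constructed sample (not real trail output): two log files and the two digests
    that cover them. With tamper=True, log-1 is altered after its digest was written."""
    logs = {"AWSLogs/acct/log-1.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
            "AWSLogs/acct/log-2.json": b'{"Records":[{"eventName":"StopLogging"}]}'}
    digests, prev_hash = [], None
    for i, key in enumerate(logs, start=1):
        digest = {"digestS3Object": f"AWSLogs/acct/digest-{i}.json",
                  "previousDigestHashValue": prev_hash,
                  "logFiles": [{"s3Object": key, "hashAlgorithm": "SHA-256",
                                "hashValue": sha256_hex(logs[key])}]}
        raw = json.dumps(digest, sort_keys=True).encode()
        digests.append((raw, digest))
        prev_hash = sha256_hex(raw)
    if tamper:
        logs["AWSLogs/acct/log-1.json"] = b'{"Records":[]}'
    return digests, logs
```

For a real trail, `aws cloudtrail validate-logs` performs the full check, including the signature verification this sample leaves out.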

CloudTrail publishes log files multiple times an hour, about every five minutes. These log files contain API calls from services in the account that support CloudTrail.

Create a new trail and sync your AWS S3 bucket

1. In the AWS console, navigate to the AWS CloudTrail section.
2. Update your account's region settings to match the region previously selected in AMP.
3. Click Create trail. (You may first need to click View trails, and then click Create trail.)
4. In Trail name, enter a descriptive name.
5. For Apply trail to all regions, mark No.
6. For Create a new S3 bucket, mark No.

7. In S3 bucket, paste the bolded URL text that you copied earlier from AMP.
8. Click Create.

12.5 Configure AWS CloudTrail

AWS CloudTrail is an AWS service that helps you audit your AWS account, providing complete visibility into the governance, compliance, and risks of your AWS account. With new services being released almost daily, it is understandable for security practitioners to get lost in the many options to secure your AWS account. AWS CloudTrail is one of these services that is commonly underused but fairly simple to set up and critical for security governance, detection, and incident response. All actions taken by a user, role, or an AWS service are logged and recorded as events in CloudTrail. AWS outlines six best practices for security in the cloud; one of the six is detection.

Underlying steps to configure CloudTrail and monitor security-related events

1. Create a trail. When you create your AWS account, AWS CloudTrail is enabled by default. For an ongoing record of activity and events, analysis and log retention, create a trail in your account. Creating a trail will allow you to use other AWS services to analyze and act upon the event data collected in CloudTrail logs.

2. Configure your trail to apply to all regions. Specify a unique name for your trail and follow the CloudTrail naming requirements. Select Yes to apply the trail to all regions, even if you are only hosted in one region currently. It is best practice to apply CloudTrail to all regions to monitor any activity in regions where you should not have resources, as well as to ensure you are prepared from a security perspective to scale.

3. Choose which events you will log. There are three different types of events you can log with CloudTrail: management events, Insights events, and data events. The events that you log will be based on your organization's needs and preferences. However, logging all read and write management events is best practice.

4. Configure your logs to be stored on S3 and enable log file validation. By default, the S3 bucket created for your trail is encrypted at rest using the default SSE-S3 encryption by AWS. If you are already using AWS Key Management Service (KMS) to manage your encryption, you can enable SSE-KMS encryption of the logs at rest. Enable log file validation to have log digests delivered to your S3 bucket to verify the integrity of the logs and ensure they have not been modified after CloudTrail delivered them.

5. Configure CloudWatch alarms for security and network related API activity. After creating the trail, a new window will open up listing your trail. Open the trail to configure CloudWatch security and network related alerts. Within the trail settings, click Configure under CloudWatch Logs.

Follow the prompt to configure the IAM role necessary for CloudWatch to work properly. In the trail settings, click the hyperlink 'Create CloudWatch Alarms for Security and Network related API activity using CloudFormation template.' This CloudFormation template has predefined CloudWatch metric filters and alarms so that you receive email notifications when any security-related API calls are made. A few of the key metrics monitored with this template are:
• S3 bucket policy, lifecycle, replication, or ACL changes
• API calls that create, update and delete security groups
• The creation, termination, start, stop, and reboot of EC2 instances
• Creating, deleting, and updating trails, and the starting and stopping of logging for a trail
• Console login failures
• Authorization failures

12.6 Summary

• AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account.
• We can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of trails you create, and control how users view CloudTrail events.
• We can create two types of trails in an AWS account: one that applies to one region and one that applies to all regions.
• The CloudFormation template provides CloudWatch metric filters and alarms so that you receive email notifications when any security-related API calls are made.
• CloudTrail is one of those services that are commonly underused but fairly simple to set up and critical for security governance, detection, and incident response.
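The metric filter categories listed under step 5 all reduce to tests on a few fields of each CloudTrail record (eventName, errorCode, and for sign-in events responseElements.ConsoleLogin). The following Python is an added example, not the unit's CloudFormation template or any AWS code: it runs those tests over a constructed sample log file so you can see which records each category would flag. The event-name sets are my own selection for each category, and the sample records are constructed, keeping only the fields the filters read.

```python
import json

# Event names per alarm category, mirroring the categories the unit's CloudFormation
# template covers. The name sets are this example's own selection, not copied from it.
EVENT_SETS = {
    "s3_bucket_change": {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                         "PutBucketLifecycle", "PutBucketReplication"},
    "security_group_change": {"CreateSecurityGroup", "DeleteSecurityGroup",
                              "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"},
    "ec2_instance_lifecycle": {"RunInstances", "TerminateInstances", "StartInstances",
                               "StopInstances", "RebootInstances"},
    "cloudtrail_change": {"CreateTrail", "UpdateTrail", "DeleteTrail",
                          "StartLogging", "StopLogging"},
}

def classify(record):
    """Return the alarm categories one CloudTrail record would trigger."""
    name = record.get("eventName", "")
    hits = [category for category, names in EVENT_SETS.items() if name in names]
    # Console login failure: sign-in records report ConsoleLogin = "Failure" in responseElements.
    if name == "ConsoleLogin" and (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        hits.append("console_login_failure")
    # Authorization failure: the call was refused, whatever API it targeted.
    code = record.get("errorCode") or ""
    if code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied"):
        hits.append("authorization_failure")
    return hits

def scan(log_text):
    """Parse one CloudTrail log file (JSON with a Records array) and count hits per category."""
    counts = {}
    for record in json.loads(log_text)["Records"]:
        for category in classify(record):
            counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed sample log (not from a real account); only the fields the filters read are kept.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"},
]})

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Note that a refused RunInstances call lands in two categories at once, which is the behaviour you want: the instance-lifecycle alarm and the authorization-failure alarm are answering different questions.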

12.7 Glossary

• Governance: the action or manner of governing a state or organization
• Compliance: the action of complying with a wish or command
• Configure: arrange in a particular form or configuration
• Retention: control of something

12.8 References

• Amazon Referral Link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html
• Wikipedia Referral Link: https://en.wikipedia.org/wiki/Amazon_S3

