CloudTrail
General Info
- Use cases
    - Provides an event history of AWS account activity (from the Management Console, SDKs and CLI tools)
    - Records every API call (not RDP/SSH sessions)
    - A small number of services don't log to CloudTrail
    - Trails by default don't include data events (such as S3 object activity and Lambda execution)
- Records
    - API call metadata
        - identity of the API caller
        - time of the API call
        - source IP address of the API caller
        - request parameters
        - response elements returned by the service
        - eventSource: which service produced the event
    - Delivers log files to S3 and/or CloudWatch Logs
- Enables
    - Compliance/auditability (do we comply with policies and regulations?)
    - Near-real-time intrusion detection
    - After-the-fact incident investigation
- Characteristics
    - Delivered every 5 minutes (when there is activity), with up to 15 minutes' delay
    - Aggregation
        - Can be aggregated across accounts
        - Can be aggregated across regions
        - Trails are regional, but you can create a global trail, which creates identical trails in all regions
        - Limit of 5 trails per region
    - Integrations
        - Can set up CloudWatch metric filters for certain events to trigger a CloudWatch Alarm
        - Can enable SNS notifications when a new log file is produced
    - Setup
        - Enabled by default (contains events for the last 90 days)
        - Without creating a trail, the event history shows 90 days but excludes various events (including all read events)
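As an added example (not part of these notes), the Python script below parses a constructed CloudTrail log file in the shape delivered to S3, pulls out the record metadata listed above, and flags the records a near-real-time detection would alarm on: API calls that stop or reconfigure the trail itself. The sample records, account ID, IPs and trail name are all made up.

```python
import json

# Constructed sample CloudTrail log file (the JSON object with a "Records" array
# that CloudTrail delivers to S3). All identities, IPs and ARNs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "readOnly": True,
     "requestParameters": {"instancesSet": {}}, "responseElements": None},
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/admin/bob"},
     "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "requestParameters": {"name": "example-org-trail"}, "responseElements": None},
]})

# CloudTrail API actions that switch off or narrow the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def summarize(record: dict) -> dict:
    """Extract the core metadata every CloudTrail record carries."""
    ident = record.get("userIdentity", {})
    return {
        "time": record["eventTime"],
        "service": record["eventSource"],  # which service produced the event
        "action": record["eventName"],
        "caller": ident.get("arn") or ident.get("userName") or ident.get("type"),
        "source_ip": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
        "request": record.get("requestParameters"),
        "response": record.get("responseElements"),
    }

def find_trail_tampering(log_file_text: str) -> list:
    """Return summaries of the records that alter CloudTrail's own logging."""
    records = json.loads(log_file_text)["Records"]
    return [summarize(r) for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in TRAIL_TAMPER_EVENTS]

if __name__ == "__main__":
    for hit in find_trail_tampering(SAMPLE_LOG):
        print(f"ALERT {hit['time']}: {hit['caller']} from {hit['source_ip']} "
              f"called {hit['action']} on {hit['request']}")
```

The same predicate (eventSource plus eventName) is what a CloudWatch Logs metric filter on the trail would express, so a matching alarm fires within the delivery delay rather than on the next batch review.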
Security

- CloudTrail Log File Integrity
- Stop unauthorized access
- Prevent log files from being deleted