CloudTrail

General Info¶

Use cases

Provides event history of AWS account activity (from Management Console, SDKs, CLI tools)
Records every API call (no RDP/SSH)
- A small number of services don't log to CloudTrail
- Trails by default don't include data events (including S3 object activity and Lambda execution)
- Records
  - API call metadata
  - identity of API caller
  - time of API call
  - source IP address of the API caller
  - request parameters
  - response elements returned by the service
  - eventSource: what service produced the event
Delivers log files to S3 and/or CloudWatch Logs

Enables

Characteristics

Delivered every 5 (actives) minutes with up to 15mins delay
Aggregation
- Can be aggregated across accounts
- Can be aggregated across regions
  - trails are regional, but you can create a global trail which creates identitical trails in all regions
  - limit of 5 trails per region
Integrations
- Can set up CloudWatch metric filters for certain events to trigger a CloudWatch Alarm
- Can enable SNS notifications for when a new log file is produced
Setup
- Enabled by default (contains events for the last 90 days)
- Without creating a trail, the event history shows 90 days but excludes various events (including all read events)


CloudTrail Log File Integrity	Validate if logs have been tampered with (modified or deleted) Uses digest files (create hash for each file) SHA-256 hashing SHA-256 with RSA for digital signing private key owned by Amazon Takes 1 hour to create a digest file (done on the hour every hour)
Stop unauthorized access	Use IAM policies and S3 bucket policies security team —> admin access auditors —> read only access Use SSE-S3/SSE-KMS to encrypt the logs
Prevent log files from being deleted	Restrict delete access with IAM and bucket policies Configure S3 MFA delete Validate with Log File Validation