CloudTrail

Description

  • Provides event history of AWS account activity (from Management Console, SDKs, CLI tools)
  • Records every API call (no RDP/SSH)
    • CloudTrail is enabled at the creation of an AWS account
    • Management events (past 90 days) are available in the Event History menu of AWS CloudTrail
    • A small number of services don't log to CloudTrail
    • Trails by default don't include data events
  • Enables
    • Compliance/Auditability (do we comply with policies and regulations?)
    • Near-realtime intrusion detection
    • After-the-fact incident investigation

Events & Records

| Event Type | Enabled | Type of activity | S3 Path | Delivery Time | CT Console (90 days) | API (90 days) |
| --- | --- | --- | --- | --- | --- | --- |
| Management | By default | API activity (control plane), service events, sign-in events | CloudTrail | 5 mins | Event History | LookupEvents |
| Data | Requires config in Trail | API activity (data plane); for example S3 PutObject/GetObject, Lambda Invoke | CloudTrail | 15 mins | N/A | N/A |
| Insights | Requires config in Trail | "Meta-events": unusual activity associated with write APIs | CloudTrail-Insight | 30 mins | Insights | LookupEvents (w/ EventCategory parameter) |
  • Event = basic unit of activity reporting
  • Storage:
    • Trails let you store CloudTrail events in an S3 bucket in the form of log files
    • Each log file is gzip compressed and contains 1+ JSON records
  • Fields of a recorded event:
    • API call metadata
    • Identity of the API caller
    • Time of the API call
    • Source IP address of the API caller
    • Request parameters
    • Response elements returned by the service
    • eventSource: which service produced the event

    | W | Description |
    | --- | --- |
    | WHAT | eventName, requestParameters, responseElements, requestID, eventType, resources |
    | WHO | Information about the principal and how it was authenticated; for example userIdentity, which itself includes attributes like type, principalId, arn, or accountId |
    | WHEN | eventTime |
    | WHERE | eventSource, awsRegion, sourceIPAddress, userAgent, recipientAccountId |
    | Context | Information about the event itself: eventVersion, eventType, apiVersion, managementEvent, readOnly |
    CloudTrail Event
    {
        "Records": [
            {
                "eventVersion": "1.05",
                "userIdentity": {
                    "type": "AssumedRole",
                    "principalId": "AEIOUUEDLRTHJNMAUHIJK:ecs-service-scheduler",
                    "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForECS/ecs-service-scheduler",
                    "accountId": "123456789012",
                    "accessKeyId": "AAMERICARTVPIMD4MYNOR",
                    "sessionContext": {
                        "sessionIssuer": {
                            "type": "Role",
                            "principalId": "AEIOUUEDLRTHJNMAUHIJK",
                            "arn": "arn:aws:iam::123456789012:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
                            "accountId": "123456789012",
                            "userName": "AWSServiceRoleForECS"
                        },
                        "webIdFederationData": {},
                        "attributes": {
                            "mfaAuthenticated": "false",
                            "creationDate": "2020-04-21T23:48:58Z"
                        }
                    },
                    "invokedBy": "ecs.amazonaws.com"
                },
                "eventTime": "2020-04-21T23:58:57Z",
                "eventSource": "servicediscovery.amazonaws.com",
                "eventName": "GetInstancesHealthStatus",
                "awsRegion": "us-east-1",
                "sourceIPAddress": "ecs.amazonaws.com",
                "userAgent": "ecs.amazonaws.com",
                "requestParameters": {
                    "serviceId": "srv-abcdef3nnytkte1f"
                },
                "responseElements": null,
                "requestID": "8044381c-70ae-430b-af05-7a9d0290a525",
                "eventID": "656e695e-0532-48a5-9ed5-8ab94a3f4e76",
                "eventType": "AwsApiCall",
                "recipientAccountId": "123456789012"
            }
        ]
    }
    
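A parser for a delivered log file, added here as an example (it is not code from the page or from AWS): it unpacks the gzip/"Records" layout described above, reduces each record to the WHO/WHAT/WHEN/WHERE fields, and applies one illustrative rule. The second record (the "alice" session on an "Admin" role, the 203.0.113.7 address and the StopLogging call) and the rule itself are constructed assumptions.

```python
import gzip
import json

# Constructed log file: the ECS record from the page (trimmed) plus a constructed
# AssumedRole session "alice" on an "Admin" role that calls cloudtrail:StopLogging.
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2020-04-21T23:58:57Z", "eventSource": "servicediscovery.amazonaws.com",
     "eventName": "GetInstancesHealthStatus", "awsRegion": "us-east-1", "sourceIPAddress": "ecs.amazonaws.com", "readOnly": True,
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForECS/ecs-service-scheduler",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AWSServiceRoleForECS"},
                                         "attributes": {"mfaAuthenticated": "false"}},
                      "invokedBy": "ecs.amazonaws.com"}},
    {"eventTime": "2020-04-22T00:03:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "readOnly": False,
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "Admin"},
                                         "attributes": {"mfaAuthenticated": "false"}}}},
]}).encode())


def load_records(log_file: bytes) -> list:
    # A delivered log file is gzip-compressed JSON with a top-level "Records" array.
    return json.loads(gzip.decompress(log_file))["Records"]


def summarize(rec: dict) -> dict:
    """Reduce one record to the WHO / WHAT / WHEN / WHERE fields listed above."""
    who = rec.get("userIdentity", {})
    session = who.get("sessionContext", {})
    return {
        "when": rec["eventTime"],
        "what": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
        "who": who.get("arn", who.get("type")),
        "role": session.get("sessionIssuer", {}).get("userName"),  # role behind the session
        "mfa": session.get("attributes", {}).get("mfaAuthenticated") == "true",
        "service_call": "invokedBy" in who,  # an AWS service acted on the principal's behalf
        "where": f'{rec.get("awsRegion")} from {rec.get("sourceIPAddress")}',
        "read_only": bool(rec.get("readOnly")),
    }


def unverified_writes(records: list) -> list:
    """Illustrative rule (an assumption, not an AWS-defined check): non-read-only
    calls from a non-service session that was not MFA-authenticated."""
    return [s for s in map(summarize, records)
            if not s["read_only"] and not s["service_call"] and not s["mfa"]]
```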

Characteristics

  • Aggregation
    • Can be aggregated across accounts
    • Can be aggregated across regions
      • Trails are regional, but you can create a multi-region trail
      • Limit of 5 trails per region
  • Integrations
    • Can set up CloudWatch metric filters for certain events to trigger a CloudWatch Alarm
    • Can enable SNS notifications for when a new log file is produced
  • Setup
    • Enabled by default (contains events for the last 90 days)
    • Without creating a trail, the event history shows 90 days but excludes various events (including all read events)

Security

Encryption at rest
  • By default, log files are encrypted using Amazon S3 server-side encryption (SSE-S3)
  • You can choose to use your own KMS key
    • The key needs to be created in the same region as the bucket that contains the AWS CloudTrail log files
    • The key policy must allow the CloudTrail service to encrypt with it and also allow the chosen principals in the AWS account to use it for decryption
CloudTrail Log File Integrity
  • Validates whether log files have been tampered with (modified or deleted)
  • Uses digest files (one hash per log file)
    • SHA-256 hashing
    • SHA-256 with RSA for digital signing
    • Private key owned by Amazon
  • Each digest file includes the hash and signature of the previous digest file, which establishes a sequential chain of digest files
  • Functioning:
    • CloudTrail calculates a 256-bit hash (using SHA-256) for every delivered log file
    • Each hour, CloudTrail builds a consolidated file (the digest file) that contains a JSON list of each log file delivered in the previous hour and its corresponding SHA-256 hash
    • CloudTrail calculates both the SHA-256 hash and the digital signature (RSA with SHA-256) of the digest file, using a private key managed by the service
    • CloudTrail delivers the current hour's digest file as an object to an S3 bucket, with its digital signature stored in the object metadata (under the x-amz-meta-signature key)
Stop unauthorized access
  • Use IAM policies and S3 bucket policies
    • security team -> admin access
    • auditors -> read-only access
  • Use SSE-S3/SSE-KMS to encrypt the logs
Prevent log files from being deleted
  • Restrict delete access with IAM and bucket policies
  • Configure S3 MFA delete
  • Validate with Log File Validation
CloudTrail digest file header
{
    "awsAccountId": "123456789012",
    "digestStartTime": "2020-04-21T23:19:16Z",
    "digestEndTime": "2020-04-22T00:19:16Z",
    "digestS3Bucket": "cloudtrail",
    "digestS3Object": "<path to current S3 object>.json.gz",
    "digestPublicKeyFingerprint": "1234567890b5dc9467b26b16602a50ce",
    "digestSignatureAlgorithm": "SHA256withRSA",
    "newestEventTime": "2020-04-22T00:18:58Z",
    "oldestEventTime": "2020-04-21T23:08:48Z",
    "previousDigestS3Bucket": "cloudtrail",
    "previousDigestS3Object": "<path to previous S3 object>.json.gz",
    "previousDigestHashValue": "<hash value>",
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestSignature": "<digest signature>",
    "logFiles": [
        ...
    ]
}
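An integrity check over the digest chain described above, added here as an example (it is not AWS's validator): it recomputes each log file's SHA-256, compares it with the digest entry, and follows previousDigestS3Object/previousDigestHashValue back through the chain, so a modified log file, a deleted log file or a rewritten earlier digest each surface as a finding. The bucket contents, the key names and the s3Object/hashValue entry fields are constructed assumptions; the RSA signature step is left out because it needs the CloudTrail public key.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gz_json(obj) -> bytes:
    # Log files and digest files are delivered as gzip-compressed JSON.
    return gzip.compress(json.dumps(obj).encode())


def make_digest(key, log_keys, store, prev_key=None):
    # Constructed digest; the "logFiles" entry fields (s3Object, hashValue) are an assumption.
    return gz_json({
        "digestS3Object": key,
        "logFiles": [{"s3Object": k, "hashValue": sha256_hex(store[k])} for k in log_keys],
        "previousDigestS3Object": prev_key,
        "previousDigestHashValue": sha256_hex(store[prev_key]) if prev_key else None,
    })


def verify_chain(digest_keys, store):
    """Walk the digests oldest to newest; return the problems found ([] = intact).
    Each listed log file must exist and hash to its recorded value, and each digest's
    previousDigest* fields must match the digest actually delivered before it."""
    problems, prev_key = [], None
    for key in digest_keys:
        digest = json.loads(gzip.decompress(store[key]))
        for lf in digest["logFiles"]:
            body = store.get(lf["s3Object"])
            if body is None:
                problems.append("deleted: " + lf["s3Object"])
            elif sha256_hex(body) != lf["hashValue"]:
                problems.append("modified: " + lf["s3Object"])
        if prev_key and (digest["previousDigestS3Object"] != prev_key
                         or digest["previousDigestHashValue"] != sha256_hex(store[prev_key])):
            problems.append("chain break at: " + key)
        prev_key = key
    return problems


DIGEST_KEYS = ["digests/h1.json.gz", "digests/h2.json.gz"]


def build_store():
    # Constructed bucket contents: two hourly log files and the two digests covering them.
    store = {"logs/h1.json.gz": gz_json({"Records": [{"eventName": "ConsoleLogin"}]}),
             "logs/h2.json.gz": gz_json({"Records": [{"eventName": "StopLogging"}]})}
    store[DIGEST_KEYS[0]] = make_digest(DIGEST_KEYS[0], ["logs/h1.json.gz"], store)
    store[DIGEST_KEYS[1]] = make_digest(DIGEST_KEYS[1], ["logs/h2.json.gz"], store, DIGEST_KEYS[0])
    return store
```

The signature in x-amz-meta-signature is the second half of the check: without verifying it against the published public key, a chain that was rewritten end to end would still pass the hash checks above.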