Skip to content

CloudTrail

General Info

Use cases
  • Provides event history of AWS account activity (from Management Console, SDKs, CLI tools)
  • Records every API call (no RDP/SSH)
    • A small number of services don't log to CloudTrail
    • Trails by default don't include data events (including S3 object activity and Lambda execution)
    • Records
      • API call metadata
      • identity of API caller
      • time of API call
      • source IP address of the API caller
      • request parameters
      • response elements returned by the service
      • eventSource: what service produced the event
  • Delivers log files to S3 and/or CloudWatch Logs
Enables
  • Compliance/Auditability (do we comply with policies and regulations?)
  • Near-realtime intrusion detection
  • After-the-fact incident investigation
Characteristics
  • Delivered every 5 (actives) minutes with up to 15mins delay
  • Aggregation
    • Can be aggregated across accounts
    • Can be aggregated across regions
      • trails are regional, but you can create a global trail which creates identitical trails in all regions
      • limit of 5 trails per region
  • Integrations
    • Can set up CloudWatch metric filters for certain events to trigger a CloudWatch Alarm
    • Can enable SNS notifications for when a new log file is produced
  • Setup
    • Enabled by default (contains events for the last 90 days)
    • Without creating a trail, the event history shows 90 days but excludes various events (including all read events)

Security

CloudTrail Log File Integrity
  • Validate if logs have been tampered with (modified or deleted)
  • Uses digest files (create hash for each file)
    • SHA-256 hashing
    • SHA-256 with RSA for digital signing
    • private key owned by Amazon
  • Takes 1 hour to create a digest file (done on the hour every hour)
Stop unauthorized access
  • Use IAM policies and S3 bucket policies
    • security team —> admin access
    • auditors —> read only access
  • Use SSE-S3/SSE-KMS to encrypt the logs
Prevent log files from being deleted
  • Restrict delete access with IAM and bucket policies
  • Configure S3 MFA delete
  • Validate with Log File Validation