CloudTrail
Description
- Provides event history of AWS account activity (from Management Console, SDKs, CLI tools)
- Records every API call (not RDP/SSH sessions inside instances)
- CloudTrail is enabled at the creation of an AWS account
- Management events (past 90 days) are available in the Event History menu of AWS CloudTrail
- A small number of services don't log to CloudTrail
- Trails by default don't include data events
- Enables
    - Compliance/Auditability (do we comply with policies and regulations?)
    - Near-realtime intrusion detection
    - After-the-fact incident investigation
Events & Records

Event Type | Enabled | Type of activity | S3 Path | Delivery Time | CT Console (90 days) | API (90 days)
---|---|---|---|---|---|---
Management | By default | API activity (control plane), service events, sign-in events | CloudTrail | 5 mins | Event History | LookupEvents
Data | Require config in Trail | Resource operations (data plane) | CloudTrail | 15 mins | N/A | N/A
Insights | Require config in Trail | "Meta-events": unusual activity associated with write APIs | CloudTrail-Insight | 30 mins | Insights | LookupEvents (w/ EventCategory parameter)
- Event = basic unit of activity reporting
- Storage:
    - Trails allow storing CloudTrail events in an S3 bucket in the form of log files
    - Each log file is gzip compressed and contains 1+ JSON records
- Fields of a recorded event:
    - API call metadata
    - Identity of API caller
    - Time of API call
    - Source IP address of the API caller
    - Request parameters
    - Response elements returned by the service
- `eventSource`: what service produced the event

W | Description
---|---
WHAT | `eventName`, `requestParameters`, `responseElements`, `requestID`, `eventType`, `resources`
WHO | Information about the principal and how it was authenticated. For example `userIdentity`, which itself includes other attributes like `type`, `principalId`, `arn`, or `accountId`
WHEN | `eventTime`
WHERE | `eventSource`, `awsRegion`, `sourceIPAddress`, `userAgent`, `recipientAccountId`
Context | Information about the event itself: `eventVersion`, `eventType`, `apiVersion`, `managementEvent`, `readOnly`
CloudTrail Event

```json
{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AEIOUUEDLRTHJNMAUHIJK:ecs-service-scheduler",
        "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForECS/ecs-service-scheduler",
        "accountId": "123456789012",
        "accessKeyId": "AAMERICARTVPIMD4MYNOR",
        "sessionContext": {
          "sessionIssuer": {
            "type": "Role",
            "principalId": "AEIOUUEDLRTHJNMAUHIJK",
            "arn": "arn:aws:iam::123456789012:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
            "accountId": "123456789012",
            "userName": "AWSServiceRoleForECS"
          },
          "webIdFederationData": {},
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2020-04-21T23:48:58Z"
          }
        },
        "invokedBy": "ecs.amazonaws.com"
      },
      "eventTime": "2020-04-21T23:58:57Z",
      "eventSource": "servicediscovery.amazonaws.com",
      "eventName": "GetInstancesHealthStatus",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "ecs.amazonaws.com",
      "userAgent": "ecs.amazonaws.com",
      "requestParameters": {
        "serviceId": "srv-abcdef3nnytkte1f"
      },
      "responseElements": null,
      "requestID": "8044381c-70ae-430b-af05-7a9d0290a525",
      "eventID": "656e695e-0532-48a5-9ed5-8ab94a3f4e76",
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789012"
    }
  ]
}
```
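As an added example (not part of the original notes), a small Python triage script that reads a gzip'd log file of the form described above, reduces each record to its WHO / WHAT / WHEN / WHERE fields, and applies two detections: a write API call from a session that was not MFA-authenticated, and calls that stop or alter the trail itself. The three records are constructed, and the rule names, the `TRAIL_TAMPER` set and the helper names are my own choices.

```python
import gzip
import json

SAMPLE_RECORDS = [  # constructed sample records, not from any real account
    {"eventTime": "2020-04-21T23:58:57Z", "eventSource": "servicediscovery.amazonaws.com",
     "eventName": "GetInstancesHealthStatus", "awsRegion": "us-east-1", "readOnly": True,
     "sourceIPAddress": "ecs.amazonaws.com", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForECS/ecs-service-scheduler",
     "invokedBy": "ecs.amazonaws.com", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2020-04-22T01:02:03Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "readOnly": False, "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2020-04-22T01:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "readOnly": False, "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob",
     "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]
SAMPLE_LOG_GZ = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())  # a .json.gz as delivered to S3
# CloudTrail API calls that silence or narrow the trail; alert on them regardless of MFA.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def read_log_file(blob: bytes) -> list:
    """Decompress one gzip'd CloudTrail log file and return its JSON records."""
    return json.loads(gzip.decompress(blob))["Records"]

def triage(rec: dict) -> dict:
    """Reduce a record to the WHO / WHAT / WHEN / WHERE fields an analyst looks at first."""
    ident = rec.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})  # absent for plain access-key use
    return {
        "who": ident.get("arn") or ident.get("principalId"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "service_call": "invokedBy" in ident,  # an AWS service acting on the account's behalf
        "what": f'{rec["eventSource"]}:{rec["eventName"]}',
        "when": rec["eventTime"],
        "where": (rec.get("sourceIPAddress"), rec.get("awsRegion")),
        "read_only": bool(rec.get("readOnly", False)),
    }

def findings(records: list) -> list:
    """Run two simple detections; returns (rule, who, what) tuples in record order."""
    out = []
    for rec in records:
        t = triage(rec)
        if rec["eventSource"] == "cloudtrail.amazonaws.com" and rec["eventName"] in TRAIL_TAMPER:
            out.append(("trail-tamper", t["who"], t["what"]))
        elif not t["read_only"] and not t["mfa"] and not t["service_call"]:
            # Service-linked roles (like the ECS scheduler record) never carry MFA, so skip them.
            out.append(("write-without-mfa", t["who"], t["what"]))
    return out
```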
Characteristics
- Aggregation
    - Can be aggregated across accounts
    - Can be aggregated across regions
    - Trails are regional, but you can create a multi-region trail
    - Limit of 5 trails per region
- Integrations
    - Can set up CloudWatch metric filters for certain events to trigger a CloudWatch Alarm
    - Can enable SNS notifications for when a new log file is produced
- Setup
    - Enabled by default (contains events for the last 90 days)
    - Without creating a trail, the event history shows 90 days but excludes various events (including all read events)
Security

Topic | Notes
---|---
Encryption at rest | Log files delivered to S3 are encrypted server-side (SSE-S3 by default; SSE-KMS with a customer managed key can be configured on the trail)
CloudTrail Log File Integrity | Log file integrity validation: CloudTrail delivers digest files listing the hashes of the log files delivered in each window, chained to the previous digest and signed (see the digest file header below)
Stop unauthorized access | IAM policies and the S3 bucket policy restrict who can read the logs and who can change or stop the trail
Prevent log files from being deleted | Restrict `s3:DeleteObject` on the log bucket and enable MFA Delete on it
CloudTrail digest file header

```json
{
  "awsAccountId": "123456789012",
  "digestStartTime": "2020-04-21T23:19:16Z",
  "digestEndTime": "2020-04-22T00:19:16Z",
  "digestS3Bucket": "cloudtrail",
  "digestS3Object": "<path to current S3 object>.json.gz",
  "digestPublicKeyFingerprint": "1234567890b5dc9467b26b16602a50ce",
  "digestSignatureAlgorithm": "SHA256withRSA",
  "newestEventTime": "2020-04-22T00:18:58Z",
  "oldestEventTime": "2020-04-21T23:08:48Z",
  "previousDigestS3Bucket": "cloudtrail",
  "previousDigestS3Object": "<path to previous S3 object>.json.gz",
  "previousDigestHashValue": "<hash value>",
  "previousDigestHashAlgorithm": "SHA-256",
  "previousDigestSignature": "<digest signature>",
  "logFiles": [
    ...
  ]
}
```