1.1 AWS CloudTrail Lab
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. To learn more about AWS CloudTrail view the AWS Cloudtrail documentation.
Create a Trail in CloudTrail
You can review the documentation on creating a Trail via the Console. We will highlight the steps below. By default CloudTrail retains 90 days worth of data, but for compliance, security, retention and analytics reasons it is recommended to create a trail that saves the data to Amazon Simple Storage Service (S3) or Amazon CloudWatch Logs. In this lab we will create a trail and push logs to both places.
- Search for the CloudTrail service under the “Management & Governance” section in the console and click on “Cloudtrail”.
- Click on “Getting Started” if presented with that screen. Once in the CloudTrail console, click on “Trails” on the left side of the screen.
- Then click on “Create trail”, to create our trail for this lab.
Apply the following settings and create the trail:
- Trail name: mgt312-workshop
- Apply trail to all regions: Yes
- Apply trail to my organization: No
- Management events
- Read/Write events: All
- Data events (provide insights into the resource operations)
- Check the box on “Select all S3 Buckets in your account”
- Click on the “Lambda” tab, and check the box “Log all current and future functions”
- Storage location
- Create a new S3 bucket: Yes
- S3 bucket: mgt312-workshop-(your_cell_number)
- We are using cell number at the end to ensure that we create a uniquie bucket per user. For more information on bucket restrictions and limitations review the AWS documenation.
- S3 bucket: mgt312-workshop-(your_cell_number)
- Create a new S3 bucket: Yes
- Click on “Create”
Lets setup our trail to send logs to CloudWatch so we can search through them a bit easier.
- Click back into the Trail, go to the “CloudWatch Logs” section and click on “Configure”
- In the “New or existing log group” box, type the name mgt312workshop/CloudTrail and then click “Continue”
- Next screen click “Allow”, this gives CloudTrail the ability to assume a role to write to CloudWatch Logs.
- Click back into the Trail, go to the “CloudWatch Logs” section and click on “Configure”
We now have a trail capturing activity in our AWS account. Later on, we will search through our trail after we have generated some activity.