CloudTrail

AWS CloudTrail records AWS API activity and delivers the logs to S3, supporting governance, compliance and operational auditing through a record of account activity. It also serves as a troubleshooting aid.

Concepts

  • Trails configure where events are delivered and how long they are retained in S3 buckets.
  • Metric filters (in CloudWatch Logs) match events based on properties of the JSON records.

Enabling

CloudTrail can be enabled either globally (recommended) or per-region. Enabling it globally allows you to monitor unexpected behaviour in regions you're not deploying infrastructure to.

Schema

CloudTrail events are recorded in a well-documented JSON format that is supported by a number of external tools.

{
    "eventVersion": "1.04",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "",
        "arn": "",
        "accountId": "",
        "accessKeyId": "",
        "userName": "",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "true",
                "creationDate": "2020-12-26T13:00:46Z"
            }
        },
        "invokedBy": "signin.amazonaws.com"
    },
    "eventTime": "",
    "eventSource": "",
    "eventName": "",
    "awsRegion": "",
    "sourceIPAddress": "",
    "userAgent": "",
    "requestParameters": {},
    "resources": []
}

Delivery to S3

CloudTrail logs can be delivered to S3 for long-term retention. Objects are delivered at 5-15 minute intervals and contain gzipped JSON streams. This is the cheapest means of retention, but it can be clunky to query and alert on; Athena is likely the best option for analysis.
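As an added example (not part of the original note), the following Python reads one gzipped S3 delivery object in the schema above and flags two things the Enabling and Schema sections suggest watching for: activity in regions you do not deploy to, and console logins whose session was not MFA-authenticated. The sample events are constructed; the "Records" wrapper is how CloudTrail packages events inside each S3 object.

```python
import gzip
import json

# Constructed sample in the shape CloudTrail delivers to S3: a gzipped JSON
# object whose "Records" array holds one event per API call. Values are
# invented for illustration; the field names follow the CloudTrail schema.
SAMPLE_EVENTS = [
    {"eventTime": "2020-12-26T13:00:46Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2020-12-26T13:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2020-12-26T13:09:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": SAMPLE_EVENTS}).encode())


def iter_records(gz_bytes):
    """Decompress one CloudTrail S3 object and return its list of events."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def find_suspicious(gz_bytes, allowed_regions):
    """Return (rule, user, eventName, region) tuples for events worth alerting on:
    activity outside the regions you deploy to, and console logins whose session
    was not MFA-authenticated. Keep us-east-1 in allowed_regions: global services
    (IAM, STS, CloudFront) record their events there."""
    findings = []
    for rec in iter_records(gz_bytes):
        identity = rec.get("userIdentity", {})
        user = identity.get("userName", identity.get("type", "unknown"))
        region = rec.get("awsRegion")
        attrs = identity.get("sessionContext", {}).get("attributes", {})
        # CloudTrail writes mfaAuthenticated as the string "true"/"false".
        mfa = str(attrs.get("mfaAuthenticated", "false")).lower() == "true"
        if region not in allowed_regions:
            findings.append(("unexpected-region", user, rec["eventName"], region))
        if rec["eventName"] == "ConsoleLogin" and not mfa:
            findings.append(("console-login-without-mfa", user, rec["eventName"], region))
    return findings
```

Against a real bucket, replace SAMPLE_OBJECT with the bytes of each delivered object; the same two checks can be expressed as CloudWatch Logs metric filters once the trail is streamed there.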

Streaming to CloudWatch Logs

Streaming the logs to CloudWatch Logs allows near real-time ingestion, though it comes at an additional cost. Logs metric filters make the stream easier to explore and alert on.
