AWS CloudTrail is a powerful tool for monitoring account activity in your AWS account. You can use CloudTrail to see what activities are happening in your account, where they are happening, and when they are happening. You can also use CloudTrail to see who is using your AWS account and when. To use CloudTrail in your AWS account, you first need to create an Amazon Web Services account. Then, you need to set up your environment and create a new Amazon Web Services instance. After you have created an instance and set up your environment, you can start using CloudTrail. Use the following steps to get started with CloudTrail:
- Log into the Amazon Web Services console and click on the “Cloudtrails” tab at the top of the screen. This will take you to the “Cloudtrails” page of your new Amazon Web Services instance.
- On the “Cloudtrails” page of your new Amazon Web Services instance, click on “Create Account.” This will take you to the “Account Settings” page of your new Amazon Web Services instance. On this page, enter a name for your new AWS CloudTrail account and click on “Create.”
- On the “Account Settings” page of your new Amazon Web Services instance, enter a description for your CloudTrail account and click on “Create.” The description for your CloudTrail account should include information about how to use CloudTrail in order to monitor account activity on your AWS account. For more information about how to use CloudTrail in your AWS account, please see our article How To Use AWS
CloudTrail is an auditing, compliance monitoring, and governance tool designed to watch over your AWS account history and to keep detailed logs of all events. You can use this event history to simplify security analysis and to detect unusual activity in your account.
Using CloudTrail
You can use CloudTrail to monitor the last 90 days free of charge. However, if you want to keep extended logs, you need to pay for the associated S3 storage as well as a small fee per 100,000 events logged. Still, it’s relatively cheap, and it doesn’t hurt to get started with it.
CloudTrail automatically logs the last 90 days, so you’ll be able to head over to the CloudTrail Console and view the latest logs in your account. On the home screen, you’ll see the most recent events:
Under “Event History” in the sidebar, you’ll be able to view the full list of events, in chronological order.
This is a lot of data, so you’ll probably want to filter it down to just what you’re looking for. If you’re auditing specific employee accounts, you can filter by username or AWS access key, or by other attributes such as source IP address and resource type. You can also narrow the results to a specific time range.
If you click on an event, you can view all the data collected for that event. Some are simple, like “ConsoleLogin,” which tracks login times for different users. Others are more specific, and will show more details about the underlying API action.
You can view the full JSON data for the event with the “View Event” button.
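The same filtering can be done offline against the raw JSON records CloudTrail writes, which is useful once you are looking at more than a handful of events. The following is an added example, not code from the original article: it builds constructed sample records in the shape of a CloudTrail log file (`{"Records": [...]}`), applies the user, source IP, event name and time-range filters described above, and flags failed console logins and calls from outside an assumed allow-listed network (203.0.113.0/24).

```python
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of a CloudTrail log file as delivered to the
# trail's S3 bucket ({"Records": [...]}); users, times and IPs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-05-01T09:12:04Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}, "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2023-05-01T09:30:51Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2023-05-01T10:02:13Z", "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

def parse_time(s):
    # CloudTrail timestamps are UTC ISO-8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_records(log_text):
    return json.loads(log_text)["Records"]

def filter_events(records, user_name=None, source_ip=None, event_name=None, start=None, end=None):
    """The filters the Event History console offers: user, source IP, event name, time range."""
    def keep(r):
        t = parse_time(r["eventTime"])
        return ((user_name is None or r.get("userIdentity", {}).get("userName") == user_name)
                and (source_ip is None or r.get("sourceIPAddress") == source_ip)
                and (event_name is None or r.get("eventName") == event_name)
                and (start is None or t >= parse_time(start))
                and (end is None or t <= parse_time(end)))
    return [r for r in records if keep(r)]

def find_unusual(records, allowed_networks=("203.0.113.0/24",)):
    """Flag failed console logins and calls from outside the assumed allow-listed networks."""
    nets = [ip_network(n) for n in allowed_networks]
    findings = []
    for r in records:
        user = r.get("userIdentity", {}).get("userName", "<unknown>")
        ip = r.get("sourceIPAddress", "")
        if r.get("eventName") == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            findings.append(f"failed console login for {user} from {ip}")
        try:
            if not any(ip_address(ip) in n for n in nets):
                findings.append(f"{r.get('eventName')} by {user} from unexpected IP {ip}")
        except ValueError:
            pass  # sourceIPAddress can be an AWS service name rather than an IP
    return findings
```

Point `load_records` at a file downloaded from your trail's bucket (after gunzipping it) to run the same checks on real data.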
Creating a Trail
If you want to keep records for longer than 90 days, or keep extended logs for S3 and Lambda data events, you can create a Trail. Keep in mind that you will incur data charges for S3 log storage, as well as charges per 100,000 logged events.
From “Trails” in the sidebar, create a new trail. You have the option of using this trail for every region, as well as applying it to every account in an AWS Organization. You can also select which kinds of events to log, as well as enabling CloudTrail Insights for this trail.
The next section is “Data Events,” which can be used to keep extended logs on S3 buckets or Lambda functions. For S3, CloudTrail will log bucket-level operations, such as PutObject. For Lambda, CloudTrail will log any invocation of the given Lambda function. You can enable this for all buckets, or specify one by ARN.
Finally, you’ll need a new or existing bucket in which to keep the events. The size of this bucket also tells you how much data your trail is using.
Events logged by the trail will remain in the event history indefinitely. With a trail, you can activate CloudTrail Insights from the “Insights” tab in the sidebar:
This will take up to 36 hours to analyze your trail, and once it’s done, you’ll be able to browse through the findings.
If you want, you can also set up CloudTrail to send events to CloudWatch Logs, or use it with Elasticsearch for more detailed monitoring.