Bharathi Batthula
Nov 28, 2020

AWS AUDITING, MONITORING AND NOTIFICATION SERVICES 2nd Part

AWS CloudTrail

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account.

Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.

  • Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

CloudTrail is enabled on your AWS account when you create it (but CloudTrail logging to a trail is not).

When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.

  • You can easily view events in the CloudTrail console by going to Event history.

CloudTrail Benefits

You can identify:

  • Who or what took which action,
  • What resources were acted upon,
  • When the event occurred, and other details to help you analyze and respond to activity in your AWS account.

This benefits the following areas:

  • Security

Visibility into your AWS account activity is a key aspect of security best practices.

  • Tracking changes in an AWS environment

You can use CloudTrail to view, search, download, archive, analyze and respond to account activity across your AWS infrastructure.

CloudTrail Event History and Trails

Event history allows you to view, search and download the past 90 days of activity in your account.

You can create a CloudTrail trail to archive, analyze and respond to changes in your AWS resources.

CloudTrail logging, which is essentially delivering CloudTrail events to an S3 bucket, is not enabled by default.

  • You need to create a trail and define a bucket; CloudTrail will then send events to this bucket, i.e. it will start logging the selected events.

A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify.

You can deliver and analyze events in a trail with Amazon CloudWatch Logs and CloudWatch Events.

You can create a trail with the CloudTrail console, the AWS CLI, or the CloudTrail API.

You can create 2 types of trails:

  • A trail that applies to all regions (Recommended by AWS)

When you create a trail that applies to all regions,

  • CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify.

This is effectively like creating the trail in each of these regions.

If a region is added after you create a trail that applies to all regions,

  • That new region is automatically included, and events in that region are logged.

This is the default option when you create a trail in the CloudTrail console.

Advantages of All Regions Trails

A trail that applies to all regions has the following advantages:

  • The configuration settings for the trail apply consistently across all regions.
  • Receiving CloudTrail events from all regions in a single S3 bucket and, optionally, in a CloudWatch Logs log group.
  • Managing trail configuration for all regions from one location.
  • Immediately receiving CloudTrail events from a new region when launched.
  • Ability to create trails in regions that you don’t use often to monitor for unusual activity.

Trail limits per Region

  • If you have different but related user groups, such as developers, security personnel, and IT auditors, you can create multiple trails per region.

This allows each group to receive its own copy of the log files.

  • CloudTrail supports five trails per region.

A trail that applies to all regions counts as one trail in every region.

CloudTrail Event History and Trails

The second type of trail you can create:

  • A trail that applies to one region

When you create a trail that applies to one region,

  • CloudTrail records the events in that region only.
  • It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify.

If you create additional single-region trails, you can have those trails deliver CloudTrail event log files to the same Amazon S3 bucket or to separate buckets.

This is the default option when you create a trail using the AWS CLI or the CloudTrail API.

CloudTrail Events Logging

You can store your log files in your bucket for as long as you want.

  • You can also define Amazon S3 lifecycle rules to archive or delete log files automatically.

CloudTrail typically delivers log files within 15 minutes of account activity.

  • In addition, CloudTrail publishes log files multiple times an hour, about every five minutes.
  • These log files contain API calls from services in the account that support CloudTrail.

CloudTrail Log File Integrity Validation - What Is It

It is the ability of Amazon CloudTrail to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it to your S3 bucket.

This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.

  • This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.

You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

Benefits of this feature:

  • Validated log files are invaluable in security and forensic investigations.
  • A validated log file enables you to assert positively that the log file itself has not changed, or
  • that particular user credentials performed specific API activity.

CloudTrail Log File Integrity Validation - How It Works

When the validation feature is enabled:

  • CloudTrail creates a hash for every log file that it delivers.
  • Every hour, CloudTrail creates and delivers a file that references the log files for the last hour and contains a hash of each.

  • This file is called a digest file.
  • CloudTrail signs each digest file using the private key of a public and private key pair.
  • After delivery, the public key can be used to validate the digest file.
  • CloudTrail uses different key pairs for each AWS region.

The digest files are delivered to the same Amazon S3 bucket associated with the trail as your CloudTrail log files.

Each digest file also contains the digital signature of the previous digest file, if one exists.

The signature for the current digest file is in the metadata properties of the digest file Amazon S3 object.

If the log files are delivered from all regions or from multiple accounts into a single Amazon S3 bucket,

  • CloudTrail will deliver the digest files from those regions and accounts into the same bucket.
  • The digest files are put into a folder separate from the log files.

This separation of digest files and log files enables you to enforce granular security policies and permits existing log processing solutions to continue to operate without modification.

Because the CloudTrail log files and digest files are stored in Amazon S3, you can use Amazon S3 MFA Delete protection on them.

The AWS Management Console, the APIs or the CLI can be used to enable the feature.

Validating Log File Integrity

To validate the integrity of CloudTrail log files, the AWS CLI or a custom or third-party solution can be used.

The AWS CLI will validate files in the location where CloudTrail delivered them.

For logs that have been moved to a different location, either in Amazon S3 or elsewhere,

  • customers need to create their own validation tools.
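As an added example (not code from the original post), the following Python sketch shows the checks such a custom validator performs on a digest: rehashing every log file the digest references, checking the hash chain back to the previous digest, and assembling the data whose SHA-256 with RSA signature is checked against the region's public key. The digest uses the field names of the CloudTrail digest file format, but all values, bucket and object names are constructed placeholders; the layout of the signed string is assumed from AWS's custom-validation guidance, and the signature step needs the cryptography package.

```python
import hashlib
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
# Constructed sample contents (decompressed JSON) standing in for objects CloudTrail delivered to S3.
LOG_FILE_BYTES = b'{"Records":[{"eventSource":"cloudtrail.amazonaws.com","eventName":"CreateTrail"}]}'
PREVIOUS_DIGEST_BYTES = b'{"digestEndTime":"2020-11-28T10:00:00Z","logFiles":[]}'
LOG_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2020/11/28/example_log.json.gz"  # placeholder key
# Constructed digest using the field names of a CloudTrail digest file; every value is a placeholder.
DIGEST = {
    "digestEndTime": "2020-11-28T11:00:00Z",
    "digestS3Bucket": "example-trail-bucket",
    "digestS3Object": "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2020/11/28/example_digest.json.gz",
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_BYTES),
    "previousDigestSignature": "<hex signature of the previous digest (placeholder)>",
    "logFiles": [{"s3Bucket": "example-trail-bucket", "s3Object": LOG_KEY,
                  "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_FILE_BYTES)}],
}
BUCKET = {LOG_KEY: LOG_FILE_BYTES}  # simulated S3 listing: key -> decompressed bytes

def check_log_files(digest: dict, objects: dict) -> dict:
    """Rehash every log file the digest references: {s3Object: 'valid' | 'modified' | 'deleted'}."""
    results = {}
    for entry in digest["logFiles"]:
        data = objects.get(entry["s3Object"])  # None means the object is gone from the bucket
        results[entry["s3Object"]] = ("deleted" if data is None else
                                      "valid" if sha256_hex(data) == entry["hashValue"] else "modified")
    return results

def check_chain(digest: dict, previous_digest_bytes: bytes) -> bool:
    """Digest N stores the hash of digest N-1, so an altered or swapped earlier digest breaks the chain."""
    return sha256_hex(previous_digest_bytes) == digest["previousDigestHashValue"]

def string_to_verify(digest: dict, digest_bytes: bytes) -> str:
    """Signed data: end time, bucket/key, hex SHA-256 of the digest file, previous signature, newline-joined (layout assumed from AWS's custom-validation guidance)."""
    return "\n".join([digest["digestEndTime"], digest["digestS3Bucket"] + "/" + digest["digestS3Object"],
                      sha256_hex(digest_bytes), digest["previousDigestSignature"]])

def verify_signature(digest: dict, digest_bytes: bytes, signature_hex: str, public_key_der: bytes) -> bool:
    """SHA256withRSA (PKCS#1 v1.5) check of the hex signature from the digest object's S3 metadata against the region's DER public key; needs the cryptography package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    try:
        serialization.load_der_public_key(public_key_der).verify(
            bytes.fromhex(signature_hex), string_to_verify(digest, digest_bytes).encode(), padding.PKCS1v15(), hashes.SHA256())
        return True
    except Exception:  # InvalidSignature or malformed input both mean "do not trust this digest"
        return False
```

A real validator walks the digest chain backwards from the newest digest, stopping only at a digest whose previousDigest fields are null, and fetches the public key whose fingerprint matches the digest's digestPublicKeyFingerprint.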

I will continue with CloudWatch in the next blog.

Bharathi.
