AWS Certification: How to set up CloudTrail?

We have launched the AWS Certified Solutions Architect Associate certification exam, which is the entry level of the AWS certifications. As part of our training on AWS certification topics, we have started writing about the important topics that are useful when preparing for the AWS certification exams. In this article we write about AWS CloudTrail logs; this topic falls under security in Amazon Web Services (AWS). Here is the snapshot of the exam blueprint.

Exam Objective

This topic addresses the Data Security objective as highlighted in the AWS exam blueprint. Click here to view it.

What is CloudTrail in AWS, and how do you prepare for the certification?

AWS CloudTrail is a service provided with AWS that gives organizations a better tracking mechanism and helps them comply with security standards.

What is AWS CloudTrail?

AWS CloudTrail

In AWS, there is a security mechanism that records all the API calls made to AWS. Every action you perform in AWS, such as creating EC2 instances or databases, is ultimately carried out via an API call. So even if you go to the AWS console and create an EC2 instance from the dashboard, in the end everything is done via an API call.

So CloudTrail records all the calls made to the AWS account. CloudTrail was designed with security compliance in mind: in many organizations, complying with security regulations requires logging all key interactions with systems. Some of the elements recorded by AWS CloudTrail are given below.

  • The identity of the person making the AWS API call
  • The time of the API call. This is known as the event time: the date and time the request was made, in Coordinated Universal Time (UTC).
  • The source IP address of the API call
  • The request parameters for the API call
  • The elements in the response to the API call
  • The service associated with the call. This is a short name for the service; if the service was EC2, it would be ec2.amazonaws.com.
  • The region the call was made in, such as us-east-1
  • The agent that made the call. The agent can be the AWS console, the CLI or a programming interface; if it was the console, it would be console.amazonaws.com.
  • If there was an error in the request, the error ID and error message are also included in the record.
  • The event type: a console event (Consolesignin event), an API call (AwsApiCall) or a service event (AwsServiceEvent).

Here is the official link from AWS that explains CloudTrail. Here is their definition:

CloudTrail in AWS

The CloudTrail Architecture

The diagram below, from the AWS documentation, shows the architecture of AWS CloudTrail. Let’s go through each part of the image in a little more detail.


  • The API call – A user can make an API call via:
    1. The AWS Console – Here a user can log in, use the AWS services from the dashboard and work with them accordingly.
    2. The AWS CLI – This is the command line interface provided by AWS. Here users log in via the command prompt and run commands against the various AWS services.
    3. The SDK – There are software development kits available for languages such as .NET and Java. Calls made through these programming languages can also be tracked via CloudTrail.
  • All AWS services can be tracked via CloudTrail. So in the diagram you can see all the AWS services, and all of them can be tracked via CloudTrail.
  • The logging of all calls is done in S3. When CloudTrail records a call, it is logged into a dedicated S3 bucket. You can have an optional SNS topic that sends notifications based on the log calls that are received.
  • And finally you can have log analysis carried out on the information logged in the S3 bucket by various AWS partners. For the list of partners please visit this link.

How do we set up AWS CloudTrail?

Now let’s look in detail at the steps required to enable CloudTrail.

Step 1: Log into your AWS Console. You will see CloudTrail under Management Tools.

AWS Console and CloudTrail Option

Step 2: Click on “Get Started Now”

Getting Started with CloudTrail

Step 3: In the next screen, you need to give a name to the trail, choose whether to apply the trail to all regions, and provide the name of the new S3 bucket where this trail needs to be stored.

Enable CloudTrail Log Feature

Then click on the Turn On button.

Once complete, you can see that the trail is enabled and the Logging status is set to true.

AWS CloudTrail Logs List in S3 Bucket

Step 4: Now perform some actions on AWS, such as creating new instances, or any other action as desired. Then go to the S3 bucket named “privatetrail”. This is the bucket we specified when enabling CloudTrail.

Step 5: Now go to S3. In the privatetrail bucket you will now see a folder named “AWSLogs”. This is created automatically by CloudTrail.

CloudTrail Logs

Step 6: Then drill down further to see the logs stored.

CloudTrail Logs details

Step 7: Click on the CloudTrail folder.


Step 8: You will now see a separate folder for each region.

CloudTrail Region List

Step 9: Drill down further into the desired region and you will see the logs stored in date-wise folders.

Logs Details for AWS Security

Step 10: You can then download the respective log file.

Download AWS CloudTrail logs

In the log file, you will have a JSON output of all the details of all API calls made.

{ 
   "Records":[ 
      { 
         "eventVersion":"1.05",
         "userIdentity":{ 
            "type":"Root",
            "principalId":"085363624145",
            "arn":"arn:aws:iam::085553624145:root",
            "accountId":"085363884145",
            "accessKeyId":"ASIAJBN375ELM5JEK3CQ",
            "sessionContext":{ 
               "attributes":{ 
                  "mfaAuthenticated":"false",
                  "creationDate":"2016-12-11T04:04:55Z"
               }
            }
         },
         "eventTime":"2016-12-11T04:06:50Z",
         "eventSource":"cloudtrail.amazonaws.com",
         "eventName":"DescribeTrails",
         "awsRegion":"ap-northeast-1",
         "sourceIPAddress":"86.99.46.215",
         "userAgent":"console.amazonaws.com",
         "requestParameters":{ 
            "trailNameList":[ 

            ]
         },
         "responseElements":null,
         "requestID":"3dc3c9ec-bf57-11e6-bc57-3b88036392cf",
         "eventID":"094bfabe-f597-4005-b7ca-86b19cb770fe",
         "eventType":"AwsApiCall",
         "recipientAccountId":"085363624145"
      }
   ]
}

You can see the following useful information:

  • The IAM user who performed the action
  • The time of the event
  • The source of the event
  • The IP Address
  • The parameters and response of the event
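To show how those fields are pulled out of a log file in practice, here is an added example (not from the original article): it parses a constructed log in the same shape as the record above, summarizes who/when/what/from where for each event, and flags two things a reviewer cares about, root credentials used without MFA and calls that stop or delete the trail itself. The account id, IP addresses and user name are made up.

```python
import json

# Constructed sample log file in the shape of the record shown on this page
# (account id, IP addresses and user name are made up for the example).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-12-11T04:06:50Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "awsRegion": "ap-northeast-1", "eventType": "AwsApiCall",
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"trailNameList": []}, "responseElements": None},
    {"eventTime": "2016-12-11T05:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "eventType": "AwsApiCall",
     "sourceIPAddress": "198.51.100.9", "userAgent": "aws-cli/1.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "privatetrail"}, "errorCode": "AccessDenied"},
]})

# API calls that switch off or remove the audit trail itself; worth an alert either way.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail"}

def summarize(record):
    """Extract the fields the article lists: who, when, what, from where, and the outcome."""
    ident = record.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "who": ident.get("userName") or ident.get("arn", "unknown"),
        "identity_type": ident.get("type"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "when": record.get("eventTime"),
        "action": f'{record.get("eventSource")}:{record.get("eventName")}',
        "region": record.get("awsRegion"),
        "source_ip": record.get("sourceIPAddress"),
        "agent": record.get("userAgent"),
        "error": record.get("errorCode"),  # absent (None) when the call succeeded
    }

def review(log_text):
    """Parse one CloudTrail log file and return (action, finding) pairs for a reviewer."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        s = summarize(rec)
        if s["identity_type"] == "Root" and not s["mfa"]:
            findings.append((s["action"], "root credentials used without MFA"))
        if rec.get("eventName") in TRAIL_TAMPERING:
            outcome = "denied" if s["error"] else "succeeded"
            findings.append((s["action"], f"trail tampering attempt ({outcome})"))
    return findings
```

Running review(SAMPLE_LOG) on the sample returns one finding per record: the root DescribeTrails call without MFA, and the denied StopLogging attempt.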

Step 11: When you go back to CloudTrail, you will also be able to see the individual requests as events.

Log Requests

If you click on any event, you will see the details of the event, the same details you can see in the log file.

Log Request Event

Certification Points to Remember about CloudTrail

Here is a summary of key points to remember for the certification preparation. You may encounter similar types of questions in the certification exam.

  1. You can apply CloudTrail either to all regions or to specific regions.
  2. The API activity recorded in CloudTrail remains for 7 days.
  3. There is a list of services which CloudTrail can monitor; for the entire list of services please visit the link.
  4. By default all logs are encrypted with server-side encryption when stored in S3.
  5. All events are delivered to the S3 bucket every 5 minutes.
  6. You can also configure CloudTrail in multiple accounts to send logs to one account. So suppose you had accounts A, B, C and D. You then need to follow the steps below to ensure that logs are delivered to just one bucket.
    • First enable CloudTrail in one account, say account A.
    • Update the bucket policy on your destination bucket to grant cross-account permissions to CloudTrail.
    • Then enable CloudTrail in all other accounts and set the destination bucket to the bucket defined in account A.
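The bucket policy in the second step is the part people get wrong, so here is an added example (not from the article) that builds it for account A's bucket and includes a small review helper that lists which AWSLogs/<account>/ prefixes the policy actually lets CloudTrail write to. The bucket name "privatetrail" is the one used earlier in the article; the four account ids are constructed stand-ins for accounts A, B, C and D.

```python
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"

def cross_account_trail_policy(bucket, account_ids):
    """Bucket policy for account A's bucket so that CloudTrail in every listed account
    (A, B, C, D in the article) may deliver logs into it.

    CloudTrail writes under AWSLogs/<accountId>/ and must set bucket-owner-full-control
    on each object, so the bucket owner can always read what the other accounts send."""
    write_resources = [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*" for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail reads the bucket ACL before it delivers the first log file
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {   # One prefix per source account: nothing outside AWSLogs/<acct>/ is writable
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": write_resources,
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }

def writable_log_prefixes(policy):
    """Review helper: the AWSLogs/<account>/ prefixes the policy lets CloudTrail write to.
    An account id you do not recognise here means a third party's logs can land in the bucket."""
    prefixes = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:PutObject":
            continue
        if stmt.get("Principal") != {"Service": CLOUDTRAIL_SERVICE}:
            continue  # only CloudTrail's own write grants are of interest here
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for arn in res:
            key = arn.split(":::", 1)[1].split("/", 1)[1]  # drop "arn:aws:s3:::bucket/"
            prefixes.add(key.rstrip("*"))
    return sorted(prefixes)

# Constructed account ids standing in for the article's accounts A, B, C and D.
POLICY = cross_account_trail_policy(
    "privatetrail", ["111111111111", "222222222222", "333333333333", "444444444444"])
```

json.dumps(POLICY, indent=2) gives the document to paste into the destination bucket's policy editor.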

Summary

I hope this article is useful for understanding the concepts behind CloudTrail for tracking AWS account activity. Note that security is one of the important concepts that has to be prepared very well for passing the exam. We are going to write a series of articles on similar topics to teach you how to use AWS and to prepare for AWS certification exams such as AWS Certified Cloud Practitioner, AWS Certified Developer Associate, AWS DevOps and others.

Practice Questions

It is important to practice a large number of questions when preparing for the Solutions Architect certification exam. We have prepared 300+ high-quality questions that cover all the exam objectives and provide an explanation for every option given for each question. This will help you improve your confidence before you take the real exam.

Technical Support

If you are looking for any technical support, such as more explanation of a question or clarifications, we have dedicated support for Amazon Web Services (AWS) to answer all your queries. You can drop us a mail at info@whizlabs.com with your queries. We will respond to your questions within 12 hours.

Good luck for your exam preparation!!

About Pavan Gumaste

Pavan Rao is a programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. He helps the organisation figure out what to build, ensure successful delivery, and incorporate user learning to improve the strategy and product further.
