Getting Started With AWS CloudTrail
Welcome to CloudAffaire and this is Debjeet.
In today’s blog post, we will discuss how to get started with AWS CloudTrail. In today’s API-driven world, it’s difficult to keep track of what’s happening in your cloud landscape and to debug when an issue occurs. Luckily for us, AWS provides a service named CloudTrail just for this purpose. You may wonder: there is already a service named CloudWatch to monitor your AWS cloud landscape, so why do you need an additional service, and what is the difference between CloudWatch and CloudTrail? CloudWatch can be used for monitoring and log analysis, but CloudWatch does not record API actions. To monitor, track and debug API actions, you need to use the CloudTrail service.
Getting Started With AWS CloudTrail:
What Is AWS CloudTrail?
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view events in the CloudTrail console by going to Event history.
Event history allows you to view, search, and download the past 90 days of activity in your AWS account. In addition, you can create a CloudTrail trail to archive, analyze, and respond to changes in your AWS resources. A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify. You can also deliver and analyze events in a trail with Amazon CloudWatch Logs and Amazon CloudWatch Events. You can create a trail with the CloudTrail console, the AWS CLI, or the CloudTrail API.
Key Concepts Of CloudTrail:
An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by a user, role, or service that is monitorable by CloudTrail. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. There are three types of events that can be logged in CloudTrail: management events, data events, and CloudTrail Insights events. By default, trails log management events, but not data or Insights events.
- Management Events: Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations. For example, configuring security, configuring logging, or registering a device generates a CloudTrail management event.
- Data Events: Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities. For example, Amazon S3 object-level API activity or Lambda function execution generates CloudTrail data events.
- Insights Events: CloudTrail Insights events capture unusual activity in your AWS account. If you have Insights events enabled and CloudTrail detects unusual activity, Insights events are logged to a different folder or prefix in the destination S3 bucket for your trail. Generally, unusually high-volume API activity generates a CloudTrail Insights event.
CloudTrail event history:
CloudTrail event history provides a viewable, searchable, and downloadable record of the past 90 days of CloudTrail events.
A trail is a configuration that enables delivery of CloudTrail events to an Amazon S3 bucket, CloudWatch Logs, and CloudWatch Events. You can use a trail to filter the CloudTrail events you want delivered, encrypt your CloudTrail event log files with an AWS KMS key, and set up Amazon SNS notifications for log file delivery. You can configure three types of trail:
- Regional CloudTrail: When you create a trail that applies to one region, CloudTrail records the events in that region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify.
- Global CloudTrail: When you create a trail that applies to all regions, CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify.
- Organizational CloudTrail: If you have created an organization in AWS Organizations, you can also create a trail that will log all events for all AWS accounts in that organization. This is referred to as an organization trail. Organization trails can apply to all AWS Regions or one Region.
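To make the event types and the trail delivery described above concrete, here is an added example in Python; it is not code from this blog or from AWS. It reads a CloudTrail log file in the shape a trail delivers it to S3 (one gzip-compressed JSON object with a "Records" array), sorts the records into the Management and Data categories, lists the management calls that actually changed something, flags calls that stop or alter CloudTrail logging itself, and parses the S3 object key layout that separates ordinary trail logs from Insights logs. The field names are CloudTrail's own; every value (users, IP addresses, account id, timestamps, object key) is constructed sample data.

```python
import gzip
import io
import json
from collections import Counter

# Constructed sample log file: a trail delivers one JSON object with a
# "Records" array, gzip-compressed, to S3. Field names are the real
# CloudTrail record fields; every value below is made up for this example.
SAMPLE_RECORDS = {
    "Records": [
        {"eventVersion": "1.08", "eventTime": "2024-01-15T10:00:00Z",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
         "eventCategory": "Management", "managementEvent": True, "readOnly": False},
        {"eventVersion": "1.08", "eventTime": "2024-01-15T10:01:00Z",
         "userIdentity": {"type": "AssumedRole", "userName": "app-role"},
         "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
         "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.5",
         "eventCategory": "Data", "managementEvent": False, "readOnly": True},
        {"eventVersion": "1.08", "eventTime": "2024-01-15T10:02:00Z",
         "userIdentity": {"type": "IAMUser", "userName": "bob"},
         "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
         "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
         "eventCategory": "Management", "managementEvent": True, "readOnly": False},
        # Older record version without eventCategory; classify() must cope.
        {"eventVersion": "1.05", "eventTime": "2024-01-15T10:03:00Z",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
         "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
         "readOnly": True},
    ]
}

# CloudTrail API calls that stop or narrow logging. A defender wants an
# alert on every one of these, whoever makes the call.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def build_sample_log_file() -> bytes:
    """Serialise and gzip the constructed records like a delivered log file."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


def load_records(raw: bytes) -> list:
    """Decompress one delivered log file and return its Records array."""
    with gzip.open(io.BytesIO(raw), mode="rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def classify(record: dict) -> str:
    """Return 'Management', 'Data' or 'Insight' for one record.

    Newer event versions carry eventCategory directly; older ones only
    have managementEvent, so fall back to that.
    """
    category = record.get("eventCategory")
    if category:
        return category
    return "Management" if record.get("managementEvent", True) else "Data"


def summarize(records: list) -> Counter:
    """Count records per event category."""
    return Counter(classify(r) for r in records)


def find_logging_tamper(records: list) -> list:
    """Names of events that changed or stopped CloudTrail logging itself."""
    return [
        r["eventName"] for r in records
        if r.get("eventSource") == "cloudtrail.amazonaws.com"
        and r.get("eventName") in LOGGING_TAMPER_EVENTS
    ]


def find_write_events(records: list) -> list:
    """(user, eventName) for management events that changed something.

    readOnly=False separates Create/Put/Delete style calls from Describe/List.
    """
    return [
        (r["userIdentity"].get("userName"), r["eventName"])
        for r in records
        if classify(r) == "Management" and not r.get("readOnly", True)
    ]


def parse_log_key(key: str) -> dict:
    """Pull account, log kind, region and date out of a delivered object key.

    Trails write management/data events under
    AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/... and Insights events
    under AWSLogs/<account>/CloudTrail-Insight/<region>/YYYY/MM/DD/...
    An optional bucket prefix may precede AWSLogs.
    """
    parts = key.split("/")
    idx = parts.index("AWSLogs")
    account, kind, region, yyyy, mm, dd = parts[idx + 1: idx + 7]
    return {"account": account, "kind": kind, "region": region,
            "date": f"{yyyy}-{mm}-{dd}"}


if __name__ == "__main__":
    recs = load_records(build_sample_log_file())
    print("per category:", dict(summarize(recs)))
    print("write events:", find_write_events(recs))
    print("logging tampered:", find_logging_tamper(recs))
```

Run it as a script and it prints the category counts, the two write calls (CreateUser and StopLogging) and the StopLogging tamper hit. On real data, point load_records at an object fetched from the trail's bucket; the tamper check is the one worth wiring to an alert, since a trail that has been stopped produces no further records to analyse.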
Next, let us explore the AWS CloudTrail service a bit using the AWS console. Throughout the rest of the series on CloudTrail, we will use the AWS CLI, as AWS keeps changing the console’s look and features and screenshots of the console may become irrelevant after some time.
Log in to your AWS console using the link below.
In the search box, type “CloudTrail” and click on the link.
Expand the left-hand side menu bar and click on “Event history”.
Click on any event to view the event details.
You can scroll down to view the entire event in JSON format.
There are different options available to filter, analyze and download event data.
Hope you have enjoyed this article. To know more about AWS CloudTrail, please refer to the official documentation below.