How To Create A New Trail In AWS CloudTrail
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we have discussed how to filter CloudTrail events using API.
https://cloudaffaire.com/how-to-get-aws-cloudtrail-events-using-api/
In today’s blog post, we will discuss how to create a new trail in AWS CloudTrail using AWS CLI. You might be wondering why we need to create a new trail when we know that CloudTrail is enabled by default and captures all API activity. Well, creating a new trail has some benefits like you can record events beyond 90 days or send logs to CloudWatch logs for later analysis.
You can create a new trail with below scopes:
- Regional CloudTrail: When you create a trail that applies to one region, CloudTrail records the events in that region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify.
- Global CloudTrail: When you create a trail that applies to all regions, CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify.
- Organizational CloudTrail: If you have created an organization in AWS Organizations, you can also create a trail that will log all events for all AWS accounts in that organization. This is referred to as an organization trail. Organization trails can apply to all AWS Regions or one Region.
How To Create A New Trail In AWS CloudTrail:
Prerequisites:
- AWS CLI installed and configured with proper access.
You can use below link to install and configure AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
How To Create A New Single Region Trail In AWS CloudTrail Using AWS CLI
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 |
## Create a S3 bucket to store CloudTrail Logs aws s3api create-bucket \ --bucket s3-for-cloudtrail-logs \ --region ap-south-1 \ --create-bucket-configuration LocationConstraint=ap-south-1 ## Create a bucket policy definition file cat <<'EOF'> bucket_policy.json { "Version": "2012-10-17", "Statement": [ { "Sid": "AWSCloudTrailAclCheck20150319", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::s3-for-cloudtrail-logs" }, { "Sid": "AWSCloudTrailWrite20150319", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::s3-for-cloudtrail-logs/*", "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}} } ] } EOF ## Create a S3 bucket policy for CloudTrail aws s3api put-bucket-policy \ --bucket s3-for-cloudtrail-logs \ --policy file://bucket_policy.json ## Create a new regional trail aws cloudtrail create-trail \ --name Regulatory \ --s3-bucket-name s3-for-cloudtrail-logs \ --no-include-global-service-events \ --no-is-multi-region-trail \ --no-enable-log-file-validation ## Get Trail details aws cloudtrail describe-trails ## Get Trail status aws cloudtrail get-trail-status \ --name Regulatory |
Observe, Logging for the new trail that we just created is in disabled state. Next, we are going to enable logging for this new trails.
How To Start Logging Of Trail In AWS CloudTrail Using AWS CLI:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
## Start logging for the trail aws cloudtrail start-logging \ --name Regulatory ## Get Trail status aws cloudtrail get-trail-status \ --name Regulatory ## Check if any CloudTrail logs are dilivered to the S3 bcuket AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) && aws s3api list-objects \ --bucket s3-for-cloudtrail-logs \ --prefix "AWSLogs/$AWS_ACCOUNT_ID/CloudTrail" ## CloudTrail typically delivers logs within an average of about 15 ## minutes of an API call. This time is not guaranteed. |
Next, we are going to update the Trail and make it Global (For all region)
How To Update Trail In AWS CloudTrail From Single Region To Multi-Region Using AWS CLI
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
## Update the trail to make it multi-region aws cloudtrail update-trail \ --name Regulatory \ --is-multi-region-trail \ --include-global-service-events ## Get Trail details aws cloudtrail describe-trails ## Check the CloudTrail Logs aws s3api list-objects \ --bucket s3-for-cloudtrail-logs \ --prefix "AWSLogs/$AWS_ACCOUNT_ID/CloudTrail" ## CloudTrail typically delivers logs within an average of about 15 ## minutes of an API call. This time is not guaranteed. |
Observe, as the logs are generated, you get a separate directory for each region in the path <se_bucket>/AWSLogs/<account_id>/CloudTrail/
Next, we are going to enable log file validation for our trail. Log file validation is used to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it.
How To Enable Log File Validation For CloudTrail In AWS Using AWS CLI
|
1 2 3 4 5 6 7 |
## Enable Log file validation aws cloudtrail update-trail \ --name Regulatory \ --enable-log-file-validation ## Get Trail details aws cloudtrail describe-trails |
|
1 2 3 4 5 6 7 |
## Validate CloudTrail logs TRAILARN=$(aws cloudtrail describe-trails | jq -r .trailList[0].TrailARN) && STARTTIME=$(aws cloudtrail get-trail-status \ --name Regulatory | jq -r .TimeLoggingStarted) && aws cloudtrail validate-logs \ --trail-arn $TRAILARN \ --start-time $STARTTIME |
How To Stop Logging For CloudTrail Using AWS CLI
|
1 2 3 4 5 6 7 |
## Stop logging for your Trail aws cloudtrail stop-logging \ --name Regulatory ## Get Trail status aws cloudtrail get-trail-status \ --name Regulatory |
How To Convery Multi-Region Trail To Single-Region Trail Using AWS CLI
|
1 2 3 4 5 6 7 8 |
## Update the trail to make it single-region aws cloudtrail update-trail \ --name Regulatory \ --no-is-multi-region-trail \ --no-include-global-service-events ## Get Trail details aws cloudtrail describe-trails |
How To Delete Trail Using AWS CLI
|
1 2 3 4 5 6 7 |
## Delete the Trail aws cloudtrail delete-trail \ --name Regulatory ## Delete the S3 bucket with objects (CloudTrail Logs) aws s3 rb \ s3://s3-for-cloudtrail-logs --force |
Hope you have enjoyed this article. To know more about AWS CloudTrail, please refer below official documentation
https://docs.aws.amazon.com/cloudtrail/index.html