How To Enable Insight Events In AWS CloudTrail
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to create an event selector for CloudTrail.
https://cloudaffaire.com/how-to-log-specific-events-in-cloudtrail-using-event-selector/
In today’s blog post, we will discuss how to enable insight events in AWS CloudTrail. CloudTrail Insights events capture unusual activity in your AWS account. If you have Insights events enabled, and CloudTrail detects unusual activity, Insights events are logged to a different folder or prefix in the destination S3 bucket for your trail. You can also see the type of insight and the incident time period when you view Insights events on the CloudTrail console.
Insights events provide relevant information, such as the associated API, incident time, and statistics, that help you understand and act on unusual activity. Unlike other types of events captured in a CloudTrail trail, Insights events are logged only when CloudTrail detects changes in your account’s API usage that differ significantly from the account’s typical usage patterns.
How To Enable Insight Events In AWS CloudTrail:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create S3 bucket and bucket policy for CloudTrail logging.
```bash
## Create a S3 bucket to store CloudTrail Logs
aws s3api create-bucket \
  --bucket s3-for-cloudtrail-logs \
  --region ap-south-1 \
  --create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file
## Note: this grants the CloudTrail service principal write access to the bucket.
## In production, add an aws:SourceArn condition naming your trail's ARN so that
## a trail in another account cannot be pointed at this bucket.
cat <<'EOF'> bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-for-cloudtrail-logs"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-for-cloudtrail-logs/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
EOF

## Create a S3 bucket policy for CloudTrail
aws s3api put-bucket-policy \
  --bucket s3-for-cloudtrail-logs \
  --policy file://bucket_policy.json
```
Step 2: Create a new regional Trail and start logging.
```bash
## Create a new regional trail
## Note: log file validation is disabled here only to keep the demo short; enable it
## in production so that tampering with delivered log files can be detected.
## Note: with --no-include-global-service-events, calls to global services such as
## IAM and STS are not recorded by this trail, so Insights cannot be generated for them.
aws cloudtrail create-trail \
  --name RegionalTrail \
  --s3-bucket-name s3-for-cloudtrail-logs \
  --no-include-global-service-events \
  --no-is-multi-region-trail \
  --no-enable-log-file-validation

## create-trail only creates the trail; it does not start logging.
## Start it, otherwise no events (and therefore no Insights) are delivered.
aws cloudtrail start-logging \
  --name RegionalTrail
```
Step 3: Enable insight events for your Trail.
```bash
## Create a new insight selector for your trail
aws cloudtrail put-insight-selectors \
  --trail-name RegionalTrail \
  --insight-selectors '[{"InsightType": "ApiCallRateInsight"}]'

## Get insight selector details for your trail (verify the selector was applied)
aws cloudtrail get-insight-selectors \
  --trail-name RegionalTrail
```
Note: at the time of writing, AWS has released only the ApiCallRateInsight insight type, which detects changes in the rate of API calls made in your AWS account. AWS may release more insight types in the future, so please check the official documentation for updates.

Note: CloudTrail can take up to 36 hours to generate the first insights for a trail, so an actual generated insight cannot be shown here. Once a baseline exists, a sudden burst of API calls well above the account's normal rate will generate a new insight.
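Since the post cannot show a generated insight, here is what consuming one looks like, as an added example that is not part of the original post and not AWS tooling: a small Python triage routine that reads a CloudTrail log file body (gzip-compressed, as delivered to S3, or plain JSON), keeps only the AwsCloudTrailInsight records, pulls out the API, state and baseline/insight averages, and assigns a priority. The record layout follows the documented Insights event format as I understand it (an insightDetails object with state, eventSource, eventName, insightType and insightContext.statistics); the sample records, the sensitive-service list, the 10x ratio threshold and the account/region values are constructed assumptions for this example, not values from the page.

```python
"""Triage CloudTrail Insights events from a delivered log file (added example)."""
import gzip
import json
from typing import Optional

INSIGHT_EVENT_TYPE = "AwsCloudTrailInsight"

# Assumed policy for this example: a burst of write calls to these services is
# worth a high priority even at a modest ratio (identity and logging tampering).
SENSITIVE_SOURCES = frozenset({
    "iam.amazonaws.com", "sts.amazonaws.com",
    "cloudtrail.amazonaws.com", "kms.amazonaws.com",
})


def load_records(data: bytes) -> list:
    """Return the Records array from a CloudTrail log file body.
    Files delivered to S3 are gzip-compressed; raw JSON is accepted as well."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    return json.loads(data.decode("utf-8")).get("Records", [])


def summarize_insight(record: dict) -> Optional[dict]:
    """Flatten one Insights record into the fields a responder needs.
    Returns None for records that are not Insights events (e.g. AwsApiCall)."""
    if record.get("eventType") != INSIGHT_EVENT_TYPE:
        return None
    details = record.get("insightDetails", {})
    stats = details.get("insightContext", {}).get("statistics", {})
    baseline = float(stats.get("baseline", {}).get("average", 0.0))
    insight = float(stats.get("insight", {}).get("average", 0.0))
    # A zero baseline means the API was essentially unused before the burst;
    # treat that as an unbounded increase instead of dividing by zero.
    ratio = float("inf") if baseline == 0 else insight / baseline
    return {
        "time": record.get("eventTime"), "region": record.get("awsRegion"),
        "state": details.get("state"), "insight_type": details.get("insightType"),
        "source": details.get("eventSource"), "api": details.get("eventName"),
        "baseline_avg": baseline, "insight_avg": insight, "ratio": ratio,
    }


def priority(summary: dict, ratio_threshold: float = 10.0) -> str:
    """Assign a triage priority (assumed policy for this example).
    An 'End' record closes an incident already opened by its 'Start' record."""
    if summary["state"] != "Start":
        return "info"
    if summary["source"] in SENSITIVE_SOURCES:
        return "high"
    if summary["ratio"] >= ratio_threshold:
        return "medium"
    return "low"


def triage(data: bytes) -> list:
    """Summaries, with priority, of every Insights record in a log file body."""
    out = []
    for rec in load_records(data):
        summary = summarize_insight(rec)
        if summary is not None:
            summary["priority"] = priority(summary)
            out.append(summary)
    return out


def _insight(state, source, api, baseline, insight):
    """Constructed Insights record in the documented layout (assumed)."""
    return {
        "eventVersion": "1.07", "eventTime": "2021-04-10T02:30:00Z",
        "awsRegion": "ap-south-1", "eventType": INSIGHT_EVENT_TYPE,
        "recipientAccountId": "123456789012", "eventCategory": "Insight",
        "insightDetails": {
            "state": state, "eventSource": source, "eventName": api,
            "insightType": "ApiCallRateInsight",
            "insightContext": {"statistics": {
                "baseline": {"average": baseline}, "insight": {"average": insight},
            }},
        },
    }


# Constructed sample log file: four Insights records plus one ordinary
# management event that the triage must ignore.
SAMPLE_LOG = json.dumps({"Records": [
    _insight("Start", "iam.amazonaws.com", "CreateUser", 0.5, 120.0),
    _insight("Start", "ec2.amazonaws.com", "RunInstances", 2.0, 30.0),
    _insight("Start", "lambda.amazonaws.com", "CreateFunction", 0.0, 4.0),
    _insight("End", "iam.amazonaws.com", "CreateUser", 0.5, 120.0),
    {"eventVersion": "1.08", "eventType": "AwsApiCall", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "eventTime": "2021-04-10T02:31:00Z"},
]}).encode("utf-8")
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG)  # the same file as S3 would deliver it

if __name__ == "__main__":
    for s in triage(SAMPLE_LOG_GZ):
        print(f'{s["priority"]:6} {s["state"]:5} {s["source"]} {s["api"]} '
              f'baseline={s["baseline_avg"]} insight={s["insight_avg"]} ratio={s["ratio"]}')
```

Run it as a script to see the four summaries; pointing `triage()` at a real object fetched from the trail's Insights prefix in the bucket is the only change needed to use it on delivered files. Note that the IAM example only makes sense for a trail that records global service events; the regional trail created in Step 2 with `--no-include-global-service-events` would not log IAM calls at all.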
Step 4: Clean up.
```bash
## Stop logging for your Trail
aws cloudtrail stop-logging \
  --name RegionalTrail

## Delete the Trail
aws cloudtrail delete-trail \
  --name RegionalTrail

## Delete the S3 bucket with objects (CloudTrail Logs)
aws s3 rb \
  s3://s3-for-cloudtrail-logs --force
```
Hope you have enjoyed this article. To know more about AWS CloudTrail, please refer to the official documentation below.
https://docs.aws.amazon.com/cloudtrail/index.html