How To Integrate CloudWatch With CloudTrail

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we discussed how to enable Insights events in CloudTrail.

https://cloudaffaire.com/how-to-enable-insight-events-in-aws-cloudtrail/

In today’s blog post, we will discuss how to integrate CloudWatch with CloudTrail. You might want to trigger something, say a Lambda function, a Systems Manager document or any other automation, based on a CloudTrail event. There are different ways to achieve that, and today I will cover one such way: you can send your CloudTrail events to CloudWatch Logs, and once your events are in CloudWatch, that opens up endless possibilities for automation.

But before that, let us cover one basic thing first. Many of us wonder (especially when starting with AWS) why we need CloudTrail when there is already a tool called CloudWatch for monitoring our AWS infrastructure, and what the difference between CloudWatch and CloudTrail actually is.

Difference Between CloudWatch And CloudTrail:

CloudWatch: CloudWatch is mainly used to monitor your AWS infrastructure. Using CloudWatch, you can get a detailed report on the resource utilization of your AWS services, store and analyse the logs generated by different AWS services, and create automation triggers based on certain events or thresholds.

CloudTrail: CloudTrail, on the other hand, is an audit tool which keeps a record of who did what, and when, in your AWS infrastructure. Using CloudTrail you get detailed information, in the form of events, for all the API actions performed by anyone (humans) or anything (computers) on your AWS infrastructure.

How To Integrate CloudWatch With CloudTrail:

Prerequisites:

  • AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.

https://cloudaffaire.com/how-to-install-aws-cli/

https://cloudaffaire.com/how-to-configure-aws-cli/

Step 1: Create S3 bucket and bucket policy for CloudTrail logging.

Step 2: Create a new regional Trail

Step 3: Enable event selector for your Trail.

Note: This is not a prerequisite for integrating CloudTrail with CloudWatch. Without this filter, however, all the management events (and there are lots of them) will be pushed to our CloudWatch log group. That is not a problem in itself, but for simplicity and cost I am limiting the trail to data events only, and only for object operations on one specific bucket.

Step 4: Create a new log group in CloudWatch to store CloudTrail events.

Step 5: Create IAM role and policy for CloudTrail to assume.

Now we are ready to update our Trail to send events to CloudWatch logs.

Step 6: Update CloudTrail trail to send events to CloudWatch logs and start CloudTrail logging.

Next, we are going to perform some API actions in our S3 bucket (mentioned in event selector definition: step 3) to generate CloudTrail events.

Step 7: Put an object in your S3 bucket to generate CloudTrail event.

Due to the above action, CloudTrail will generate new events and push them to both CloudWatch Logs and the S3 bucket. Wait for 15 mins and then check the S3 bucket and CloudWatch Logs.

Step 8: Check CloudWatch Logs and S3 for CloudTrail events

We have successfully integrated CloudTrail with CloudWatch, which opens up endless possibilities for automation. You can now create an event rule on the CloudWatch log group, or create a CloudWatch alarm on metrics derived from log event filters (a topic for another blog, maybe 😊).

Step 9: Clean up.
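The following script is an added example, not code from the original post: it carries out steps 1 to 9 above with the AWS CLI. All resource names (bucket, trail, log group, role) are assumptions for this example and can be overridden through environment variables; running `deploy` requires configured AWS CLI credentials, `check` is meant to be run a few minutes later, and `cleanup` removes everything. The policy documents are generated by plain shell functions so they can be inspected before anything is created; the S3 bucket policy additionally pins both grants to this one trail with an `aws:SourceArn` condition, and the role policy is limited to creating streams and writing events in our single log group.

```shell
#!/bin/sh
# Added example, not code from the original post: policy documents and AWS CLI
# calls for steps 1-9. Every name below is an assumption for this example.
set -u
REGION="${REGION:-us-east-1}"
BUCKET="${BUCKET:-cloudaffaire-trail-demo-bucket}"
TRAIL="${TRAIL:-cloudaffaire-demo-trail}"
LOG_GROUP="${LOG_GROUP:-cloudaffaire-cloudtrail-logs}"
ROLE="${ROLE:-cloudaffaire-cloudtrail-to-cwlogs}"

# Step 1: bucket policy. CloudTrail needs GetBucketAcl on the bucket and PutObject
# under AWSLogs/<account>/ with bucket-owner-full-control; aws:SourceArn restricts
# both grants to this one trail so no other trail can write into our bucket.
bucket_policy() { # $1 account  $2 bucket  $3 region  $4 trail
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},
  "Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::$2",
  "Condition":{"StringEquals":{"aws:SourceArn":"arn:aws:cloudtrail:$3:$1:trail/$4"}}},
 {"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},
  "Action":"s3:PutObject","Resource":"arn:aws:s3:::$2/AWSLogs/$1/*",
  "Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control",
   "aws:SourceArn":"arn:aws:cloudtrail:$3:$1:trail/$4"}}}]}
EOF
}
# Step 3: data events only, and only for objects in our bucket (no management events).
event_selectors() { # $1 bucket
  printf '[{"ReadWriteType":"All","IncludeManagementEvents":false,"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3:::%s/"]}]}]' "$1"
}
# Step 5: trust policy (only the CloudTrail service may assume the role) and a
# permission policy scoped to the log streams CloudTrail creates in our log group.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}
logs_policy() { # $1 account  $2 region  $3 log group
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:%s:%s:log-group:%s:log-stream:%s_CloudTrail_%s*"}]}' \
    "$2" "$1" "$3" "$1" "$2"
}

deploy() {
  ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
  aws s3 mb "s3://$BUCKET" --region "$REGION"                                     # Step 1
  aws s3api put-bucket-policy --bucket "$BUCKET" \
    --policy "$(bucket_policy "$ACCOUNT" "$BUCKET" "$REGION" "$TRAIL")"
  aws cloudtrail create-trail --name "$TRAIL" --s3-bucket-name "$BUCKET" \
    --region "$REGION"                              # Step 2: regional, no --is-multi-region-trail
  aws cloudtrail put-event-selectors --trail-name "$TRAIL" \
    --event-selectors "$(event_selectors "$BUCKET")"                              # Step 3
  aws logs create-log-group --log-group-name "$LOG_GROUP" --region "$REGION"      # Step 4
  aws iam create-role --role-name "$ROLE" \
    --assume-role-policy-document "$(trust_policy)"                               # Step 5
  aws iam put-role-policy --role-name "$ROLE" --policy-name CloudTrailToCWLogs \
    --policy-document "$(logs_policy "$ACCOUNT" "$REGION" "$LOG_GROUP")"
  sleep 15   # IAM is eventually consistent; update-trail may reject a brand-new role
  aws cloudtrail update-trail --name "$TRAIL" \
    --cloud-watch-logs-log-group-arn "arn:aws:logs:$REGION:$ACCOUNT:log-group:$LOG_GROUP:*" \
    --cloud-watch-logs-role-arn "arn:aws:iam::$ACCOUNT:role/$ROLE"               # Step 6
  aws cloudtrail start-logging --name "$TRAIL"
  printf 'hello\n' > /tmp/hello.txt
  aws s3api put-object --bucket "$BUCKET" --key hello.txt --body /tmp/hello.txt   # Step 7
}
# Step 8: run a few minutes after deploy. The JSON filter pattern keeps only the
# PutObject events, which is exactly what step 7 should have produced.
check() {
  aws logs filter-log-events --log-group-name "$LOG_GROUP" --region "$REGION" \
    --filter-pattern '{ $.eventName = "PutObject" }' --query 'events[].message' --output text
  aws s3 ls "s3://$BUCKET/AWSLogs/" --recursive
}
# Step 9: tear everything down in reverse order.
cleanup() {
  aws cloudtrail stop-logging --name "$TRAIL"
  aws cloudtrail delete-trail --name "$TRAIL"
  aws iam delete-role-policy --role-name "$ROLE" --policy-name CloudTrailToCWLogs
  aws iam delete-role --role-name "$ROLE"
  aws logs delete-log-group --log-group-name "$LOG_GROUP" --region "$REGION"
  aws s3 rb "s3://$BUCKET" --force
}
case "${1:-}" in deploy) deploy ;; check) check ;; cleanup) cleanup ;; esac
```

Usage: `sh trail.sh deploy`, then after waiting `sh trail.sh check`, and finally `sh trail.sh cleanup`. Running the script with no argument only defines the functions, so `bucket_policy 123456789012 my-bucket us-east-1 my-trail` can be sourced and printed to review the generated policy first.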

Hope you have enjoyed this article. To know more about AWS CloudTrail, please refer to the official documentation below.

https://docs.aws.amazon.com/cloudtrail/index.html