How To Log Specific Events In CloudTrail Using Event Selector
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to create an organization trail.
https://cloudaffaire.com/how-to-create-cloudtrail-in-aws-organization/
In today’s blog post, we will discuss how to log specific events in CloudTrail using an event selector. Event selectors give you full control over CloudTrail logging: you specify which events CloudTrail should capture. By default, a trail created without an explicit event selector logs all read and write management events and no data events. An event selector not only lets you capture just the data you need for debugging, it also reduces the overall cost, since CloudTrail data events are charged separately.
How To Log Specific Events In CloudTrail Using Event Selector:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create S3 bucket and bucket policy for CloudTrail logging.
## Create an S3 bucket to store CloudTrail logs
aws s3api create-bucket \
  --bucket s3-for-cloudtrail-logs \
  --region ap-south-1 \
  --create-bucket-configuration LocationConstraint=ap-south-1

## Create a bucket policy definition file
cat <<'EOF'> bucket_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::s3-for-cloudtrail-logs"
    },
    {
      "Sid": "AWSCloudTrailWrite20150319",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::s3-for-cloudtrail-logs/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
EOF

## Attach the bucket policy so CloudTrail can write to the bucket
aws s3api put-bucket-policy \
  --bucket s3-for-cloudtrail-logs \
  --policy file://bucket_policy.json
Step 2: Create a new regional Trail
## Create a new regional trail
aws cloudtrail create-trail \
  --name RegionalTrail \
  --s3-bucket-name s3-for-cloudtrail-logs \
  --no-include-global-service-events \
  --no-is-multi-region-trail \
  --no-enable-log-file-validation
Note: By default, when you create a new trail, it will log all management events and no data events. We can override this with an event selector which we are going to create next.
Step 3: Create a new advanced event selector.
## Create the advanced event selector definition
cat <<'EOF'> event_selector.json
[
  {
    "Name": "Log GetObject, PutObject and DeleteObject events for one S3 prefix",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
      { "Field": "eventName", "Equals": ["GetObject", "PutObject", "DeleteObject"] },
      { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::s3-for-cloudtrail-logs/myapp"] }
    ]
  }
]
EOF

## Create the new event selector for your trail
aws cloudtrail put-event-selectors \
  --trail-name RegionalTrail \
  --advanced-event-selectors file://event_selector.json

## Get the event selector details for your trail
aws cloudtrail get-event-selectors \
  --trail-name RegionalTrail
Note: You can create up to 5 event selectors for your trail, and once you have created an event selector, you cannot update or modify it. In order to modify an event selector, you basically need to recreate your trail with the new event selector. In the above event selector, we are telling CloudTrail to capture only object-level operations for a specific bucket and key prefix. No other events (including management events) will be captured as a result.
Step 4: Start logging for your trail.
## Start logging for the trail
aws cloudtrail start-logging \
  --name RegionalTrail

## Get the trail status
aws cloudtrail get-trail-status \
  --name RegionalTrail

## Check if any CloudTrail logs have been delivered to the S3 bucket
AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) && \
aws s3api list-objects \
  --bucket s3-for-cloudtrail-logs \
  --prefix "AWSLogs/$AWS_ACCOUNT_ID/CloudTrail"

## CloudTrail typically delivers logs within an average of about 15
## minutes of an API call. This time is not guaranteed.
Observe that no logs are generated even after 15 minutes, because we have not yet performed an API call that matches the event selector. We will do that next.
Step 5: Perform an API action that matches the event selector criteria so that it gets logged.
## Put one object at the location specified in the event selector
echo "hello world" > object1.txt && \
aws s3api put-object \
  --bucket s3-for-cloudtrail-logs \
  --key myapp/object1.txt \
  --body object1.txt

## Check if any CloudTrail logs have been delivered to the S3 bucket
aws s3api list-objects \
  --bucket s3-for-cloudtrail-logs \
  --prefix "AWSLogs/$AWS_ACCOUNT_ID/CloudTrail"

## CloudTrail typically delivers logs within an average of about 15
## minutes of an API call. This time is not guaranteed.
Observe that a new log has now been generated, because we put (PutObject) the object (object1.txt) at the specific location (myapp/) in the bucket (s3-for-cloudtrail-logs) defined in the event selector.
Below is the log for your reference –
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "<redacted>",
        "arn": "arn:aws:iam::<redacted>",
        "accountId": "<redacted>",
        "accessKeyId": "<redacted>",
        "userName": "debjeet"
      },
      "eventTime": "2021-09-13T07:32:14Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "PutObject",
      "awsRegion": "ap-south-1",
      "sourceIPAddress": "<redacted>",
      "userAgent": "[aws-cli/1.20.36 Python/3.8.10 Linux/4.4.0-19041-Microsoft botocore/1.21.36]",
      "requestParameters": {
        "bucketName": "s3-for-cloudtrail-logs",
        "Host": "s3-for-cloudtrail-logs.s3.ap-south-1.amazonaws.com",
        "key": "myapp"
      },
      "responseElements": null,
      "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 12.0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "<redacted>",
        "bytesTransferredOut": 0.0
      },
      "requestID": "7DE236CB010A5PDB",
      "eventID": "fdfb4cec-94e7-447a-a3e7-868db697a879",
      "readOnly": false,
      "resources": [
        {
          "type": "AWS::S3::Object",
          "ARN": "arn:aws:s3:::s3-for-cloudtrail-logs/myapp"
        },
        {
          "accountId": "<redacted>",
          "type": "AWS::S3::Bucket",
          "ARN": "arn:aws:s3:::s3-for-cloudtrail-logs"
        }
      ],
      "eventType": "AwsApiCall",
      "managementEvent": false,
      "recipientAccountId": "<redacted>",
      "eventCategory": "Data"
    },
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "<redacted>",
        "arn": "arn:aws:iam::<redacted>",
        "accountId": "<redacted>",
        "accessKeyId": "<redacted>",
        "userName": "debjeet"
      },
      "eventTime": "2021-09-13T07:34:30Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "PutObject",
      "awsRegion": "ap-south-1",
      "sourceIPAddress": "<redacted>",
      "userAgent": "[aws-cli/1.20.36 Python/3.8.10 Linux/4.4.0-19041-Microsoft botocore/1.21.36]",
      "requestParameters": {
        "bucketName": "s3-for-cloudtrail-logs",
        "Host": "s3-for-cloudtrail-logs.s3.ap-south-1.amazonaws.com",
        "key": "myapp/object1.txt"
      },
      "responseElements": null,
      "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 12.0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "<redacted>",
        "bytesTransferredOut": 0.0
      },
      "requestID": "KKWRD1FNXVPXNGR1",
      "eventID": "84050792-357e-4ae1-8d50-76a554bca89e",
      "readOnly": false,
      "resources": [
        {
          "type": "AWS::S3::Object",
          "ARN": "arn:aws:s3:::s3-for-cloudtrail-logs/myapp/object1.txt"
        },
        {
          "accountId": "<redacted>",
          "type": "AWS::S3::Bucket",
          "ARN": "arn:aws:s3:::s3-for-cloudtrail-logs"
        }
      ],
      "eventType": "AwsApiCall",
      "managementEvent": false,
      "recipientAccountId": "<redacted>",
      "eventCategory": "Data"
    }
  ]
}
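As an added example (not code from the post), here is a small Python evaluator that applies the advanced event selector from Step 3 to CloudTrail records shaped like the log above, so you can check offline which events a selector will and will not deliver before you pay for data events. It approximates the documented matching rules (Equals, StartsWith, EndsWith and their Not* forms; a record is logged when every field selector of at least one advanced event selector matches it); the sample records are constructed.

```python
# Constructed copy of the advanced event selector from Step 3 of this post.
ADVANCED_EVENT_SELECTORS = [{
    "Name": "Log GetObject, PutObject and DeleteObject events for one S3 prefix",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "eventName", "Equals": ["GetObject", "PutObject", "DeleteObject"]},
        {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::s3-for-cloudtrail-logs/myapp"]},
    ],
}]

# Positive operators; NotEquals/NotStartsWith/NotEndsWith are derived by negation below.
POSITIVE_OPS = {"Equals": str.__eq__, "StartsWith": str.startswith, "EndsWith": str.endswith}

def field_values(record, field):
    """resources.* reads every entry of the resources array; anything else is a top-level key."""
    if field.startswith("resources."):
        key = field.split(".", 1)[1]
        return [str(r[key]) for r in record.get("resources", []) if key in r]
    return [str(record[field])] if field in record else []

def field_matches(record, selector):
    """All operators on the selector must hold: positive ops need a hit, Not* ops need none."""
    values = field_values(record, selector["Field"])
    for op, targets in selector.items():
        if op == "Field":
            continue
        negate = op.startswith("Not")
        test = POSITIVE_OPS[op[3:] if negate else op]
        hit = any(test(v, t) for v in values for t in targets)
        if hit == negate:
            return False
    return True

def logged_event_ids(records, selectors=ADVANCED_EVENT_SELECTORS):
    """eventIDs the trail delivers: every field selector of at least one advanced selector matches."""
    return [r["eventID"] for r in records
            if any(all(field_matches(r, fs) for fs in s["FieldSelectors"]) for s in selectors)]

# Constructed records modelled on the page's log; fields not used for matching are omitted.
BUCKET = "arn:aws:s3:::s3-for-cloudtrail-logs"
SAMPLE_RECORDS = [
    {"eventID": "put-under-myapp", "eventCategory": "Data", "eventName": "PutObject",
     "resources": [{"type": "AWS::S3::Object", "ARN": BUCKET + "/myapp/object1.txt"},
                   {"type": "AWS::S3::Bucket", "ARN": BUCKET}]},
    {"eventID": "get-other-prefix", "eventCategory": "Data", "eventName": "GetObject",
     "resources": [{"type": "AWS::S3::Object", "ARN": BUCKET + "/other/x.txt"}]},
    {"eventID": "mgmt-create-trail", "eventCategory": "Management", "eventName": "CreateTrail"},
]
```

Only the PutObject under myapp/ is returned by logged_event_ids(SAMPLE_RECORDS); the GetObject under another prefix and the management event are dropped, matching what Steps 4 and 5 show.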
Step 6: Clean up.
## Stop logging for your trail
aws cloudtrail stop-logging \
  --name RegionalTrail

## Delete the trail
aws cloudtrail delete-trail \
  --name RegionalTrail

## Delete the S3 bucket together with its objects (the CloudTrail logs)
aws s3 rb \
  s3://s3-for-cloudtrail-logs --force
Hope you have enjoyed this article. To know more about AWS CloudTrail, please refer to the official documentation below.
https://docs.aws.amazon.com/cloudtrail/index.html