Event Monitoring Using AWS CloudTrail

Introduction

If you are using cloud-based services, it is paramount to track the events that have happened, isn’t it?

Monitoring events in the cloud is important.

If you are using AWS, let’s assume you find that an Auto Scaling group in your AWS account has been deleted. What will be your response?

How will you know who did it?

What is CloudTrail?

In simple terms, AWS offers us a way to track all AWS account activity using AWS CloudTrail. All API activity is stored in an S3 bucket. We can also send the logs to CloudWatch through a log group and set alarms for important events.

Example:-

  1. When the root user accesses the AWS account through the console
  2. When a key pair is created or deleted
  3. When a security group is created or deleted

Rather than dwell on the definition, we would prefer to show you.

Use Case

Let’s say you have set up CloudTrail. Now, how can we track events using the AWS Console? We’ll discuss a few use cases to make you familiar with AWS CloudTrail events.

In AWS CloudTrail, select Event History.

Figure 1: Event History

Now there are various methods to find events. Let’s discuss them.

Figure 2: Lookup Attributes while searching events.

Look up attributes

Lookup attributes allow us to search for events by a value that fits the scenario: by resource type, by event name, by user, and so on.

There are various lookup attributes:

  1. AWS Access Key

Use this attribute to find all events based on access keys, i.e. every event that was performed using a particular access key.

Let’s say my access keys were compromised. How will I find out what has been done on AWS using my access keys?

Figure 3: Here we have got all events. You can also choose a time-range

Event Name, as is evident, is the name of the event; Event Time is when the event occurred; and Event Source is the AWS service that was called. This event was triggered after we executed the following command in our terminal using the AWS CLI.

 aws ssm start-session --target i-04805989eeaef31a6

It is used to access the instance directly and doesn’t need port 22 to be open.

Let’s click on the event name StartSession to look at it in more detail.

Figure 4: Here you will find Event ID, Request ID, AWS Region and other details.
Figure 5: Event Name StartSession

Here you can see requestParameters, which shows the parameters that were passed to AWS SSM. In our case, it is the target ID [ instance-id ].

responseElements is the response that was returned by the requested AWS service.

userAgent: It describes how this event was called. Here in Figure 5, it tells us the call was made using aws-cli. Another possible value is console.ec2.amazonaws.com, which appears when an action is performed through the console.

2. Event Name

As hinted earlier, Event Name specifies the name of the event.

It is used when you want to search for a particular event.

Say someone deleted a key pair and you want to know who did it.

All DeleteKeyPair events that have happened in the defined time frame will appear.

Figure 6: Event Name DeleteKeyPair

So when we want to search for a specific event, we should use Event Name, shouldn’t we?

3. Resource Type

Use this when you want to see the API events for one part of a specific AWS service. Example:- All events related to instances [ Terminate, Start, Reboot, Stop ].

Example:-

Let’s say I want to search for instance-termination events only. Then we will use Event Name with the value TerminateInstances.

But when I want to see all events related to instances (Start, Stop, Reboot, Terminate, Run), we will use Resource Type as the lookup attribute. Searching for each event separately would be time-consuming, so we use Resource Type here.

Figure 7: Resource Type

4. UserName

This attribute returns all events related to a specific user. Use it when you want to check the events executed by a specific user, for example a newly created user or a user who has extra privileges.

Example:- I want to see all events of the user nishant. For that, we will use Username.

Figure 8: Username Lookup Attribute
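The same lookups can be run over raw CloudTrail records outside the console. The following is an added example, not code from the original post: it filters constructed records by access key, event name or user name and summarizes what a possibly compromised key did. The functions `rec`, `lookup` and `summarize` and all sample values are hypothetical; the record field names are CloudTrail's own, Resource Type is left out, and the Username mapping assumes IAM users.

```python
from collections import Counter

def rec(time, source, name, user, key, ip, agent):
    """One record with CloudTrail's field names; every value passed in is constructed."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}

# Constructed sample data (placeholder keys, documentation IP ranges), not real logs.
RECORDS = [
    rec("2024-01-10T09:00:00Z", "ssm.amazonaws.com", "StartSession", "nishant",
        "AKIAEXAMPLEKEY000001", "198.51.100.7", "aws-cli/2.0.0"),
    rec("2024-01-10T09:05:00Z", "ec2.amazonaws.com", "DeleteKeyPair", "nishant",
        "AKIAEXAMPLEKEY000001", "203.0.113.9", "aws-cli/2.0.0"),
    rec("2024-01-10T09:07:00Z", "ec2.amazonaws.com", "TerminateInstances", "deploy",
        "AKIAEXAMPLEKEY000002", "198.51.100.7", "aws-cli/2.0.0"),
    rec("2024-01-11T14:00:00Z", "ec2.amazonaws.com", "DeleteKeyPair", "deploy",
        "AKIAEXAMPLEKEY000002", "198.51.100.7", "aws-cli/2.0.0"),
]

# Lookup attribute -> where that value lives in a raw record (IAM-user case).
GETTERS = {
    "AccessKeyId": lambda r: r.get("userIdentity", {}).get("accessKeyId"),
    "EventName": lambda r: r.get("eventName"),
    "Username": lambda r: r.get("userIdentity", {}).get("userName"),
}

def lookup(records, attribute, value, start=None, end=None):
    """Filter by one attribute and an optional time range, oldest first."""
    get = GETTERS[attribute]
    # eventTime is ISO 8601 UTC, so plain string comparison orders correctly.
    hits = [r for r in records if get(r) == value
            and (start is None or r["eventTime"] >= start)
            and (end is None or r["eventTime"] <= end)]
    return sorted(hits, key=lambda r: r["eventTime"])

def summarize(hits):
    """Condense lookup() results into what an access-key investigation needs."""
    return {
        "events": dict(Counter(r["eventName"] for r in hits)),
        "source_ips": sorted({r["sourceIPAddress"] for r in hits}),
        "user_agents": sorted({r["userAgent"] for r in hits}),
        "first_seen": hits[0]["eventTime"] if hits else None,
        "last_seen": hits[-1]["eventTime"] if hits else None,
    }

if __name__ == "__main__":
    print(summarize(lookup(RECORDS, "AccessKeyId", "AKIAEXAMPLEKEY000001")))
    print([r["userIdentity"]["userName"] for r in lookup(RECORDS, "EventName", "DeleteKeyPair")])
```

A key that suddenly shows a second source IP, as the first sample key does here, is the kind of detail worth checking first when a compromise is suspected.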

CloudTrail Logging

You can configure a log group and send CloudTrail logs to CloudWatch. Then you can create alarms for important events as well.

Example:- If there is any event related to CreateSecurityGroup, we can set an alarm for it in CloudWatch.

Alternatively,

When you set up CloudTrail, it uses an S3 bucket in which it stores all its events.

We can also ship these logs to Elasticsearch or whichever monitoring tool you are using.

You can use a log shipper such as Fluentd or Logstash, with its S3 input plugin pointed at the S3 bucket that holds the CloudTrail logs. The shipper will then send the logs to Elasticsearch, where you can visualize the data and set alerts on it.

Example:- Whenever any RDS Instance is terminated or stopped you need to be notified.
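The alert conditions this post mentions (root console access, key pair and security group creation or deletion, an RDS instance being stopped or deleted) can be expressed as a small rule set. This added example, which is not from the original post, applies them to a constructed log object in the gzipped `{"Records": [...]}` JSON form that CloudTrail writes to S3. The function names, the sample values, and the choice of `StopDBInstance` and `DeleteDBInstance` for the RDS case are assumptions of this example.

```python
import gzip
import json

# eventName values for the conditions the post lists. Mapping "terminated or
# stopped" to these two RDS API names is this example's assumption.
WATCHED = {
    "CreateKeyPair": "key pair created",
    "DeleteKeyPair": "key pair deleted",
    "CreateSecurityGroup": "security group created",
    "DeleteSecurityGroup": "security group deleted",
    "StopDBInstance": "RDS instance stopped",
    "DeleteDBInstance": "RDS instance deleted",
}

def classify(record):
    """Return the alert reason for one CloudTrail record, or None."""
    identity = record.get("userIdentity", {})
    if record.get("eventName") == "ConsoleLogin" and identity.get("type") == "Root":
        return "root console login"
    return WATCHED.get(record.get("eventName"))

def alerts_from_log_object(blob):
    """Decompress one CloudTrail log object and return an alert per watched event."""
    records = json.loads(gzip.decompress(blob)).get("Records", [])
    alerts = []
    for r in records:
        reason = classify(r)
        if reason:
            identity = r.get("userIdentity", {})
            alerts.append({"reason": reason, "time": r.get("eventTime"),
                           "who": identity.get("arn") or identity.get("type"),
                           "source_ip": r.get("sourceIPAddress"),
                           "failed": "errorCode" in r})  # a denied attempt still alerts
    return alerts

# Constructed log object: placeholder account ID and documentation IP ranges.
ACCT = "arn:aws:iam::111122223333:"
SAMPLE_BLOB = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "Root", "arn": ACCT + "root"}},
    {"eventTime": "2024-01-10T08:02:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ACCT + "user/nishant"}},
    {"eventTime": "2024-01-10T08:03:00Z", "eventName": "CreateSecurityGroup",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": ACCT + "user/nishant"}},
    {"eventTime": "2024-01-10T08:04:00Z", "eventName": "DeleteDBInstance", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser", "arn": ACCT + "user/nishant"}},
]}).encode())

if __name__ == "__main__":
    for alert in alerts_from_log_object(SAMPLE_BLOB):
        print(alert)
```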

Conclusion

AWS CloudTrail is the event-tracking service for AWS. We looked at its lookup attributes in Event History, such as Username and Access Keys, and covered several use cases of CloudTrail.

We can ingest these logs into whichever monitoring tool we use, or send them to CloudWatch and set alarms for important events.

In the next blog, we will discuss AWS Config and how we can leverage the two in combination.

Thanks for reading this blog. If you have any feedback for us, please mention it in the comment section.

Blog Pundit: Abhishek Dubey
