Monitoring events in the cloud is important.<\/p>\r\n\r\n\r\n\r\n
If you are using AWS, let’s assume you find that one autoscaling group in your AWS account<\/a> is deleted. What will be your response?<\/p>\r\n\r\n\r\n\r\n How will you know who did it?<\/p>\r\n\r\n\r\n\r\n <\/p>\r\n\r\n\r\n\r\n In simple terms, AWS offers us a way to track all AWS Account activity using AWS CloudTrail<\/strong><\/a>. We store all API activity into S3 bucket. We can even send logs to CloudWatch using log group to set some alarms for important events.<\/p>\r\n\r\n\r\n\r\n Example:-<\/p>\r\n\r\n\r\n\r\n Instead of aiming at definition we would prefer to show you.<\/p>\r\n\r\n\r\n\r\n Let’s say you have set-up Cloudtrail. Now, how can we track event using AWS Console<\/a>. We’ll discuss a few use cases to make you familiar with AWS CloudTrail events.<\/p>\r\n\r\n\r\n\r\n In AWS CloudTrail, Select Event History.<\/p>\r\n\r\n\r\n\r\n Now there are various methods to find events. Let’s discuss them.<\/p>\r\n\r\n\r\n\r\n Lookup attributes allow us to search for events based on values for different scenarios. Based on Resource Type, Based on Event Name, Based on User etc.<\/p>\r\n\r\n\r\n\r\n Their are various lookup attributes :-<\/p>\r\n\r\n\r\n\r\n If you want to find all events based on Access Keys i.e whatever events that have happened using particular access Keys.<\/p>\r\n\r\n\r\n\r\n Let’s say, my access keys were compromised, now how will I find what has been done on AWS using my Access Keys.<\/p>\r\n\r\n\r\n\r\n Event Name<\/strong> as evident defines Name of event, Event Time<\/strong> when this event occurred and Event Source <\/strong>which AWS service<\/a> is called. This event was triggered after we executed the following command on our terminal using aws cli.<\/p>\r\n\r\n\r\n\r\n It is used to access instance directly and doesn’t need port 22 to be opened.<\/p>\r\n\r\n\r\n\r\n Let’s click on Event Name Start Session<\/strong> to discuss further.<\/p>\r\n\r\n\r\n\r\n Here you can see requestParameters<\/strong>, it shows parameters which was passed to AWS SSM. In our case, it is target id [ instance-id ]<\/strong>.<\/p>\r\n\r\n\r\n\r\n responseElements<\/strong> is response which was given by requested AWS service.<\/p>\r\n\r\n\r\n\r\n userAgent<\/strong>: It describes how this event was called. Here in figure 5, it tell us it was called using aws-cli. Other values are console.ec2.amazonaws.com<\/strong> when we are using console to perform any action.<\/p>\r\n\r\n\r\n\r\n 2. Event Name<\/strong><\/p>\r\n\r\n\r\n\r\n As we got a hint earlier event Name specifies Name of Event<\/strong>.<\/p>\r\n\r\n\r\n\r\n It is used when you want to search for particular event.<\/p>\r\n\r\n\r\n\r\n Someone Deleted a KeyPair. So you want to know who did it.<\/p>\r\n\r\n\r\n\r\n All DeleteKeyPair events that has happend in defined frame will appear.<\/p>\r\n\r\n\r\n\r\n So when you want to search for specific event we should use eventName<\/strong>. Isn’t it ?<\/p>\r\n\r\n\r\n\r\n 3. Resource Type<\/strong><\/p>\r\n\r\n\r\n\r\n When you want to see api events of part of specific AWS Service. Example:- All events related to instance [ Terminate, Start, Reboot, Stop ].<\/p>\r\n\r\n\r\n\r\n Example:-<\/p>\r\n\r\n\r\n\r\n Let’s say if I want to search for Instance Termination related events only. Then we will use eventName as TerminateInstances.<\/p>\r\n\r\n\r\n\r\n But when I want to see all events related to instance(Start, Stop, Reboot, Terminate, Run), we will use Resource Type as Lookup attribute<\/strong>. Searching for each event separately will be time consuming so we will use Resource type<\/strong> here.<\/p>\r\n\r\n\r\n\r\n 4. UserName<\/strong><\/p>\r\n\r\n\r\n\r\n All events related to specific user. When you want to check events executed by a specific user. It can be used to check events performed by your newly created user or user who has extra privileges.<\/p>\r\n\r\n\r\n\r\n Example:- I want to see all events of nishant user. So for, that we will use Username<\/p>\r\n\r\n\r\n\r\n You can set a log group and send logs to cloudtrail. Then you can create alarm for important events as well.<\/p>\r\n\r\n\r\n\r\n Example:- If their is any event related to CreateSecurityGroup. We can set alarm for that in Cloudwatch.<\/p>\r\n\r\n\r\n\r\n Alternatively,<\/p>\r\n\r\n\r\n\r\n When you set up Cloudtrail, it uses a S3 bucket where it will store all its events.<\/p>\r\n\r\n\r\n\r\n Now, we can also can ship these logs to Elasticsearch or any monitoring tool you are using.<\/p>\r\n\r\n\r\n\r\n You can use log shipper like Fluentd or Logstash and in input use s3 as plugin<\/strong> and point to that s3 bucket<\/strong> <\/a>where we have Cloudtrail logs. So shipper will send logs to Elasticsearch. There you can visualize the data and set alert on it.<\/p>\r\n\r\n\r\n\r\n Example:- Whenever any RDS Instance is terminated or stopped you need to be notified.<\/p>\r\n\r\n\r\n\r\n AWS Cloudtrail is event tracking AWS Service. We figured out about it’s lookup attributes in Event History. i.e Username, AccessKeys and covered several use cases of Cloudtrail.<\/p>\r\n\r\n\r\n\r\n We can ingest these logs to monitoring tool you are using, or can send to cloudtrail and set alarms for important events.<\/p>\r\n\r\n\r\n\r\n In the next blog, we will discuss about AWS Config and how we can leverage from these two as a combined.<\/p>\r\n\r\n\r\n","protected":false},"excerpt":{"rendered":" Introduction If you are using cloud based services, it is evident and paramount to track events that have happened. Isn’t it? Monitoring events in the cloud is important. If you are using AWS, let’s assume you find that one autoscaling group in your AWS account is deleted. What will be your response? How will you … Continue reading “Event Monitoring Using AWS CloudTrail”<\/span><\/a><\/p>\n","protected":false},"author":194452061,"featured_media":29900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[768739294,679344221,200788596,768739308,304054034,5784,768739293,718261784],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/11\/DevSecOps-1.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-1zY","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/6074"}],"collection":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/194452061"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=6074"}],"version-history":[{"count":27,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/6074\/revisions"}],"predecessor-version":[{"id":29618,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/6074\/revisions\/29618"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/29900"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=6074"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=6074"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=6074"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}What is CloudTrail ?<\/h2>\r\n\r\n\r\n\r\n
\r\n
Use Case<\/h2>\r\n\r\n\r\n\r\n
![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/03\/image-11.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/03\/image-12.png?w=308\")
\r\nLook up attributes<\/h3>\r\n\r\n\r\n\r\n
\r\n
![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/05\/image-1.png?w=1024\")
\r\n aws ssm start-session --target i-04805989eeaef31a6<\/pre>\r\n\r\n\r\n\r\n
![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/05\/image-2.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/03\/image-16.png?w=874\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/04\/image-2.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/04\/image-3.png?w=1024\")
\r\n![\"\"](\"https:\/\/opstree.com\/blog\/\/wp-content\/uploads\/2021\/04\/image-10.png?w=1024\")
\r\n
See how a fintech platform cut AWS costs by 27%\u2014just by optimizing their databases.<\/a><\/figcaption>\r\n<\/figure>\r\n\r\n\r\n\r\nCloudtrail Logging<\/h2>\r\n\r\n\r\n\r\n
Conclusion<\/h2>\r\n\r\n\r\n\r\n