AWS CloudTrail

AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service.

  • A service that logs all AWS API calls in your account
  • This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
  • CloudTrail tracking includes calls made by using the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation)
  • AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to a specified S3 bucket.
  • Log files contain API calls from all of the account’s CloudTrail supported services
  • Log files from all the regions can be delivered to a single S3 bucket and are encrypted, by default, using S3 server-side encryption (SSE)
  • CloudTrail typically delivers log files within 15 minutes of an API call and publishes new log files multiple times an hour, usually about every 5 minutes.
  • CloudTrail can be configured, optionally, to deliver events to a log group to be monitored by CloudWatch Logs.
  • Amazon SNS notifications can be configured to be sent each time a log file is delivered to your bucket.
  • A trail, which is a configuration that enables logging of AWS API activity and related events in your account, needs to be created.
  • A trail can be created with the CloudTrail console, the AWS CLI, or the CloudTrail API.
  • You can create two types of trails:
    • A Trail That Applies to All Regions
      • When a trail is created that applies to all regions, CloudTrail creates the same trail in each region, records the log files in each region, and delivers the log files to the specified single S3 bucket (and optionally to the CloudWatch Logs log group).
    • A Trail That Applies to One Region
      • An S3 bucket can be specified that receives events only from that region; the bucket itself can be in any region that you specify.
      • If additional individual trails are created that apply to specific regions, those trails can all deliver their event logs to a single S3 bucket.
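An added example (not from the original notes) of working with the log files described above: each delivered file is a JSON object whose `Records` array carries the API name, caller identity, time, request parameters and response elements. The script below parses a constructed sample, builds a per-caller summary of write-style calls, and separately flags calls that change the trail itself (the event names in `TRAIL_TAMPER_EVENTS` are CloudTrail API names, chosen here as a defender's watch-list).

```python
import json
from collections import Counter

# Constructed sample log file body in the shape CloudTrail delivers to S3
# (real files are gzip-compressed; all values here are made up).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instanceType": "t3.micro"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0example"}]}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob"}, "responseElements": None},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/session"},
     "requestParameters": {"name": "my-trail"}, "responseElements": None},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": None, "responseElements": None},
]})

# CloudTrail API calls that alter or disable the trail; a defender wants these surfaced.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def caller_of(record):
    """Best-effort caller label from the userIdentity block (user name, else ARN, else type)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def summarize(log_text):
    """Count (caller, service, eventName) for change-type calls; list trail-tampering calls."""
    activity = Counter()
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        name = rec["eventName"]
        if name.startswith(("Describe", "List", "Get")):   # read-only calls, skip
            continue
        activity[(caller_of(rec), rec["eventSource"], name)] += 1
        if name in TRAIL_TAMPER_EVENTS:
            alerts.append((rec["eventTime"], caller_of(rec), name, rec.get("requestParameters")))
    return activity, alerts

if __name__ == "__main__":
    act, al = summarize(SAMPLE_LOG)
    for (who, src, name), n in sorted(act.items()):
        print(f"{who:55} {src:28} {name:18} {n}")
    for a in al:
        print("ALERT trail modified:", a)
```

Run over every file under the trail's S3 prefix for a week and the `activity` counter is the "who changed what" report; the `alerts` list is what you want raised immediately rather than weekly.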

AWS CloudTrail: Quiz

  • You currently operate a web application in the AWS US-East region. The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database. Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2, IAM and RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend?

    • Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles, S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. (Single New bucket with global services option for IAM and MFA delete for confidentiality)
    • Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs. (Missing Global Services for IAM)
    • Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. (Existing bucket prevents confidentiality)
    • Create three new CloudTrail trails with three new S3 buckets to store the logs: one for the AWS Management Console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs. (3 buckets not needed, missing global services option)
  • Which of the following are true regarding AWS CloudTrail? Choose 3 answers

    • CloudTrail is enabled globally (it can be enabled for all regions and also per region basis)
    • CloudTrail is enabled by default (it was not enabled by default originally; however, it is enabled by default as per the latest AWS enhancements)
    • CloudTrail is enabled on a per-region basis (it can be enabled for all regions and also per region basis)
    • CloudTrail is enabled on a per-service basis (once enabled it is applicable for all the supported services, service can’t be selected)
    • Logs can be delivered to a single Amazon S3 bucket for aggregation
    • CloudTrail is enabled for all available services within a region. (is enabled only for CloudTrail supported services)
    • Logs can only be processed and delivered to the region in which they are generated. (can be logged to bucket in any region)
  • An organization has configured the custom metric upload with CloudWatch. The organization has given permission to its employees to upload data using the CLI as well as the SDK. How can the user track the calls made to CloudWatch?

    • The user can enable logging with CloudWatch which logs all the activities
    • Use CloudTrail to monitor the API calls
    • Create an IAM user and allow each user to log the data using the S3 bucket
    • Enable detailed monitoring with CloudWatch
  • A user is trying to understand the CloudWatch metrics for the AWS services. It is required that the user should first understand the namespace for the AWS services. Which of the below-mentioned is not a valid namespace for the AWS services?

    • AWS/StorageGateway
    • AWS/CloudTrail (CloudWatch supported namespaces)
    • AWS/ElastiCache
    • AWS/SWF
  • Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?

    • Use CloudTrail Log File Integrity Validation.
    • Use AWS Config SNS Subscriptions and process events in real time.
    • Use CloudTrail backed up to AWS S3 and Glacier.
    • Use AWS Config Timeline forensics.
  • Your CTO has asked you to make sure that you know what all users of your AWS account are doing to change resources at all times. She wants a report of who is doing what over time, reported to her once per week, for as broad a resource type group as possible. How should you do this?

    • Create a global AWS CloudTrail Trail. Configure a script to aggregate the log data delivered to S3 once per week and deliver this to the CTO.
    • Use CloudWatch Events Rules with an SNS topic subscribed to all AWS API calls. Subscribe the CTO to an email type delivery on this SNS Topic.
    • Use AWS IAM credential reports to deliver a CSV of all uses of IAM User Tokens over time to the CTO.
    • Use AWS Config with an SNS subscription on a Lambda, and insert these changes over time into a DynamoDB table. Generate reports based on the contents of this table.
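An added example (not part of the original notes) for the log file integrity validation option in the "account was hacked" question above. CloudTrail writes hourly digest files that list each delivered log file with a hash; comparing the stored log file against that hash reveals modification or deletion. Assumptions: the digest entry shape below follows the `logFiles` array of a CloudTrail digest file, `hashValue` is taken to be the hex SHA-256 of the uncompressed log contents, and `fetch` stands in for an S3 GetObject.

```python
import gzip
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed log file as CloudTrail stores it: gzip-compressed JSON with a Records array.
LOG_BYTES = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"userName": "alice"}}]}).encode())

# Constructed digest entry (assumed shape of one "logFiles" element; key and account are made up).
DIGEST = {"logFiles": [{
    "s3Object": "AWSLogs/123456789012/CloudTrail/us-east-1/2024/05/01/log_1.json.gz",
    "hashAlgorithm": "SHA-256",
    "hashValue": sha256_hex(gzip.decompress(LOG_BYTES)),   # assumption: hash of uncompressed body
}]}

def verify_log_files(digest, fetch):
    """Return {s3Object: 'ok' | 'modified' | 'missing'} for every file the digest covers.
    fetch(key) returns the stored gzip bytes, or None if the object no longer exists."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = fetch(key)
        if blob is None:
            results[key] = "missing"      # a deleted log file is itself evidence
            continue
        actual = sha256_hex(gzip.decompress(blob))
        results[key] = "ok" if actual == entry["hashValue"] else "modified"
    return results

if __name__ == "__main__":
    print(verify_log_files(DIGEST, lambda key: LOG_BYTES))                       # intact
    print(verify_log_files(DIGEST, lambda key: gzip.compress(b'{"Records": []}')))  # edited
    print(verify_log_files(DIGEST, lambda key: None))                            # deleted
```

This is only the log-file half of the check: full validation also verifies each digest's RSA signature against CloudTrail's published public key and follows the previous-digest chain, which is what `aws cloudtrail validate-logs` does for you.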