AWS CloudTrail: Features of the AWS Audit Logging Tool
Understanding the features of the AWS audit logging tool, which lets users analyze the security status of their systems and troubleshoot issues.
CloudTrail is an AWS service that keeps records of activities taken by users, roles, or services. Audit logs may be from the AWS Management Console, AWS SDKs, command-line tools, or AWS services. Combined, the features of CloudTrail allow you to know when and how your AWS setup is being used. It provides an automatic way to track the event history of all your AWS accounts in a single location.
These logs let users analyze the security posture of their accounts, detect malicious activity, track resource usage, and troubleshoot performance and maintenance issues. Built-in features can analyze the records and raise alarms when unexpected behavior is observed. CloudTrail can also be configured to forward events to other AWS services, so users can set up their own analysis with tools such as ELK.
Logging Management Events and Data Events
Management events record control plane operations performed on AWS resources: creating, deleting, and modifying assets such as EC2 instances or S3 buckets. Data events record data plane operations performed within those resources, such as GetObject or PutObject calls on existing S3 objects or Invoke calls on Lambda functions. Data events are usually far higher in volume than management events, which is why they are only collected when you opt in. In both cases, each CloudTrail record includes detailed information about the call: the AWS account that owns the resource, the ARN of the resource acted upon, the IAM identity (user or role session) that made the call, the IP address of the caller, the time of the action, and any error code returned. See the AWS documentation for the complete list of fields in a CloudTrail record.
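As an added example (not code from the original article), the following Python parses the body of one CloudTrail log file, tells management events from data events, and pulls out the fields named above. The log file body is constructed for this example; field names follow the CloudTrail record format, but every account number, ARN and IP address is made up.

```python
import json
from collections import Counter

# Constructed sample: the body of one CloudTrail log file (a JSON object with a
# Records list). Field names are CloudTrail's; the identifiers are made up.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:15:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/DeployRole"}}},
     "readOnly": False, "managementEvent": True, "eventCategory": "Management",
     "recipientAccountId": "123456789012"},
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:16:30Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "readOnly": True, "managementEvent": False, "eventCategory": "Data",
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-data/secrets/db.env"},
                   {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-data"}],
     "recipientAccountId": "123456789012"},
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:17:05Z",
     "eventSource": "iam.amazonaws.com", "eventName": "DeleteRolePolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "readOnly": False, "managementEvent": True, "eventCategory": "Management",
     "recipientAccountId": "123456789012"},
]})


def principal_of(record):
    """Identity behind an event. For assumed roles the role's own ARN (sessionIssuer)
    is the stable thing to pivot on; the session ARN changes with every assumption."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or ident.get("type", "unknown")


def summarize(record):
    """Flatten the fields an analyst reaches for first."""
    # Newer records carry eventCategory; older ones only the managementEvent flag.
    is_mgmt = record.get("managementEvent", record.get("eventCategory") != "Data")
    return {
        "time": record["eventTime"],
        "plane": "management" if is_mgmt else "data",
        "api": f'{record["eventSource"].split(".")[0]}:{record["eventName"]}',
        "write": not record.get("readOnly", False),
        "principal": principal_of(record),
        "source_ip": record.get("sourceIPAddress"),
        "account": record.get("recipientAccountId"),
        "resources": [r["ARN"] for r in record.get("resources", []) if "ARN" in r],
    }


def parse_log_file(body):
    """Parse one CloudTrail log file body into flat summaries."""
    return [summarize(r) for r in json.loads(body)["Records"]]


def plane_counts(events):
    """Management vs data event counts, a quick volume sanity check per file."""
    return Counter(e["plane"] for e in events)


if __name__ == "__main__":
    events = parse_log_file(SAMPLE_LOG_FILE)
    for e in events:
        print(e)
    print(plane_counts(events))
```

Note that the S3 GetObject record names both the object and its bucket under resources, and that the root DeleteRolePolicy call resolves to the account's root ARN; both are the details a detection or triage pipeline keys on.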
CloudTrail is Always On
Without any configuration, CloudTrail records management events for every AWS account and keeps them for 90 days in Event history. Within that window the events can be viewed, searched, and downloaded in the CloudTrail console or with the AWS CLI (the lookup-events command) without creating a trail. Events older than 90 days are no longer available from Event history, so anything you need to keep or analyze beyond that window must be written to S3 by a trail. This default recording is free.
Activate a Trail for S3 Storage
A trail must be created to keep an ongoing record of events in an AWS account. A trail delivers log files to an S3 bucket that you specify; when the trail is created as a multi-region trail, events from all regions are delivered to that one bucket. Data events for supported services such as S3 or Lambda can be added to the trail and are delivered to the same bucket. A trail can also be created for an AWS Organization so that the logs of every member account land in the same bucket, giving one uniform logging strategy for the whole organization. Once the log files exist in S3, other AWS services may be used to analyze them.
With a trail, the first copy of management events is still delivered free of charge; additional copies of management events, and data events, are charged per event. The usual S3 costs apply for storing the logs.
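The part of setting up a trail that most often goes wrong is the bucket policy: CloudTrail must be allowed to write, but only the trail you intend. The Python below is an added example, not the article's or AWS's own code. It builds the bucket policy a trail needs (with the aws:SourceArn condition that pins the grant to one trail ARN and the bucket-owner-full-control ACL condition), reviews an existing policy for those two guards, and assembles the arguments for the boto3 create_trail call. The bucket name, account ID, trail name and organization ID are placeholders; the weak policy at the bottom is constructed to show what the review catches.

```python
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket, account_id, region, trail_name, org_id=None, prefix=""):
    """S3 bucket policy that lets exactly one trail write into the bucket.
    aws:SourceArn pins the grant to that trail's ARN, so a trail in some other account
    cannot deliver into (or flood) this bucket; bucket-owner-full-control keeps the
    delivered objects readable by the bucket owner. An organization trail also writes
    under AWSLogs/<org id>/ for the member accounts."""
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    base = f"arn:aws:s3:::{bucket}" + (f"/{prefix.strip('/')}" if prefix else "")
    log_owners = [account_id] + ([org_id] if org_id else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "s3:PutObject",
             "Resource": [f"{base}/AWSLogs/{owner}/*" for owner in log_owners],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "aws:SourceArn": trail_arn}}},
        ],
    }


def policy_findings(policy):
    """Review an existing bucket policy: flag CloudTrail write grants that lack the
    aws:SourceArn guard or the bucket-owner-full-control condition."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal", {}).get("Service") != CLOUDTRAIL_SERVICE:
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions:
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        sid = st.get("Sid", "<no Sid>")
        if "aws:SourceArn" not in cond:
            findings.append(f"{sid}: s3:PutObject is not restricted to one trail ARN (aws:SourceArn)")
        if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{sid}: missing s3:x-amz-acl = bucket-owner-full-control condition")
    return findings


def create_trail_params(trail_name, bucket, org_trail=False, prefix=""):
    """Keyword arguments for boto3 cloudtrail.create_trail(): one multi-region trail
    with global service events and log file validation turned on."""
    params = {"Name": trail_name, "S3BucketName": bucket, "IsMultiRegionTrail": True,
              "IncludeGlobalServiceEvents": True, "EnableLogFileValidation": True,
              "IsOrganizationTrail": org_trail}
    if prefix:
        params["S3KeyPrefix"] = prefix
    return params


# Constructed example of a too-loose policy: any trail in any account could write here.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyTrailMayWrite", "Effect": "Allow",
     "Principal": {"Service": CLOUDTRAIL_SERVICE},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-bucket/*"},
]}

if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("example-trail-bucket", "123456789012", "us-east-1",
                                      "org-trail", org_id="o-abc123def4")
    print(json.dumps(policy, indent=2))
    print("findings, generated policy:", policy_findings(policy))
    print("findings, weak policy:", policy_findings(WEAK_POLICY))
```

Apply the generated policy with put_bucket_policy before calling create_trail; CloudTrail checks the bucket ACL and write permission at creation time and refuses the trail if either is missing.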
Log Integrity and Encryption
Log files delivered to S3 are encrypted by default with S3 server-side encryption (SSE-S3). You can instead encrypt them with an AWS KMS key (SSE-KMS), in which case only users and services that are granted decrypt permission on that key, through IAM and the key policy, can read the logs.
To further protect the logs, AWS offers CloudTrail log file integrity validation. When enabled, CloudTrail delivers a digest file every hour that lists the SHA-256 hash of every log file delivered in that hour and signs the digest with SHA-256 with RSA; each digest also references the previous one, forming a chain. The feature does not prevent tampering, but it lets you prove whether a log file was modified, deleted, or forged after CloudTrail delivered it: the validate-logs CLI command walks the chain and reports any file whose hash or signature no longer matches.
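To show what the digest chain actually buys you, here is an added example (not the article's or AWS's code) that reproduces the hash part of integrity validation in plain Python: it builds a digest in the shape CloudTrail delivers, verifies every listed log file against its recorded SHA-256, checks the link to the previous digest, and then shows what the check reports after a log file is modified, deleted, or the previous digest is swapped for a forgery. The log objects and digest contents are constructed; the way the previous digest is serialized before hashing is an assumption of this example. The RSA signature over each digest, which is what stops an attacker from simply regenerating the digests, is left to the validate-logs command and the public keys returned by list-public-keys.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: two log objects as they would sit in the trail bucket
# (keys shortened; the digest hash covers the object bytes as stored).
BUCKET = "example-trail-bucket"
LOG_OBJECTS = {
    "AWSLogs/123456789012/CloudTrail/us-east-1/2023/05/01/a1.json.gz": b'{"Records":[{"eventName":"RunInstances"}]}',
    "AWSLogs/123456789012/CloudTrail/us-east-1/2023/05/01/a2.json.gz": b'{"Records":[{"eventName":"DeleteRolePolicy"}]}',
}


def make_digest(objects, previous_hash):
    """A digest file with the fields CloudTrail writes (signature fields omitted here)."""
    return {
        "awsAccountId": "123456789012",
        "digestStartTime": "2023-05-01T10:00:00Z",
        "digestEndTime": "2023-05-01T11:00:00Z",
        "digestS3Bucket": BUCKET,
        "digestS3Object": "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2023/05/01/d1.json.gz",
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestHashValue": previous_hash,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": key, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(body)} for key, body in objects.items()],
    }


def digest_hash(digest):
    """Hash of a digest file, recorded by the next digest as previousDigestHashValue.
    Assumption for this example: the digest is hashed as sorted, compact-free JSON."""
    return sha256_hex(json.dumps(digest, sort_keys=True).encode())


def verify_digest(digest, fetch, previous_digest_hash=None):
    """Check each listed log file against its recorded hash and the link to the
    previous digest. `fetch(bucket, key)` returns bytes or None. Returns a list of
    problems; empty means that hour's logs are intact."""
    problems = []
    if previous_digest_hash is not None and digest["previousDigestHashValue"] != previous_digest_hash:
        problems.append("chain: previousDigestHashValue does not match the prior digest")
    for entry in digest["logFiles"]:
        body = fetch(entry["s3Bucket"], entry["s3Object"])
        if body is None:
            problems.append(f"deleted: {entry['s3Object']}")
        elif sha256_hex(body) != entry["hashValue"]:
            problems.append(f"modified: {entry['s3Object']}")
    return problems


def tamper_demo():
    """Verify the pristine bucket, then after modification, deletion, and a forged digest."""
    genesis = "0" * 64                                   # first digest has no predecessor
    first = make_digest(LOG_OBJECTS, genesis)
    results = {"intact": verify_digest(first, lambda b, k: LOG_OBJECTS.get(k), genesis)}

    key = next(iter(LOG_OBJECTS))
    modified = dict(LOG_OBJECTS, **{key: b'{"Records":[]}'})   # attacker scrubs RunInstances
    results["modified"] = verify_digest(first, lambda b, k: modified.get(k), genesis)

    deleted = {k: v for k, v in LOG_OBJECTS.items() if k != key}
    results["deleted"] = verify_digest(first, lambda b, k: deleted.get(k), genesis)

    # The next digest points at the first; replacing the first digest with one that
    # blesses the scrubbed file breaks the link from the second digest.
    second = make_digest({}, digest_hash(first))
    results["chain_ok"] = verify_digest(second, lambda b, k: None, digest_hash(first))
    forged_first = make_digest(modified, genesis)
    results["chain_broken"] = verify_digest(second, lambda b, k: None, digest_hash(forged_first))
    return results


if __name__ == "__main__":
    for scenario, problems in tamper_demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

The last scenario is the reason the chain matters: without it an attacker with write access to the bucket could rewrite one hour's digest to match the scrubbed log, and only the signature check (and the link from the following digest) would reveal it.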
CloudTrail Insights
CloudTrail Insights uses models to determine what normal volumes of write API calls are for your account, with the baseline calculated over the seven days preceding an event. When call volume falls outside that norm, Insights events are delivered to a separate CloudTrail-Insight prefix in the trail's S3 bucket. You can also view Insights events in the CloudTrail console, which has a graphical view of API call rates over time. Insights events can also be sent to CloudWatch Logs, where CloudWatch alarms can notify you for all or specific Insights events.
Insights analyzes write API events per region. Although Insights events for all regions are delivered to the same S3 bucket, the per-region analysis lets you see how the APIs in each region your design uses are behaving. After Insights is enabled, it can take up to 36 hours to deliver the first Insights event, and since events are only generated when unusual activity is detected, it may be much longer before any appear.
CloudTrail Insights are not enabled by default and need to be configured by the user. Extra charges do apply for this feature.
Integration with Lambda
S3 event notifications can invoke a Lambda function whenever an object is created (or deleted) in a bucket. When a trail writes a log file to its S3 bucket, that notification can trigger a Lambda function to fetch and process the file. Using this flow, users can customize the analysis, storage, and display of CloudTrail events. Standard charges apply for Lambda execution and for any downstream service the function writes to.
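The Lambda side of that flow, as an added example rather than code from the article: the handler receives the S3 notification, decodes the object key (S3 URL-encodes keys in notifications), skips digest files, gunzips the log object, and applies a triage rule to each record. The triage rule (IAM writes and access-denied errors) is an assumption chosen for illustration, and the fetch function is injectable so the logic can be run without S3; the log object and notification below are constructed, and the boto3 call is only used when deployed.

```python
import gzip
import io
import json
from urllib.parse import unquote_plus


def parse_cloudtrail_object(raw: bytes):
    """Decode one delivered CloudTrail log object: gzip-compressed JSON with a Records list."""
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        return json.load(gz)["Records"]


def interesting(record):
    """Illustrative triage rule (an assumption for this example): any write call to IAM,
    or any call the service refused with an access error."""
    iam_write = record.get("eventSource") == "iam.amazonaws.com" and not record.get("readOnly", False)
    denied = record.get("errorCode", "").endswith(("AccessDenied", "UnauthorizedOperation"))
    return iam_write or denied


def _s3_fetch(bucket, key):
    import boto3  # imported lazily so the module also loads where the SDK is absent
    return boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()


def handler(event, context=None, fetch=_s3_fetch):
    """Lambda entry point for an S3 ObjectCreated notification on the trail bucket."""
    hits = []
    for note in event.get("Records", []):
        if not note.get("eventName", "").startswith("ObjectCreated"):
            continue
        bucket = note["s3"]["bucket"]["name"]
        key = unquote_plus(note["s3"]["object"]["key"])   # S3 URL-encodes keys in notifications
        if "/CloudTrail-Digest/" in key:                  # digest files hold hashes, not events
            continue
        for rec in parse_cloudtrail_object(fetch(bucket, key)):
            if interesting(rec):
                hits.append({"object": key, "time": rec.get("eventTime"),
                             "api": rec.get("eventName"), "error": rec.get("errorCode"),
                             "principal": rec.get("userIdentity", {}).get("arn")})
    return {"matched": len(hits), "hits": hits}


# Constructed sample: one CloudTrail log object and the S3 notification announcing it.
SAMPLE_OBJECT = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2023-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "readOnly": False, "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2023-05-01T10:15:20Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "readOnly": True, "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2023-05-01T10:15:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "readOnly": True, "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]}).encode())

SAMPLE_EVENT = {"Records": [{
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-trail-bucket"},
           "object": {"key": "AWSLogs/123456789012/CloudTrail/us-east-1/2023/05/01/"
                             "123456789012_CloudTrail_us-east-1_20230501T1015Z_a1b2c3.json.gz"}},
}]}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, fetch=lambda b, k: SAMPLE_OBJECT), indent=2))
```

In a real deployment the function's execution role needs s3:GetObject on the trail bucket (and kms:Decrypt on the key if the trail uses SSE-KMS), and the notification should be filtered to the AWSLogs/ prefix and .json.gz suffix so the function is not invoked for digest or Insights objects.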
Integration with CloudWatch
CloudTrail can optionally send events to a CloudWatch Logs log group in addition to S3. Within CloudWatch Logs you can view, search, and filter CloudTrail events, and setting up CloudWatch alarms or subscriptions lets you process the event stream further.
Alarms are a CloudWatch feature that notifies AWS users when a metric crosses a threshold. Before creating an alarm, you create a metric filter on the log group that matches the events of interest and increments a custom metric; the alarm then watches that metric. The filter can match regular CloudTrail events that must be tracked in near real time, or CloudTrail Insights events.
Metric alarms watch a single CloudWatch metric and can trigger an EC2 action, an Auto Scaling action, or a notification to an SNS topic. Composite alarms combine multiple metric alarms with rules, but composite alarms can only send notifications to SNS topics.
CloudWatch alarms are priced per alarm, and the custom metrics that metric filters publish are priced per metric, with the price per metric decreasing as the number of metrics grows. Details are on the CloudWatch pricing page.
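The metric-filter-to-alarm chain above, as an added example that is not the article's own code. It carries two filter patterns in CloudWatch Logs filter syntax (the widely used patterns for root account usage and console sign-in failures), a Python twin of each so the logic can be tested against sample events before the filters are deployed, and the keyword arguments for the boto3 put_metric_filter and put_metric_alarm calls that wire them to an SNS topic. The sample events, the metric namespace and the SNS topic ARN are constructed placeholders.

```python
# Metric filter patterns in CloudWatch Logs filter syntax.
ROOT_USAGE_PATTERN = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                      '&& $.eventType != "AwsServiceEvent" }')
CONSOLE_FAILURE_PATTERN = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
NAMESPACE = "CloudTrailMetrics"   # assumption: any custom namespace name will do


def is_root_usage(ev):
    """Python twin of ROOT_USAGE_PATTERN: interactive root use, excluding calls a service
    made on root's behalf (invokedBy) and service-generated events."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def is_console_failure(ev):
    """Python twin of CONSOLE_FAILURE_PATTERN."""
    return ev.get("eventName") == "ConsoleLogin" and ev.get("errorMessage") == "Failed authentication"


DETECTIONS = {
    "RootAccountUsage": (ROOT_USAGE_PATTERN, is_root_usage),
    "ConsoleSignInFailures": (CONSOLE_FAILURE_PATTERN, is_console_failure),
}


def metric_counts(events):
    """What each metric filter would add to its metric for a batch of events."""
    return {name: sum(1 for ev in events if match(ev)) for name, (_, match) in DETECTIONS.items()}


def metric_filter_params(log_group, name):
    """Keyword arguments for boto3 logs.put_metric_filter()."""
    pattern, _ = DETECTIONS[name]
    return {"logGroupName": log_group, "filterName": name, "filterPattern": pattern,
            "metricTransformations": [{"metricName": name, "metricNamespace": NAMESPACE,
                                       "metricValue": "1", "defaultValue": 0.0}]}


def alarm_params(name, sns_topic_arn, threshold=1, period=300):
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm(): fire when the 5-minute
    sum reaches the threshold; missing data (no matching events) is not a breach."""
    return {"AlarmName": f"{name}Alarm", "Namespace": NAMESPACE, "MetricName": name,
            "Statistic": "Sum", "Period": period, "EvaluationPeriods": 1,
            "Threshold": threshold, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [sns_topic_arn], "TreatMissingData": "notBreaching"}


def deploy(log_group, sns_topic_arn):
    """Create both filters and alarms (needs AWS credentials; not run by the sample below)."""
    import boto3
    logs, cw = boto3.client("logs"), boto3.client("cloudwatch")
    for name in DETECTIONS:
        logs.put_metric_filter(**metric_filter_params(log_group, name))
        cw.put_metric_alarm(**alarm_params(name, sns_topic_arn))


# Constructed sample events carrying only the fields the patterns inspect.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"}},  # counts
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorMessage": "Failed authentication"},
    {"eventName": "CreateBucket", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}},  # service for root
    {"eventName": "RotateKey", "eventType": "AwsServiceEvent", "userIdentity": {"type": "Root"}},  # service
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}},
]

if __name__ == "__main__":
    print(metric_counts(SAMPLE_EVENTS))
    print(alarm_params("RootAccountUsage", "arn:aws:sns:us-east-1:123456789012:security-alerts"))
```

The two exclusions in the root pattern are the part people drop first and regret: without them every service call that AWS itself makes under the root identity raises the alarm, and the alarm is muted within a week.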
CloudWatch Logs subscriptions stream log events to other AWS services in near real time: Kinesis, Lambda, or AWS Elasticsearch. Lambda functions can be invoked directly from the trail's S3 bucket without going through CloudWatch, but Kinesis or AWS Elasticsearch subscriptions may be more useful when the data will feed complex aggregations, analytics, or machine learning.
Typical costs apply for these services. Since CloudTrail can produce a large volume of events in near real time, users might compare the AWS Elasticsearch service against outside services; in some situations scaling an outside service has proven cheaper than the managed AWS offering, so estimate costs against your expected log volume before committing.
Opinions expressed by DZone contributors are their own.