CloudTrail is a service that tracks user activity and API usage in the AWS cloud. It enables auditing and governance of the AWS account: with it, you can see what is happening in your account and monitor it continuously. It provides an event history that records resource changes. You can also enable logging of all events to S3 and analyze them with another service such as Athena or CloudWatch.
In this tutorial, we are going to look at the event history of your AWS account. We are also going to create a ‘trail’, store the events in S3, and analyze them using CloudWatch.
Event history
All read/write management events are logged by event history. It lets you view, filter, and download your recent AWS account activity over the past 90 days. You don’t need to configure anything for it.
Using AWS console
Go to the service ‘CloudTrail’ and click on the dashboard. You can see the event name, time, and source. Click on ‘View full Event history’ to get all the events.
On the detail page of Event history, you can apply a filter of your choice. To see the events, select the Read-only filter and set it to false, as shown above.
Using AWS CLI
You can also use the AWS CLI to look at the events. The following command shows the TerminateInstances events of your account.
# aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TerminateInstances
Trails
Now, let’s create a trail that will log all the events of your account and store them in an S3 bucket.
On the left side, select Trails and click on ‘Create trail’.
On the next page, give a trail name, choose to create a new S3 bucket, and give a bucket name. (If you already have a bucket, you can choose the existing S3 bucket instead.)
Scroll down the page and enable CloudWatch Logs. Create a log group and give it a name. Also assign an IAM role and give it a name. Then click on Next.
If you want to log all types of events, select the other options under the Event type section. We are just going with Management events, so click on Next.
Now, review your configuration and click on ‘Create Trail’.
You can also see the list of created trails with the following AWS CLI command.
# aws cloudtrail list-trails
Use the following command to see the configuration of the trail we created above.
# aws cloudtrail describe-trails --trail-name-list management-events
Analyze logs in CloudWatch
When creating the trail, we configured it to send logs to CloudWatch. So, go to the CloudWatch service and click on ‘Log groups’.
By default, logs are kept indefinitely and never expire. Here, you can also apply a filter to get the desired output. For example, we are going to see all instance launches in the AWS account. To do this, use the filter ‘RunInstances’ as shown below. The output is shown in JSON format.
You can also use the CLI to get all the log events. Run the following command to get all the events of the log group you defined above.
# aws logs filter-log-events --log-group-name aws-cloudtrail-logs-20201229
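The console and CloudWatch filters above (an exact event name such as RunInstances, or Read-only = false) can be reproduced offline on the JSON that CloudTrail delivers. The following is an added example, not code from the original article; the records are constructed samples in the CloudTrail record layout (the account ID and IP addresses are placeholders), not data from a real account.

```python
import json

# Constructed sample CloudTrail log file: CloudTrail delivers a JSON object
# with a "Records" array, and each record carries eventName, eventSource,
# eventTime, readOnly, userIdentity and sourceIPAddress (values here are made up).
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2020-12-29T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2020-12-29T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2020-12-29T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
     "sourceIPAddress": "198.51.100.7"},
]})


def load_records(raw):
    """Parse one CloudTrail log file ({"Records": [...]} envelope) into a list of events."""
    return json.loads(raw)["Records"]


def filter_events(records, event_name=None, read_only=None):
    """Apply the same filters the tutorial uses in the console: an exact
    eventName and/or the readOnly flag (False keeps only mutating API calls)."""
    out = []
    for r in records:
        if event_name is not None and r.get("eventName") != event_name:
            continue
        if read_only is not None and r.get("readOnly") is not read_only:
            continue
        out.append(r)
    return out


def actor(record):
    """Best available identity string: IAM user name, else the caller ARN, else the type."""
    ui = record.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def summarize(records):
    """One line per event: when, which API call, by whom, and from which address."""
    return [f"{r['eventTime']} {r['eventName']} by {actor(r)} from {r.get('sourceIPAddress')}"
            for r in records]


if __name__ == "__main__":
    recs = load_records(SAMPLE_RECORDS)
    for line in summarize(filter_events(recs, read_only=False)):
        print(line)
```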
In this article, we saw how to audit and find the activities in an AWS account using CloudTrail. Thank you for reading.