AWS – AWS Cloudtrail


  • AWS CloudTrail monitor the AWS deployments in the cloud by getting a history of AWS API calls for particular user account.

CloudTrail integrates into applications using the API, automate trail creation for the organization, check the status of the trails, and control how administrators turn CloudTrail logging on and off.

AWS CloudTrail

  • AWS CloudTrail is used to get a history of AWS API calls and related events for your account.
  • This history includes calls made with the AWS Management Console, AWS Command Line Interface, AWS SDKs, and other AWS services.

AWS CloudTrail Working

  • AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account.
  • Then delivers these log files to an Amazon S3 bucket as user specify.
  • A trail is a configuration that enables logging of AWS API calls and related events in your account.

Users can create two types of trails

  • A trail that applies to all regions
  • A trail that applies to one region

For both types of trails, user can specify an S3 bucket from any region

  • Create a trail
  • Create and subscribe to an Amazon SNS
  • View your log files
  • Manage user permissions
  • Monitor events with CloudWatch Logs
  • Log management and data events
  • Enable log encryption
  • Enable log file integrity
  • Share log files with other AWS accounts
  • Aggregate logs from multiple accounts
  • Work with partner solutions

Create a trail

A trail enables CloudTrail to deliver log files to users Amazon S3 bucket.

By default, When users create a trail in the console, the trail applies to all regions.

The trail logs events from all regions in the AWS partition and delivers the log files to the S3 bucket that users specify.

Create and subscribe to an Amazon SNS

Subscribe to a topic to receive notifications about log file delivery to your bucket.

Amazon SNS can notify user in multiple ways, including programmatically with Amazon Simple Queue Service.

View your log files

Use Amazon S3 to retrieve log files.

After setting up CloudTrail to capture the log files  that user wants, then usec can able to find the log files and interpret the information they contain.

CloudTrail delivers the log files to an Amazon S3 bucket that is specified by the user when the trail is created.

Manage user permission

User can use AWS Identity and Access Management (IAM) to manage the permissions to create, configure, or delete trails; start and stop logging; and access buckets that have log files.

Monitor events with CloudWatch Logs

User can configure their own trail to send events to CloudWatch Logs.

User can then use CloudWatch Logs to monitor account for specific API calls and events.

If user configure a trail that applies to all regions to send events to a CloudWatch Logs log group, CloudTrail sends events from all regions to a single log group.

Enable log encryption

Log file encryption provides an extra layer of security for the log files.

By default, the log files delivered by CloudTrail to the bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3).

To provide a security layer that is directly manageable, user can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for user’s CloudTrail log files.

Enable log encryption

To use SSE-KMS with CloudTrail, first create and manage a KMS key, also known as a customer master key (CMK).

User attach a policy to the key that determines which users can use the key for encrypting and decrypting CloudTrail log files.

The decryption is seamless through S3.

Enable log file integrity

Log file integrity validation helps user to verify that log files have remained unchanged since CloudTrail delivered them.

This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing.

Share log files with other AWS account

Users can share their log files between accounts.

To share log files between multiple AWS accounts, the following general steps must be performed.

  • Create an IAM role for each account that you want to share log files with.
  • For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.
  • Have an IAM user in each account programmatically assume the appropriate role and retrieve the log files.

Aggregate logs from multiple accounts

Users can aggregate log files from multiple accounts to a single bucket.

For example, user have four AWS accounts with account ID’s 111111111111, 222222222222, 333333333333, and 444444444444.

he/she wants to configure CloudTrail to deliver log files from all four of these accounts to a bucket belonging to account 111111111111.

Work with partner solutions

Analyzing the CloudTrail output with one of the partner solutions that is integrated with CloudTrail.

These solutions offer a broad set of capabilities, such as change tracking, troubleshooting, and security analysis.

What is Trail?

A trail is a configuration that enables logging of the AWS API activity and related events in user’s account.

CloudTrail delivers the logs to an Amazon S3 bucket that user specify, and optionally to a CloudWatch Logs log group.

Users can also specify an Amazon SNS topic that receives notifications of log file deliveries.

Management of CloudTrail

  • CloudTrail Console
  • CloudTrail CLI
  • CloudTrail APIs
  • AWS SDKs

AWS CloudTrail Concept

Controlling Access to the CloudTrail

AWS IAM is a web service that enables AWS customers to manage users and user permissions.

Users can use IAM to control the access to CloudTrail.

By creating individual IAM users for people accessing a single account,

Log Management and Data Event

When users create a trail, then user’s account trail logs read-only and write-only management events.

Users can update their trail to specify whether they want their trail to log data events.

Performing monitoring with CloudTrail

CloudWatch Logs and CloudTrail

Amazon CloudWatch is a web service that collects and tracks metrics to monitor AWS resources and the applications that run on AWS.

Amazon CloudWatch Logs is a feature of CloudWatch that users can use specifically to monitor log data.

How does cloudTrail behave Regionally and Globally?

A trail can be applied to all regions or a single region.

Best option is, create a trail that applies to all regions in the AWS partition in which you are working.

This is the default setting when user create a trail in the CloudTrail console.

Advantage of applying cloudTrail to all region

  • The configuration settings for the trail apply consistently across all regions.
  • User can receive log files from all regions in a single S3 bucket and optionally in a CloudWatch Logs log group.
  • User can manage trail configuration for all regions from one location.
  • User can immediately receive events from a new region, when a new region launches

What happen when trail is applied to all regions?

When user apply a trail to all regions, CloudTrail uses the trail that is created in a particular region to create trails with identical configuration in all other regions in user’s account.

This has the following effects:

  • CloudTrail delivers log files for API activity from all regions to the single Amazon S3 bucket that is specified by user, and optionally to a CloudWatch Logs log group.
  • If user configured an Amazon SNS topic for the trail, SNS notifications about log file deliveries in all regions are sent to that single SNS topic.
  • Global service events will be delivered from a single region to the specified S3 bucket and to CloudWatch Logs log group
  • If user enabled log file integrity validation, log file integrity validation is enabled in all regions for the trail.

Multiple trail per regions

If user in AWS  have different but related user groups such as developers, security personnel, and IT auditors etc.

Then user can create multiple trail per region. This allows each group to receive its own copy of the log files.

CloudTrail supports five trail per region.

A trail that applies to all regions counts as one trail in every region.

AWS security Token Service (AWS STS) and CloudTrail

AWS STS is a service that has a global endpoint and that also supports region-specific endpoints.

An endpoint is a URL that is the entry point for web service requests.

For example, is the US West (Oregon) regional entry point for the AWS CloudTrail service.

Regional endpoints help reduce latency in user applications.

When user use an AWS STS region-specific endpoint, the trail in that region delivers only the AWS STS events that occur in that region.

Global Service Events

For global services such as IAM, AWS STS, and Amazon CloudFront, events are delivered to any trail that includes global services.

To avoid receiving duplicate global service events, remember the following:

  • Global service events are delivered to trails that have the Apply trail to all regions option enabled. (Events are delivered from a single region to the bucket for the trail)
  • If user have a single region trail, he/she should include global services.
  • If user have multiple single region trails, he/she should enable global services in only one of the trails.
  • When user create or update a trail with the AWS CLI, AWS SDKs, or CloudTrail API, he/she can include or exclude global service events for trails.

How does CloudTrail relates to other AWS monitoring services?

CloudTrail adds another dimension to the monitoring capabilities already offered by AWS; it does not change or replace logging features user  already using such as  Amazon S3 or Amazon CloudFront subscriptions.

Amazon CloudWatch focuses on performance monitoring and system health; CloudTrail focuses on API activity.

AWS CloudTrail Supported Services

Cloudtrail support the following services:

  • Additional Software and services

AWS Marketplace: is an online store where user can buy or sell software that runs on AWS.

  • Analytics

Amazon Athena: is an interactive query service that makes it easy to analyze data directly in Amazon S3 using standard SQL.

AWS CloudTrail Supported Services

  • Analytics

Amazon CloudSearch

Amazon EMR

AWS Data Pipeline

Amazon Kinesis Firehose

Amazon Kinesis Streams

Amazon Quick Sight

  • Application Services

Amazon API Gateway

Amazon Elastic Transcoder

Amazon Elasticsearch Service

Amazon Simple Workflow Service

AWS Step Functions

  • Artificial Intelligence

Amazon Machine Learning: makes it easy for developers to build smart applications, including applications for fraud detection, demand forecasting, targeted marketing, and click prediction.

Amazon Polly: is a service that converts text into lifelike speech. Amazon Polly is used  to develop applications that increase engagement and accessibility.

  • Business Productivity

Amazon WorkDocs: is a fully managed enterprise storage and sharing service. Users files are stored in the cloud safely and securely.

  • Game Development

Amazon Game Lift is a fully managed service for deploying, operating, and scaling session-based multiplayer game servers in the cloud.

  • Compute

Application Auto Scaling: can automatically scale the AWS resources.

Auto Scaling: is a web service that enables the user to automatically launch or terminate Amazon Elastic Compute Cloud (Amazon EC2) instances based on user-defined policies, health status checks, and schedules.

Amazon EC2 Container Registry (Amazon ECR): is a secure and scalable managed AWS Docker registry service

Amazon EC2 Container Service (Amazon ECS): is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster of Amazon EC2 instances.

Elastic Beanstalk: is used to quickly deploy and manage applications in the AWS cloud without worrying about the infrastructure that runs those applications.

Amazon EC2 (Amazon EC2) provides resizable computing capacity in the AWS cloud.

Elastic Load Balancing: is used to automatically distribute user’s incoming application traffic across multiple Amazon EC2 instances.

AWS Lambda: is a zero-administration compute platform that runs their code in the AWS Cloud, providing the high availability, security, performance, and scalability of AWS infrastructure.

Amazon Lightsail helps developers quickly get started with virtual private servers.

  • Database

Amazon DynamoDB: is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.

Amazon ElastiCache: is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud.

Amazon Redshift: is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all data by using the existing business intelligence tools.

Amazon Relational Database Service (Amazon RDS): is a web service that makes it easier to set up, operate, and scale a relational database in the cloud.

  • Desktop and app streaming

Amazon WorkSpaces offers an easy way to provide a cloud-based desktop experience to your end-users.

  • Internet of Things

AWS IoT provides secure, bidirectional communication between Internet-connected things (such as sensors, actuators, embedded devices, or smart appliances) and the AWS cloud.

  • Developer tools

AWS CodeBuild: is a fully managed build service in the cloud. AWS CodeBuild compiles your source code, runs unit tests, and produces artifacts that are ready to deploy.

AWS CodeCommit: is a version control service hosted by AWS that is used to privately store and manage assets (such as documents, source code, and binary files) in the cloud.

  • Developer tools

AWS CodeDeploy: is a deployment service that enables developers to automate the deployment of applications to Amazon EC2 instances, and to update the applications as required.

AWS CodePipeline: is a continuous delivery and automation service hosted by Amazon Web Services that enables you to model, configure,  and automate the steps required to release the software.

  • Management Tools

AWS Application Discovery Service: helps to plan application migration projects by automatically identifying servers, virtual machines (VMs), software, and software dependencies running in user on-premises data centers.

AWS CloudFormation is used to create and provision AWS infrastructure deployments predictably and repeatedly.

AWS CloudTrail: is used to get a history of AWS API calls and related events for your account.

Amazon CloudWatch: monitors the user’s AWS resources and the applications that run on AWS.

Amazon CloudWatch Events: delivers a timely stream of system events that describe changes in AWS resources to AWS Lambda functions, streams in Amazon Kinesis Streams, Amazon SNS topics, or built-in targets.

Amazon CloudWatch Logs: monitors, stores, and accesses their log files from Amazon EC2 instances, AWS CloudTrail, and other sources.

AWS Config: provides a detailed view of the resources associated with user’s AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time.

AWS Managed Services: provides ongoing management of  AWS infrastructure so user can focus on their applications. AWS Managed Services helps to reduce the operational overhead and risk.

AWS OpsWorks: provides a simple and flexible way to create and manage stacks and applications.

AWS OpsWorks for Chef Automate: is used to run a Chef Automate server in AWS. it is used to provision a Chef server within minutes, and let AWS OpsWorks Stacks to handle its operations, backups, restorations, and software upgrades.

AWS Service Catalog: allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures.

  • Messaging:

Amazon Simple Email Service: is an outbound-only email-sending service that provides an easy, cost-effective way for you to send email.

Amazon Simple Notification Service (Amazon SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients.

Amazon Simple Queue Service (Amazon SQS): offers reliable and scalable hosted queues for storing messages as they travel between computers.

  • Migration:

AWS Database Migration Service (AWS DMS): can migrate the user data to and from most widely used commercial and open-source databases such as Oracle, PostgreSQL, Microsoft SQL Server, Amazon Aurora, MariaDB, and MySQL.

AWS Server Migration Service (AWS SMS): automates the migration of on-premises VMware virtual machines to the AWS Cloud and Amazon EC2.

  • Mobile Services:

Amazon Cognito: is a service that is  used to create unique identities for users, authenticate these identities with identity providers, and save mobile user data in the AWS Cloud.

AWS Device Farm: is an app testing service that is used to test the Android and Fire OS apps on real, physical phones and tablets that are hosted by AWS.

  • Networking and Content Delivery:

Amazon CloudFront: speeds up distribution of user’s static and dynamic web content to end users.

AWS Direct Connect: is used to establish a direct connection from user’s premises to AWS. This may reduce user’s network costs and increase bandwidth throughput.

Amazon Route 53: is a Domain Name System (DNS) and domain name registration web service.

  • Networking and Content Delivery:

Amazon Virtual Private Cloud (Amazon VPC): is used to launch AWS resources into a virtual network that is defined by user.

  • Security, Identity and compliance:

AWS Security Manager: handles the complexity of provisioning, deploying, and managing certificates provided by ACM (ACM Certificates) for AWS-based user’s websites and applications.

Amazon Cloud Directory is a highly scalable, high performance, multi tenant directory service in the cloud.

AWS CloudHSM: provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud.

  • Security, Identity and compliance:

AWS Directory Service: is a managed service that makes it easy for the user to connect their existing on-premises Microsoft Active Directory and deploy and manage Windows workloads in the AWS cloud.

AWS Identity and Access Management (IAM): is a web service that enables AWS customers to manage users and user permissions.

Amazon Inspector: is used to analyze the behavior of user’s AWS resources and helps them to identify potential security issues.

AWS Key Management Service: is a managed service is used to create and control the encryption keys to encrypt the data.

AWS Security Token Service (AWS STS): is used to grant a trusted user temporary, limited access to the user’s AWS resources.

AWS WAF: is a web application firewall that monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront and lets user to control access to their content.

  • Storage:

Amazon Elastic Block Store (Amazon EBS): allows the user to create persistent storage volumes and attach them to Amazon EC2 instances.

Amazon Elastic File System (Amazon EFS): is a file storage service for Amazon Elastic Compute Cloud (Amazon EC2) instances.

Amazon Glacier: is a storage service optimized for data archiving and backup of infrequently used data. The service is durable, extremely low-cost, and includes security features.

Amazon Simple Storage Service (Amazon S3): is used to store and retrieve any amount of data at any time, from anywhere on the web. CloudTrail logs are used together with Amazon S3 server access logs.

AWS Storage Gateway: is a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between user’s on-premises IT environment and the AWS storage infrastructure in the cloud.

  • Support:

AWS Personal Health Dashboard: provides ongoing visibility into the state of user AWS resources, services, and accounts.

AWS Support: offers a range of plans that provide access to tools and expertise that support the success and operational health of  AWS solutions. All support plans provide 24×7 access to customer service, AWS documentation, whitepapers, and support forums.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s