CloudTrail: Your Walmart for AWS logs.

With so many different AWS offerings, administrators need to keep an eye on how each service is functioning. Looking into events that occur in each service is cumbersome. Ideally, the events happening in multiple services should be logged and aggregated together in one place. That is exactly what CloudTrail does. It’s like a Walmart for AWS logs.

What is available at this AWS “Logmart”?

CloudTrail records the API calls made in an AWS account as JSON events, whether they come from the management console, the CLI, an SDK, or another AWS service acting on your behalf. By default a trail captures management (control-plane) events for services such as Amazon Simple Storage Service (S3), Elastic Compute Cloud (EC2), Identity and Access Management (IAM), Simple Notification Service (SNS), and Virtual Private Cloud (VPC). Object-level calls such as S3 GetObject are data events and are only recorded if you enable them on the trail, so check that before assuming a read of a sensitive bucket will show up.

The devil is in the details.

CloudTrail logs contain fields that help administrators identify anomalies in their AWS environment, including:

  • eventName

Names the API action that was called, using the same name as the API itself: RunInstances, CreateUser, PutBucketPolicy, DeleteTrail, ConsoleLogin. Calls that change the account usually start with Create, Delete, Put, Update, Modify, Attach or Run, but the reliable way to separate changes from reads is the readOnly field, which is false for mutating calls.

  • userIdentity

Identifies who made the call: the type of principal (IAMUser, AssumedRole, Root, AWSService or FederatedUser), its ARN, the access key ID that signed the request and, for assumed roles, a sessionContext showing which role was assumed. This is the first field to check when working out which credential has been compromised.

  • sourceIPAddress

Gives the IP address the request came from. When another AWS service makes the call on your behalf (for example Auto Scaling launching an instance), this field holds that service's DNS name, such as autoscaling.amazonaws.com, rather than an IP address.

For console activity the value is the address of the client that signed in to the console, not the address of the AWS server hosting the console, so it still tells you where the person was connecting from.

  • userAgent

Lists the agent through which the request was made. This could be the AWS management console, AWS SDKs, AWS CLI, or an AWS service.

For example, "signin.amazonaws.com" is the user agent on ConsoleLogin events, API calls made from within the console typically carry a value such as "console.amazonaws.com", and CLI calls carry a string beginning "aws-cli/". A user agent that does not match how a given user normally works (a long-time console user suddenly issuing CLI calls at 3 a.m.) is worth a second look.

  • awsRegion

Displays the region the request was made to.

  • errorCode

Holds the AWS service error code when a request fails; the companion errorMessage field carries the explanation. For a security team the most interesting value is AccessDenied (UnauthorizedOperation for EC2), which shows a principal trying to do something it is not allowed to do, often a sign of a stolen key being used to probe its permissions.

For example:

Error: ServiceUnavailable
HTTP Status Code: 503
Error description: The request has failed due to a temporary failure of the server.

What can I do with these details?

The details from CloudTrail logs translate into valuable information, which can then be used to secure the AWS account. CloudTrail logs help address questions posed in everyday scenarios, such as:

  • What actions did a user perform over a given period of time?

  • What action was performed on a particular AWS resource and who performed it?

  • What is the source IP address of a given activity?

  • Which user activities failed due to inadequate permissions?
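The following Python script is an added example, not code from the original post or from ManageEngine. It answers the four questions above, and separates changes from reads using the readOnly field described earlier, over a handful of constructed CloudTrail records embedded inline. The account ID, user names, IP addresses, bucket name and access key IDs are all made up for the example; the record layout (Records array, userIdentity, eventName, sourceIPAddress, errorCode, readOnly) follows the CloudTrail JSON format.

```python
import json
from datetime import datetime, timezone

# Constructed sample records in the CloudTrail JSON layout. Real trails deliver
# gzip-compressed files to S3 containing {"Records": [...]}; only the fields
# used below are filled in. Account ID, names, IPs and key IDs are fictitious.
SAMPLE_LOG = json.dumps({"Records": [
    {"userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLEALICE0001"},
     "eventTime": "2024-05-01T09:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "signin.amazonaws.com",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLEALICE0001"},
     "eventTime": "2024-05-01T09:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "readOnly": False, "requestParameters": {"bucketName": "finance-reports"},
     "resources": [{"ARN": "arn:aws:s3:::finance-reports", "type": "AWS::S3::Bucket"}]},
    {"userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob",
                      "accessKeyId": "AKIAEXAMPLEBOB000002"},
     "eventTime": "2024-05-01T11:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64",
     "readOnly": False, "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::111122223333:user/bob is not authorized "
                     "to perform: iam:CreateUser on resource: "
                     "arn:aws:iam::111122223333:user/backdoor",
     "requestParameters": {"userName": "backdoor"}},
    {"userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
     "eventTime": "2024-05-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     # A service caller shows its DNS name here, not an IP address.
     "sourceIPAddress": "autoscaling.amazonaws.com",
     "userAgent": "autoscaling.amazonaws.com", "readOnly": False},
]})

# Error codes that mean "the caller lacked permission" rather than a service fault.
PERMISSION_ERRORS = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def load_records(raw: str) -> list:
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(raw)["Records"]


def parse_time(s: str) -> datetime:
    """eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def actor(rec: dict) -> str:
    """Who is behind the call: IAM user name, assumed-role ARN, or the invoking AWS service."""
    ident = rec.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "AssumedRole":
        return ident.get("arn") or ident.get("principalId", "")
    if kind == "AWSService":
        return ident.get("invokedBy", "")
    return ident.get("userName") or ident.get("arn") or str(kind)


def actions_by_user(records: list, user: str, start: str, end: str) -> list:
    """Q1: what a user did in a time window, as (time, eventName, region)."""
    lo, hi = parse_time(start), parse_time(end)
    return [(r["eventTime"], r["eventName"], r["awsRegion"]) for r in records
            if actor(r) == user and lo <= parse_time(r["eventTime"]) <= hi]


def actions_on_resource(records: list, arn: str) -> list:
    """Q2: calls that touched a resource ARN and who made them (via the resources field)."""
    return [(r["eventName"], actor(r)) for r in records
            if any(res.get("ARN") == arn for res in r.get("resources", []))]


def source_ips(records: list, event_name: str) -> list:
    """Q3: distinct source addresses for an activity (service DNS names included)."""
    return sorted({r["sourceIPAddress"] for r in records if r["eventName"] == event_name})


def permission_failures(records: list) -> list:
    """Q4: calls rejected for lack of permission, as (actor, eventName, sourceIP)."""
    return [(actor(r), r["eventName"], r["sourceIPAddress"]) for r in records
            if r.get("errorCode") in PERMISSION_ERRORS]


def write_events(records: list) -> list:
    """Mutating calls, selected by readOnly == False instead of guessing from the name prefix."""
    return [r["eventName"] for r in records if r.get("readOnly") is False]


RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    print(actions_by_user(RECORDS, "alice", "2024-05-01T00:00:00Z", "2024-05-01T23:59:59Z"))
    print(actions_on_resource(RECORDS, "arn:aws:s3:::finance-reports"))
    print(source_ips(RECORDS, "RunInstances"))
    print(permission_failures(RECORDS))
    print(write_events(RECORDS))
```

Two design points worth noting. The actor() helper reads userIdentity.type before picking a name, because a call made through an assumed role or by an AWS service has no userName, and treating every record as an IAM user silently drops those events from a user-centric report. And the permission-failure query keys on errorCode rather than on HTTP status, since CloudTrail records carry the service error code and message but not the status line.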

Your very own personal shopper.

CloudTrail logs can help you secure your AWS account on a daily basis. They can also help you investigate and identify the culprit in a security incident, making them a good companion for both IT and security administrators.

ManageEngine understands how helpful CloudTrail logs can be. That’s why Cloud Security Plus has been designed to make sure you get the most out of CloudTrail.

Cloud Security Plus acts like your very own personal shopper. It reads AWS CloudTrail logs directly from the AWS S3 bucket, then analyzes the collected CloudTrail data to provide comprehensive reports on activity happening in your AWS environment. Use Cloud Security Plus to search through AWS CloudTrail logs and generate alerts, ensuring your AWS account is secured and protected.
