AWS CloudTrail provides the ability to record all API calls and resource changes that helps to build preventative and detective security controls for your AWS environment. CloudTrail records the API requests with metadata in your environment and then sent them to AWS S3 to store these event logs. You can use these logs for Security Analysis and Compliance Monitoring.
A CloudTrail event is the record of activity in your AWS environment. For example, events can be like users creating/deleting a DynamoDB table, modifying the configuration of EC2, or any activity made through the AWS Management Console, etc.
There are 3 types of events:
- Management events – control plane (management and network) operations performed on the resources in your AWS environment, such as IAM role configuration, VPC network configuration, EC2 subnet creation/update, etc.
- Data events - data plane operations and are often high-volume activities. It is disabled by default. Data events charge an additional cost for logging.
- CloudTrail Insight events – Record unusual activity in your AWS environment such as excessive API calls in a short period. It is disabled by default. CloudTrail Insight events charge an additional cost for logging.
CloudWatch vs CloudTrail
Though both are monitoring services from AWS, they are used for different purposes. CloudWatch is used to log all events for AWS service and resources whereas CloudTrail is used to log all events inside your AWS environment.
CloudWatch is used to monitor:
- Performance and metrics of your AWS resource and application.
- User-defined logs in your application.
- CloudWatch events and you can automate actions based on these events.
- Alarms, where you can define thresholds for the resources. When the threshold reaches, the alarm will get triggered and you can define actions(like sending you a mail notification).
Whereas, CloudTrail is used to monitor:
- "Who" has performed "what" action in your AWS environment.
- "When" and "where" the action has been performed.
These two services when used together, will give you a robust monitoring solution provided by AWS.
CloudTrail Best Practices
You can consider below mentioned best practices while using the CloudTrail service. This list does not represent a complete cloud security solution, but you can refer to it when you are setting up your security solution for your organization.
- To get a complete record of events in your organization, configure CloudTrail on all Accounts and Regions.
- Set up different trails for different use cases.
- To monitor data plane events, consider enabling data events. By default it is disabled. It has an additional cost.
- Have a dedicated S3 bucket to store CloudTrail events log files with a security policy in place.
- Enable MFA delete and versioning on S3 bucket which stores CloudTrail events log files.
- Enable CloudTrail log files integrity validation.
- Enable encryption on CloudTrail log files in the S3 bucket.
- Use event selectors with data events. It will give you more control of your data events logs.
- When used with CloudWatch, you will get a robust monitoring solution provided by AWS.
- You can enable CloudTrail Insights. Insights automatically analyze management events and deliver the event to the S3 bucket whenever there is any unusual activity in your AWS environment. Then you can create a workflow to send notifications of these unusual events.
In this post, I have covered the basics of CloudTrail Concepts and how it can be used for Security analysis and compliance monitoring. You can use CloudWatch with CloudTrail to provide additional monitoring capabilities to your monitoring solution. Also, you can refer to some of the best practices mentioned in this post.
Want to leave a comment?
Join the discussion on Twitter.