aws cloudtrail to track aws resources in your account (sec207) | aws re:invent 2013
DESCRIPTION
Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.TRANSCRIPT
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Turn on AWS CloudTrail: Gain visibility into API activity in your account
Sivakanth Mundru
November 14, 2013
Agenda
• AWS customer feedback
• Introducing AWS CloudTrail • Demo: Turn on CloudTrail
• Information in a recorded API call & Partner Demos • Advanced Features • Q & A
You asked us to
• Record which users in your account made changes to your AWS resources such as EC2 instances, EC2 and VPC security groups, and more.
• Create an archive of all user activity to meet your internal and external compliance standards.
• Add the ability to view all user activity, i.e., API calls executed.
Introducing AWS CloudTrail
You are making API
calls...
On a growing set of
services around the
world..
CloudTrail is continuously recording API
calls…
And delivering log files to you…
Image Source: AWS
Use Cases Enabled by CloudTrail
• Security Analysis Use log files as an input into log management and analysis solutions to perform security
analysis and to detect user behavior patterns.
• Track Changes to AWS Resources Track creation, modification, and deletion of AWS resources such as Amazon EC2
instances, Amazon VPC security groups, and Amazon EBS volumes.
• Troubleshoot Operational Issues Quickly identify the most recent changes made to resources in your environment.
• Compliance Aid Easier to demonstrate compliance with internal policies and regulatory standards.
What is AWS CloudTrail?
• CloudTrail records API calls in your account and delivers a log file to your S3 bucket.
• Typically, delivers an event within 15
minutes of the API call.
• Log files are delivered approximately every 5 minutes.
• Multiple partners offer integrated solutions to analyze log files.
Image Source: Jeff Barr
AWS Services Supported by CloudTrail
• Currently, records API calls made to these AWS services.
• Includes API calls made by higher-level AWS services such as AWS CloudFormation, AWS Elastic Beanstalk, and AWS OpsWorks
Amazon EC2
Amazon EBS Amazon VPC
Amazon RDS
AWS IAM
AWS STS(Security Token Service)
AWS CloudTrail
Amazon Redshift
What is NOT recorded?
• State transitions of AWS resources
Example: An EC2 instance transitioning from pending to a running state.
• Allowed or denied traffic information for VPC security groups and ACL’s.
• Successful and failed AWS Management Console sign-in events.
AWS CloudTrail Regional Availability
Image Source: Internet
• Available in us-east (Northern Virginia) and us-west (Oregon) regions today.
• You turn on CloudTrail on a per region basis. • Events for global services will be delivered in both regions.
Partner CloudTrail Solutions
Information in a recorded API call (JSON format)
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted up on in the API call?
• Where was the API call made from?
Who made the API call?
• Records detailed information for all AWS identity types Root user
IAM user
Federated user
Role
• Information includes Friendly user name
AWS AccessKeyId
12 digit AWS account number
Amazon Resource Name (ARN)
Session context and issuer information, if applicable
invokedBy section identifies the AWS service making request on behalf of the user
Who? Example 1: IAM user Bob making an API call
"userIdentity": {
"accessKeyId": "AKEXAMPLE123EJVA",
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:user/Bob",
"principalId": "AIEXAMPLE987ZKLALD3HS",
"type": "IAMUser",
"userName": "Bob"
}
Anonymized data
Who? Example 2: Federated user Alice making an API call
"userIdentity":{
"type":"FederatedUser",
"principalId":"123456789012:Alice",
"arn":"arn:aws:sts::123456789012:federated-user/Alice",
"accountId":"123456789012",
"accessKeyId":"ASEXAMPLE1234WTROX8F",
"sessionIssuer":{
"type":"IAMUser",
"accountId":"123456789012",
"userName": "Bob"
}
}
Anonymized data; Partial Output
Who? Example 3: AWS service calling on behalf of a user
Anonymized data
• Elastic Beanstalk creating AWS resources on behalf of IAM user Bob "userIdentity": { "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:user/Bob", "invokedBy":"elasticbeanstalk.amazonaws.com", "principalId": "ASEXAMPLE123XWTROX8F ", "type": "IAMUser", "userName": "Bob" }
When was the API call made?
• Time and date of the event in ISO 8601 format • Unambiguous and well-defined method of representing date and
time
• AWS services sync all system clocks with centralized Network Time Protocol (NTP) servers
"eventTime": "2013-10-23T23:30:42Z"
What was the API call? What resources were acted up on?
• API call and the service the API call belongs to "eventName": "RunInstances" "eventSource": "EC2" • Request parameters provided by the requester and Response
elements returned by the AWS service
• Response elements for read-only API calls (Describe*, Get*, List*) are not recorded to prevent event size inflation
Where was the API call made from?
• Apparent IP address of the requester making the API call. • Records the apparent IP address of the requester when making
API calls from AWS Management Console. • AWS region to which the API call was made. Global services (Examples: IAM/STS) will be recorded as us-east-1. "sourceIPAddress": "54.234.127.135", "awsRegion": "us-east-1",
Errors and Authorization Failures • Detailed and Descriptive error codes and error messages, recorded
only when errors occur. Examples Client error code: TagLimitExceeded Server error code: Internal Error Authorization failure: UnauthorizedOperation
• Authorization Failure Example "eventName": "TerminateInstances", "errorCode": "UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation"
Regulatory standards aided by AWS CloudTrail
• Helps you meet the logging requirements specified in
• For more details, Please refer to "Security at Scale: Logging in AWS" whitepaper on AWS compliance website.
Image Source: AWS Compliance Website
FedRAMP: US government program for federal agencies
PCI Data Security Standard V1 (PCI DSS V1)
International Organization for Standardization (ISO) 27001 standard Service Organization for Controls 2 (SOC2)
• Optionally, CloudTrail will publish SNS notification of each new log file.
• Notifications contain the address of the log file delivered to your S3 bucket and allow you to take immediate action.
• Does not require you to continuously poll S3 to check whether new log files were delivered
• Multiple subscribers can subscribe to the same SNS topic and retrieve the log files for analysis.
SNS Notifications for log file delivery
• Default descriptive folder structure makes it easier to store log files from multiple accounts and regions in the same S3 bucket.
• Detailed log file name helps identify the contents of the log file, regardless of where they are stored.
• Unique identifier in the file name prevents overwriting log files.
Descriptive S3 folder structure and detailed log file name
• Create a bucket in the first region where you turn on CloudTrail. • Specify the same bucket as the destination in the second region.
• CloudTrail will deliver logs from multiple regions to the same bucket.
Aggregate logs from multiple regions into one S3 bucket
Aggregate log files from multiple accounts into one S3 bucket
Services
supported by
CloudTrail
Bucket “foo” in account 111111111111
1. Turn on CloudTrail for 111111111111
Services
supported by
CloudTrail
Account 222222222222
3. Turn on CloudTrail for 222222222222
Services
supported by
CloudTrail
Account 333333333333
4. Turn on CloudTrail for 333333333333
“arn:aws:s3:::foo/KBJInc/AWSLogs/222222222222/*”,
“arn:aws:s3:::foo/KBJInc/AWSLogs/333333333333/*”
2. Update “foo” bucket policy
How much does AWS CloudTrail cost?
• There are no charges for turning on CloudTrail for your account.
• Standard S3 and SNS charges will apply as per your usage.
Want to learn more about CloudTrail and Partners?
• Come meet the CloudTrail team (Deployment and Management Booth) and partners Partner Booth Relevant Session
2nd Watch #715 Nov 13, 3:00pm, Titian 2306: DMG209 - Enterprise Management for the AWS
AlertLogic #314 Nov 14, 4:15pm, Veronese 2504: SEC308 - Auto Scaling Web Application Security in AWS
Boundary #1020
Cognizant #500 Nov 14, 4:15 pm, Titian 2306: ENT222 - Enterprise Transformation through Cognizant’s XaaS fabric on AWS
Datapipe #713
Foghorn #530
Loggly #821 Nov 15, 1:30pm, Delfino 4003: ARC303 - Unmeltable Infrastructure at Scale: Using Apache Kafka, Twitter Storm, and Elastic Search on AWS
Smartronix #809
Splunk #925
Stackdriver #315 Nov 14, 3:00pm, Veronese 2504: ARC210- DevOps Nirvana:Seven Steps to a Peaceful Life on AWS
Sumologic #117 Nov 13, 3:00pm, San Polo 3501 A: BDT401 - Using AWS to Build a Scalable Big Machine Data Management and Processing Service
Thank you and Q&A
We are sincerely eager to hear
your feedback on this
presentation and on re:Invent.
SEC207
Please fill out an evaluation form
when you have a chance.