AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013


DESCRIPTION

Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.

TRANSCRIPT

Page 1: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Turn on AWS CloudTrail: Gain visibility into API activity in your account

Sivakanth Mundru

November 14, 2013

Page 2: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Agenda

• AWS customer feedback

• Introducing AWS CloudTrail

• Demo: Turn on CloudTrail

• Information in a recorded API call & Partner Demos

• Advanced Features

• Q & A

Page 3: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

You asked us to

• Record which users in your account made changes to your AWS resources such as EC2 instances, EC2 and VPC security groups, and more.

• Create an archive of all user activity to meet your internal and external compliance standards.

• Add the ability to view all user activity, i.e., API calls executed.

Page 4: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Introducing AWS CloudTrail

You are making API calls...

On a growing set of services around the world...

CloudTrail is continuously recording API calls...

And delivering log files to you...

Image Source: AWS

Page 5: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Use Cases Enabled by CloudTrail

• Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.

• Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups, and Amazon EBS volumes.

• Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment.

• Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards.

Page 6: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

What is AWS CloudTrail?

• CloudTrail records API calls in your account and delivers a log file to your S3 bucket.

• Typically, delivers an event within 15 minutes of the API call.

• Log files are delivered approximately every 5 minutes.

• Multiple partners offer integrated solutions to analyze log files.

Image Source: Jeff Barr

Page 7: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

AWS Services Supported by CloudTrail

• Currently, records API calls made to these AWS services: Amazon EC2, Amazon EBS, Amazon VPC, Amazon RDS, AWS IAM, AWS STS (Security Token Service), AWS CloudTrail, and Amazon Redshift.

• Includes API calls made by higher-level AWS services such as AWS CloudFormation, AWS Elastic Beanstalk, and AWS OpsWorks.

Page 8: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

What is NOT recorded?

• State transitions of AWS resources

Example: An EC2 instance transitioning from pending to a running state.

• Allowed or denied traffic information for VPC security groups and ACLs.

• Successful and failed AWS Management Console sign-in events.

Page 9: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

AWS CloudTrail Regional Availability

• Available in us-east (Northern Virginia) and us-west (Oregon) regions today.

• You turn on CloudTrail on a per-region basis.

• Events for global services will be delivered in both regions.

Image Source: Internet

Page 10: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Partner CloudTrail Solutions

Page 11: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Information in a recorded API call (JSON format)

• Who made the API call?

• When was the API call made?

• What was the API call?

• What were the resources that were acted upon in the API call?

• Where was the API call made from?

Page 12: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Who made the API call?

• Records detailed information for all AWS identity types: root user, IAM user, federated user, and role.

• Information includes: friendly user name; AWS AccessKeyId; 12-digit AWS account number; Amazon Resource Name (ARN); session context and issuer information, if applicable.

• The invokedBy section identifies the AWS service making the request on behalf of the user.

Page 13: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Who? Example 1: IAM user Bob making an API call

"userIdentity": {
    "accessKeyId": "AKEXAMPLE123EJVA",
    "accountId": "123456789012",
    "arn": "arn:aws:iam::123456789012:user/Bob",
    "principalId": "AIEXAMPLE987ZKLALD3HS",
    "type": "IAMUser",
    "userName": "Bob"
}

Anonymized data

Page 14: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Who? Example 2: Federated user Alice making an API call

"userIdentity": {
    "type": "FederatedUser",
    "principalId": "123456789012:Alice",
    "arn": "arn:aws:sts::123456789012:federated-user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "ASEXAMPLE1234WTROX8F",
    "sessionIssuer": {
        "type": "IAMUser",
        "accountId": "123456789012",
        "userName": "Bob"
    }
}

Anonymized data; Partial Output

Page 15: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Who? Example 3: AWS service calling on behalf of a user

• Elastic Beanstalk creating AWS resources on behalf of IAM user Bob

"userIdentity": {
    "accountId": "123456789012",
    "arn": "arn:aws:iam::123456789012:user/Bob",
    "invokedBy": "elasticbeanstalk.amazonaws.com",
    "principalId": "ASEXAMPLE123XWTROX8F",
    "type": "IAMUser",
    "userName": "Bob"
}

Anonymized data

Page 16: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

When was the API call made?

• Time and date of the event in ISO 8601 format

• Unambiguous and well-defined method of representing date and time

• AWS services sync all system clocks with centralized Network Time Protocol (NTP) servers

"eventTime": "2013-10-23T23:30:42Z"

Page 17: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

What was the API call? What resources were acted upon?

• API call and the service the API call belongs to:

    "eventName": "RunInstances"
    "eventSource": "EC2"

• Request parameters provided by the requester and response elements returned by the AWS service.

• Response elements for read-only API calls (Describe*, Get*, List*) are not recorded to prevent event size inflation.

Page 18: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Where was the API call made from?

• Apparent IP address of the requester making the API call.

• Records the apparent IP address of the requester when making API calls from the AWS Management Console.

• AWS region to which the API call was made. Global services (examples: IAM/STS) will be recorded as us-east-1.

    "sourceIPAddress": "54.234.127.135",
    "awsRegion": "us-east-1",

Page 19: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Errors and Authorization Failures

• Detailed and descriptive error codes and error messages, recorded only when errors occur. Examples:

    Client error code: TagLimitExceeded
    Server error code: Internal Error
    Authorization failure: UnauthorizedOperation

• Authorization failure example:

    "eventName": "TerminateInstances",
    "errorCode": "UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation"
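The five questions on slides 11 to 19 (who, when, what, where, and whether the call failed) can be answered mechanically from the JSON fields shown. The following is an added example, not code from the talk or from AWS: it builds a constructed log file in the "Records" shape from the slides' anonymized values and walks the three identity cases (plain IAM user, federated user with a sessionIssuer, and a service acting via invokedBy), then picks out the UnauthorizedOperation events that a detection rule would alert on.

```python
import json

# Constructed sample log file in CloudTrail's {"Records": [...]} shape, built
# from the field names and anonymized values shown on the slides.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2013-10-23T23:30:42Z", "eventName": "RunInstances",
     "eventSource": "EC2", "awsRegion": "us-east-1", "sourceIPAddress": "54.234.127.135",
     "userIdentity": {"type": "IAMUser", "userName": "Bob", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/Bob"}},
    {"eventTime": "2013-10-23T23:31:10Z", "eventName": "TerminateInstances",
     "eventSource": "EC2", "awsRegion": "us-east-1", "sourceIPAddress": "54.234.127.135",
     "errorCode": "UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation",
     "userIdentity": {"type": "FederatedUser", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:federated-user/Alice",
                      "sessionIssuer": {"type": "IAMUser", "userName": "Bob",
                                        "accountId": "123456789012"}}},
    {"eventTime": "2013-10-23T23:32:00Z", "eventName": "CreateSecurityGroup",
     "eventSource": "EC2", "awsRegion": "us-east-1", "sourceIPAddress": "54.234.127.135",
     "userIdentity": {"type": "IAMUser", "userName": "Bob", "accountId": "123456789012",
                      "invokedBy": "elasticbeanstalk.amazonaws.com",
                      "arn": "arn:aws:iam::123456789012:user/Bob"}},
]})


def who(identity):
    """'Who made the call?' for the identity types the slides list."""
    # IAM users carry userName; federated users and roles only an STS ARN.
    name = identity.get("userName") or identity["arn"].rsplit("/", 1)[-1]
    issuer = identity.get("sessionIssuer")
    if issuer:  # temporary credentials: record who issued the session
        name += f" (session issued by {issuer['type']} {issuer.get('userName', '?')})"
    if identity.get("invokedBy"):  # an AWS service acted on the user's behalf
        name += f" via {identity['invokedBy']}"
    return name


def summarize(record):
    """Who / when / what / where plus the error code, if any, for one record."""
    return {"who": who(record["userIdentity"]), "when": record["eventTime"],
            "what": f"{record['eventSource']}:{record['eventName']}",
            "where": f"{record['sourceIPAddress']} -> {record['awsRegion']}",
            "error": record.get("errorCode")}


def summarize_all(log_text):
    return [summarize(r) for r in json.loads(log_text)["Records"]]


def authorization_failures(log_text):
    """Records that failed authorization: a simple detection over one log file."""
    return [s for s in summarize_all(log_text) if s["error"] == "UnauthorizedOperation"]
```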

Page 20: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Regulatory standards aided by AWS CloudTrail

• Helps you meet the logging requirements specified in:

    FedRAMP: US government program for federal agencies
    PCI Data Security Standard V1 (PCI DSS V1)
    International Organization for Standardization (ISO) 27001 standard
    Service Organization for Controls 2 (SOC2)

• For more details, please refer to the "Security at Scale: Logging in AWS" whitepaper on the AWS compliance website.

Image Source: AWS Compliance Website

Page 21: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

SNS Notifications for log file delivery

• Optionally, CloudTrail will publish an SNS notification for each new log file.

• Notifications contain the address of the log file delivered to your S3 bucket and allow you to take immediate action.

• Does not require you to continuously poll S3 to check whether new log files were delivered.

• Multiple subscribers can subscribe to the same SNS topic and retrieve the log files for analysis.

Page 22: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Descriptive S3 folder structure and detailed log file name

• Default descriptive folder structure makes it easier to store log files from multiple accounts and regions in the same S3 bucket.

• Detailed log file name helps identify the contents of the log file, regardless of where it is stored.

• Unique identifier in the file name prevents overwriting log files.
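A subscriber to the SNS topic from slide 21 has to turn each notification into a list of log files, and slide 22's descriptive key layout lets it route every file by account, region, and day without opening it. This is an added example, not code from the talk: it assumes the SNS message body is JSON with "s3Bucket" and a list "s3ObjectKey", and that delivered keys follow the default AWSLogs/account/CloudTrail/region/yyyy/mm/dd/ layout with the file name described in the comment; both are assumptions, and the sample notification is constructed.

```python
import json
import re

# Assumed default key layout for delivered log files (the slide only says the
# structure is "descriptive" and the file name carries a unique identifier):
#   <prefix>/AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/
#       <account>_CloudTrail_<region>_<yyyymmddThhmmZ>_<unique>.json.gz
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/"
    r"(?P=account)_CloudTrail_(?P=region)_(?P<stamp>\d{8}T\d{4}Z)_"
    r"(?P<uid>[A-Za-z0-9]+)\.json\.gz$")


def parse_log_key(key):
    """Split an object key into its parts, or None if it is not a CloudTrail log file."""
    m = KEY_RE.match(key)
    if not m:
        return None
    g = m.groupdict()
    return {"prefix": g["prefix"] or "", "account": g["account"],
            "region": g["region"], "date": f"{g['y']}-{g['m']}-{g['d']}",
            "delivered": g["stamp"], "unique_id": g["uid"]}


def files_from_notification(message_text):
    """Log files named in one SNS message (assumed body: {"s3Bucket": ..., "s3ObjectKey": [...]})."""
    body = json.loads(message_text)
    found = []
    for key in body["s3ObjectKey"]:
        info = parse_log_key(key)
        if info is None:  # unrelated object in the bucket: skip, do not crash the subscriber
            continue
        info["bucket"] = body["s3Bucket"]
        found.append(info)
    return found


# Constructed sample notification as a subscriber to the topic would receive it.
SAMPLE_NOTIFICATION = json.dumps({
    "s3Bucket": "foo",
    "s3ObjectKey": [
        "KBJInc/AWSLogs/222222222222/CloudTrail/us-east-1/2013/11/14/"
        "222222222222_CloudTrail_us-east-1_20131114T2330Z_AbC123xyz.json.gz",
        "KBJInc/other/not-a-log.txt"]})
```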

Page 23: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Aggregate logs from multiple regions into one S3 bucket

• Create a bucket in the first region where you turn on CloudTrail.

• Specify the same bucket as the destination in the second region.

• CloudTrail will deliver logs from multiple regions to the same bucket.

Page 24: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Aggregate log files from multiple accounts into one S3 bucket

Bucket “foo” lives in account 111111111111; accounts 222222222222 and 333333333333 each deliver events from the services supported by CloudTrail into that same bucket.

1. Turn on CloudTrail for 111111111111

2. Update the “foo” bucket policy to allow writes to:

    “arn:aws:s3:::foo/KBJInc/AWSLogs/222222222222/*”,
    “arn:aws:s3:::foo/KBJInc/AWSLogs/333333333333/*”

3. Turn on CloudTrail for 222222222222

4. Turn on CloudTrail for 333333333333
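Step 2 is where cross-account aggregation usually goes wrong: if the bucket policy lacks a write grant for an account's AWSLogs prefix, turning on CloudTrail for that account in steps 3 and 4 fails. The following is an added example, not the talk's or AWS's own code: it embeds a constructed policy for bucket “foo” after step 2, written in the service-principal form CloudTrail documents today rather than the 2013 form (an assumption), and checks which of a list of accounts still lack a grant before anyone flips the switch.

```python
import json

# Constructed policy for bucket "foo" (owned by 111111111111) after step 2,
# written in the form CloudTrail documents today: the cloudtrail.amazonaws.com
# service principal may read the bucket ACL and put objects under each
# account's AWSLogs prefix, and must grant the bucket owner full control.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::foo"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": ["arn:aws:s3:::foo/KBJInc/AWSLogs/111111111111/*",
                      "arn:aws:s3:::foo/KBJInc/AWSLogs/222222222222/*",
                      "arn:aws:s3:::foo/KBJInc/AWSLogs/333333333333/*"],
         "Condition": {"StringEquals":
                       {"s3:x-amz-acl": "bucket-owner-full-control"}}}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def writable_prefixes(policy_text, bucket):
    """Key prefixes in `bucket` that CloudTrail's service principal may write to."""
    prefixes = set()
    for st in json.loads(policy_text)["Statement"]:
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        # Only a narrowly scoped Allow counts; "*" principals are deliberately ignored.
        if (st.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in services
                or "s3:PutObject" not in _as_list(st.get("Action", []))
                or acl != "bucket-owner-full-control"):
            continue
        head = f"arn:aws:s3:::{bucket}/"
        for res in _as_list(st["Resource"]):
            if res.startswith(head) and res.endswith("/*"):
                prefixes.add(res[len(head):-2])
    return prefixes


def accounts_missing_grant(policy_text, bucket, prefix, account_ids):
    """Accounts that still need a policy entry before CloudTrail is turned on for them."""
    allowed = writable_prefixes(policy_text, bucket)
    return sorted(a for a in account_ids if f"{prefix}/AWSLogs/{a}" not in allowed)
```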

Page 25: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

How much does AWS CloudTrail cost?

• There are no charges for turning on CloudTrail for your account.

• Standard S3 and SNS charges will apply as per your usage.

Page 26: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Want to learn more about CloudTrail and Partners?

• Come meet the CloudTrail team (Deployment and Management Booth) and partners.

Partner (booth) and relevant session:

2nd Watch (#715): Nov 13, 3:00pm, Titian 2306: DMG209 - Enterprise Management for the AWS

AlertLogic (#314): Nov 14, 4:15pm, Veronese 2504: SEC308 - Auto Scaling Web Application Security in AWS

Boundary (#1020)

Cognizant (#500): Nov 14, 4:15pm, Titian 2306: ENT222 - Enterprise Transformation through Cognizant’s XaaS fabric on AWS

Datapipe (#713)

Foghorn (#530)

Loggly (#821): Nov 15, 1:30pm, Delfino 4003: ARC303 - Unmeltable Infrastructure at Scale: Using Apache Kafka, Twitter Storm, and Elastic Search on AWS

Smartronix (#809)

Splunk (#925)

Stackdriver (#315): Nov 14, 3:00pm, Veronese 2504: ARC210 - DevOps Nirvana: Seven Steps to a Peaceful Life on AWS

Sumologic (#117): Nov 13, 3:00pm, San Polo 3501 A: BDT401 - Using AWS to Build a Scalable Big Machine Data Management and Processing Service

Page 27: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

Thank you and Q&A

Page 28: AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

We are sincerely eager to hear your feedback on this presentation and on re:Invent.

SEC207

Please fill out an evaluation form when you have a chance.