AWS July Webinar Series

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Sivakanth Mundru, AWS CloudTrail

07-29-2015

Deep Dive: Troubleshooting Operational and Security issues in your AWS Account using CloudTrail

Agenda

CloudTrail Overview

Getting Started

CloudTrail Lookup

Receive email notifications of specific API activity

Partner solutions integrated with CloudTrail

Q & A

CloudTrail Overview

CloudTrail - Overview

Customers are making API calls... on a growing set of services, around the world…

CloudTrail is continuously recording API calls… and delivering log files to customers

Use cases enabled by CloudTrail

• Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns

• Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.

• Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment

• Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards

Security at Scale: Logging in AWS White Paper

What’s in a CloudTrail event?

Who made the API call?

When was the API call made?

What was the API call?

What were the resources that were acted upon in the API call?

Where was the API call made from?

CloudTrail event reference

CloudTrail Availability and more

• Available in all AWS regions. This includes US GovCloud and Beijing, China regions

• Supports 42 AWS services

• Records API activity made using SDKs, CLI or the AWS console

• Typically, delivers log files containing events to your S3 bucket in less than 10 minutes

• Aggregate log files from multiple accounts into a single S3 bucket.

More on aggregating Log files across accounts and regions

Setting up S3 bucket policy for aggregation

• Partial S3 bucket policy (the PutObject statement; the condition on the bucket-owner-full-control ACL is what lets the bucket owner read log files that other accounts' trails write)

    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
    "Condition": {
      "StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control"
      }
    }

• If you have 3 accounts, add three lines that correspond to those three accounts to the bucket policy (in JSON, Resource becomes a list with one entry per account)

    "Resource": [
      "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/111111111111/*",
      "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/222222222222/*",
      "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/333333333333/*"
    ]
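The aggregation policy above can be generated rather than hand-edited, and, more usefully for a reviewer, audited: the bucket policy is the only thing deciding which accounts may drop log files into your bucket. The following is an added example, not code from the deck or from AWS; the bucket name, prefix, statement Sids and account IDs are constructed sample values, and the GetBucketAcl statement is the ACL check CloudTrail performs before delivering.

```python
import json
import re

# Added example (not from the deck): build the S3 bucket policy CloudTrail needs
# for cross-account log aggregation, then audit which account IDs a policy
# actually allows to write. Bucket name, prefix, Sids and account IDs are
# constructed sample values.

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def log_prefix_arn(bucket, account_id, prefix=None):
    """ARN of the object prefix CloudTrail writes to for one account."""
    path = f"{prefix.strip('/')}/" if prefix else ""
    return f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/*"


def build_cloudtrail_bucket_policy(bucket, account_ids, prefix=None):
    """Return the bucket policy as a dict with two statements: the ACL check
    CloudTrail performs before delivery, and the PutObject grant scoped to each
    account's AWSLogs/<account>/ prefix and conditioned on the
    bucket-owner-full-control ACL so the bucket owner can read every file."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",          # constructed Sid
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",             # constructed Sid
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": [log_prefix_arn(bucket, a, prefix) for a in account_ids],
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


_ACCOUNT_RE = re.compile(r"/AWSLogs/(\d{12})/\*$")


def accounts_allowed_to_write(policy):
    """Audit helper: the set of 12-digit account IDs whose AWSLogs prefix the
    policy lets the CloudTrail service PutObject into. An ID you do not
    recognise here is an account that can write log files into your bucket."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != CLOUDTRAIL_SERVICE:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions:
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for arn in resources:
            m = _ACCOUNT_RE.search(arn)
            if m:
                allowed.add(m.group(1))
    return allowed


if __name__ == "__main__":
    policy = build_cloudtrail_bucket_policy(
        "myBucketName", ["111111111111", "222222222222", "333333333333"], prefix="logs"
    )
    print(json.dumps(policy, indent=2))
    print("accounts allowed to write:", sorted(accounts_allowed_to_write(policy)))
```

Running the audit function against the policy you actually have on the bucket (fetched with `aws s3api get-bucket-policy`) is a quick way to confirm that only the accounts you expect can deliver into the aggregation bucket.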

Getting Started

Turn on CloudTrail using AWS CloudTrail Console

AWS CloudTrail Console Home

Turn on CloudTrail in all regions using AWS CLI

    # Create trails and start logging in all AWS standard regions with the AWS CLI and Linux.
    CLOUDTRAIL_S3_BUCKET="yourbucket"
    PROFILE="timbuktu"
    REGION_FOR_GLOBAL_EVENTS="us-east-1"

    # Enumerate the regions visible to this account.
    regionlist=($(aws ec2 describe-regions --query Regions[*].RegionName --output text))

    for region in "${regionlist[@]}"
    do
      if [ "$region" = "$REGION_FOR_GLOBAL_EVENTS" ]
      then
        # Only one trail should record global service events (IAM, STS, ...), or they are duplicated.
        aws --profile "$PROFILE" --region "$region" cloudtrail create-trail --name "$region" --s3-bucket-name "$CLOUDTRAIL_S3_BUCKET" --include-global-service-events --output table
        aws --profile "$PROFILE" --region "$region" cloudtrail start-logging --name "$region" --output table
      else
        aws --profile "$PROFILE" --region "$region" cloudtrail create-trail --name "$region" --s3-bucket-name "$CLOUDTRAIL_S3_BUCKET" --no-include-global-service-events --output table
        aws --profile "$PROFILE" --region "$region" cloudtrail start-logging --name "$region" --output table
      fi
    done

CloudTrail CLI Demo

CloudTrail Lookup Events Feature

• Troubleshoot Operational and Security issues related to your AWS account

• Look up CloudTrail events related to creation, deletion and modification of AWS resources

• Look up events for the last 7 days

• Filter events using one of the six different filters

  • Time range

  • User name

  • Resource name

  • Resource type

  • Event name

  • Event ID

CloudTrail Lookup Events Feature

Demo: Look up CloudTrail events in the console

AWS CloudTrail Console Home

Look up events using the AWS CLI

• List all events for the last 7 days

    aws cloudtrail lookup-events --output json

• List all events where user name is root (no space inside the --lookup-attributes value, or the shell splits it into two arguments)

    aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root --output json

• List all events where the Resource type is EC2 Instance

    aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::Instance --output json
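The JSON that lookup-events returns carries a summary per event plus the full CloudTrail record as a nested JSON string in CloudTrailEvent, which is where the "who, when, what, which resources, from where" fields from the event overview live. The following added example (not code from the deck or from AWS) parses a constructed sample of that output into one flat record per event and applies the same user-name filter locally; the event IDs, user names, IP addresses and resource names are constructed.

```python
import json

# Added example (not from the deck): parse the output of
# `aws cloudtrail lookup-events --output json` and extract the who / when /
# what / resources / where fields. SAMPLE_LOOKUP_OUTPUT is constructed sample
# data in the shape the CLI returns; all identifiers in it are made up.

SAMPLE_LOOKUP_OUTPUT = json.dumps({
    "Events": [
        {
            "EventId": "11111111-aaaa-bbbb-cccc-000000000001",
            "EventName": "RunInstances",
            "EventTime": 1438128000.0,
            "Username": "alice",
            "Resources": [
                {"ResourceType": "AWS::EC2::Instance", "ResourceName": "i-0123456789abcdef0"}
            ],
            # The full record is delivered as a JSON string inside the JSON.
            "CloudTrailEvent": json.dumps({
                "eventVersion": "1.03",
                "userIdentity": {"type": "IAMUser", "userName": "alice",
                                 "arn": "arn:aws:iam::111111111111:user/alice"},
                "eventTime": "2015-07-29T00:00:00Z",
                "eventSource": "ec2.amazonaws.com",
                "eventName": "RunInstances",
                "awsRegion": "us-east-1",
                "sourceIPAddress": "203.0.113.10",
                "userAgent": "aws-cli/1.7.36",
                "requestParameters": {"instanceType": "t2.micro"},
            }),
        },
        {
            "EventId": "11111111-aaaa-bbbb-cccc-000000000002",
            "EventName": "DeleteSecurityGroup",
            "EventTime": 1438131600.0,
            "Username": "root",
            "Resources": [
                {"ResourceType": "AWS::EC2::SecurityGroup", "ResourceName": "sg-0abc"}
            ],
            "CloudTrailEvent": json.dumps({
                "eventVersion": "1.03",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
                "eventTime": "2015-07-29T01:00:00Z",
                "eventSource": "ec2.amazonaws.com",
                "eventName": "DeleteSecurityGroup",
                "awsRegion": "us-east-1",
                "sourceIPAddress": "198.51.100.7",
                "userAgent": "console.amazonaws.com",
                "errorCode": "Client.UnauthorizedOperation",
            }),
        },
    ]
})


def summarize_lookup_output(raw_json):
    """One flat dict per event: who, when, what, resources, where, plus the
    error code, which is what distinguishes an attempted call from a successful one."""
    out = []
    for ev in json.loads(raw_json)["Events"]:
        detail = json.loads(ev["CloudTrailEvent"])   # decode the nested record
        ident = detail.get("userIdentity", {})
        out.append({
            "who": ev.get("Username"),
            "who_arn": ident.get("arn"),
            "when": detail["eventTime"],
            "what": f'{detail["eventSource"]}:{detail["eventName"]}',
            "resources": [f'{r["ResourceType"]}/{r["ResourceName"]}'
                          for r in ev.get("Resources", [])],
            "where": detail.get("sourceIPAddress"),
            "region": detail.get("awsRegion"),
            "error": detail.get("errorCode"),
        })
    return out


def filter_events(summaries, **criteria):
    """Apply lookup-style filters locally, e.g. filter_events(s, who="root")."""
    return [s for s in summaries if all(s.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    summaries = summarize_lookup_output(SAMPLE_LOOKUP_OUTPUT)
    for s in summaries:
        print(s)
    print("root activity:", filter_events(summaries, who="root"))
```

Feed it real output by piping the CLI into the script (`aws cloudtrail lookup-events --output json | python3 script.py`, reading stdin instead of the constant), and note that root activity plus an authorization failure in the same record is exactly the kind of line worth alarming on in the next section.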

Receive email notifications of specific API activity

Receive email notifications of specific API activity

Why?

• Monitor for any patterns in the CloudTrail events

• You want to take immediate action when specific events occur

What do you need to do?

• Configure CloudTrail events to be delivered to CloudWatch Logs

• Configure CloudWatch Alarms for specific events or API activity

Which events should I monitor for?

• Monitor security and network related events. Examples:

  1. Creation, deletion and modification of security groups and VPC’s

  2. Changes to IAM policies

  3. Failed console Sign-in events

  4. API calls that resulted in authorization failures

• Monitor events related to specific resources or resource types. Examples:

  1. Launching, terminating, stopping, starting and rebooting EC2 Instances

  2. Creating 4X or 8X large EC2 Instances

Configuring CloudWatch Alarms for CloudTrail events

• To get started, use the CloudFormation template that has 10 different pre-defined alarms, includes the examples in the previous slide

• CloudFormation template is available via CloudTrail documentation page

• Create 10 CloudWatch alarms to monitor API activity related to network and security events in less than 5 minutes

• Receive email notifications when those events occur in your AWS account
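Before committing the event categories from the previous two slides to CloudWatch Logs metric filters, it helps to express each one as a predicate and run it over sample records, so you can see which records a rule catches and which it misses. The following is an added example, not code from the deck and not the contents of the AWS CloudFormation template: the rule names, the event-name sets and the sample records are constructed, and the filter-pattern strings in the comments are illustrations of the equivalent CloudWatch Logs syntax.

```python
import fnmatch

# Added example (not from the deck): the monitored event categories expressed
# as predicates over raw CloudTrail records. Rule names, event-name sets and
# SAMPLE_RECORDS are constructed; the comments show an illustrative CloudWatch
# Logs filter pattern with the same meaning.

SECURITY_GROUP_VPC_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
}
IAM_POLICY_EVENTS = {
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachUserPolicy", "DetachUserPolicy", "AttachRolePolicy", "DetachRolePolicy",
}
EC2_LIFECYCLE_EVENTS = {"RunInstances", "TerminateInstances", "StopInstances",
                        "StartInstances", "RebootInstances"}


def is_failed_console_signin(r):
    # Filter pattern: { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    return r.get("eventName") == "ConsoleLogin" and r.get("errorMessage") == "Failed authentication"


def is_authorization_failure(r):
    # Filter pattern: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = r.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_large_instance_launch(r):
    # instanceType sits directly under requestParameters in a RunInstances record.
    itype = (r.get("requestParameters") or {}).get("instanceType", "")
    return r.get("eventName") == "RunInstances" and (
        fnmatch.fnmatch(itype, "*.4xlarge") or fnmatch.fnmatch(itype, "*.8xlarge"))


RULES = {
    "security_group_or_vpc_change": lambda r: r.get("eventName") in SECURITY_GROUP_VPC_EVENTS,
    "iam_policy_change": lambda r: r.get("eventName") in IAM_POLICY_EVENTS,
    "failed_console_signin": is_failed_console_signin,
    "authorization_failure": is_authorization_failure,
    "ec2_lifecycle": lambda r: r.get("eventName") in EC2_LIFECYCLE_EVENTS,
    "large_instance_launch": is_large_instance_launch,
}

# Constructed sample records, trimmed to the fields the rules look at.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "errorMessage": "Failed authentication", "sourceIPAddress": "203.0.113.5"},
    {"eventID": "e2", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com"},
    {"eventID": "e3", "eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com"},
    {"eventID": "e4", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e5", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"instanceType": "c4.8xlarge"}},
    {"eventID": "e6", "eventName": "DescribeTrails", "eventSource": "cloudtrail.amazonaws.com"},
]


def evaluate(record):
    """Names of every rule the record triggers; one record can trigger several."""
    return [name for name, pred in RULES.items() if pred(record)]


def scan(records):
    """Map rule name -> list of eventIDs that fired it, the shape an alarm summary takes."""
    hits = {name: [] for name in RULES}
    for r in records:
        for name in evaluate(r):
            hits[name].append(r.get("eventID"))
    return hits


if __name__ == "__main__":
    for rule, ids in scan(SAMPLE_RECORDS).items():
        print(f"{rule:32s} {ids}")
```

Two things the sample shows that the slide text does not: a large-instance launch fires both the lifecycle rule and the size rule, so alarm counts are not mutually exclusive, and a read-only call that was denied still counts as an authorization failure, which is usually the signal you want when credentials are being probed.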

Demo: CloudTrail Integration with CloudWatch

What does the email notification look like?

Partner Solutions Integrated with CloudTrail

AWS Technology Partner solutions integrated with CloudTrail

AWS Consulting Partner solutions integrated with CloudTrail

Thank you!

Questions and Answers