(sec306) turn on cloudtrail: log api activity in your aws account | aws re:invent 2014
DESCRIPTION
Do you need to know who made an API call? What resources were acted upon in an API call? Do you need to find the source IP address of an API call? AWS CloudTrail helps you answer these questions. In this session we review the basics of CloudTrail and then dive into CloudTrail features. We demo solutions that you can use to analyze API activity recorded and delivered by CloudTrail. Join us if you are interested in security or compliance and how you can architect, build, and maintain compliant applications on AWS.TRANSCRIPT
November 13 2014 | Las Vegas, Nevada
Sivakanth Mundru, Amazon Web Services
Agenda
New
New
Introduction to CloudTrail
Customers are making API calls...
On a growing set of services
around the world…
CloudTrail is continuously
recording API calls…
And delivering log files to customers
Use cases enabled by CloudTrail
CloudTrail Regional Availability
AWS Services supported by CloudTrail
78
16
21
24
0
5
10
15
20
25
30
# o
f A
WS
Serv
ices
Quarter/Year
Q4 2013 Q1 2014 Q2 2014 Q3 2014 Q4 2014
What can you answer using a CloudTrail event?
• Who
• When
• What
• Which
• Where
Who made the API call?
Example 1:Who?
Example 2:Who?
When? and What?
• When was the API call made?
• What was the API call made?
Which resources?, Where from? and Where to?• Which resources were acted up on in the API call?
• Where was the API call made from and made to?
Client Errors, Server Errors & Authorization failures
Aggregate log files across regions and accounts
Amazon SNS notifications for log file delivery
CloudTrail Customer Story
Steve Toback
Cloud Architect, Merck and Company
Build Applications that process CloudTrail log files
How does CloudTrail Processing Library work?
AWS
CloudTrail
Amazon
SNS
Amazon
SQS
S3 Bucket
Amazon DynamoDB
Amazon Redshift
Third Party
Amazon CloudWatch
Amazon SNS
AWS CloudTrail
Processing Library
Sample CloudTrail Processing Library Code public void process(List<CloudTrailEvent> events) {
for (CloudTrailEvent event : events) {CloudTrailEventData data = event.getEventData();if (data.getEventSource().equals("ec2.amazonaws.com") &&
data.getEventName().equals("ModifyVpcAttribute")) {System.out.println("Processing event: " + data.getRequestId());
sns.publish(myQueueArn, "{ " + "'requestId'= '" + data.getRequestId() + "'," + "'request' = '" + data.getRequestParameters() + "'," +"'response' = '" + data.getResponseElements() + "'," +"'source' = '" + data.getEventSource() + "'," +"'eventName'= '" + data.getEventName() + "'" +"}");
}}
}
• Source available on GitHub and distributed under Apache 2.0 license
AWS Technology Partner solutions integrated with CloudTrail
AWS Consulting Partner solutions integrated with CloudTrail
CloudTrail integration with CloudWatch Logs
Demo: Receive notifications for failed console sign-in events
More Examples of Metric Filters
Additional ResourcesCloudTrail Detail Page
CloudTrail FAQs
CloudTrail Partners
CloudTrail Processing Library on GitHub
CloudTrail documentation user guide
Security at scale: Logging in AWS white paper
