Lesson 2 of 19
In Progress

What is CloudTrail?

Christophe November 5, 2023

Welcome to Cybr’s Getting Started with CloudTrail course! To get things started, let’s talk about what this service offers, and why it’s so important to understand.

What is AWS CloudTrail?

With CloudTrail, you can view, search, download, archive, analyze, and respond to account activity across either a single Region in your account, multiple Regions, or even multiple accounts.

It can be configured to collect logs from multiple sources, giving you a complete history of events and API calls made within your AWS account by these sources:

  • Console
  • SDK
  • CLI
  • AWS Services

This includes AWS API calls, and some additional non-API events like ConsoleLogins, which is practically all of the actions across your AWS infrastructure.

You can then use those logs to audit your AWS account and and it provides a very useful source for monitoring simple and large or complex AWS environments for suspicious or potentially dangerous actions.

If something weird is going on in your account, especially if it’s security related (but also operational issues), CloudTrail’s data should probably be one of the first — if not the first — places that you investigate, and we’ll talk more about how to do that later in the course.

It’s a service that helps you answer important questions, like:

  • “Who took this action and when?”
  • “What resources did they access or modify?”
  • “What events happened during a certain timeframe?”
  • Etc…

For example, if I make a change to an EC2 instance, even if that change was made through the console, it’s still making calls to the AWS API, which means CloudTrail would see it and log it.

You can find out information like the:

  • Identity of the API caller
  • Time of the API call
  • Source IP address of the API caller
  • Request parameters
  • Response elements returned by the AWS service

However, it’s important to understand that all of the functionality we just mentioned is not enabled by default!

Whenever you create a new AWS account, a limited version of CloudTrail is automatically enabled on your behalf. That limited version only logs Management Events, and not Data Events or Insights Events.

We’ll learn more about what this means in other lessons, because this is very important to understand.

By default, CloudTrail also doesn’t get enabled with any trails. Instead, the Management Events get stored for up to 90 days in what’s called the Event History.

There are ways of storing data for longer than that, which we will also be exploring, but as one of the first steps, you will want to generate CloudTrail trails and I’ll show you how to do that.

Example events to keep track of

Let’s take a look at some actual examples of what CloudTrail can log, and why it’s important.

Sign-in events

One of the most important events that you need to keep track of is console sign-in events. CloudTrail can log any attempts to sign into the AWS management console, both successful and failed.

This way you can identify brute-force attempts, or suspicious logins that took place after hours, and confirm that all logins are using multifactor authentication. Remember that your console is your most critical asset. Anyone with access to your console can potentially cause a lot of damage.

You can also set up monitoring and alerting for any time someone logs in using your root account. Because root accounts should almost never be used, if someone is using one, you should get notified, and you can use CloudTrail’s logs to do that.

Security Groups changes

CloudTrail also has the ability to log changes to security groups, as another example. A change in a security group can introduce, even by accident, a security hole in your AWS environment. You should monitor such changes closely and ensure that they occur as part of a change management process.

VPC resources

Apart from security groups, it is important to keep track of several changes that may occur in your VPCs and can potentially have a security impact. Unauthorized changes to NACLs and route tables may be indicators of compromise (IoCs). Even if made on purpose, such changes may have a negative impact on the security posture of your AWS environment, and you should definitely keep an eye on them.

Conclusion

These are just a handful of practical examples, but as we will see in this course, there are many more applications.

Now that we’ve gotten an overview of what CloudTrail is, how it works, and when it’s useful, we’re ready to move on to the next lesson!

Responses

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.