AWS CLOUDTRAIL
- Jayesh Sukdeo Patil
AWS CloudTrail
• AWS CloudTrail is an AWS service that helps you
enable governance, compliance, and operational and
risk auditing of your AWS account. Actions taken by a
user, role, or an AWS service are recorded as events
in CloudTrail. Events include actions taken in the AWS
Management Console, AWS Command Line Interface,
and AWS SDKs and APIs.
• CloudTrail is enabled on your AWS account when you
create it. When activity occurs in your AWS account,
that activity is recorded in a CloudTrail event. You can
easily view recent events in the CloudTrail console by
going to Event history. For an ongoing record of
activity and events in your AWS account, create a
trail. For more information about CloudTrail pricing,
see AWS CloudTrail Pricing.
• Visibility into your AWS account activity is a key
aspect of security and operational best practices. You
can use CloudTrail to view, search, download, archive,
analyze, and respond to account activity across your
AWS infrastructure. You can identify who or what
took which action, what resources were acted upon,
when the event occurred, and other details to help
you analyze and respond to activity in your AWS
account. Optionally, you can enable AWS CloudTrail
Insights on a trail to help you identify and respond to
unusual activity.
• You can integrate CloudTrail into applications using
the API, automate trail creation for your organization,
check the status of trails you create, and control how
users view CloudTrail events.
What are trails?
• A trail is a configuration that enables delivery
of CloudTrail events to an Amazon S3 bucket,
CloudWatch Logs, and CloudWatch Events.
You can use a trail to filter the CloudTrail
events you want delivered, encrypt your
CloudTrail event log files with an AWS KMS
key, and set up Amazon SNS notifications for
log file delivery.
How CloudTrail works
• CloudTrail is enabled on your AWS account when you create it.
When activity occurs in your AWS account, that activity is
recorded in a CloudTrail event. You can easily view events in
the CloudTrail console by going to Event history.
• Event history allows you to view, search, and download the
past 90 days of activity in your AWS account. In addition, you
can create a CloudTrail trail to archive, analyze, and respond to
changes in your AWS resources. A trail is a configuration that
enables delivery of events to an Amazon S3 bucket that you
specify. You can also deliver and analyze events in a trail with
Amazon CloudWatch Logs and Amazon CloudWatch Events.
You can create a trail with the CloudTrail console, the AWS CLI,
or the CloudTrail API.
You can create two types of trails for an AWS account:
• A trail that applies to all regions
  • When you create a trail that applies to all regions, CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify. If a region is added after you create a trail that applies to all regions, that new region is automatically included, and events in that region are logged. Creating a trail that applies to all regions is a recommended best practice because it captures activity in every region in your account, so an all-regions trail is the default option when you create a trail in the CloudTrail console. To update a single-region trail to log all regions, you must use the AWS CLI.
• A trail that applies to one region
  • When you create a trail that applies to one region, CloudTrail records the events in that region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. You can only create a single-region trail by using the AWS CLI. If you create additional single-region trails, you can have those trails deliver CloudTrail event log files to the same Amazon S3 bucket or to separate buckets. A single-region trail is the default option when you create a trail using the AWS CLI or the CloudTrail API.
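A trail's region scope, KMS encryption and CloudWatch Logs delivery, together with the log file integrity setting listed in the workflow, can be checked from the output of `aws cloudtrail describe-trails`. The following is an added example, not part of the original slides; the trail names, ARNs and account id are constructed placeholders, and the finding ids are names chosen for this example.

```python
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails` output.
# Trail names, bucket names, ARNs and the account id are placeholders.
SAMPLE_DESCRIBE_TRAILS = json.loads("""
{"trailList": [
  {"Name": "example-all-regions",
   "S3BucketName": "example-trail-logs",
   "IsMultiRegionTrail": true,
   "HomeRegion": "us-east-1",
   "LogFileValidationEnabled": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
   "CloudWatchLogsLogGroupArn":
     "arn:aws:logs:us-east-1:111122223333:log-group:example-trail:*"},
  {"Name": "example-legacy",
   "S3BucketName": "example-legacy-logs",
   "IsMultiRegionTrail": false,
   "HomeRegion": "eu-west-1",
   "LogFileValidationEnabled": false}
]}
""")

# Finding id -> what it means for the account's audit record.
FINDINGS = {
    "no-trail": "no trail exists, so only the 90-day Event history is kept",
    "no-all-regions-trail": "no trail applies to all regions",
    "single-region": "trail records events in its home region only",
    "no-kms-key": "log files are not encrypted with an AWS KMS key",
    "no-log-file-validation": "log file integrity validation is off",
    "no-cloudwatch-logs": "events are not delivered to CloudWatch Logs",
}


def audit_trail(trail):
    """Return the ids of the checks that a single trail fails."""
    findings = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("single-region")
    if not trail.get("KmsKeyId"):
        findings.append("no-kms-key")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("no-log-file-validation")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("no-cloudwatch-logs")
    return findings


def audit_account(describe_output):
    """Audit every trail and add account-level coverage findings."""
    trails = describe_output.get("trailList", [])
    report = {"account": [], "trails": {}}
    if not trails:
        report["account"].append("no-trail")
    elif not any(t.get("IsMultiRegionTrail") for t in trails):
        # Only single-region trails: activity elsewhere is not archived.
        report["account"].append("no-all-regions-trail")
    for trail in trails:
        report["trails"][trail.get("Name", "<unnamed>")] = audit_trail(trail)
    return report


if __name__ == "__main__":
    report = audit_account(SAMPLE_DESCRIBE_TRAILS)
    for fid in report["account"]:
        print("account:", FINDINGS[fid])
    for name, fids in report["trails"].items():
        for fid in fids:
            print(f"{name}: {FINDINGS[fid]}")
```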
CloudTrail workflow
• View event history for your AWS account
  • You can view and search the last 90 days of events recorded by CloudTrail in the CloudTrail console or by using the AWS CLI.
• Download events
  • You can download a CSV or JSON file containing up to the past 90 days of CloudTrail events for your AWS account.
• Create a trail
  • A trail enables CloudTrail to deliver log files to your Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all regions. The trail logs events from all regions in the AWS partition and delivers the log files to the S3 bucket that you specify.
• Create and subscribe to an Amazon SNS topic
  • Subscribe to a topic to receive notifications about log file delivery to your bucket. Amazon SNS can notify you in multiple ways, including programmatically with Amazon Simple Queue Service.
• View your log files
  • Use Amazon S3 to retrieve log files.
CloudTrail workflow
• Manage user permissions
  • Use AWS Identity and Access Management (IAM) to manage which users have permissions to create, configure, or delete trails; start and stop logging; and access buckets that have log files.
• Monitor events with CloudWatch Logs
  • You can configure your trail to send events to CloudWatch Logs. You can then use CloudWatch Logs to monitor your account for specific API calls and events.
• Log management and data events
  • Configure your trails to log read-only, write-only, or all management and data events. By default, trails log management events.
• Log CloudTrail Insights events
  • Configure your trails to log Insights events to help you identify and respond to unusual activity associated with write management API calls. If your trail is configured to log read-only or no management events, you cannot turn on CloudTrail Insights event logging.
• Enable log encryption
  • Log file encryption provides an extra layer of security for your log files.
• Enable log file integrity
  • Log file integrity validation helps you verify that log files have remained unchanged since CloudTrail delivered them.
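Monitoring for specific API calls is most valuable for the calls that change CloudTrail itself: deleting or stopping a trail, narrowing its region scope, turning off integrity validation, or limiting which management events are logged. The following is an added example, not part of the original slides, that scans a CloudTrail log file for those calls; the sample records are constructed, and the `requestParameters` key names used here are assumptions to confirm against your own logs.

```python
import json

# Constructed CloudTrail log file ({"Records": [...]}). Account ids, ARNs, IP
# addresses and trail names are placeholders; requestParameters key names are
# an assumption of this sample.
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"name": "example-trail"}},
 {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/dev/bob"},
  "errorCode": "AccessDenied", "requestParameters": {"name": "example-trail"}},
 {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"name": "example-trail", "isMultiRegionTrail": false,
                        "enableLogFileValidation": false}},
 {"eventTime": "2024-01-01T10:08:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"name": "example-trail", "snsTopicName": "example-topic"}},
 {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "PutEventSelectors", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"trailName": "example-trail", "eventSelectors": [
      {"readWriteType": "ReadOnly", "includeManagementEvents": true}]}}
]}
""")

DISABLING = {"StopLogging", "DeleteTrail"}


def weakening_reasons(event_name, params):
    """Explain why a CloudTrail configuration call reduces logging coverage."""
    params = params or {}
    if event_name in DISABLING:
        return ["logging stopped or trail deleted"]
    reasons = []
    if event_name == "UpdateTrail":
        if params.get("isMultiRegionTrail") is False:
            reasons.append("trail narrowed to a single region")
        if params.get("enableLogFileValidation") is False:
            reasons.append("log file integrity validation turned off")
    elif event_name == "PutEventSelectors":
        for sel in params.get("eventSelectors", []):
            if sel.get("includeManagementEvents") is False:
                reasons.append("management events excluded")
            elif sel.get("readWriteType", "All") != "All":
                reasons.append("management events limited to " + sel["readWriteType"])
    return reasons


def detect_trail_tampering(log):
    """Return one alert per CloudTrail API call that weakens a trail."""
    alerts = []
    for rec in log.get("Records", []):
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        reasons = weakening_reasons(rec.get("eventName"), params)
        if not reasons:
            continue  # unrelated call, or an update that does not reduce coverage
        alerts.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "event": rec["eventName"],
            "trail": params.get("name") or params.get("trailName"),
            # errorCode is present only when the call failed (e.g. AccessDenied)
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_trail_tampering(SAMPLE_LOG):
        print(alert["time"], alert["outcome"], alert["event"], alert["reasons"])
```

Denied attempts are reported as well as successful calls, because a failed `DeleteTrail` shows that the IAM permissions held while still identifying who tried.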
CloudTrail workflow
• Enable CloudTrail Lake
  • CloudTrail Lake lets you run fine-grained SQL-based queries on events. Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors. You can keep the event data in an event data store for up to seven years. CloudTrail Lake is part of an auditing solution that helps you perform security investigations and troubleshooting.
• Share log files with other AWS accounts
  • You can share log files between accounts.
• Aggregate logs from multiple accounts
  • You can aggregate log files from multiple accounts to a single bucket.
• Work with partner solutions
  • Analyze your CloudTrail output with a partner solution that integrates with CloudTrail. Partner solutions offer a broad set of capabilities, such as change tracking, troubleshooting, and security analysis.
CloudTrail supported regions
Quotas in AWS CloudTrail
• Trails per region
  • Default limit: 5
  • Comments: This limit cannot be increased.
• Get, describe, and list APIs
  • Default limit: 10 transactions per second (TPS)
  • Comments: The maximum number of operation requests you can make per second without being throttled. The LookupEvents API is not included in this category. This limit cannot be increased.
• LookupEvents API
  • Default limit: 2 transactions per second (TPS)
  • Comments: The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
• All other APIs
  • Default limit: 1 transaction per second (TPS)
  • Comments: The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
• Event selectors
  • Default limit: 5 per trail
  • Comments: This limit cannot be increased.
• Advanced event selectors
  • Default limit: 500 conditions across all advanced event selectors
  • Comments: If a trail uses advanced event selectors, a maximum of 500 total values for all conditions in all advanced event selectors is allowed. Unless a trail logs data events on all resources, such as all S3 buckets or all Lambda functions, a trail is limited to 250 data resources. Data resources can be distributed across event selectors, but the overall total cannot exceed 250. This limit cannot be increased.
• Data resources in event selectors
  • Default limit: 250 across all event selectors in a trail
  • Comments: If you choose to limit data events by using event selectors or advanced event selectors, the total number of data resources cannot exceed 250 across all event selectors in a trail. The limit of number of resources on an individual event selector is configurable up to 250. This upper limit is allowed only if the total number of data resources does not exceed 250 across all event selectors. Examples:
    • A trail with 5 event selectors, each configured with 50 data resources, is allowed. (5*50=250)
    • A trail with 5 event selectors, 3 of which are configured with 50 data resources, 1 of which is configured with 99 data resources, and 1 of which is configured with 1 data resource, is also allowed. ((3*50)+1+99=250)
    • A trail configured with 5 event selectors, all of which are configured with 100 data resources, is not allowed. (5*100=500)
    This limit cannot be increased. The limit does not apply if you choose to log data events on all resources, such as all S3 buckets or all Lambda functions.
• Event size
  • Default limit: All event versions: events over 256 KB cannot be sent to CloudWatch Logs. Event version 1.05 and newer: total event size limit of 256 KB.
  • Comments: Amazon CloudWatch Logs and Amazon CloudWatch Events each allow a maximum event size of 256 KB. CloudTrail does not send events over 256 KB to CloudWatch Logs or CloudWatch Events. Starting with event version 1.05, events have a maximum size of 256 KB. This is to help prevent exploitation by malicious actors, and allow events to be consumed by other AWS services, such as CloudWatch Logs and CloudWatch Events.
• CloudTrail file size sent to Amazon S3
  • Default limit: 50 MB ZIP file, after compression
  • Comments: For both management and data events, CloudTrail sends events to S3 in maximum 50 MB (compressed) ZIP files. If enabled on the trail, log delivery notifications are sent by Amazon SNS after CloudTrail sends ZIP files to S3.