Tuesday 20 October 2015

AWS re:Invent 2015 | (SEC318) AWS CloudTrail Deep Dive


The following example shows a complete log file object name:
bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/file_name.json.gz
CloudTrail uses the following file name format for the log file objects it uploads to your S3 bucket: 
AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat 
The following log file record shows that an IAM user named Alice called the Amazon EC2 StopInstances action by using the ec2-stop-instances command in the CLI.

{
    "Records": [{
        "eventVersion": "1.0",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::123456789012:user/Alice",
            "accountId": "123456789012",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
        },
        "eventTime": "2014-03-06T21:01:59Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "205.251.233.176",
        "userAgent": "ec2-api-tools 1.6.12.2",
        "requestParameters": {
            "instancesSet": {
                "items": [{
                    "instanceId": "i-ebeaf9e2"
                }]
            },
            "force": false
        },
        "responseElements": {
            "instancesSet": {
                "items": [{
                    "instanceId": "i-ebeaf9e2",
                    "currentState": {
                        "code": 64,
                        "name": "stopping"
                    },
                    "previousState": {
                        "code": 16,
                        "name": "running"
                    }
                }]
            }
        }
    },
    ... additional entries ...
    ]
}
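The object key layout and the record layout above are easiest to understand by parsing a delivered file. The following is an added example (my code, not from the talk or the CloudTrail documentation) that splits a key into its parts, cross-checks the account and region that appear twice (once in the path, once in the file name), gunzips a log object and reduces each record to the fields an analyst looks at first. The sample log object is a constructed copy of the Alice/StopInstances record above, compressed in code so everything runs offline; the key passed in the usage block is likewise constructed (the UniqueString is a placeholder). The bucket name is not part of an S3 key, so it is not matched.

```python
import gzip
import json
import re

# Key layout as documented above (bucket name excluded, since it is not part of the key):
#   <prefix>/AWSLogs/<AccountID>/CloudTrail/<region>/YYYY/MM/DD/
#   <AccountID>_CloudTrail_<region>_<YYYYMMDDTHHmmZ>_<UniqueString>.json.gz
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<file_account>\d{12})_CloudTrail_(?P<file_region>[a-z0-9-]+)_"
    r"(?P<stamp>\d{8}T\d{4}Z)_(?P<unique>[A-Za-z0-9]+)\.json\.gz$"
)


def parse_object_key(key):
    """Split a CloudTrail object key into its parts; the account and region
    occur in both the path and the file name, so insist that they agree."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail log object key: {key}")
    parts = m.groupdict()
    if parts["account"] != parts["file_account"] or parts["region"] != parts["file_region"]:
        raise ValueError(f"path and file name disagree on account/region: {key}")
    return parts


def load_records(gz_bytes):
    """Decompress one delivered log object and return its Records list."""
    doc = json.loads(gzip.decompress(gz_bytes).decode("utf-8"))
    return doc.get("Records", [])


def _collect(obj, wanted):
    """Recursively gather the string values of every key named `wanted`."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == wanted and isinstance(v, str):
                found.append(v)
            else:
                found.extend(_collect(v, wanted))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(_collect(item, wanted))
    return found


def summarize(rec):
    """Reduce one record to the who / what / where / from-where fields."""
    ident = rec.get("userIdentity", {})
    who = ident.get("userName") or ident.get("arn") or ident.get("principalId", "?")
    return {
        "time": rec.get("eventTime"),
        "actor": f"{ident.get('type', '?')}:{who}",
        "account": ident.get("accountId"),
        "event": f"{rec.get('eventSource')}:{rec.get('eventName')}",
        "region": rec.get("awsRegion"),
        "source_ip": rec.get("sourceIPAddress"),
        "user_agent": rec.get("userAgent"),
        "error": rec.get("errorCode"),  # only present when the call failed
        "instances": _collect(rec.get("requestParameters", {}), "instanceId"),
    }


def select_events(records, event_names):
    """Summaries of the records whose eventName is in event_names, e.g. the
    state-changing EC2 calls a defender reviews first."""
    return [summarize(r) for r in records if r.get("eventName") in event_names]


# Constructed sample: the page's Alice/StopInstances record, gzipped as delivered.
SAMPLE_RECORD = {
    "eventVersion": "1.0",
    "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
                     "arn": "arn:aws:iam::123456789012:user/Alice",
                     "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID",
                     "userName": "Alice"},
    "eventTime": "2014-03-06T21:01:59Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "205.251.233.176",
    "userAgent": "ec2-api-tools 1.6.12.2",
    "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]}, "force": False},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2",
                         "currentState": {"code": 64, "name": "stopping"},
                         "previousState": {"code": 16, "name": "running"}}]}},
}
SAMPLE_LOG_GZ = gzip.compress(json.dumps({"Records": [SAMPLE_RECORD]}).encode("utf-8"))

if __name__ == "__main__":
    # Constructed key; EXAMPLEunique01 stands in for the real UniqueString.
    print(parse_object_key("prefix-example/AWSLogs/123456789012/CloudTrail/us-west-2/"
                           "2014/03/06/123456789012_CloudTrail_us-west-2_20140306T2105Z_EXAMPLEunique01.json.gz"))
    for s in select_events(load_records(SAMPLE_LOG_GZ), {"StopInstances", "TerminateInstances"}):
        print(s)
```

The account/region cross-check is cheap and catches objects that were written under the wrong path, which is worth knowing when the bucket receives logs from several accounts.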

The following example command demonstrates the creation of a trail for an account using the AWS CLI:
aws cloudtrail create-subscription --name=awscloudtrail-example --s3-new-bucket=awscloudtrail-new-bucket-example --s3-prefix=prefix-example --sns-new-topic=awscloudtrail-example-log-deliverytopic

Use the following command to retrieve trail settings:
aws cloudtrail describe-trails
If the command succeeds, you see output similar to the following:
{
"trailList": [
    {
        "S3KeyPrefix": "prefix-example",
        "IncludeGlobalServiceEvents": true,
        "Name": "awscloudtrail-example",
        "SnsTopicName": "awscloudtrail-example-log-deliverytopic",
        "S3BucketName": "awscloudtrail-new-bucket-example2"
    }
]
}
Use the following command to retrieve the status of a trail:
aws cloudtrail get-trail-status --name awscloudtrail-example
If the command succeeds, you see output similar to the following:
{
    "LatestNotificationTime": 1441139757.496, 
    "LatestNotificationAttemptSucceeded": "2015-09-01T20:35:57Z", 
    "LatestDeliveryAttemptTime": "2015-09-01T20:35:57Z", 
    "LatestDeliveryTime": 1441139757.497, 
    "LatestDeliveryAttemptSucceeded": "2015-09-01T20:35:57Z", 
    "IsLogging": true, 
    "TimeLoggingStarted": "2015-09-01T00:54:02Z", 
    "StartLoggingTime": 1441068842.76, 
    "LatestDigestDeliveryTime": 1441140723.629, 
    "LatestNotificationAttemptTime": "2015-09-01T20:35:57Z", 
    "TimeLoggingStopped": ""
}
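A trail that has been switched off, or whose deliveries have silently stopped, is the first thing to check before trusting anything else on this page. The following is an added example (mine, not from the talk or AWS) that evaluates get-trail-status output like the one above: it reports when IsLogging is false, when TimeLoggingStopped is set, when any error field is populated, and when the last S3 delivery is older than a threshold. The status dict is a constructed copy of the output above. The error fields LatestDeliveryError, LatestNotificationError and LatestDigestDeliveryError are assumed from the GetTrailStatus API as I know it; the page only shows the success case, where they are absent. The reference time is passed in so the check is deterministic.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the get-trail-status output shown above.
SAMPLE_STATUS = {
    "LatestNotificationTime": 1441139757.496,
    "LatestDeliveryTime": 1441139757.497,
    "IsLogging": True,
    "TimeLoggingStarted": "2015-09-01T00:54:02Z",
    "StartLoggingTime": 1441068842.76,
    "LatestDigestDeliveryTime": 1441140723.629,
    "TimeLoggingStopped": "",
}

# Error fields assumed from the GetTrailStatus API; present only when a step failed.
ERROR_FIELDS = ("LatestDeliveryError", "LatestNotificationError", "LatestDigestDeliveryError")


def _epoch_to_utc(value):
    return datetime.fromtimestamp(float(value), tz=timezone.utc)


def status_timeline(status):
    """Render every numeric *Time field as ISO-8601 so the epoch fields can be
    read next to the string fields that carry the same instants."""
    return {k: _epoch_to_utc(v).strftime("%Y-%m-%dT%H:%M:%SZ")
            for k, v in status.items()
            if k.endswith("Time") and isinstance(v, (int, float))}


def check_trail_status(status, now, max_delivery_age=timedelta(hours=2)):
    """Return a list of findings; an empty list means the trail looks healthy."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("IsLogging is false: the trail is not recording API calls")
    if status.get("TimeLoggingStopped"):
        findings.append(f"logging was stopped at {status['TimeLoggingStopped']}")
    for field in ERROR_FIELDS:
        if status.get(field):
            findings.append(f"{field}: {status[field]}")
    latest = status.get("LatestDeliveryTime")
    if latest is None:
        findings.append("no log file has ever been delivered to S3")
    else:
        delivered = _epoch_to_utc(latest)
        age = now - delivered
        if age > max_delivery_age:
            findings.append(f"last S3 delivery was {age} ago (at {delivered.isoformat()})")
    return findings


if __name__ == "__main__":
    print(status_timeline(SAMPLE_STATUS))
    print(check_trail_status(SAMPLE_STATUS, datetime.now(timezone.utc)) or ["trail healthy"])
```

Run against the sample with today's clock the delivery-age finding fires, which is the right outcome: a trail whose last delivery is years old is not protecting anything.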

To see the ten latest events, type the following command:
aws cloudtrail lookup-events
Events from the past seven days are available for lookup. To specify a time range, type the following command:
aws cloudtrail lookup-events --start-time <timestamp> --end-time <timestamp>
The following are examples of valid formats. Date, month, and year values can be separated by hyphens or forward slashes. Double quotes must be used if spaces are present.
1422317782
1422317782.0
01-27-2015
01-27-2015,01:16PM
"01-27-2015, 01:16 PM"
"01/27/2015, 13:16"
2015-01-27
"2015-01-27, 01:16 PM"

To filter by an attribute, type the following command:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=<attribute>,AttributeValue=<string>

Possible values for AttributeKey are the following. These names are case sensitive.
  • EventId
  • EventName
  • Username
  • ResourceType
  • ResourceName
The following example command returns the event for the specified CloudTrail EventId.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventId,AttributeValue=b5cc8c40-12ba-4d08-a8d9-2bceb9a3e002
The following example command returns events in which the value of EventName is RunInstances.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances
The following example command returns events in which the value of Username is root.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root
The following example command returns events in which the value of ResourceType is AWS::S3::Bucket.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::S3::Bucket
The following example command returns events in which the value of ResourceName is CloudTrail_CloudWatchLogs_Role.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=CloudTrail_CloudWatchLogs_Role
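The same lookups from code, as an added example (mine, not from the talk or AWS). It covers the two points above that trip people up: the timestamp forms accepted by --start-time/--end-time (all seven listed earlier, with slashes or hyphens and optional quotes), and the case-sensitive AttributeKey names, for which it suggests the correct spelling when only the case is wrong. iter_lookup_events walks every page of results through the boto3 cloudtrail client's lookup_events paginator; the client is passed in, so anything with the same get_paginator interface works. Assumptions: the wall-clock timestamp forms are taken as UTC (the CLI's own handling of local time is not reproduced here), and the usage block needs boto3 and AWS credentials in the environment.

```python
from datetime import datetime, timezone

# AttributeKey names, exactly as the API spells them (case sensitive).
LOOKUP_KEYS = ("EventId", "EventName", "Username", "ResourceType", "ResourceName")

# The timestamp forms listed above; "/" is normalised to "-" before matching.
_TIME_FORMATS = (
    "%m-%d-%Y", "%m-%d-%Y,%I:%M%p", "%m-%d-%Y, %I:%M %p", "%m-%d-%Y, %H:%M",
    "%Y-%m-%d", "%Y-%m-%d, %I:%M %p", "%Y-%m-%d, %H:%M",
)


def parse_lookup_time(text):
    """Turn one of the documented forms into an aware UTC datetime.
    Assumption: wall-clock forms are interpreted as UTC."""
    s = text.strip().strip('"').replace("/", "-")
    try:
        return datetime.fromtimestamp(float(s), tz=timezone.utc)  # 1422317782 or 1422317782.0
    except ValueError:
        pass
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def lookup_attribute(key, value):
    """Build one LookupAttributes entry, refusing keys that differ only in case."""
    if key not in LOOKUP_KEYS:
        hint = next((k for k in LOOKUP_KEYS if k.lower() == key.lower()), None)
        msg = f"invalid AttributeKey {key!r}"
        if hint:
            msg += f" (did you mean {hint!r}? names are case sensitive)"
        raise ValueError(msg)
    return {"AttributeKey": key, "AttributeValue": value}


def iter_lookup_events(client, key=None, value=None, start=None, end=None):
    """Yield every matching event across all result pages.
    `client` is a boto3 cloudtrail client or anything with the same get_paginator API."""
    params = {}
    if key is not None:
        params["LookupAttributes"] = [lookup_attribute(key, value)]
    if start is not None:
        params["StartTime"] = parse_lookup_time(start)
    if end is not None:
        params["EndTime"] = parse_lookup_time(end)
    for page in client.get_paginator("lookup_events").paginate(**params):
        for event in page.get("Events", []):
            yield event


if __name__ == "__main__":
    import boto3  # assumed installed, with credentials available
    # Root-credential activity in a one-day window, the same query as the CLI example above.
    for ev in iter_lookup_events(boto3.client("cloudtrail"), "Username", "root",
                                 "2015-01-27", '"01/28/2015, 13:16"'):
        print(ev["EventTime"], ev["EventName"], ev.get("Username"))
```

Each event the paginator returns also carries a CloudTrailEvent field holding the full record as a JSON string, so the record summariser from the first example applies to lookup results too.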


