{"id":3004,"date":"2019-08-31T11:07:16","date_gmt":"2019-08-31T11:07:16","guid":{"rendered":"https:\/\/www.testpreptraining.com\/tutorial\/?page_id=3004"},"modified":"2020-05-01T11:06:50","modified_gmt":"2020-05-01T11:06:50","slug":"cloudtrail","status":"publish","type":"page","link":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/cloudtrail\/","title":{"rendered":"CloudTrail"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li>CloudTrail is a web service that records API activity in an AWS account.<\/li><li>It is enabled on an AWS account when the account is created.<\/li><li>All activity occurring in the AWS account is recorded as a CloudTrail event.<\/li><li>Users can search and download the activity of the past 90 days from the event history view.<\/li><li>It logs information on who made a request, including<ul><li>the services used<\/li><li>the actions performed<\/li><li>the parameters for the actions<\/li><li>the response elements returned by the AWS service.<\/li><\/ul><\/li><li>Stores logs in a specific log group.<\/li><li>Logs provide specific information on what occurred in the AWS account.<\/li><li>Focuses on the AWS API calls made in the AWS account.<\/li><li>Helps in meeting compliance and regulatory standards.<\/li><li>Usually delivers an event within 15 minutes of the API call.<\/li><li>It helps you enable governance, compliance, and operational and risk auditing.<\/li><li>CloudTrail records all actions performed by a user, role or AWS service.<\/li><li>Events are recorded by CloudTrail for actions taken through the<ul><li>AWS Management Console<\/li><li>AWS Command Line Interface<\/li><li>AWS SDKs and APIs.<\/li><\/ul><\/li><li>A trail is a configuration that delivers event details to a specified S3 bucket.<\/li><li>The trail is useful for storing and analysing events and any changes to AWS resources.<\/li><li>Create a trail with the<ul><li>CloudTrail console<\/li><li>AWS CLI<\/li><li>CloudTrail API<\/li><\/ul><\/li><li>Types of trails<ul><li>A trail that applies to all regions &#8211; records events in each region. Default with the console.<\/li><li>A trail that applies to one region &#8211; records the events in that region only. Default option with the AWS CLI or CloudTrail API.<\/li><\/ul><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"159\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-125.png\" alt=\"\" class=\"wp-image-3684\"\/><\/figure>\n\n\n\n<p><strong>CloudTrail Events<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"185\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-126.png\" alt=\"\" class=\"wp-image-3685\"\/><\/figure>\n\n\n\n<p><strong>Data Events<\/strong><\/p>\n\n\n\n<p>Data events give details of the operations performed on an AWS resource and are therefore also called data plane operations. They are high-volume activities.<\/p>\n\n\n\n<p>Example data events include:<\/p>\n\n\n\n<p>Amazon S3 object-level API activity (for example, the GetObject, DeleteObject, and PutObject API operations)<\/p>\n\n\n\n<p>AWS Lambda function execution activity (the Invoke API)<\/p>\n\n\n\n<p>During trail creation, data events are disabled by default. To record data events, add the supported resources or resource types whose activity should be collected to the trail.<\/p>\n\n\n\n<p><strong>Management Events<\/strong><\/p>\n\n\n\n<p>Management events provide insight into management operations that are performed on resources in the AWS account. These are also known as control plane operations. Example management events include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Configuring security (for example, the IAM AttachRolePolicy API operation)<\/li><li>Registering devices (for example, the Amazon EC2 CreateDefaultVpc API operation)<\/li><li>Configuring rules for routing data (for example, the Amazon EC2 CreateSubnet API operation)<\/li><li>Setting up logging (for example, the AWS CloudTrail CreateTrail API operation)<\/li><\/ul>\n\n\n\n<p>Management events can also include non-API events that occur in the account. For example, when a user logs in to the account, CloudTrail logs the ConsoleLogin event.<\/p>\n\n\n\n<p><strong>Read-only and Write-only Events<\/strong><\/p>\n\n\n\n<p>When you configure a trail to log data and management events, you can specify whether you want read-only events, write-only events, both, or none.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Read-only &#8211; Read-only events include API operations that read resources but don&#8217;t make changes. For example, read-only events include the Amazon EC2 DescribeSecurityGroups and DescribeSubnets API operations. These operations return only information about Amazon EC2 resources and don&#8217;t change configurations.<\/li><li>Write-only &#8211; Write-only events include API operations that modify (or might modify) resources. For example, the Amazon EC2 RunInstances and TerminateInstances API operations modify instances.<\/li><li>All &#8211; the trail logs both.<\/li><li>None &#8211; the trail logs neither read-only nor write-only management events.<\/li><\/ul>\n\n\n\n<p><strong>CloudTrail Logs<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Monitor existing system, application and custom logs in real time.<\/li><li>Send existing logs to CloudWatch; create patterns to look for in the logs; alert when these patterns are found.<\/li><li>Free agents for Ubuntu, Amazon Linux and Windows.<\/li><li>Purpose<ul><li>Monitor logs from EC2 instances in real time (for example, track the number of errors in application logs and send a notification if it exceeds a threshold).<\/li><li>Monitor the events logged by CloudTrail (it logs API activity such as a manual EC2 instance termination).<\/li><li>Archive log data (change the log retention setting to delete it automatically).<\/li><\/ul><\/li><li>Log events are records sent to AWS CloudWatch Logs for storage. Each is stored with a timestamp and a message.<\/li><li>Log Streams \u2013 a sequence of log events sharing the same resource (for example, Apache access logs; they are automatically deleted after every 2 months).<\/li><li>Log Groups \u2013 a group of log streams sharing the same settings for<ul><li>retention<\/li><li>monitoring<\/li><li>access control<\/li><\/ul><\/li><li>Metric Filters &#8211; define how a service extracts metric observations from events and turns them into data points for a CloudWatch metric.<\/li><li>Retention Settings \u2013 settings for how long to keep events. Expired logs are deleted automatically.<\/li><li>Log group retention can be set to any duration from 1 day to 10 years.<\/li><li>CloudWatch Log Filters: filter log data pushed to CloudWatch; they do not work on existing log data, only on data received after the filter is created, and they return only the first 50 results. A metric filter contains 1. Filter Pattern 2. Metric Name 3. Metric Namespace 4. Metric Value.<\/li><li>Modify rsyslog (\/etc\/rsyslog.d\/50-default.conf) and remove auth on line number 9, then run sudo service rsyslog restart.<\/li><li>Real-time log processing: it needs subscription filters and is available for AWS Kinesis Streams, AWS Lambda and AWS Kinesis Firehose.<\/li><li>The aws kinesis command is used to create or describe a stream. The command can also list the stream ARN. Then update the permissions.json file with the ARNs of the stream and the role.<\/li><\/ul>\n\n\n\n<p><strong>Advanced tasks with CloudTrail log files<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Create multiple trails per region.<\/li><li>Use CloudWatch Logs to monitor CloudTrail log files.<\/li><li>Share log files between accounts.<\/li><li>Develop log processing applications in Java using the CloudTrail Processing Library.<\/li><li>Validate log files to verify that they have not changed after delivery by CloudTrail.<\/li><\/ul>\n\n\n\n<p>To receive CloudTrail log files from multiple regions<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Sign in to the AWS Management Console and open the CloudTrail console at https:\/\/console.aws.amazon.com\/cloudtrail\/.<\/li><li>Choose \u201cTrails\u201d, and then select a trail name.<\/li><li>Next, click the pencil icon next to \u201cApply trail to all regions\u201d, and then select \u201cYes\u201d.<\/li><li>Choose Save. The original trail is replicated across all AWS regions, and CloudTrail delivers the log files from all regions to the S3 bucket.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"323\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-127.png\" alt=\"\" class=\"wp-image-3686\"\/><\/figure>\n\n\n\n<p><strong>Validating CloudTrail Log File Integrity<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Use CloudTrail log file integrity validation.<\/li><li>The feature uses SHA-256 for hashing and SHA-256 with RSA for digital signing.<\/li><li>This makes it computationally infeasible to do any of the following to CloudTrail log files without detection:<ul><li>modify<\/li><li>delete<\/li><li>forge<\/li><\/ul><\/li><li>Use the CLI to validate files.<\/li><li>With log file integrity validation, CloudTrail creates a hash for every log file.<\/li><li>Every hour, CloudTrail also creates a file (called a digest file) that references the log files for the last hour and contains the hash of each.<\/li><li>Each digest file is signed using the private key of a public and private key pair.<\/li><li>After delivery, use the public key to validate the digest file.<\/li><li>CloudTrail uses a different key pair in every AWS region.<\/li><li>The digest files are delivered to the S3 bucket associated with the trail, like the CloudTrail log files.<\/li><li>The digest files are put into a folder separate from the log files.<\/li><li>Every digest file contains the digital signature of the previous digest file, if one exists.<\/li><li>The signature for the current digest file is in the metadata properties of the digest file&#8217;s S3 object.<\/li><\/ul>\n\n\n\n<p><strong>Sharing CloudTrail Log Files Between AWS Accounts<\/strong><\/p>\n\n\n\n<p>The steps are<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>To share log files with an account, create an IAM role for it.<\/li><li>For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.<\/li><li>An IAM user can assume the required role to retrieve the log files programmatically.<\/li><\/ul>\n\n\n\n<p><strong>CloudTrail Processing Library<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A Java library to process AWS CloudTrail logs.<\/li><li>You provide the details of the CloudTrail SQS queue and the code to process events.<\/li><li>The CloudTrail Processing Library<ul><li>polls the SQS queue<\/li><li>reads and parses queue messages<\/li><li>downloads CloudTrail log files<\/li><li>parses events in the log files<\/li><li>passes events to your code as Java objects.<\/li><\/ul><\/li><li>It is scalable and fault-tolerant.<\/li><li>Handles parallel processing of log files.<\/li><li>Manages network failures like network timeouts or inaccessible resources.<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>It is a web service that records API activity in AWS account. It is enabled on AWS account when created. All activity occurring in AWS account, is recorded in a CloudTrail event.
User can search, download activity of past 90 days from the event history view It logs information on who made a request the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":2474,"menu_order":9,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[7,346],"class_list":["post-3004","page","type-page","status-publish","hentry","category-amazon-aws","tag-aws","tag-cloudtrail"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3004","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/comments?post=3004"}],"version-history":[{"count":5,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3004\/revisions"}],"predecessor-version":[{"id":5127,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3004\/revisions\/5127"}],"up":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/2474"}],"wp:attachment":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/media?parent=3004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/categories?post=3004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/tags?post=3004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}