AWS CloudTrail

Category: Monitoring

Know how a flight recorder works? Flight recorders are installed in every aircraft to record everything that happens to the systems during a flight. In case of a disaster, these recorders are retrieved and the records are analyzed to determine the root cause of the disaster. Well, not just in case of disasters, these recorders are also helpful while analyzing normal flights to understand what could go wrong and what can be done in a better way.

When you set up your cloud account and infrastructure, there are so many things that could go wrong – unprecedented things. AWS provides a managed service to record all the activities performed by users, applications, and services in the form of CloudTrail.

CloudTrail enables the recording of all the activities performed over the last 90 days. We can create trails that record activities and store them in a specified Amazon S3 bucket. CloudTrail logs can be used for governance, compliance, and audit of the given AWS account. The logs thus created can be retrieved, analyzed, gain insights and wherever required take appropriate actions.

By default, CloudTrail events are enabled on all AWS regions. Events originating from multiple regions can be stored in the same S3 bucket. Trails can also be created for a specific region. CloudTrail events give you a kind of visibility into your account which is crucial to monitor account activities.

CloudTrail events are classified into 3 types – Management events, Data events, and Insights events. By default, CloudTrail records management events. Account activities performed on the control plane are classified as management events. Configuring security, modifying IAM policies and permissions, changing network settings on VPCs qualify as management events.

Any action which modifies the resource data is called data events. For example, creating or modifying objects on S3, Lambda function executions, etc. are data events. Data events are not enabled by default and enabling them to apply additional choices.

Insights events capture unusual activities on the account. By unusual, they mean anything that is not in line with the trend. A sudden surge in disk space utilization or drop in network bandwidth consumption can be called an unusual event. CloudTrail highlights these events with a starting and ending timestamp, which turns out to be very helpful information for any root cause analysis.

If an AWS account uses AWS Organizations service, where they manage multiple AWS accounts, the CloudTrail logs can be enabled for all the accounts and be recorded in the Amazon S3 bucket. However, the member accounts get only read-only access to the bucket objects. Only the Organisation account can take actions like deleting the logs, creating new Trails, modifying existing trails, etc.

5 trails can be created per region. If a multi-region trail is created, it is counted as one for every region. While creating a Trail, AWS provides us with an option to enable encryption of logs. This is a security measure that can make use of AWS KMS managed keys of customer-managed keys. Additionally, you can also enable the log file validation feature which can ensure the integrity of the file.

Events generated in Trails can also be sent to CloudWatch Logs for monitoring purposes. CloudWatch enables metrics on these events and can easily integrate with AWS SNS to trigger a notification on threshold breach of any kind.

CloudTrail events can be managed via AWS Web console. However, it also offers a RESTful web API and SDKs also support the CloudTrail operations to be performed. The access to CloudTrail trails for the users can be managed via IAM.

Given the nature of CloudTrail, it is used by most of the AWS Services for bookkeeping purposes. Thus there are a lot of integration options where CloudTrail service can be integrated to keep track of events occurring in other services. However, there are still few services with which CloudTrail cannot be integrated.

CloudTrail is not the same as CloudWatch which offers logging capabilities. While CloudWatch is responsible for performance monitoring and metrics, CloudTrail focuses on API activity. Both can be used together to deliver AWS monitoring solutions.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s