Kit Wai Chan - Fotolia

Tip

Tracking user activity with AWS CloudTrail

AWS CloudTrail is a Web service that keeps track of AWS API calls in your account and stores logs from multiple accounts and multiple regions in the same S3 bucket. Learn to turn on AWS CloudTrail and to find and read log files.

CloudTrail is a Web service that keeps track of AWS API calls in your account and records them in a log for delivery to your S3 bucket. It also stores logs from multiple accounts and multiple regions in the same S3 bucket.

CloudTrail ensures logging requirements satisfy internal policies and regulatory standards, such as PCI DSS v2.0 and FedRAMP. They include:

  • controls to prevent unauthorized access or modifications to logs
  • controls to ensure access to log records is role-based
  • alerts when logs are created or failed
  • alerts on log misconfigurations

Turning on CloudTrail

There are no charges for turning on CloudTrail for your account. Standard S3 bucket charges apply per usage.

Here's how to turn on CloudTrail in a region for the first time:

  • Open the CloudTrail console.
  • Click Get Started.
  • On the Turn on CloudTrail page, select Yes or No for Create a new S3 bucket?

Note: If you select Yes, CloudTrail creates the bucket in one region for storing your log files and applies the appropriate policy. If you select No, you can specify an existing S3 bucket from a current account or another account with appropriate permissions applied. If you specify a wrong bucket, click the Edit tab at the top to change the bucket's name on the Update CloudTrail page. 

  • Click Advanced.
  • For Log file prefix, add a prefix for your S3 bucket to make log files easier to browse.

Tip: Hover your cursor over view log file location to see where your log files will be stored.

  • Select Yes for Include global services to record API calls from global services such as IAM or AWS Security Token Service.
  • Select Yes or No for Simple Notification Service (SNS) notification for every log file delivery.

Note: You should select No when you use CloudTrail for the first time. Otherwise, you will need to configure SNS.

  • Click Subscribe.

When CloudTrail is turned on in additional regions, you can use the same log file prefix that you used when you turned it on in the first region for your account.

If you are the root user in your account, avoid using root account credentials to perform daily tasks at CloudTrail. A hacker could use your credentials to illegally access the buckets containing the log information.

Instead, create an IAM group with appropriate permissions for IAM users to work with CloudTrail and S3 buckets. As an IAM user of this group you can assign yourself all the administrative tasks including creating trails, reading logs, starting and stopping logging, etc.

Finding your log files

CloudTrail publishes the log file to your bucket in a gzip archive (GNU zip). You should use 7-Zip or any other utility to unzip it.

A complete URL CloudTrail log file name is shown below.

https://s3-us-west-2.amazonaws.com/<bucket_name>/<prefix_name>/AWSLogs/<AccountID>/ CloudTrail/us-west-2/2013/10/25/<AccountID>_CloudTrail_us-west-2_2013-10-25T22: 25Z_ bPlKAoJtDqSWWlTT.json.gz

Below is a list describing each element in the log file.

  • The root URL for the S3 console (s3-us-west-2.amazonaws.com).
  • The bucket name that you specified in your trail (<bucket_name>).
  • The log prefix you specified in your trail (<prefix_name>).
  • The type of file (AWSLogs).
  • The account identification number you used in your trail (<AccountID>).
  • The name of the Amazon Web Service (CloudTrail).
  • The name of the AWS region (us-west-2).
  • The current date in yyyy/mm/dd format (2013/10/25).
  • An alphanumeric string that disambiguates the file from others that cover the same time period. A timestamp (T22:25Z) captures the time of the earliest event in the log file (<AccountID>_CloudTrail_us-west-2_2013-10-25T22:25Z_bPlKAoJtDqSWWlTT.json.gz).

Reading a log file

The following example shows the events in a single log record at the beginning of a log file. The file indicates that IAM user Alice (“userName”) is authorized to call the CloudTrail StartLogging API (“eventName”). Alice has been assigned an access key (“accessKeyId”) to a specific account (“accountId”) and uses the CloudTrail console to start the logging process. 

The call was made on 2013-03-18 at 14 hours, 30 minutes and 7 seconds -- from the user's IP address 72.21.198.64. The userAgent element (“userAgent”) indicates the request was made through the AWS Management Console.

List 1 log file example:

{

        "Records": [{

                "eventVersion": "1.01",

                "userIdentity": {

                        "type": "IAMUser",

                        "principalId": "EX_PRINCIPAL_ID ",

                        "arn": "arn:aws:iam::123456789012:user/Alice",

                        "accountId": "123456789012",

                        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",

                        "userName": "Alice",

                        "sessionContext": {

                                "attributes": {

                                                                                                                                                                                                "creationDate": "2014-03-18T14:29:23Z"

                                }

                        }

                },

                "eventTime": "2014-03-18T14:30:07Z",

                "eventSource": "cloudtrail.amazonaws.com",

                "eventName": "StartLogging",

                "awsRegion": "us-west-2",

                "sourceIPAddress": "72.21.198.64",

                "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",

                "requestParameters": {

                        "name": "Default"

                },

                               

                "responseElements": null,

                "requestID": "cdc73f9d-aea9-11e3-9d5a-835b769c0d9c",

                "eventID": "3074414d-c626-42aa-984b-68ff152d6ab7"

        },

    ... additional entries ...

        ]

Word of caution: Include error code and message to alert you if there is an authorization problem when any user attempts to start logging. For example:

                "errorCode": Unauthorized Operation,

                "errorMessage": "You are not authorized to start logging."

If user Alice receives this message, the administrator of the IAM group should use IAM to ensure this user is granted permission to start and stop logging on as well as reading logs.

In conclusion, go to CloudTrail to check on authorization problems and changes in user behavior patterns.

About the author:
Judith M. Myerson is the former ADP security officer/manager at a naval facility where she led enterprise projects for its materiel management system. Currently a consultant and subject matter expert, she is the author of several books and articles on cloud use, compliance regulations, mobile security, software engineering, systems engineering and risk management. She received her master of science degree in engineering from the University of Pennsylvania and is certified in risk and information system control (CRISC).

Next Steps

Compare Amazon CloudWatch vs. AWS CloudTrail

Dig Deeper on AWS infrastructure