AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013


Published on

Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.

Published in: Technology
  • Be the first to comment

AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Invent 2013

  1. 1. Turn on AWS CloudTrail: Gain visibility into API activity in your account Sivakanth Mundru November 14, 2013 © 2013, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of, Inc.
  2. 2. Agenda • AWS customer feedback • Introducing AWS CloudTrail • Demo: Turn on CloudTrail • Information in a recorded API call & Partner Demos • Advanced Features • Q&A
  3. 3. You asked us to • Record which users in your account made changes to your AWS resources such as EC2 instances, EC2 and VPC security groups, and more. • Create an archive of all user activity to meet your internal and external compliance standards. • Add the ability to view all user activity, i.e., API calls executed.
  4. 4. Introducing AWS CloudTrail You are making API calls... Image Source: AWS On a growing set of services around the world.. CloudTrail is continuously recording API calls… And delivering log files to you…
  5. 5. Use Cases Enabled by CloudTrail • Security Analysis  Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns. • Track Changes to AWS Resources  Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups, and Amazon EBS volumes. • Troubleshoot Operational Issues  Quickly identify the most recent changes made to resources in your environment. • Compliance Aid  Easier to demonstrate compliance with internal policies and regulatory standards.
  6. 6. What is AWS CloudTrail? • CloudTrail records API calls in your account and delivers a log file to your S3 bucket. • Typically, delivers an event within 15 minutes of the API call. • Log files are delivered approximately every 5 minutes. • Multiple partners offer integrated solutions to analyze log files. Image Source: Jeff Barr
  7. 7. AWS Services Supported by CloudTrail • Currently, records API calls made to these AWS services. Amazon EC2 Amazon Redshift AWS IAM Amazon EBS Amazon VPC AWS STS Amazon RDS AWS CloudTrail (Security Token Service) • Includes API calls made by higher-level AWS services such as AWS CloudFormation, AWS Elastic Beanstalk, and AWS OpsWorks
  8. 8. What is NOT recorded? • State transitions of AWS resources Example: An EC2 instance transitioning from pending to a running state. • Allowed or denied traffic information for VPC security groups and ACL’s. • Successful and failed AWS Management Console sign-in events.
  9. 9. AWS CloudTrail Regional Availability • Available in us-east (Northern Virginia) and us-west (Oregon) regions today. • You turn on CloudTrail on a per region basis. • Events for global services will be delivered in both regions. Image Source: Internet
  10. 10. Partner CloudTrail Solutions
  11. 11. Information in a recorded API call (JSON format) • Who made the API call? • When was the API call made? • What was the API call? • What were the resources that were acted up on in the API call? • Where was the API call made from?
  12. 12. Who made the API call? • Records detailed information for all AWS identity types     Root user IAM user Federated user Role • Information includes       Friendly user name AWS AccessKeyId 12 digit AWS account number Amazon Resource Name (ARN) Session context and issuer information, if applicable invokedBy section identifies the AWS service making request on behalf of the user
  13. 13. Who? Example 1: IAM user Bob making an API call "userIdentity": { "accessKeyId": "AKEXAMPLE123EJVA", "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:user/Bob", "principalId": "AIEXAMPLE987ZKLALD3HS", "type": "IAMUser", "userName": "Bob" } Anonymized data
  14. 14. Who? Example 2: Federated user Alice making an API call "userIdentity":{ "type":"FederatedUser", "principalId":"123456789012:Alice", "arn":"arn:aws:sts::123456789012:federated-user/Alice", "accountId":"123456789012", "accessKeyId":"ASEXAMPLE1234WTROX8F", "sessionIssuer":{ "type":"IAMUser", "accountId":"123456789012", "userName": "Bob" } } Anonymized data; Partial Output
  15. 15. Who? Example 3: AWS service calling on behalf of a user • Elastic Beanstalk creating AWS resources on behalf of IAM user Bob "userIdentity": { "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:user/Bob", "invokedBy":"", "principalId": "ASEXAMPLE123XWTROX8F ", "type": "IAMUser", "userName": "Bob" } Anonymized data
  16. 16. When was the API call made? • Time and date of the event in ISO 8601 format • Unambiguous and well-defined method of representing date and time • AWS services sync all system clocks with centralized Network Time Protocol (NTP) servers "eventTime": "2013-10-23T23:30:42Z"
  17. 17. What was the API call? What resources were acted up on? • API call and the service the API call belongs to "eventName": "RunInstances" "eventSource": "EC2" • Request parameters provided by the requester and Response elements returned by the AWS service • Response elements for read-only API calls (Describe*, Get*, List*) are not recorded to prevent event size inflation
  18. 18. Where was the API call made from? • Apparent IP address of the requester making the API call. • Records the apparent IP address of the requester when making API calls from AWS Management Console. • AWS region to which the API call was made. Global services (Examples: IAM/STS) will be recorded as us-east-1. "sourceIPAddress": "", "awsRegion": "us-east-1",
  19. 19. Errors and Authorization Failures • Detailed and Descriptive error codes and error messages, recorded only when errors occur. Examples  Client error code: TagLimitExceeded  Server error code: Internal Error  Authorization failure: UnauthorizedOperation • Authorization Failure Example "eventName": "TerminateInstances", "errorCode": "UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation"
  20. 20. Regulatory standards aided by AWS CloudTrail • Helps you meet the logging requirements specified in PCI Data Security Standard V1 (PCI DSS V1) FedRAMP: US government program for federal agencies International Organization for Standardization (ISO) 27001 standard Service Organization for Controls 2 (SOC2) • For more details, Please refer to "Security at Scale: Logging in AWS" whitepaper on AWS compliance website. Image Source: AWS Compliance Website
  21. 21. SNS Notifications for log file delivery • Optionally, CloudTrail will publish SNS notification of each new log file. • Notifications contain the address of the log file delivered to your S3 bucket and allow you to take immediate action. • Does not require you to continuously poll S3 to check whether new log files were delivered • Multiple subscribers can subscribe to the same SNS topic and retrieve the log files for analysis.
  22. 22. Descriptive S3 folder structure and detailed log file name • Default descriptive folder structure makes it easier to store log files from multiple accounts and regions in the same S3 bucket. • Detailed log file name helps identify the contents of the log file, regardless of where they are stored. • Unique identifier in the file name prevents overwriting log files.
  23. 23. Aggregate logs from multiple regions into one S3 bucket • Create a bucket in the first region where you turn on CloudTrail. • Specify the same bucket as the destination in the second region. • CloudTrail will deliver logs from multiple regions to the same bucket.
  24. 24. Aggregate log files from multiple accounts into one S3 bucket 1. Turn on CloudTrail for 111111111111 Services supported by CloudTrail 3. Turn on CloudTrail for 222222222222 Services supported by CloudTrail Account 222222222222 4. Turn on CloudTrail for 333333333333 Bucket “foo” in account 111111111111 Services supported by CloudTrail 2. Update “foo” bucket policy “arn:aws:s3:::foo/KBJInc/AWSLogs/222222222222/*”, “arn:aws:s3:::foo/KBJInc/AWSLogs/333333333333/*” Account 333333333333
  25. 25. How much does AWS CloudTrail cost? • There are no charges for turning on CloudTrail for your account. • Standard S3 and SNS charges will apply as per your usage.
  26. 26. Want to learn more about CloudTrail and Partners? • Come meet the CloudTrail team (Deployment and Management Booth) and partners Partner Booth Relevant Session 2nd Watch #715 Nov 13, 3:00pm, Titian 2306: DMG209 - Enterprise Management for the AWS AlertLogic #314 Nov 14, 4:15pm, Veronese 2504: SEC308 - Auto Scaling Web Application Security in AWS Boundary #1020 Cognizant #500 Datapipe #713 Foghorn #530 Loggly #821 Smartronix #809 Splunk #925 Stackdriver #315 Nov 14, 3:00pm, Veronese 2504: ARC210- DevOps Nirvana:Seven Steps to a Peaceful Life on AWS Sumologic #117 Nov 13, 3:00pm, San Polo 3501 A: BDT401 - Using AWS to Build a Scalable Big Machine Data Management and Processing Service Nov 14, 4:15 pm, Titian 2306: ENT222 - Enterprise Transformation through Cognizant’s XaaS fabric on AWS Nov 15, 1:30pm, Delfino 4003: ARC303 - Unmeltable Infrastructure at Scale: Using Apache Kafka, Twitter Storm, and Elastic Search on AWS
  27. 27. Thank you and Q&A
  28. 28. We are sincerely eager to hear your feedback on this presentation and on re:Invent. SEC207 Please fill out an evaluation form when you have a chance.