
AWS July Webinar Series - Troubleshooting Operational and Security Issues in Your AWS Account using CloudTrail


AWS CloudTrail is an essential tool for troubleshooting operational issues and investigating security incidents. CloudTrail provides detailed information about the API activity in your AWS account, including who made an API call, from where, and which resources they acted on.

This webinar will help you understand the features of CloudTrail and how to use them to gain maximum visibility into your AWS resources.

Learning Objectives:

Learn how to receive email notifications for specific API activity
Learn how to troubleshoot operational and security incidents in your AWS account
Learn how to turn on CloudTrail and receive a history of log files to an S3 bucket you specify

Slide 1: © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sivakanth Mundru, AWS CloudTrail, 07-29-2015
Deep Dive: Troubleshooting Operational and Security Issues in Your AWS Account Using CloudTrail

Slide 2: Agenda
• CloudTrail Overview
• Getting Started
• CloudTrail Lookup
• Receive email notifications of specific API activity
• Partner solutions integrated with CloudTrail
• Q & A

Slide 3: CloudTrail Overview

Slide 4: CloudTrail Overview
Customers are making API calls on a growing set of services around the world. CloudTrail is continuously recording those API calls and delivering log files to customers.

Slide 5: Use cases enabled by CloudTrail
• Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
• Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot Operational Issues: quickly identify the most recent changes made to resources in your environment.
• Compliance Aid: makes it easier to demonstrate compliance with internal policies and regulatory standards.
Reference: "Security at Scale: Logging in AWS" white paper.

Slide 6: What's in a CloudTrail event?
• Who made the API call?
• When was the API call made?
• What was the API call?
• Which resources were acted upon in the API call?
• Where was the API call made from?
Reference: CloudTrail event reference.

Slide 7: CloudTrail availability and more
• Available in all AWS regions, including the US GovCloud and Beijing, China regions
• Supports 42 AWS services
• Records API activity made using the SDKs, the CLI or the AWS console
• Typically delivers log files containing events to your S3 bucket in less than 10 minutes
• Aggregate log files from multiple accounts into a single S3 bucket (more on aggregating log files across accounts and regions in the documentation)

Slide 8: Setting up the S3 bucket policy for aggregation
• Partial S3 bucket policy (the PutObject statement):
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
    "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
• If you have 3 accounts, add three lines, one per account, to the Resource list of the bucket policy:
    "Resource": [
      "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/111111111111/*",
      "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/222222222222/*",
      "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/333333333333/*"
    ]
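The multi-account bucket policy sketched on slide 8, generated for any number of accounts, as an added Python example (not from the webinar). Bucket name, prefix and account IDs are placeholders; the GetBucketAcl statement is the standard companion of the PutObject statement shown above, since CloudTrail checks the bucket ACL before delivering.

```python
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def cloudtrail_bucket_policy(bucket, account_ids, prefix=None):
    """Return the bucket policy that lets CloudTrail deliver logs from
    several accounts into one bucket.

    Each account gets its own object ARN under AWSLogs/<account>/, so one
    account's trail cannot write into another account's prefix. The slide
    shows three "Resource" lines; in valid JSON they become one Resource list.
    """
    for acct in account_ids:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    path = f"{bucket_arn}/{prefix.strip('/')}" if prefix else bucket_arn
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail checks the bucket ACL before it writes
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {   # Write is scoped to each account's own AWSLogs prefix and must
                # hand the bucket owner full control of the delivered objects
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": [f"{path}/AWSLogs/{acct}/*" for acct in account_ids],
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }

if __name__ == "__main__":
    # Placeholder bucket and account ids, constructed for this example
    policy = cloudtrail_bucket_policy(
        "myBucketName", ["111111111111", "222222222222", "333333333333"],
        prefix="cloudtrail")
    print(json.dumps(policy, indent=2))
```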
Slide 9: Getting Started

Slide 10: Turn on CloudTrail using the AWS CloudTrail Console (AWS CloudTrail Console Home)

Slide 11: Turn on CloudTrail in all regions using the AWS CLI
    # Create trails and start logging in all AWS standard regions with the AWS CLI and Linux.
    CLOUDTRAIL_S3_BUCKET="yourbucket"
    PROFILE="timbuktu"
    REGION_FOR_GLOBAL_EVENTS="us-east-1"
    regionlist=($(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text))
    for region in "${regionlist[@]}"
    do
      if [ "$region" = "$REGION_FOR_GLOBAL_EVENTS" ]
      then
        # Only one trail records global-service events (IAM, STS, ...),
        # otherwise they would be duplicated in every region's log files.
        aws --profile "$PROFILE" --region "$region" cloudtrail create-trail \
          --name "$region" --s3-bucket-name "$CLOUDTRAIL_S3_BUCKET" \
          --include-global-service-events --output table
        aws --profile "$PROFILE" --region "$region" cloudtrail start-logging \
          --name "$region" --output table
      else
        aws --profile "$PROFILE" --region "$region" cloudtrail create-trail \
          --name "$region" --s3-bucket-name "$CLOUDTRAIL_S3_BUCKET" \
          --no-include-global-service-events --output table
        aws --profile "$PROFILE" --region "$region" cloudtrail start-logging \
          --name "$region" --output table
      fi
    done

Slide 12: CloudTrail CLI Demo

Slide 13: CloudTrail Lookup Events feature
• Troubleshoot operational and security issues related to your AWS account
• Look up CloudTrail events related to creation, deletion and modification of AWS resources
• Look up events for the last 7 days
• Filter events using one of six different filters:
  - Time range
  - User name
  - Resource name
  - Resource type
  - Event name
  - Event ID

Slide 14: CloudTrail Lookup Events feature

Slide 15: Demo: Look up CloudTrail events in the console (AWS CloudTrail Console Home)

Slide 16: Look up events using the AWS CLI
• List all events for the last 7 days:
    aws cloudtrail lookup-events --output json
• List all events where the user name is root:
    aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root --output json
• List all events where the resource type is EC2 instance:
    aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::Instance --output json

Slide 17: Receive email notifications of specific API activity

Slide 18: Receive email notifications of specific API activity
Why?
• Monitor for any patterns in the CloudTrail events
• You want to take immediate action when specific events occur
What do you need to do?
• Configure CloudTrail events to be delivered to CloudWatch Logs
• Configure CloudWatch Alarms for specific events or API activity

Slide 19: Which events should I monitor for?
• Monitor security and network related events. Examples:
  1. Creation, deletion and modification of security groups and VPCs
  2. Changes to IAM policies
  3. Failed console sign-in events
  4. API calls that resulted in authorization failures
• Monitor events related to specific resources or resource types. Examples:
  1. Launching, terminating, stopping, starting and rebooting EC2 instances
  2. Creating 4X or 8X large EC2 instances

Slide 20: Configuring CloudWatch Alarms for CloudTrail events
• To get started, use the CloudFormation template with 10 pre-defined alarms; it includes the examples on the previous slide
• The CloudFormation template is available via the CloudTrail documentation page
• Create 10 CloudWatch alarms to monitor API activity related to network and security events in less than 5 minutes
• Receive email notifications when those events occur in your AWS account
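The event categories from slide 19, evaluated over a constructed CloudTrail log file, as an added Python example (not the webinar's code and not its CloudFormation template). The event-name sets are a starting point rather than an exhaustive list, and the SAMPLE_LOG records are constructed and trimmed to the fields the rules inspect; the same predicates are what a CloudWatch Logs metric filter on the delivered events would express.

```python
import json

SG_VPC_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                 "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                 "CreateSecurityGroup", "DeleteSecurityGroup", "CreateVpc", "DeleteVpc"}
IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "CreatePolicy",
                     "DeletePolicy", "AttachUserPolicy", "AttachRolePolicy"}
EC2_STATE_EVENTS = {"RunInstances", "TerminateInstances", "StopInstances",
                    "StartInstances", "RebootInstances"}
LARGE_SIZES = ("4xlarge", "8xlarge")  # slide 19: "4X or 8X large" instances

def rule_hits(rec):
    """Return the names of the monitoring rules one CloudTrail record matches."""
    hits = []
    name = rec.get("eventName", "")
    if name in SG_VPC_EVENTS:
        hits.append("security-group-or-vpc-change")
    if name in IAM_POLICY_EVENTS:
        hits.append("iam-policy-change")
    # A failed console sign-in is a ConsoleLogin event whose response says Failure
    if name == "ConsoleLogin" and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        hits.append("console-signin-failure")
    # Authorization failures are flagged by errorCode, not by a separate event name
    if rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        hits.append("authorization-failure")
    if name in EC2_STATE_EVENTS:
        hits.append("ec2-instance-state-change")
    itype = (rec.get("requestParameters") or {}).get("instanceType", "")
    if name == "RunInstances" and itype.endswith(LARGE_SIZES):
        hits.append("large-ec2-launch")
    return hits

def scan_log_file(text):
    """Parse a CloudTrail log file ({"Records": [...]}) into [(eventID, [rules])]."""
    out = []
    for rec in json.loads(text)["Records"]:
        hits = rule_hits(rec)
        if hits:
            out.append((rec["eventID"], hits))
    return out

# Constructed sample log file, trimmed to the fields the rules look at.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "AuthorizeSecurityGroupIngress"},
    {"eventID": "e2", "eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e3", "eventName": "RunInstances", "errorCode": "UnauthorizedOperation",
     "requestParameters": {"instanceType": "c4.8xlarge"}},
    {"eventID": "e4", "eventName": "DescribeInstances"},
]})
```

Run `scan_log_file(SAMPLE_LOG)` to see that e1, e2 and e3 each trigger at least one rule while the read-only DescribeInstances call (e4) does not.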
Slide 21: Demo: CloudTrail integration with CloudWatch

Slide 22: What does the email notification look like?

Slide 23: Partner Solutions Integrated with CloudTrail

Slide 24: AWS Technology Partner solutions integrated with CloudTrail

Slide 25: AWS Consulting Partner solutions integrated with CloudTrail

Slide 26: Thank you! Questions and Answers