AWS CloudTrail

1. Navigate to CloudTrail in the Management Console

  • Log in to the AWS Management Console for the cloudexploration prod account in the us-east-1 region.
  • From the Services menu, select CloudTrail under the Security, Identity, & Compliance section.
  • This will take you to the CloudTrail Dashboard, where you can see an overview of the trails and event history in your account.

2. Basic Configuration and Setup

  • Trails Overview:
    • In the Trails section on the left-hand menu, review the list of CloudTrail trails. This section shows the trails configured in your account and their settings.
  • Trail Details:
    • Click on a specific trail to view its configuration details, such as:
      • Trail Status (enabled or disabled).
      • Log file validation status.
      • S3 bucket used for storing logs.
      • Log file encryption (if using AWS KMS).
      • CloudWatch Logs integration status.
  • Event History:
    • In the left-hand menu, select Event history to view recent API activity within your AWS account. You can filter events based on attributes such as time, resource, and event name.

3. Exploring the AWS Well-Architected Framework Pillars

Operational Excellence Pillar

  • Trail Monitoring:
    • In the Trails section, confirm whether Multi-Region Trail is enabled. This ensures that all activity across your AWS environment is recorded, supporting comprehensive operational monitoring.
  • CloudWatch Integration:
    • Check whether the trail is integrated with CloudWatch Logs. CloudWatch Logs allows you to set up real-time alerts for specific API activities, which is important for operational visibility.
  • Log File Validation:
    • Review the Log file validation status in the trail's details. When enabled, this feature ensures the integrity of the log files, providing assurance that the logs have not been tampered with.

Security Pillar

  • Event History:
    • In the Event history section, explore the logged events for suspicious activities, such as changes to security group rules or access to sensitive resources. This helps identify potential security breaches or misconfigurations.
  • S3 Bucket Encryption:
    • Under the trail details, check if the S3 bucket used for log storage is configured with encryption (either SSE-S3 or SSE-KMS). Encryption at rest is crucial for protecting the log data.
  • IAM Roles and Permissions:
    • While you can't directly modify IAM policies with read-only access, you can review the IAM roles associated with CloudTrail in the AWS IAM Console to ensure they follow the principle of least privilege.
  • CloudTrail Insights:
    • If CloudTrail Insights is enabled, explore the insights to detect unusual activities, such as spikes in resource provisioning or unexpected modifications to key configurations.

Reliability Pillar

  • Multi-Region Trail:
    • In the Trails section, ensure that a Multi-Region Trail is configured. This allows you to capture management events from all regions, enhancing reliability by providing a comprehensive record of activity.
  • Log File Delivery:
    • Check the S3 bucket used for log file delivery to ensure that the bucket is configured with versioning and lifecycle policies. These configurations support the retention and archiving of log data, contributing to reliability.
  • Log Integrity:
    • Confirm that Log file validation is enabled. This supports the reliability of audit data, because any modification to the delivered log files can then be detected.

Cost Optimization Pillar

  • Log Storage:
    • In the trail details, note the S3 bucket where logs are stored. Review the bucket's storage settings (in the S3 Console) to ensure lifecycle policies are in place for moving logs to more cost-effective storage classes (e.g., S3 Glacier) after a certain period.
  • CloudTrail Insights:
    • Check if CloudTrail Insights is enabled. While useful, it can add additional costs. Ensure it’s only enabled for trails where unusual activity monitoring is required to avoid unnecessary expenses.
  • Data Events:
    • Review the Data events settings in the trail details. Tracking data events (e.g., S3 object-level actions) can increase costs. Ensure that data events are enabled only for critical resources to keep costs under control.
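The trail-level checks from the Operational Excellence, Security, Reliability and Cost Optimization pillars above can be run in one pass against the fields that the CloudTrail API returns. This is an added example, not part of the original page: the trail name, bucket name and sample values are constructed, the dict mirrors what boto3's describe_trails(), get_trail_status(), get_event_selectors() and get_insight_selectors() return, and fetch_trail() only needs read-only permissions.

```python
from typing import Dict, List
# Constructed sample merging the four describe calls for one trail (names are hypothetical).
SAMPLE_TRAIL = {
    "Name": "example-trail",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": True,
    "S3BucketName": "example-cloudtrail-bucket",
    "KmsKeyId": None,                    # no SSE-KMS key set on the trail
    "CloudWatchLogsLogGroupArn": None,   # no CloudWatch Logs integration
    "IsLogging": True,                   # from get_trail_status()
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                        "DataResources": [{"Type": "AWS::S3::Object",
                                           "Values": ["arn:aws:s3"]}]}],
    "InsightSelectors": [],              # from get_insight_selectors()
}

def assess_trail(trail: Dict) -> List[str]:
    """Return one 'Pillar: finding' string per failed check; an empty list means all passed."""
    findings = []
    if not trail.get("IsLogging"):
        findings.append("Operational Excellence: trail is not currently logging")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("Operational Excellence: no CloudWatch Logs integration")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("Reliability: single-region trail; enable Multi-Region Trail")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("Reliability: log file validation is disabled")
    if not trail.get("KmsKeyId"):
        findings.append("Security: no SSE-KMS key on the trail; confirm bucket default encryption")
    # Cost: a bare "arn:aws:s3" value logs data events for every S3 object in the account
    for sel in trail.get("EventSelectors", []):
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object" and "arn:aws:s3" in res.get("Values", []):
                findings.append("Cost Optimization: S3 data events enabled for all buckets")
    if trail.get("InsightSelectors"):
        findings.append("Cost Optimization: Insights enabled; confirm this trail needs it")
    return findings

def fetch_trail(name: str) -> Dict:
    """Build the same dict from a live account using read-only calls (boto3 imported lazily)."""
    import boto3
    ct = boto3.client("cloudtrail")
    trail = ct.describe_trails(trailNameList=[name])["trailList"][0]
    trail["IsLogging"] = ct.get_trail_status(Name=name)["IsLogging"]
    trail["EventSelectors"] = ct.get_event_selectors(TrailName=name).get("EventSelectors", [])
    try:
        trail["InsightSelectors"] = ct.get_insight_selectors(TrailName=name)["InsightSelectors"]
    except ct.exceptions.InsightNotEnabledException:
        trail["InsightSelectors"] = []
    return trail
```

Run `assess_trail(fetch_trail("your-trail-name"))` with the read-only credentials from step 1 to get the same findings for a real trail.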

Performance Efficiency Pillar

  • Event Filtering:
    • In the Event history section, use filters to search for specific events based on attributes like Event name, Resource, or Event source. Efficient filtering supports quick identification of relevant events, aiding in performance monitoring and troubleshooting.
  • Log Analysis:
    • If CloudWatch Logs integration is enabled, use CloudWatch Logs Insights to analyze log data efficiently. This provides actionable insights to optimize the performance of your AWS environment.
  • Log Delivery Speed:
    • Monitor the Log delivery time (visible in the Event history timestamps) to ensure that log events are being captured and delivered promptly. Timely logging supports responsive performance monitoring.
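The Event history review in the Security pillar (security group rule changes, unexpected changes to key configurations) and the Log Analysis step above can be automated against the log files CloudTrail delivers to S3. This is an added example, not code from the original page: the records are constructed samples using the real CloudTrail JSON field names, and the user, group and trail names are hypothetical.

```python
import json
from typing import Dict, List
# Event names worth a closer look: security group rule changes and trail tampering.
SG_RULE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                  "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample in the shape of a delivered CloudTrail log file (not from any account).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"},
     "requestParameters": {"name": "example-trail"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "example-user"}},
]})

def opens_to_world(params: Dict) -> bool:
    """True if any rule in requestParameters allows 0.0.0.0/0 or ::/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", {}).get("items", [])):
            return True
    return False

def find_suspicious(log_json: str) -> List[Dict]:
    """Return a finding per record matching the watched event names, in file order."""
    findings = []
    for rec in json.loads(log_json).get("Records", []):
        name, reason = rec.get("eventName", ""), None
        if name in TRAIL_TAMPER_EVENTS:
            reason = "CloudTrail configuration changed or logging stopped"
        elif name in SG_RULE_EVENTS:
            reason = "security group rule changed"
            if opens_to_world(rec.get("requestParameters") or {}):
                reason += " (rule open to the world)"
        if reason:
            findings.append({"time": rec.get("eventTime"), "event": name, "reason": reason,
                             "user": rec.get("userIdentity", {}).get("userName"),
                             "source_ip": rec.get("sourceIPAddress")})
    return findings
```

The same event-name filters can be typed into the Event history page or a CloudWatch Logs Insights query once the trail is integrated with CloudWatch Logs.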

4. Additional Explorations

  • AWS Config and Security Hub:
    • If AWS Config and Security Hub are enabled in your environment, navigate to these services to review compliance rules and security findings related to CloudTrail. This helps ensure that your CloudTrail setup aligns with security and compliance best practices.
  • S3 Storage Review:
    • Visit the S3 Console and locate the bucket used for CloudTrail logs. Check for lifecycle policies that transition older log files to cost-effective storage options like S3 Glacier or delete logs after a set retention period.