A crucial part of managing an AWS environment is tracking and logging all activity performed in our AWS accounts. AWS CloudTrail is the AWS service built for this purpose.
You must have a working AWS account with permissions for AWS CloudTrail and Amazon S3 to follow this Answer, and you must have generated AWS access keys for that account.
AWS CloudTrail is an AWS service that records activity in our AWS account. Specifically, CloudTrail captures and logs the API calls made in the account, including who made each call, when it was made, and which resources were affected.
By enabling CloudTrail logging, we gain visibility into our account activity, which helps with security monitoring, compliance, and troubleshooting. The records CloudTrail keeps in Event history are immutable, which matters for auditing. Log files that a trail delivers to an S3 bucket, by contrast, are ordinary S3 objects: anyone with write access to the bucket can alter or delete them. For audit use, a trail should therefore have log file validation enabled (CloudTrail then publishes signed digest files that let us detect modified or deleted log files) and the bucket should be locked down to the CloudTrail service and the auditors who read it.
The CloudTrail service itself is extensive and offers several ways of logging for auditing and compliance. The two most common are CloudTrail Event history and CloudTrail trails.
By default, CloudTrail is already enabled for every AWS account in the form of CloudTrail Event history, a free feature that lets us view, search, and download the account’s immutable management-event activity for the most recent 90 days.
With CloudTrail Event history, we can specify neither which events are recorded nor for how long: it always records management events (control-plane calls such as creating an IAM user or an S3 bucket), never data events such as individual S3 object reads, and it keeps them for only the most recent 90 days.
To access the CloudTrail Event history dashboard, follow the steps below:
Navigate to the “CloudTrail” service in the AWS Management Console.
Open the left navigation pane and click “Event history”.
Recorded events appear in the “Event history” list, and the filters on this page (for example, by event name, user name, or resource type) let us narrow the results.
CloudTrail trails let us configure which events to record and where to store them. For example, CloudTrail Event history logs only management events and keeps them for only 90 days; to record data events as well, or to keep the logs in long-term storage such as an S3 bucket, we configure a CloudTrail trail.
A trail can be scoped to a single region, to all regions, or, as an organization trail, to every account in an AWS Organization, and its event selectors can restrict logging to specific event categories or resources. The recorded events are delivered to an Amazon S3 bucket as gzipped JSON log files, each holding a list of event records under a “Records” key.
Note: To learn more about the AWS S3 service, follow the “What is Amazon S3, and how is it used?” Answer.
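As an added example (not part of the original Answer), here is a small Python script that reads one such log object from a trail's S3 prefix and turns its records into the who/when/what view described above, then flags the API calls that would tamper with logging itself. The record layout follows the documented CloudTrail event format; the sample records, account IDs and IP addresses are constructed for the example, and the list of tampering events is this example's own choice, not a CloudTrail feature.

```python
"""Parse a CloudTrail log file and pull out who, when and what.

Added example, not from the original Answer. CloudTrail delivers trail
logs to S3 as gzipped JSON objects (under
AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/) whose top-level
key is "Records"; the record fields used here are from the documented
CloudTrail record format. The sample records below are constructed and
do not come from a real account.
"""
import gzip
import json

# Constructed sample: one small log object as downloaded from the bucket.
SAMPLE_LOG = {
    "Records": [
        {"eventVersion": "1.08",
         "userIdentity": {"type": "IAMUser", "userName": "alice",
                          "arn": "arn:aws:iam::111122223333:user/alice"},
         "eventTime": "2024-01-15T10:02:11Z", "eventSource": "iam.amazonaws.com",
         "eventName": "CreateUser", "awsRegion": "us-east-1",
         "sourceIPAddress": "203.0.113.10",
         "requestParameters": {"userName": "deploy-bot"}, "readOnly": False},
        {"eventVersion": "1.08",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
         "eventTime": "2024-01-15T10:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
         "eventName": "StopLogging", "awsRegion": "us-east-1",
         "sourceIPAddress": "198.51.100.7",
         "requestParameters": {"name": "cli-cloudtrail-trail"}, "readOnly": False},
        {"eventVersion": "1.08",
         "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"},
         "eventTime": "2024-01-15T10:06:00Z", "eventSource": "s3.amazonaws.com",
         "eventName": "GetBucketAcl", "awsRegion": "us-east-1",
         "sourceIPAddress": "cloudtrail.amazonaws.com",
         "requestParameters": {"bucketName": "cli-s3-bucket-randomtext"}, "readOnly": True},
    ]
}
SAMPLE_LOG_JSON = json.dumps(SAMPLE_LOG).encode()
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG_JSON)   # as CloudTrail delivers it

# API calls that weaken or silence the audit trail itself (this example's
# own list). Any of these outside a planned change deserves an alert.
LOGGING_TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "s3.amazonaws.com": {"DeleteBucket", "PutBucketPolicy", "DeleteBucketPolicy",
                         "PutBucketLifecycle"},
}


def load_records(data: bytes) -> list:
    """Return the Records list from a raw log object, gzipped or plain."""
    if data[:2] == b"\x1f\x8b":            # gzip magic bytes
        data = gzip.decompress(data)
    return json.loads(data)["Records"]


def actor(record: dict) -> str:
    """Best-effort 'who': the ARN when present, else invokedBy, else type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown")


def summarize(record: dict) -> str:
    """One line per event: when, who, what, where, and from which address."""
    service = record["eventSource"].split(".")[0]
    return (f"{record['eventTime']} {actor(record)} {service}:{record['eventName']} "
            f"region={record['awsRegion']} ip={record['sourceIPAddress']}")


def find_tampering(records: list) -> list:
    """Return the records whose API call can disable or alter logging."""
    return [r for r in records
            if r["eventName"] in LOGGING_TAMPER_EVENTS.get(r["eventSource"], set())]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_GZ)
    for r in recs:
        print(summarize(r))
    for r in find_tampering(recs):
        print("ALERT logging tampered:", summarize(r))
```

In a real deployment, `load_records` would be fed the bytes of each object listed under the trail's prefix; the third sample record shows why `actor` falls back to `invokedBy`: calls made by an AWS service on our behalf carry no ARN.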
To enable CloudTrail logging, follow the steps below to create a CloudTrail trail that records all management events and saves them as log files in an S3 bucket for long-term storage:
Navigate to the “CloudTrail” service in the AWS Management Console.
Click “Dashboard” in the left navigation pane and then click the “Create trail” button.
Write console-cloudtrail-trail in the “Trail name” field.
Select the “Create new S3 bucket” option and write console-s3-bucket-<randomtext> in the “Trail log bucket and folder” field.
Note: Make sure to replace <randomtext> with a unique string, because S3 bucket names must be unique across all of AWS.
For this walkthrough, uncheck the “Enabled” option under the “Log file SSE-KMS encryption” label. The log files are then still encrypted at rest with the S3-managed default (SSE-S3), but reading them requires only S3 permissions; in production, keep SSE-KMS enabled so that access to the logs also requires access to the KMS key. Leave “Log file validation” enabled under “Additional settings” so CloudTrail produces the digest files that let us detect altered or deleted log files.
Click “Next” to go to the next section.
Leave the defaults in the “Choose log events” section (management events, both read and write) and click “Next” to go to the “Review and create” section.
Click the “Create trail” button. The console starts logging for the new trail immediately.
Follow these steps to create a CloudTrail trail using the AWS CLI:
Configure the AWS CLI: We’ll use the following aws configure set
commands to configure the AWS CLI in our environment with our AWS access keys and AWS region. The region we set here is the region the trail is created in (its home region).
aws configure set aws_access_key_id $aws_access_key_id && aws configure set aws_secret_access_key $aws_secret_access_key && aws configure set default.region $aws_region
Create an S3 bucket: We’ll use the following aws s3api create-bucket
command to create an S3 bucket. The bucket name is provided to the --bucket
parameter. In any region other than us-east-1, the command also needs --create-bucket-configuration LocationConstraint=<region>, where <region> is the region configured above.
aws s3api create-bucket --bucket cli-s3-bucket-randomtext
Note: Make sure to replace randomtext with a unique string, because S3 bucket names must be unique across all of AWS.
Put S3 bucket policy: The put-bucket-policy
command below attaches a bucket policy that lets the CloudTrail service deliver log files to our bucket and nothing more: s3:GetBucketAcl on the bucket itself (CloudTrail checks the bucket ACL before it starts writing) and s3:PutObject only under the AWSLogs/<account-id>/ prefix, and only when the object is written with the bucket-owner-full-control ACL. This is the least-privilege grant AWS documents for a CloudTrail delivery bucket; broader grants such as s3:GetObject or s3:PutObjectAcl are not needed and would let the CloudTrail service principal read or re-ACL objects it should only write. The inline policy is provided to the --policy
parameter. Replace the randomtext placeholder in the --bucket argument and in both Resource ARNs with the string you used when creating the bucket, and <account-id> with your 12-digit AWS account ID, before executing it in the terminal.
aws s3api put-bucket-policy --bucket cli-s3-bucket-randomtext --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::cli-s3-bucket-randomtext"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cli-s3-bucket-randomtext/AWSLogs/<account-id>/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
    }
  ]
}'
Note: To also stop a trail in another account from being pointed at this bucket (the confused-deputy case), add an aws:SourceArn condition naming the trail ARN to both statements once the trail exists.
Create a CloudTrail trail: We’ll use the following aws cloudtrail create-trail
command to create a CloudTrail trail. The trail name is provided to the --name
parameter, and the S3 bucket name is provided to the --s3-bucket-name
parameter. Two points matter for audit use. First, create-trail only defines the trail and does not start recording, so run aws cloudtrail start-logging with the same --name afterwards (the console’s “Create trail” button does this for you). Second, without further flags the trail covers only its home region and has log file validation off; for a production trail add --is-multi-region-trail and --enable-log-file-validation.
aws cloudtrail create-trail --name cli-cloudtrail-trail --s3-bucket-name cli-s3-bucket-randomtext
Note: Make sure to replace randomtext with the unique string you used when creating the S3 bucket.
Fetch and verify CloudTrail trail creation: We’ll use the following aws cloudtrail get-trail
command to fetch the CloudTrail trail we created. The trail name is provided to the --name
parameter. The output describes the trail’s configuration only; aws cloudtrail get-trail-status with the same --name reports whether the trail is actually recording (IsLogging) and when it last delivered a log file.
aws cloudtrail get-trail --name cli-cloudtrail-trail
Run each of the commands above, in order, in a terminal with the AWS CLI installed, supplying your AWS account’s access keys for the aws_access_key_id and aws_secret_access_key values and your region for aws_region.
After the commands succeed, the get-trail command returns a response similar to the following for the trail we just created from the CLI:
{
  "Trail": {
    "Name": "cli-cloudtrail-trail",
    "S3BucketName": "cli-s3-bucket-randomtext",
    "IncludeGlobalServiceEvents": true,
    "IsMultiRegionTrail": false,
    "HomeRegion": "us-east-1",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:363246301566:trail/cli-cloudtrail-trail",
    "LogFileValidationEnabled": false,
    "HasCustomEventSelectors": false,
    "HasInsightSelectors": false,
    "IsOrganizationTrail": false
  }
}
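As an added example (not part of the original Answer), the following Python script audits that output: it reads the get-trail JSON above together with the output of aws cloudtrail get-trail-status and aws s3api get-bucket-policy and reports the gaps a reviewer would flag before trusting the trail for audit purposes. The field names are those of the real CLI output; the STATUS dict and both bucket policies are constructed for the example, and the findings text is this example's own wording.

```python
"""Audit a trail's configuration and its delivery bucket's policy.

Added example, not part of the original Answer. It runs offline on the
JSON that `aws cloudtrail get-trail`, `aws cloudtrail get-trail-status`
and `aws s3api get-bucket-policy` print (field names are those of the
real CLI output). TRAIL is the sample get-trail output shown above;
STATUS and both policies are constructed for this example.
"""

TRAIL = {
    "Name": "cli-cloudtrail-trail",
    "S3BucketName": "cli-s3-bucket-randomtext",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": False,
    "HomeRegion": "us-east-1",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:363246301566:trail/cli-cloudtrail-trail",
    "LogFileValidationEnabled": False,
    "HasCustomEventSelectors": False,
    "HasInsightSelectors": False,
    "IsOrganizationTrail": False,
}

# Constructed: get-trail-status for a trail created with create-trail
# but never passed to start-logging.
STATUS = {"IsLogging": False}

BUCKET = "cli-s3-bucket-randomtext"
CT = {"Service": "cloudtrail.amazonaws.com"}

# Constructed: an over-broad grant of the kind often pasted from examples.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": CT,
     "Action": ["s3:GetObject", "s3:GetBucketAcl", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

# The least-privilege shape AWS documents for a CloudTrail delivery bucket
# (<account-id> is a placeholder for the 12-digit account ID).
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": CT, "Action": "s3:GetBucketAcl",
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Principal": CT, "Action": "s3:PutObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/<account-id>/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}

# Everything CloudTrail needs on the bucket; anything beyond this is excess.
NEEDED_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trail(trail: dict, status: dict = None) -> list:
    """Return hardening gaps in a trail as short finding strings."""
    findings = []
    if status is not None and not status.get("IsLogging", False):
        findings.append("trail is not logging (create-trail does not start it)")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: altered or deleted logs go unnoticed")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: activity in other regions is not recorded")
    if not trail.get("IncludeGlobalServiceEvents", True):
        findings.append("global service events (IAM, STS) are excluded")
    if not trail.get("KmsKeyId"):
        findings.append("no SSE-KMS key: reading logs needs only S3 permissions")
    return findings


def audit_bucket_policy(policy: dict, bucket: str) -> list:
    """Flag Allow statements that give CloudTrail more than delivery needs."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("statement allows any principal")
            continue
        if principal != CT:
            continue  # grants to other principals are out of scope here
        actions = set(_as_list(stmt["Action"]))
        extra = sorted(actions - NEEDED_ACTIONS)
        if extra:
            findings.append("unneeded actions for CloudTrail: " + ", ".join(extra))
        if "s3:PutObject" in actions:
            if f"arn:aws:s3:::{bucket}/*" in _as_list(stmt["Resource"]):
                findings.append("PutObject on the whole bucket instead of AWSLogs/<account-id>/*")
            acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append("PutObject lacks the s3:x-amz-acl bucket-owner-full-control condition")
    return findings


if __name__ == "__main__":
    for f in audit_trail(TRAIL, STATUS) + audit_bucket_policy(BROAD_POLICY, BUCKET):
        print("FINDING:", f)
    print("tight policy findings:", audit_bucket_policy(TIGHT_POLICY, BUCKET))
```

Run against the sample output above with the constructed STATUS, `audit_trail` reports four gaps (not logging, no log file validation, single region, no KMS key), which is exactly what the extra create-trail flags and the start-logging step mentioned earlier close; the broad policy draws three findings and the tight one none.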
In this Answer, we learned what AWS CloudTrail is, how Event history differs from a trail, and how to create a trail, from the console and from the CLI, that delivers our account’s API activity to an S3 bucket for auditing and compliance.