You can use Event history to see management events from the last 90 days. You can download and analyse these 90 days' worth of historical data for your account at no additional cost. CloudTrail Lake is also available with a 30-day free trial period, during which you can ingest and scan 5 GB of data and store it at no additional charge.

If you want more in-depth information, you can configure CloudTrail to deliver events to a CloudWatch Logs log group, or to send the log files to Amazon Simple Storage Service (Amazon S3).

When you set up CloudTrail to deliver events to CloudWatch Logs, you can query the audit logs with CloudWatch Logs Insights. This feature is powerful: you can pull a great deal of detailed information out of the logs with it.

These are examples of CloudWatch Logs Insights queries.

Filter to find out who logged into your AWS account:
| filter eventSource = "signin.amazonaws.com"

Filter to find out which IAM policies have been attached, and who attached them:
| filter eventSource = "iam.amazonaws.com" and (eventName = "AttachGroupPolicy" or eventName = "AttachRolePolicy")

If you have CloudTrail logs stored in S3, you can use Athena to query the logs with SQL. Athena is serverless: it is a fast and powerful way of querying a large volume of data without having to set up or manage servers or data warehouses. Athena uses S3 and the AWS Glue Data Catalog, so keep in mind that charges for those services will apply based on your usage.

By default, CloudTrail events log files are encrypted with Amazon S3 Server-Side Encryption (SSE), but there is also an option to encrypt the logs using AWS Key Management Service (AWS KMS).

One thing to note is that, by default, AWS CloudTrail does not capture all data events: it captures management (control plane) events and only some data events. If you want the remaining data events included, you will need to enable them first.

However, if you do so, be conscious of the considerable cost that data events can bring. The volume of data stored, plus the cost of querying it, can become expensive depending on how much data your workloads generate.

With CloudTrail, you can also choose to have either a single-account trail or an organisation-wide trail. It depends on your infrastructure design, but an organisation-wide trail usually makes sense: you don't need to create a separate trail in each account. One benefit of an organisation-wide trail is that member accounts cannot remove or deactivate the trail, which is owned by the management account, so the integrity of the audit trail is preserved.

You also want to validate CloudTrail log file integrity. One recommended set-up is to deliver the CloudTrail logs to an S3 bucket in a separate AWS account. CloudTrail log file integrity validation is built on industry-standard algorithms to determine whether the logs were modified after delivery, and it is crucial for security and forensic investigations.

The snippet below shows part of the JSON record for the SwitchRole Event:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "XXXXXXXXXXXXXXXXXXXX",
        "arn": "arn:aws:iam::1234567890:user/Administrator",
        "accountId": "1234567890",
        "accessKeyId": "XXXXXXXXXXXXXXXX",
        "userName": "Administrator",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-03-22T03:03:44Z"
            }
        },
        "invokedBy": "signin.amazonaws.com"
    },
    "eventTime": "2019-03-22T03:04:34Z",
    "eventSource": "rds.amazonaws.com",
    "eventName": "DeleteDBInstance",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "12.34.56.78",
    "userAgent": "signin.amazonaws.com",
    "requestParameters": {
        "dBInstanceIdentifier": "mysql-db",
        "skipFinalSnapshot": true,
        "deleteAutomatedBackups": true
    },

From this snapshot, we can tell that userAA deleted the database1 instance in ap-southeast-2 at a particular date and time. We can also see that the user logged into the console without using Multi-Factor Authentication (MFA).

You can extract this kind of information from CloudTrail events to analyse and audit your account's security.
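The two Logs Insights filters and the reading of the record above can be turned into a small triage script. This is an added example, not code from the original post; the records it reads are constructed samples in CloudTrail's log-file shape (the second mirrors the DeleteDBInstance record above), and the severity labels are the example's own choice.

```python
import json

# Constructed sample log file in CloudTrail's {"Records": [...]} shape (not from the
# original post). Record 1 is a console sign-in without MFA, record 2 mirrors the
# DeleteDBInstance record quoted above, record 3 is an IAM policy attachment.
SAMPLE_LOG_FILE = json.loads("""{"Records": [
 {"eventTime": "2019-03-22T03:03:44Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "12.34.56.78",
  "userIdentity": {"type": "IAMUser", "userName": "Administrator"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2019-03-22T03:04:34Z", "eventSource": "rds.amazonaws.com",
  "eventName": "DeleteDBInstance", "awsRegion": "us-east-1", "sourceIPAddress": "12.34.56.78",
  "userIdentity": {"type": "IAMUser", "userName": "Administrator",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "requestParameters": {"dBInstanceIdentifier": "mysql-db", "skipFinalSnapshot": true}},
 {"eventTime": "2019-03-22T03:10:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "AttachRolePolicy", "awsRegion": "us-east-1", "sourceIPAddress": "12.34.56.78",
  "userIdentity": {"type": "IAMUser", "userName": "Administrator",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
  "requestParameters": {"roleName": "AppRole", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
]}""")

POLICY_CHANGES = {"AttachGroupPolicy", "AttachRolePolicy"}  # the page's second filter

def mfa_used(record):
    """True when the call was made under an MFA-authenticated session or sign-in."""
    if record.get("eventSource") == "signin.amazonaws.com":
        return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def triage(log_file):
    """Apply the page's two filters plus a 'Delete* call without MFA' rule.
    Returns one (severity, rule, summary) tuple per matching record."""
    findings = []
    for r in log_file["Records"]:
        who = r.get("userIdentity", {}).get("userName", "?")
        where = f"{r.get('awsRegion')} from {r.get('sourceIPAddress')} at {r.get('eventTime')}"
        name, source = r.get("eventName"), r.get("eventSource")
        if source == "signin.amazonaws.com":  # who logged in, and did they use MFA?
            sev = "info" if mfa_used(r) else "high"
            findings.append((sev, "console-signin", f"{who} signed in ({where}), MFA={mfa_used(r)}"))
        if source == "iam.amazonaws.com" and name in POLICY_CHANGES:  # who changed policies
            arn = r.get("requestParameters", {}).get("policyArn")
            findings.append(("medium", "iam-policy-change", f"{who} ran {name} with {arn} ({where})"))
        if name and name.startswith("Delete") and not mfa_used(r):  # destructive, no MFA
            findings.append(("high", "delete-without-mfa", f"{who} called {name} ({where})"))
    return findings

if __name__ == "__main__":
    for sev, rule, text in triage(SAMPLE_LOG_FILE):
        print(f"[{sev:6}] {rule}: {text}")
```

Point the same function at the `Records` array of a real CloudTrail log file downloaded from S3 to get the equivalent of running the filters above offline.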

CloudTrail can help keep your AWS environment compliant with current standards, provide visibility into your security posture, and retain the log records for future security analysis.

We at Westcon always recommend that our partners have this set up correctly, as we have seen how valuable this tool is during security incidents. We have highly experienced AWS Certified Professionals who can assist you with your AWS infrastructure and help recommend, analyse and secure your workloads. If you have any questions or concerns about AWS cloud environment security, please do not hesitate to contact the Partner Success centre at

NZ Cloud Sales:    +64 9 477 7211              Email:  [email protected]
AU Cloud Sales:    +61 2 8412 1212              Email:  [email protected]
SG Cloud Sales:    +65 6424 0570              Email:   [email protected]
ID  Cloud Sales:    +62 21 8062 1470          Email:   [email protected]