{"id":75965,"date":"2020-09-25T17:00:31","date_gmt":"2020-09-25T14:00:31","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-use-aws-cloudtrail-to-monitor-account-activity-cloudsavvy-it\/"},"modified":"2020-09-25T17:00:31","modified_gmt":"2020-09-25T14:00:31","slug":"how-to-use-aws-cloudtrail-to-monitor-account-activity-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-use-aws-cloudtrail-to-monitor-account-activity-cloudsavvy-it\/","title":{"rendered":"#How to Use AWS CloudTrail to Monitor Account Activity \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Use AWS CloudTrail to Monitor Account Activity \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5269\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/0eb3564906a864c93706b30eaca199af\/p\/uploads\/2020\/06\/e601b806.png\" alt=\"AWS Logo\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>CloudTrail is an auditing, compliance monitoring, and governance tool designed to watch over your AWS account history and to keep detailed logs of all events. You can use this event history to simplify security analysis and to detect unusual activity in your account.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Using_CloudTrail\"><\/span>Using CloudTrail<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can use CloudTrail to monitor the last 90 days free of charge. However, if you want to keep extended logs, you need to pay for the associated S3 storage as well as a <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/aws.amazon.com\/cloudtrail\/pricing\/?tag=reviewgeek-20\">small fee per 100,000 events logged<\/a>. 
Still, it\u2019s relatively cheap, and it doesn\u2019t hurt to get started with it.<\/p>\n<p>CloudTrail automatically logs the last 90 days, so you\u2019ll be able to head over to the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com?u=https%3A%2F%2Fconsole.aws.amazon.com%2Fcloudtrail%2Fhome&amp;key=204a528a336ede4177fff0d84a044482\">CloudTrail Console<\/a> and view the latest logs in your account. On the home screen, you\u2019ll see the most recent events:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-4285 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/1554cf43e68c6d2f9701facec69a827a\/p\/uploads\/2020\/03\/e34ad7ab.png\" alt=\"cloudtrail dashboard\" width=\"700\" height=\"243\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Under \u201cEvent History\u201d in the sidebar, you\u2019ll be able to view the full list of events, in chronological order.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4286\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/ca20964228867fe573710135fbe9dbc1\/p\/uploads\/2020\/03\/ac121240.png\" alt=\"cloudtrail event log\" width=\"700\" height=\"369\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>This is a lot of data, so you\u2019ll probably want to filter for just whatever you\u2019re looking for. If you\u2019re auditing specific employee accounts, you can filter by username or AWS access key, or other factors such as source IP address and resource types. 
You can also focus in on specific time ranges.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"imgchk9 alignnone wp-image-4291 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/ed2b2283a11f6eef6a3b6de6cb183639\/p\/uploads\/2020\/03\/1a1d25aa.png\" alt=\"Filter by username, AWS access key, or another factor \" width=\"582\" height=\"286\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>If you click on an event, you can view all the data collected for that event. Some are simple, like \u201cConsoleLogin,\u201d which tracks login times for different users. Others are more specific, and will show more details about the underlying API action.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"imgchk9 alignnone wp-image-4290 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/1a692de2b6f26853ff52d1b25ee2b750\/p\/uploads\/2020\/03\/b4c9af21.png\" alt=\"Click on an event, you can view all the data collected for it\" width=\"700\" height=\"238\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You can view the full JSON data for the event with the \u201cView Event\u201d button.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Creating_a_Trail\"><\/span>Creating a Trail<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you want to keep records for longer than 90 days, or keep extended logs for S3 and Lambda data events, you can create a Trail. Keep in mind that you will incur data charges for S3 log storage, as well as charges per 100,000 logged events.<\/p>\n<p>From \u201cTrails\u201d in the sidebar, create a new trail. 
You have the option of using this trail for every region, as well as applying it to every account in an AWS Organization. You can also select which kinds of events to log, and enable CloudTrail Insights for this trail.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"imgchk9 alignnone wp-image-4287 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/9545fbca0211f52166ea35fc9c87e8e0\/p\/uploads\/2020\/03\/c5d6b1c4.png\" alt=\"Create a new trail to keep records\" width=\"700\" height=\"341\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The next section is \u201cData Events,\u201d which can be used to keep extended logs on S3 buckets or Lambda functions. For S3, CloudTrail will log bucket-level operations, such as PutObject. For Lambda, CloudTrail will log any invocation of the given Lambda function. You can enable this for all buckets, or specify one by ARN.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4288\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/72082c975940437c31951b33b67bdd6b\/p\/uploads\/2020\/03\/648c3cb7.png\" alt=\"data logs\" width=\"700\" height=\"217\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Finally, you\u2019ll need a new or existing bucket in which to keep the events. 
You can use this bucket to keep track of how much data your trail is using.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4289\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/3813d61c14d4abbdc9cb5289ffb717a2\/p\/uploads\/2020\/03\/ca101a56.png\" alt=\"give the bucket a name\" width=\"684\" height=\"244\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Events logged by the trail will remain in the event history indefinitely. With a trail, you can activate CloudTrail Insights from the \u201cInsights\u201d tab in the sidebar:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"imgchk9 alignnone wp-image-4292 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/22d88cdad37f1e4a7a3516dda87ec02c\/p\/uploads\/2020\/03\/5e6775b5.png\" alt=\"Without an activated trail, use CloudTrail Insights for records\" width=\"700\" height=\"294\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>This will take up to 36 hours to analyze your trail, and once it\u2019s done, you\u2019ll be able to browse through the findings.<\/p>\n<p>If you want, you can also set up CloudTrail to <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com?u=https%3A%2F%2Fdocs.aws.amazon.com%2Fawscloudtrail%2Flatest%2Fuserguide%2Fsend-cloudtrail-events-to-cloudwatch-logs.html&amp;key=204a528a336ede4177fff0d84a044482\">send events to CloudWatch Logs<\/a>, or <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/blog.paco.to\/2019\/cloudtrail-to-elasticsearch\/\">use it with Elasticsearch for more detailed monitoring<\/a>.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/4266\/how-to-use-aws-cloudtrail-to-monitor-account-activity\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Use AWS CloudTrail to Monitor Account Activity \u2013 CloudSavvy IT&#8221; CloudTrail is an auditing, compliance monitoring, and governance tool designed to watch over your AWS account history and to keep detailed logs of all events. 
You can use this event history to simplify security analysis and to detect unusual activity in your account&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":75966,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/06\/e601b806.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-75965","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/75965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=75965"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/75965\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/75966"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=75965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=75965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=75965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}