An Introduction to Amazon CloudTrail
Amazon CloudTrail records a history of all API calls that occur in your AWS account. Whether operations are performed using the AWS Management Console, AWS CLI, or any of the various SDKs, Amazon CloudTrail will record details about the API calls.
Recording of action data is important for the following reasons:
- Security - Was there unauthorized access?
- Governance - Know what your employees are doing, and track responsibility.
- Tracking third-party services - If you allow third-party services to access your AWS account, know what they are doing.
- Debugging and diagnosis - If a problem occurred, knowing the source of an API call may help diagnose it.
What Will CloudTrail Record?
Amazon CloudTrail will record many details about the actions that are executed, including:
- The action that was executed, TerminateInstances for example,
- The time at which the action was executed,
- The AWS credentials that executed the action, and
- The resources that the action affected.
- Actions that both alter your AWS account (create, modify, delete) or simply report on your AWS account (describe, list) will be recorded.
For example, if you created an EBS snapshot, “snap-12345678”, of an EBS volume using the AWS CLI:
aws cli create-snapshot –volume-id vol-12345678
then CloudTrail will record this with the following details:
- An action name of “CreateSnapshot”,
- Resources of “vol-12345678” and “snap-12345678”,
- The date of execution,
- And the credentials the command line was using at the time.
- All of the history is recorded to a bucket in Amazon S3. In Amazon S3, records are stored as JSON grouped together by time. Each object in S3 represents a period of 5 minutes and includes all actions executed in that 5-minute time period.
How Can I Enable CloudTrail?
By default, CloudTrail is disabled in all regions. It must be enabled in each region you want to enable it in.
Tip: You should enable CloudTrail in all regions, even regions that you are not intending to use. You cannot retroactively enable CloudTrail to diagnose past events. So enable CloudTrail before you need it.
To enable CloudTrail, navigate to the CloudTrail management console and add trails for all regions. For each trail, you can create a new S3 bucket or reuse an existing bucket. If you choose, you can store all CloudTrail data for all regions in the same bucket.
When AWS announces a new region, return to the CloudTrail management console and add a new trail for the new region.
Tip: Under “Advanced” options, CloudTrail asks you whether the log files should be encrypted (yes/no). However, even if you choose “no”, the log files will still be encrypted with S3’s Server-Side AES 256 encryption. If you say “yes”, then CloudTrail will use a KMS key to encrypt the data, which will cost you extra for using the KMS key. So the distinction is not whether to encrypt or not, but instead whether to use KMS keys or not.
How Can I View the CloudTrail History?
You can use the AWS Management Console to view the logs. However, the AWS Management Console will only list actions that alter your AWS account, such as “Create”, “Modify”, “Delete” API calls. If you need to search or view any of the read-only calls, then you must traverse the data in Amazon S3 yourself, or use Amazon CloudWatch Logs.
The console allows you to filter results by the following fields:
- Time range,
- User name,
- Resource type,
- Resource name,
- Event ID.
For example, if you want to find all actions that occurred on an EC2 instance, then you can filter by resource name on the EC2 instance ID.
The “User name” column is a bit misleading. If you were using an IAM user (AWS Management Console or access keys), then that user’s user name will appear in this column. However, if an IAM role (third-party IAM role, EC2 instance profile, etc.) were used, then the role’s name is not shown. Instead, the Session ID used during the “sts:AssumeRole” is shown.
Tip: CloudTrail events take a little while to appear. You should allow up to 30 minutes from the time that the action was executed to the time that the events appear in the CloudTrail console.
There are also third-party tools that can examine, report on, and generate alerts for your CloudTrail trails. One such tool is CloudCheckr.
Using CloudTrail With Skeddly
As I mentioned before, enable CloudTrail in all regions now, before you actually need it.
Skeddly includes full logs of all Skeddly actions that are executed. Using our logs, you can see all of the Amazon API actions that were executed as part of your Skeddly action.
You can also view all activity executed by Skeddly through CloudTrail as well.
If you are using an IAM role to allow Skeddly to act on your AWS account (which you should be using), then you will notice user names in CloudTrail that start with “skeddly-“. The rest of the user name is a unique sequence of characters used to group AWS actions together within the Skeddly action.
Currently, the CloudTrail console only allows exact matches when filtering by user names. We are hoping that AWS will add the ability to include partial matches of user names, which will make searching for Skeddly events easier.
Example
For example, if you are using Skeddly to start and stop your EC2 instance, you will see “StartInstance” and “StopInstance” events in CloudTrail. For API actions associated with your Skeddly action, you will see the AWS credentials you gave to Skeddly for these events.
If you are noticing that your EC2 instance is starting or stopping outside of the desired Skeddly schedule, use CloudTrail to determine how this is happening. You can filter the CloudTrail events by resource name, using the EC2 instance ID of your EC2 instance. You’ll get a filtered list of events showing the credentials that started and/or stopped your EC2 instance. Here you should see what is operating on your EC2 instance aside from Skeddly.
Final Thoughts
CloudTrail is like insurance in that you need to plan ahead. If it’s not available when you need it, it won’t help you.
So plan ahead, enable CloudTrail now in all regions.
About Skeddly
Skeddly is the leading scheduling service for your AWS account. Using Skeddly, you can:
- Reduce your AWS costs,
- Schedule snapshots and images, and
- Automate many DevOps and IT tasks.
Sign-up for our 30 day free trial or sign-in to your Skeddly account to get started.