
7 AWS CloudTrail Best Practices with Console and CLI Examples

In AWS, whether you perform an action from the Console, use the AWS CLI, use an AWS SDK, or an AWS service performs an action on your behalf, all of those API calls are logged in AWS CloudTrail. That makes the trail the primary audit record of the account, and the reason its own configuration deserves the attention below.

This tutorial explains the following 7 essential AWS CloudTrail best practices, with examples of how to do each from both the Console and the AWS CloudTrail CLI commands.

  1. Enable CloudTrail in All Regions
  2. Encrypt CloudTrail Logs using KMS
  3. Set Key Policy for Encrypted CloudTrail Logs
  4. Enable CloudTrail Log File Validation
  5. Send CloudTrail Logs to CloudWatch
  6. For Multi-Account: Send CloudTrail Logs to a Centralized S3 Bucket
  7. For Multi-Account: Enable CloudTrail at Organization Level

1. Enable CloudTrail in All Regions

When you create a trail you have the choice of creating it for one region, or for all the regions in your AWS account.

Even if you run your workloads in just one region, as a best practice you should still enable CloudTrail in ALL AWS regions. This way, when activity happens in some other region, apart from your main operating region (an attacker launching instances in a region nobody looks at, for example), you can still see it and take action immediately.

From Console, set the "Apply trail to all regions" option to "Yes" as shown below.

From CLI, when you are creating a trail, use the --is-multi-region-trail option as shown below:

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail

To manage your S3 bucket, refer to this: 28 Essential AWS S3 CLI Command Examples to Manage Buckets and Objects

The following is the output of the above command. In the output, notice how it says IsMultiRegionTrail as true.

{
    "IncludeGlobalServiceEvents": true,
    "Name": "thegeekstuff",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/thegeekstuff",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "S3BucketName": "tgs-logs"
}

Note that create-trail only creates the trail. Unlike the Console, the CLI does not start logging for you, so run aws cloudtrail start-logging --name thegeekstuff afterwards, and confirm with aws cloudtrail get-trail-status --name thegeekstuff that IsLogging is true.

2. Encrypt CloudTrail Logs using KMS

By default, the CloudTrail log files that are delivered are encrypted using Amazon S3-managed encryption keys (SSE-S3). SSE stands for server-side encryption.

However, you can change this to encrypt log files with AWS Key Management Service (SSE-KMS). With SSE-KMS, reading the logs requires kms:Decrypt on your key in addition to s3:GetObject on the bucket, so you control who can read the audit trail independently of who can reach the bucket.

From Console, when creating a trail:

  • Encrypt log files with SSE-KMS: Set this option to "Yes". When you set this option, you'll get the next two options.
  • Create a new KMS key: Set this to "Yes" to create a new KMS key. This will automatically create an appropriate KMS key policy that allows CloudTrail access.
  • KMS key: Give the name of the key alias that should be assigned to the new KMS key that CloudTrail creates.

[Encrypt Cloudtrail Logs]

From CLI, use --kms-key-id to specify the SSE-KMS key ID as shown below.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id alias/thegeekstuff/key

When you specify --kms-key-id, the following are the possible formats for this option:

  • alias/YourKeyAliasName
  • arn:aws:kms:us-east-2:111111111111:alias/YourKeyAliasName
  • arn:aws:kms:us-east-2:111111111111:key/11111111-2222-1111-2222-111111111111
  • 11111111-2222-1111-2222-111111111111

When specifying an alias for --kms-key-id, if you don't use the "alias/" prefix, you'll get the following error message:

An error occurred (InvalidKmsKeyIdException) when calling the CreateTrail operation: KMS key ID thegeekstuff/key is not a valid format.

Also, if the appropriate S3 bucket policy or KMS key policy (see the next section) is not set, you'll get the following error message:

An error occurred (InsufficientEncryptionPolicyException) when calling the CreateTrail operation: Insufficient permissions to access S3 bucket tgs-logs or KMS key arn:aws:kms:us-east-1:111111111111:alias/thegeekstuff/key.

3. Set Key Policy for Encrypted CloudTrail Logs

If you are using SSE-KMS to encrypt your CloudTrail logs, make sure that your KMS key policy has the following three statements (SIDs). These go alongside the key's administrative statement (normally the account root); a key policy consisting of only these three would leave nobody able to manage the key, and KMS rejects such a policy unless you explicitly bypass its lockout safety check.

KMS Key Policy SID 1: Allow CloudTrail to encrypt logs

{
    "Sid": "Allow CloudTrail to encrypt logs",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:aws:cloudtrail:arn": [
                "arn:aws:cloudtrail:*:111111111111:trail/*"
            ]
        }
    }
}

The condition matters because cloudtrail.amazonaws.com is a service principal shared by every AWS customer: restricting the grant to an encryption context naming a trail in your account means a trail in someone else's account cannot generate data keys under your key.

KMS Key Policy SID 2: Allow CloudTrail log decrypt permissions

{
    "Sid": "Enable CloudTrail log decrypt permissions",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/ramesh"
    },
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {
        "Null": {
            "kms:EncryptionContext:aws:cloudtrail:arn": "false"
        }
    }
}

The Null condition with the value "false" means the encryption context key must be present in the request: this user can decrypt CloudTrail log files, but cannot use the key to decrypt ciphertext that was produced without a CloudTrail encryption context.

Note: In the above, change the username accordingly. If you prefer to use a role, then in the Principal section, instead of the user, use the following:
arn:aws:iam::111111111111:role/MyCloudTrailReadRole

KMS Key Policy SID 3: Allow CloudTrail to describe CMK properties

{
    "Sid": "Allow CloudTrail access",
    "Effect": "Allow",
    "Principal": {
        "Service": "cloudtrail.amazonaws.com"
    },
    "Action": "kms:DescribeKey",
    "Resource": "*"
}
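To make the effect of the two conditions concrete, here is an added example (not from the original article) that assembles the three statements above into one key policy document and evaluates requests against it with a deliberately small model of KMS key-policy evaluation: only Allow statements, only the Null and StringLike operators, no IAM policies and no Deny. The account id, the user ramesh and the trail names are the page's placeholders. The interesting cases are the last two: the reader is denied kms:Decrypt when no CloudTrail encryption context is supplied, but is allowed to decrypt logs whose context names a trail in a different account, because Null only tests presence. If that is not what you want, use the same StringLike condition as SID 1 on the decrypt statement as well.

```python
import fnmatch

# Added example: the three statements from this section assembled into one key
# policy document. Account id and user are the page's placeholders.
ACCOUNT_ID = "111111111111"
CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {"StringLike": {CTX_KEY: [f"arn:aws:cloudtrail:*:{ACCOUNT_ID}:trail/*"]}},
        },
        {
            "Sid": "Enable CloudTrail log decrypt permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/ramesh"},
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {"Null": {CTX_KEY: "false"}},
        },
        {
            "Sid": "Allow CloudTrail access",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "kms:DescribeKey",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    """caller is {"Service": "..."} or {"AWS": "<arn>"}; "*" matches everyone."""
    if principal == "*":
        return True
    return any(kind in caller and caller[kind] in _as_list(ids)
               for kind, ids in principal.items())


def _condition_holds(condition, context):
    """Evaluate the Null and StringLike operators against the request context.

    context maps condition keys to request values; a key that is not in the
    context is absent from the request (no encryption context was supplied).
    """
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            present = key in context
            if operator == "Null":
                # "true" requires the key to be absent, "false" requires it present
                if present == (expected == "true"):
                    return False
            elif operator == "StringLike":
                if not present or not any(fnmatch.fnmatchcase(context[key], pattern)
                                          for pattern in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def is_allowed(policy, caller, action, context=None):
    """True if any Allow statement matches principal, action and conditions.

    Simplified model of key-policy evaluation: no Deny statements, no IAM
    policies, and Resource is always "*" inside a key policy.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}
READER = {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/ramesh"}
OWN_TRAIL = {CTX_KEY: f"arn:aws:cloudtrail:us-east-1:{ACCOUNT_ID}:trail/thegeekstuff"}
OTHER_ACCOUNT_TRAIL = {CTX_KEY: "arn:aws:cloudtrail:us-east-1:222222222222:trail/theirs"}

if __name__ == "__main__":
    for label, caller, action, ctx in [
        ("CloudTrail encrypts for our trail", CLOUDTRAIL, "kms:GenerateDataKey", OWN_TRAIL),
        ("CloudTrail encrypts for a foreign trail", CLOUDTRAIL, "kms:GenerateDataKey", OTHER_ACCOUNT_TRAIL),
        ("reader decrypts a CloudTrail log", READER, "kms:Decrypt", OWN_TRAIL),
        ("reader decrypts without CloudTrail context", READER, "kms:Decrypt", {}),
        ("reader decrypts another account's trail logs", READER, "kms:Decrypt", OTHER_ACCOUNT_TRAIL),
    ]:
        print(f"{label}: {is_allowed(KEY_POLICY, caller, action, ctx)}")
```

Run it as a script to print the five cases; the evaluator is only meant to explain the policy, not to replace the IAM policy simulator.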

4. Enable CloudTrail Log File Validation

Apart from delivering the CloudTrail events to your S3 bucket, you can also instruct CloudTrail to create a digest file for your log files every hour and deliver it to the same S3 bucket (under the CloudTrail-Digest prefix).

You can then use the digest files to validate your CloudTrail log file integrity, i.e. make sure that the log files have not been modified, deleted, or forged after they were delivered to your S3 bucket. Log file validation uses SHA-256 for hashing and SHA-256 with RSA for digital signing. Each digest records the hash of every log file delivered in that hour, and also the hash and signature of the previous digest, so the digests form a chain in which removing or altering any link is detectable.

From Console, while creating the trail, under the Storage location section, set "Enable log file validation" to "Yes" as shown below.

[Cloudtrail Validate Logs]

From CLI, when you create the trail, use the --enable-log-file-validation option as shown below.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail \
  --enable-log-file-validation

The following is the output of the above command. In the output, notice how it says LogFileValidationEnabled as true.

{
    "IncludeGlobalServiceEvents": true,
    "Name": "thegeekstuff",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/thegeekstuff",
    "LogFileValidationEnabled": true,
    "IsMultiRegionTrail": true,
    "S3BucketName": "tgs-logs"
}

To actually check integrity later, run aws cloudtrail validate-logs --trail-arn <trail ARN> --start-time <timestamp>. It fetches the digests, verifies their signatures against CloudTrail's public key, and reports every log file that is missing or whose hash no longer matches.
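The following added example (not part of the original article, and not AWS's validator) shows the hash half of what validate-logs does, which is useful when you want to re-check an archived bucket offline or build the check into your own tooling. It re-computes the SHA-256 of each log file named in a digest and of the previous digest in the chain, and reports files that were rewritten or deleted. The digest, the log file and the account id are constructed sample data in the documented digest layout; the RSA signature over the digest is deliberately not verified here, since that needs the public key that validate-logs obtains for you.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_digest(digest_plain, objects, previous_digest_plain=None):
    """Re-compute the hashes a CloudTrail digest records; return a list of findings.

    digest_plain          - decompressed JSON bytes of the digest file
    objects               - "bucket/key" -> gzipped bytes of each log file as read from S3
    previous_digest_plain - decompressed bytes of the previous digest in the chain

    CloudTrail records the SHA-256 of the uncompressed log file and of the
    uncompressed previous digest. Only those hashes are re-checked here; the RSA
    signature over the digest is not verified (that needs the public key from
    `aws cloudtrail list-public-keys`, which `validate-logs` fetches for you).
    """
    digest = json.loads(digest_plain)
    findings = []
    for entry in digest["logFiles"]:
        ref = f'{entry["s3Bucket"]}/{entry["s3Object"]}'
        if entry.get("hashAlgorithm") != "SHA-256":
            findings.append(f"{ref}: unsupported hashAlgorithm {entry.get('hashAlgorithm')}")
            continue
        blob = objects.get(ref)
        if blob is None:
            findings.append(f"{ref}: log file missing from bucket")
        elif sha256_hex(gzip.decompress(blob)) != entry["hashValue"]:
            findings.append(f"{ref}: hash mismatch, modified after delivery")
    previous_hash = digest.get("previousDigestHashValue")
    if previous_hash is not None:
        if previous_digest_plain is None:
            findings.append("previous digest not supplied, chain not verified")
        elif sha256_hex(previous_digest_plain) != previous_hash:
            findings.append("previous digest hash mismatch, chain broken")
    return findings


# Constructed sample data (not real CloudTrail output): one log file holding a
# StopLogging record, its predecessor digest, and the digest that covers it.
BUCKET = "tgs-logs"
LOG_KEY = ("AWSLogs/111111111111/CloudTrail/us-east-1/2019/04/01/"
           "111111111111_CloudTrail_us-east-1_20190401T0000Z_example.json.gz")
LOG_PLAIN = json.dumps({"Records": [{"eventSource": "cloudtrail.amazonaws.com",
                                     "eventName": "StopLogging"}]}).encode()
PREVIOUS_DIGEST_PLAIN = json.dumps({"awsAccountId": "111111111111", "logFiles": []}).encode()
DIGEST_PLAIN = json.dumps({
    "awsAccountId": "111111111111",
    "digestS3Bucket": BUCKET,
    "digestSignatureAlgorithm": "SHA256withRSA",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_PLAIN),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [{"s3Bucket": BUCKET, "s3Object": LOG_KEY,
                  "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_PLAIN)}],
}).encode()


def scenarios():
    """Run the check against an intact bucket, a rewritten log, and a deleted log."""
    ref = f"{BUCKET}/{LOG_KEY}"
    intact = check_digest(DIGEST_PLAIN, {ref: gzip.compress(LOG_PLAIN)}, PREVIOUS_DIGEST_PLAIN)
    # An intruder strips the StopLogging record and re-uploads the file
    scrubbed = gzip.compress(json.dumps({"Records": []}).encode())
    rewritten = check_digest(DIGEST_PLAIN, {ref: scrubbed}, PREVIOUS_DIGEST_PLAIN)
    deleted = check_digest(DIGEST_PLAIN, {}, PREVIOUS_DIGEST_PLAIN)
    return {"intact": intact, "rewritten": rewritten, "deleted": deleted}


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(name, findings or ["OK"])
```

Against a real bucket you would feed check_digest the decompressed digest and a dictionary of the gzipped log objects it names; the hash is computed over the decompressed content, as CloudTrail records it, so re-gzipping a file with different compression settings does not by itself produce a mismatch.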

5. Send CloudTrail Logs to CloudWatch

You can also send your CloudTrail events to CloudWatch Logs for near real-time monitoring, for example metric filters and alarms on specific event names, rather than waiting for the log files to land in S3.

From Console, select an existing trail, and under the "CloudWatch Logs" section, click "Configure". It will ask you to enter the name of the log group. If the given log group already exists, it will use that. If not, it will create a new log group.

[Cloudtrail to Cloudwatch Logs]

From CLI, use the --cloud-watch-logs-log-group-arn and --cloud-watch-logs-role-arn options as shown below to enable CloudWatch Logs for the trail. The role is assumed by CloudTrail, so its trust policy must allow cloudtrail.amazonaws.com, and it needs logs:CreateLogStream and logs:PutLogEvents on the log group.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:111111111111:log-group:/thegeekstuff/cloudtrail:* \
  --cloud-watch-logs-role-arn arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role

If you specify only --cloud-watch-logs-log-group-arn without --cloud-watch-logs-role-arn, you'll get the following error message.

An error occurred (InvalidCloudWatchLogsRoleArnException) when calling the CreateTrail operation: You must specify a role ARN as well as a log group.

Also, make sure that the given role has the appropriate permissions for CloudTrail to access CloudWatch Logs. If not, you'll get the following error message.

An error occurred (InvalidCloudWatchLogsLogGroupArnException) when calling the CreateTrail operation: Access denied. Check the permissions for your role.
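Once the events are flowing, the first two things worth alerting on are changes to the trail itself (the attacker's obvious first move) and mutating activity in regions you never use, which is the reason section 1 enables the trail everywhere. The following added example (not from the original article) runs both rules over a constructed CloudTrail log file; the records, account id, IP addresses and the expected-region list are all sample data chosen for the example. Failed attempts are reported too, because a denied DeleteTrail is a stronger signal than a successful DescribeInstances. The same first rule as a CloudWatch Logs metric filter on the log group above would be { ($.eventSource = cloudtrail.amazonaws.com) && (($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail) || ($.eventName = PutEventSelectors)) }.

```python
import json

# Added example. Events that change or stop the trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Regions where this account is expected to operate (an assumption for the example)
EXPECTED_REGIONS = {"us-east-1", "us-west-2"}


def actor_of(record):
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("invokedBy") or identity.get("type", "unknown")


def inspect_record(record, expected_regions=EXPECTED_REGIONS):
    """Return a list of findings for one CloudTrail record."""
    findings = []
    base = {
        "eventName": record.get("eventName"),
        "region": record.get("awsRegion"),
        "actor": actor_of(record),
        "sourceIP": record.get("sourceIPAddress"),
        # errorCode is present when the call was denied; an attempt still matters
        "succeeded": "errorCode" not in record,
    }
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPERING):
        findings.append({"rule": "cloudtrail-tampering", **base})
    # Read-only Describe/List/Get calls in a foreign region are noise; flag mutations
    if record.get("awsRegion") not in expected_regions and not record.get("readOnly", False):
        findings.append({"rule": "activity-outside-expected-regions", **base})
    return findings


def scan(log_text, expected_regions=EXPECTED_REGIONS):
    """Scan one delivered CloudTrail log file (JSON document with a Records array)."""
    findings = []
    for record in json.loads(log_text)["Records"]:
        findings.extend(inspect_record(record, expected_regions))
    return findings


# Constructed sample log file, not real events.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2019-04-01T10:00:00Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ramesh"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventVersion": "1.05", "eventTime": "2019-04-01T10:05:00Z", "awsRegion": "us-east-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ramesh"},
     "requestParameters": {"name": "thegeekstuff"}, "sourceIPAddress": "203.0.113.10"},
    {"eventVersion": "1.05", "eventTime": "2019-04-01T10:06:00Z", "awsRegion": "ap-southeast-2",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/session"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventVersion": "1.05", "eventTime": "2019-04-01T10:07:00Z", "awsRegion": "eu-west-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail", "readOnly": False,
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Developer/session"},
     "requestParameters": {"name": "thegeekstuff"}, "sourceIPAddress": "198.51.100.7"},
    {"eventVersion": "1.05", "eventTime": "2019-04-01T10:08:00Z", "awsRegion": "eu-west-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeRegions", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ramesh"},
     "sourceIPAddress": "203.0.113.10"},
]})

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

On the sample this yields four findings: the StopLogging by ramesh, the RunInstances in ap-southeast-2, and the denied DeleteTrail twice, once under each rule. The read-only DescribeRegions in eu-west-1 is suppressed by the readOnly check; drop that check if you would rather see reconnaissance as well.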

6. For Multi-Account: Send CloudTrail Logs to a Centralized S3 Bucket

When you have multiple AWS accounts, sending CloudTrail logs to an S3 bucket in each individual account creates operational challenges, and it leaves each account's audit log under the control of the very account whose activity it records. You need a way to centrally manage and monitor CloudTrail logs from all of your accounts.

For this, you can enable CloudTrail in all of your accounts, but send the logs to a centralized S3 bucket in a single account. Create this centralized S3 bucket in a dedicated logging account, to which all other accounts send their CloudTrail logs. Keep versioning on and give the workload accounts no s3:DeleteObject permission on it, so that a compromised account cannot remove the evidence it has delivered.

From Console, when creating the trail, under "Storage location" settings, set "Create a new S3 bucket" to "No". For "S3 bucket", specify the name of the centralized S3 bucket that lives in the other account (i.e. in your logging account where the centralized S3 bucket exists).

[Cloudtrail Centralized S3 Bucket]

From CLI, while creating the trail, just as we did earlier, specify the name of the centralized S3 bucket here.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name thegeekstuff-cloudtrail-logs \
  --is-multi-region-trail \
  --enable-log-file-validation

For this to work, in the centralized S3 bucket, make sure to set the following bucket policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAclForCloudTrail",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::thegeekstuff-cloudtrail-logs"
        },
        {
            "Sid": "WritePermissionForCloudTrail",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudtrail.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/111111111111/*",
                "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/222222222222/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

The above means that CloudTrail from two accounts (111111111111 and 222222222222) can send their logs to this centralized S3 bucket. Keep the Resource list this specific: cloudtrail.amazonaws.com is the same service principal for every AWS customer, so a grant on AWSLogs/* would let any AWS account point a trail at your bucket.

If you want to add another account (333333333333), modify the above policy and add the new account to the Resource section in the WritePermissionForCloudTrail statement as shown below.

"Resource": [
    "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/111111111111/*",
    "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/222222222222/*",
    "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/333333333333/*"
],
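Editing that Resource list by hand for every new account is where mistakes creep in, so here is an added example (not from the original article) that generates the bucket policy from a list of accounts, performs the "add another account" step idempotently, and, the part worth keeping in an audit script, reads an existing policy back and reports which account ids CloudTrail may write for, returning "*" when a PutObject grant to the CloudTrail principal is not pinned to an AWSLogs/<id>/ prefix. It goes one step beyond the text by accepting an optional organization id, since an organization trail (section 7) delivers the member accounts' logs under AWSLogs/<organization id>/ rather than under each account id. The bucket and account ids are the page's placeholders; o-exampleorgid is a made-up organization id.

```python
import json
import re

# Added example. CloudTrail's service principal, shared by all AWS customers.
CLOUDTRAIL_PRINCIPAL = "cloudtrail.amazonaws.com"
_PREFIX = re.compile(r"^arn:aws:s3:::[^/]+/AWSLogs/([^/]+)/")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cloudtrail_bucket_policy(bucket, account_ids, org_id=None):
    """Bucket policy for a central CloudTrail bucket, one prefix per writer.

    account_ids - accounts whose own trails deliver to AWSLogs/<account>/
    org_id      - optional organization id; an organization trail delivers the
                  member accounts' logs under AWSLogs/<org id>/ instead
    """
    prefixes = [f"AWSLogs/{account}/*" for account in account_ids]
    if org_id:
        prefixes.append(f"AWSLogs/{org_id}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketAclForCloudTrail", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "WritePermissionForCloudTrail", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_PRINCIPAL},
             "Action": "s3:PutObject",
             "Resource": [f"arn:aws:s3:::{bucket}/{prefix}" for prefix in prefixes],
             # CloudTrail must hand ownership of each object to the bucket owner
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def add_account(policy, account_id):
    """The 'add another account' step from the text, made idempotent."""
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == "WritePermissionForCloudTrail":
            resources = _as_list(stmt["Resource"])
            bucket_arn = resources[0].split("/", 1)[0]
            new = f"{bucket_arn}/AWSLogs/{account_id}/*"
            if new not in resources:
                resources.append(new)
            stmt["Resource"] = resources
            return policy
    raise ValueError("WritePermissionForCloudTrail statement not found")


def writers_allowed(policy):
    """Which account or organization ids the policy lets CloudTrail write for.

    "*" in the result means a PutObject grant to the CloudTrail principal is not
    pinned to an AWSLogs/<id>/ prefix, so any AWS account could deliver here.
    """
    writers = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal != "*" and CLOUDTRAIL_PRINCIPAL not in _as_list(principal.get("Service", [])):
            continue
        if not any(a in ("s3:PutObject", "s3:Put*", "s3:*", "*")
                   for a in _as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            match = _PREFIX.match(resource)
            writers.add(match.group(1) if match else "*")
    return writers


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("thegeekstuff-cloudtrail-logs",
                                      ["111111111111", "222222222222"])
    add_account(policy, "333333333333")
    print(json.dumps(policy, indent=4))
    print("writers:", sorted(writers_allowed(policy)))
```

Apply the generated document with aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json from the logging account, and run writers_allowed over the output of aws s3api get-bucket-policy periodically so that a widened Resource does not go unnoticed.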

7. For Multi-Account: Enable CloudTrail at Organization Level

If you are creating a trail in your master account (now called the management account) where AWS Organizations is enabled, you also have the option to enable the trail at the organization level.

When you choose this option, the trail logs CloudTrail events for all of the AWS accounts under that organization, including accounts that join later. Member accounts can see the organization trail but cannot modify or delete it, which is exactly the property you want from an audit log.

From Console, in your master account where AWS Organizations is enabled, while creating the trail, set the "Apply trail to my organization" option to "Yes" as shown below.

[Cloudtrail Apply to Organizations]

From CLI, while creating the trail, specify the --is-organization-trail option as shown below. CloudTrail must have trusted access in AWS Organizations first (the Console enables it for you; from the CLI, run aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com in the master account). The bucket policy must also allow the organization path AWSLogs/<organization id>/* in addition to the master account's own AWSLogs/<account id>/*, because that is where an organization trail delivers the member accounts' logs.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail \
  --is-organization-trail \
  --enable-log-file-validation

You might get the following error message for the above command if you are using an older version of aws-cli. For example, aws-cli/1.16.6 gives the following error message:

Unknown options: --is-organization-trail

$ aws --version
aws-cli/1.16.6 Python/2.7.10 Darwin/16.7.0 botocore/1.11.6

To avoid that, upgrade your AWS CLI to the latest version. For example, aws-cli/1.16.139 and above won't give the above error message.

$ aws --version
aws-cli/1.16.139 Python/2.7.10 Darwin/16.7.0 botocore/1.12.129
