Creating Your First Trail
By default, CloudTrail records the last 90 days of events for AWS accounts. However, the default events do not support triggering alerts, event metrics, or long-term storage. You need to create a Trail for that. In this Lab Step, you will create your first Trail. When configuring your first Trail, you can point to an existing S3 bucket and IAM policy for access, but it is simpler and generally recommended to let AWS create them for you during the configuration process. The instructions below will guide you through doing that.
1. From the AWS Management Console, click Services, enter CloudTrail in the search bar and click the CloudTrail result:
Warning: If the CloudTrail UI differs from the one you see in this lab, click on the Try out the new console link in the upper section of the CloudTrail console.
The CloudTrail management console will load.
You may see blue warning notifications that say you aren't allowed to create a CloudTrail trail for an organization. In this lab, you will create a trail for the AWS account, so any blue warning notifications you see as you fill out the CloudTrail creation form can be safely ignored.
2. Click Trails and then on the Create trail button:
The Create Trail page is displayed:
3. Enter the following information to complete the form:
- Trail name: JohnDoeTrail (The John Doe Trail is not quite as nice as the famous John Muir Trail in the Sierra mountain range of northern California... but it will do for our lab purposes!)
- Enable for all accounts in my organization: Unchecked
- Storage location: Create new S3 bucket (the default. Although you can point to an existing S3 bucket, let CloudTrail create one for you and apply the appropriate IAM policy to it.)
- Trail log bucket and folder: calabs-bucket-unique_number/prefix (S3 bucket names must be unique, hence you will need to append a number to "calabs-bucket" in order to guarantee a unique bucket name.)
- Log file SSE-KMS encryption: Unchecked
4. Click on Next and fill out the form:
- Event type: Check Management events
5. Click Next, review the settings and click on Create trail when ready.
Note: If the S3 bucket name entered previously is not unique, you will be warned. Append a unique number (calabs-bucket-7 in our example) and then click Create trail again. In some instances (depending on previous UI flows and browser cache) you may see a Turn On button instead of a Create button.
You should see the new Trail in the Console:
Your first Trail has been created, along with the S3 bucket it will deliver logs to. The path in S3 to a specific CloudTrail object adheres to the following pattern:
6. Click on the name of your Trail. This opens up a Configuration page for your new Trail:
Don't change anything just yet, but you should notice the following important points:
- Logging has been turned ON.
- Expand Storage location.
- You should see the S3 bucket name, Log file prefix and other configuration settings.
- Last log file delivered. This should get updated very shortly after Trail creation. If you don't see a date/timestamp entry, refresh your browser. Note: Until you see a date/time stamp here, you will not see any JSON files in the S3 bucket CloudTrail delivers logs to. Refresh a few times over a 2-3 minute period before going to the next instruction.
7. Navigate to Services > S3 > UniqueS3bucketName. You will see johndoe as a folder within the S3 bucket that was created when you turned on CloudTrail. Again, this can help with respect to organization if you have many Trails.
8. Click johndoe and then AWSLogs, then navigate further down the organizational structure. After the unique account number, then CloudTrail, you will see the various supported regions from ap-northeast to ca-central to us-east and us-west. Recall this is in accord with the default Apply to all regions option configured earlier. In our example, the navigation thus far is: All Buckets > calabs-bucket-7 > johndoe > AWSLogs > 909421474448 > CloudTrail.
- It may take a few minutes and browser refreshes before you can navigate further down the structure. Eventually CloudTrail will transfer log files even with little to no use in the Console. (For example, DescribeTrails and ListBuckets events.) Five minutes is the longest you should have to wait.
- If you see CloudTrail-digest instead of just CloudTrail, that means you left the Enable log file validation setting on. That setting is not required or used in this lab. Although the lab has not been tested with that feature on, it should still work.
9. Select a region and navigate all the way until you see one or more compressed JSON files (*.json.gz). For example, continuing the path from the previous step in the us-west-2 region:
... CloudTrail > us-west-2 > YYYY > MM > DD. As you can see, the convention includes:
- Region name: us-west-2
- Year: YYYY will be the current year
- Month: MM will be the current month
- Day: DD will be the current day
10. Look at the name of a JSON log file and notice the file naming convention includes:
- Account ID
- Date stamp
- Unique string (generated by AWS)
- .json.gz file name extension (JSON file type, compressed via gzip)
11. Click on the name of a JSON log file to open its Overview tab and then click the Open button:
The log file is opened in a new browser tab. JSON similar to the following is displayed in the browser:
Even though this is about the shortest JSON record you will see in CloudTrail (some are very long!) it is still difficult to parse. The example above is a DescribeTrails event type. Next you will learn a way to view JSON in a more readable and searchable fashion.
12. Open a new browser tab and navigate to jsoneditoronline. (There are several software packages, browser plug-ins and websites for browsing JSON; this is just one of them that works well and requires no configuration.)
13. From the CloudTrail log file you opened, select all and copy the JSON (e.g. Control-A then Control-C). Paste that into the left window of the JSON Editor Online. Click the right-arrow to copy the JSON to the code editor on the right. Now you can traverse the JSON in order to better understand the content of the file:
The search field can be very helpful when you know the event you are looking for.
14. Click on the left arrow between the panes in order to format the JSON to be more readable on the left as well:
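The S3 key layout from steps 8-10 and the event search from steps 11-14 can also be handled locally, so log content never has to be pasted into a website. The following is an added example, not part of the original lab: the key, account ID 111122223333 and log records are constructed samples, and the file name pattern (AccountID_CloudTrail_Region_YYYYMMDDTHHmmZ_UniqueString.json.gz) is the standard CloudTrail layout that the lab lists only by component.

```python
import gzip
import json
import re
from datetime import datetime

# prefix/AWSLogs/AccountID/CloudTrail/region/YYYY/MM/DD/<file name>.json.gz
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P=account)_CloudTrail_(?P=region)_(?P<stamp>\d{8}T\d{4}Z)_"
    r"(?P<unique>[A-Za-z0-9]+)\.json\.gz$"
)


def parse_log_key(key):
    """Split a CloudTrail log object key into its parts, or return None."""
    m = KEY_RE.match(key)
    if m is None:
        return None  # CloudTrail-Digest files and unrelated objects do not match
    parts = m.groupdict()
    parts["delivered"] = datetime.strptime(parts["stamp"], "%Y%m%dT%H%MZ")
    return parts


def find_events(gz_bytes, event_name):
    """Decompress one log file and return the records with this eventName."""
    records = json.loads(gzip.decompress(gz_bytes))["Records"]
    return [r for r in records if r.get("eventName") == event_name]


def summarize(record):
    """One readable line per record: time, service, call, region, caller IP."""
    return "{eventTime} {eventSource} {eventName} {awsRegion} {sourceIPAddress}".format(**record)


# Constructed sample (not real log data): one key and two minimal records.
SAMPLE_KEY = ("johndoe/AWSLogs/111122223333/CloudTrail/us-west-2/2024/05/17/"
              "111122223333_CloudTrail_us-west-2_20240517T1005Z_AbCdEf0123456789.json.gz")
SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-05-17T10:01:12Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-17T10:02:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.7"},
]}).encode())

if __name__ == "__main__":
    print(parse_log_key(SAMPLE_KEY))
    for rec in find_events(SAMPLE_LOG, "DescribeTrails"):
        print(summarize(rec))
```

To use it on a real file, download the .json.gz object from the bucket and pass its bytes to find_events.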
You have turned on and configured CloudTrail so that it can start building a history of AWS API calls and other key events for your account. You have learned about the organization within S3, and navigated the S3 bucket structure that CloudTrail delivers its logs to. Sometimes it may be helpful to view CloudTrail log entries directly from S3, so you learned how to view them in your browser. Because the log can be hard to read in its native format, you used a handy website to view and traverse raw JSON files.
Check if the Trail has been created