Creating a CloudTrail trail integrated with CloudWatch Logs
Introduction
By default, AWS records the last 90 days of events within an account in the CloudTrail event history. However, event history alone does not support triggering alerts, event metrics, or long-term storage.
In this lab step, you will configure a CloudTrail trail by creating an Amazon S3 bucket for log storage and using an existing IAM role to grant CloudTrail the necessary permissions. You will also enable CloudWatch Logs on your trail so that you can monitor your trail logs.
Instructions
1. In the AWS Management Console search bar, enter CloudTrail, and click the CloudTrail result under Services:
The CloudTrail management console will load.
Notification banners at the top of the console page can be safely ignored.
2. On the right-hand side, click Create trail:
A create wizard will load, beginning with the Choose trail attributes step.
3. In the General details section, enter the following information to complete the form:
- Trail name: JohnDoeTrail
- Storage location: Select Create new S3 bucket
- Trail log bucket and folder: calabs-bucket-unique_number/johndoe. Replace unique_number with random characters or numbers.
- Log file SSE-KMS encryption: Uncheck this box to disable
- Log file validation: Uncheck this box to disable
4. Configure the following settings in the CloudWatch Logs section:
- CloudWatch Logs: Check the box next to Enabled
- Log group: Ensure New is selected
- Log group name: Enter CloudTrail/CWlogs
- IAM Role: Select Existing
- Role name: Select the CloudTrailRole from the dropdown menu
The CloudTrail events will be logged to a log stream within the CloudTrail/CWlogs log group.
The events are accessible as raw JSON files within the Amazon S3 bucket that will be created for you during this process. One benefit of accessing events using CloudWatch logs is the ability to view and traverse the entire log event from the CloudWatch console.
5. At the bottom of the page, click Next.
6. On the Choose log events page, ensure that the Management events option is the only Event type selected:
The API activity recorded for management events includes both read and write operations. Read operations include management events that involve listing or describing resources. Write operations include creating, updating, or deleting resources.
All other options on this step should be left at their defaults.
7. At the bottom of the page, click Next.
8. Click Create trail.
Note: The S3 bucket name must be globally unique. If creation fails with a name conflict, append another set of numbers to the bucket name, then click Create trail again.
You will see your newly created trail listed in the Trails table:
Your first trail has been created, along with the S3 bucket it will deliver logs to. The path in S3 to a specific CloudTrail log file will adhere to the following pattern:
bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/file_name.json.gz
The CloudTrail log group has also been created as a part of this process.
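The wizard in steps 3 to 8 provisions three things you never see in the console: an S3 bucket policy that lets CloudTrail write into the bucket, an IAM role that CloudTrail assumes to push events into the log group, and the trail itself. The following is an added example, not code from the lab or from AWS, that expresses those artifacts as plain dictionaries so you can inspect them or feed them to boto3 (`s3.put_bucket_policy`, `iam.create_role` / `iam.put_role_policy`, `cloudtrail.create_trail`). The account id, bucket name and region are constructed placeholders; the trail, prefix, log group and role names are the ones the lab uses.

```python
# Added example (not part of the lab or of AWS's own code): the S3 bucket
# policy, CloudWatch Logs role and create_trail parameters that the console
# wizard in steps 3-8 creates behind the scenes. Values below are
# constructed placeholders; substitute your own.
import json

ACCOUNT_ID = "123456789012"     # constructed placeholder account id
REGION = "us-west-2"
BUCKET = "calabs-bucket-0001"   # constructed; real bucket names must be globally unique
PREFIX = "johndoe"
LOG_GROUP = "CloudTrail/CWlogs"
ROLE_NAME = "CloudTrailRole"
TRAIL_NAME = "JohnDoeTrail"


def bucket_policy(bucket, prefix, account_id):
    """Bucket policy CloudTrail needs in order to deliver log files.

    Delivery fails unless both statements exist: the ACL check on the
    bucket, and PutObject scoped to the AWSLogs/<account id>/ path with
    the bucket-owner-full-control ACL condition.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def cloudwatch_logs_role(account_id, region, log_group):
    """Trust policy and permissions policy for the role CloudTrail assumes
    to write into the log group (the 'CloudTrailRole' selected in step 4).

    Least privilege: only stream creation and PutLogEvents, and only on
    streams under this one log group.
    """
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:log-stream:*",
        }],
    }
    return trust, permissions


def create_trail_kwargs(trail_name, bucket, prefix, account_id, region, log_group, role_name):
    """Keyword arguments for boto3's cloudtrail.create_trail that mirror the
    wizard choices: multi-region, log file validation unchecked, CloudWatch
    Logs enabled through the existing role."""
    return {
        "Name": trail_name,
        "S3BucketName": bucket,
        "S3KeyPrefix": prefix,
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "EnableLogFileValidation": False,  # unchecked in step 3 of the lab
        "CloudWatchLogsLogGroupArn": f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:*",
        "CloudWatchLogsRoleArn": f"arn:aws:iam::{account_id}:role/{role_name}",
    }


if __name__ == "__main__":
    # Print the documents; a deployment would pass them to put_bucket_policy,
    # create_role / put_role_policy, create_trail and then start_logging.
    print(json.dumps(bucket_policy(BUCKET, PREFIX, ACCOUNT_ID), indent=2))
    trust, perms = cloudwatch_logs_role(ACCOUNT_ID, REGION, LOG_GROUP)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print(create_trail_kwargs(TRAIL_NAME, BUCKET, PREFIX, ACCOUNT_ID, REGION, LOG_GROUP, ROLE_NAME))
```

Log file validation is left off here only because the lab unchecks it; outside a lab, enabling it is what lets you later prove a delivered log file was not altered.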
9. Click the JohnDoeTrail name to open the trail's details page:
Notice the following details:
- Trail logging: Logging will be displayed in green, signifying that logging is currently enabled
- Trail log location: This link will redirect you to the S3 bucket location of the event logs for this account
- Multi-region trail: A multi-region trail logs events across all regions and stores them in folders that match the region name
- Last log file delivered: A timestamp will appear after CloudTrail has recorded its first trail log event
Note: CloudTrail can take up to 5 minutes to deliver the log files to the S3 bucket. Continue to refresh this page until a timestamp is present below Last log file delivered.
10. Right-click the URL link below Trail log location to open the S3 console in a new browser tab:
Notice the directory breadcrumbs displayed at the top of the page. Your account number will be different:
11. In the Objects table, click the CloudTrail/ folder name, followed by us-west-2/:
You will encounter subfolders that represent the year, month, and day of the log events.
AWS CloudTrail is not a real-time service. Account event logs are delivered about every 5 minutes while the trail is active, with a potential delay of up to 15 minutes.
If the CloudTrail/ directory does not contain any objects, you will need to wait a few more minutes for the logs to appear.
Refresh the S3 CloudTrail directory list until a directory for us-west-2 appears:
12. Continue to click into each subfolder until you reach the latest log files that end with json.gz:
13. Once you have accessed a specific log event file, click Open to access the JSON log in a new browser tab:
Depending on how many events have been logged since your trail was created, the JSON log will look similar to the following:
{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "Root",
        "principalId": "909421474448",
        "arn": "arn:aws:iam::909421474448:root",
        "accountId": "909421474448",
        "accessKeyId": "ASIAJU6Y7A3P4LWQ6NQQ",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2017-04-05T20:15:57Z"
          }
        }
      },
      "eventTime": "2017-04-05T21:01:29Z",
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "DescribeTrails",
      "awsRegion": "us-west-1",
      "sourceIPAddress": "104.220.54.206",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "trailNameList": []
      },
      "responseElements": null,
      "requestID": "0a1664b9-1a43-11e7-a580-ed95dd477fe2",
      "eventID": "c50c3c15-f49b-4380-a995-610c46916be1",
      "eventType": "AwsApiCall",
      "recipientAccountId": "909421474448"
    }
  ]
}
Opening this file in a browser window does not allow you to traverse the JSON and access certain event attributes. In the next lab step, you will view and inspect a CloudTrail event log in the CloudWatch console.
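Reading the log object in a browser tab is fine for a first look, but a detection script would parse it instead. The following is an added example, not part of the lab, that handles the file the way such a script does: it parses the S3 key pattern from step 8 to recover account, region and date, decompresses the .json.gz object, and flags root-account activity whose session was not MFA authenticated, which is the pattern the sample record above shows (userIdentity.type is Root and mfaAuthenticated is "false"). The key and the two records embedded below are constructed samples with the same shape as the page's record, not data from any real account.

```python
# Added example (not part of the lab): parse a CloudTrail log object from
# S3 and flag root activity without MFA. The key and records are constructed
# samples shaped like the record shown on the page, not real account data.
import gzip
import json
import re

# bucket_name/prefix/AWSLogs/<account id>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z0-9-]+)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<file>[^/]+\.json\.gz)$"
)


def parse_log_key(key):
    """Split an S3 object key into account, region, date and file name.
    Returns None for keys that are not CloudTrail log objects, such as the
    CloudTrail-Digest/ files written when log file validation is enabled."""
    m = KEY_RE.match(key)
    if not m:
        return None
    d = m.groupdict()
    d["date"] = f"{d['year']}-{d['month']}-{d['day']}"
    return d


def load_records(gz_bytes):
    """Decompress one log object and return its list of event records."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def summarize(record):
    """Flat view of the fields an analyst looks at first. mfa is None when
    the record carries no sessionContext (e.g. long-term access key use)."""
    ident = record.get("userIdentity", {})
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    return {
        "time": record.get("eventTime"),
        "event": f"{record.get('eventSource')}:{record.get('eventName')}",
        "type": ident.get("type"),
        "arn": ident.get("arn"),
        "mfa": mfa,
        "ip": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
    }


def root_without_mfa(records):
    """Records made with root credentials where the session was not MFA
    authenticated. CloudTrail stores mfaAuthenticated as the string "true"
    or "false", so anything other than "true" counts as not authenticated."""
    return [s for s in map(summarize, records)
            if s["type"] == "Root" and s["mfa"] != "true"]


# Constructed sample object: one root call without MFA, one IAM user call with MFA.
SAMPLE_KEY = ("johndoe/AWSLogs/123456789012/CloudTrail/us-west-2/2024/01/15/"
              "123456789012_CloudTrail_us-west-2_20240115T0000Z_constructed.json.gz")
SAMPLE_GZ = gzip.compress(json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2024-01-15T00:01:29Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "eventType": "AwsApiCall", "recipientAccountId": "123456789012"},
    {"eventVersion": "1.05", "eventTime": "2024-01-15T00:02:10Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/analyst",
                      "accountId": "123456789012",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "eventType": "AwsApiCall", "recipientAccountId": "123456789012"},
]}).encode())

if __name__ == "__main__":
    meta = parse_log_key(SAMPLE_KEY)
    print(f"log object for account {meta['account']} in {meta['region']} on {meta['date']}")
    for s in root_without_mfa(load_records(SAMPLE_GZ)):
        print("ROOT WITHOUT MFA:", s)
```

The same functions work on a real object fetched with `s3.get_object(...)["Body"].read()`; the key parser doubles as a filter that skips digest files and anything else CloudTrail may write under the prefix.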
Summary
In this lab step, you created a CloudTrail trail configured with CloudWatch Logs enabled to monitor your trail logs.
Check if the Trail has been created