Creating Your First Trail
By default, CloudTrail records the last 90 days of events for an AWS account. However, this default event history does not support triggering alerts, event metrics, or long-term storage. You need to create a Trail for that. In this Lab Step, you will create your first Trail. When configuring your first Trail, although you can point to an existing S3 bucket and IAM policy for access, it is simpler and generally recommended that you let AWS create them for you during the configuration process. The instructions below will guide you through doing that.
1. In the AWS Management Console search bar, enter CloudTrail, and click the CloudTrail result under Services:
The CloudTrail management console will load.
You may see blue warning notifications saying that you aren't allowed to create a CloudTrail trail for an organization. In this lab, you will create a trail for the AWS account only, so the blue warning notifications you see while filling out the CloudTrail creation form can be safely ignored.
2. On the right-hand side, click Create trail:
A multi-step form-wizard will load, beginning with the Choose trail attributes step.
3. In the General details section, enter the following information to complete the form:
- Trail name: JohnDoeTrail
- Storage location: Select Create new S3 bucket
- Trail log bucket and folder: calabs-bucket-unique_number/johndoe (S3 bucket names must be globally unique, so you will need to append a number to "calabs-bucket" in order to guarantee a unique bucket name.)
- Log file SSE-KMS encryption: Uncheck this
- Log file validation: Uncheck this
4. Make a note of the name of the Amazon S3 bucket.
You will use this later in the lab when querying with Amazon Athena.
Cloud Academy recommends opening a notes page and using it to store notes for the duration of this lab.
5. At the bottom of the page, click Next.
6. On this page, ensure the only Event type selected is Management events:
All other options on this step should be left at their defaults.
7. At the bottom of the page, click Next.
8. Review the settings and click Create trail at the bottom when ready.
Note: If the S3 bucket name entered previously is not unique, you will be warned. Append a different number (calabs-bucket-7 in our example) and then click Create trail again. In some instances (depending on previous UI flows and browser cache) you may see a Turn On button instead of the Create trail button.
You will see your newly created trail listed in the Trails table:
Your first Trail has been created, along with the S3 bucket it will deliver logs to. The path in S3 to a specific CloudTrail object adheres to the following pattern:
9. Click on the name of your Trail. This opens up a Configuration page for your new Trail:
Don't change anything just yet, but you should notice the following important points:
- Trail logging: This will be green and say Logging, signifying that logging is enabled.
- Last log file delivered: This should get updated very shortly after Trail creation. If you don't see a date/timestamp entry, refresh your browser.
Next, you will examine the contents of the Amazon S3 bucket.
Note: Until you see a date/time stamp for Last log file delivered, you will not see any JSON files in the S3 bucket. Refresh your browser a few times over a 2-3 minute period before going to the next instruction.
10. In the top-left, right-click the aws icon and open a new browser tab.
A new AWS Management Console page will load in the new browser tab.
11. In the new browser tab, in the search bar at the top, enter S3, and under Services, click the S3 result:
12. In the Buckets table, click the name of your bucket:
You will see johndoe/ as a folder within the S3 bucket that was created when you turned on CloudTrail. Using different prefixes is helpful with respect to management if you have many trails.
13. Click johndoe/ and then AWSLogs/, then navigate further down the organizational structure.
14. Click the CloudTrail prefix and then the us-west-2 prefix.
The remaining folder/prefix structure separates trail data by year, month, and day.
15. Continue navigating down the folder/prefix structure until you see one or more compressed JSON files (ending with .json.gz).
It may take a few minutes and several browser refreshes before you can navigate further down the structure. CloudTrail will eventually deliver log files even with little to no use of the Console (for example, DescribeTrails and ListBuckets events). Five minutes is the longest you should have to wait.
16. Look at the name of a JSON log file and notice that the file naming convention includes:
- The Account ID
- The text CloudTrail
- The region
- A date/time stamp
- A unique string (generated by AWS)
- A .json.gz file name extension (JSON file type, compressed via gzip)
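The prefix layout you just navigated (johndoe/AWSLogs/account/CloudTrail/region/year/month/day/) and the file naming convention above, as an added Python example that is not part of the lab: it splits an S3 object key into its CloudTrail components and rejects keys that are not delivered log files. The exact separators (underscores and a YYYYMMDDTHHMMZ timestamp) follow AWS's documented naming convention and are assumed here; the account ID and unique string in the sample keys are constructed.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Object-key layout this lab navigates: <prefix>/AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/
# followed by the file name components listed above. The separators (underscores and a
# YYYYMMDDTHHMMZ timestamp) are AWS's documented convention and are assumed here.
KEY_RE = re.compile(
    r"^(?P<prefix>(?:[^/]+/)*)AWSLogs/(?P<path_account>\d{12})/CloudTrail/"
    r"(?P<path_region>[a-z]{2}(?:-[a-z]+)+-\d)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/"
    r"(?P<account>\d{12})_CloudTrail_(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)_"
    r"(?P<stamp>\d{8}T\d{4}Z)_(?P<unique>[A-Za-z0-9]+)\.json\.gz$"
)


def parse_cloudtrail_key(key: str) -> Optional[dict]:
    """Split an S3 key into its CloudTrail components, or return None if it is not a log file."""
    m = KEY_RE.match(key)
    if m is None:
        return None  # CloudTrail-Digest objects, other prefixes, unexpected layouts
    g = m.groupdict()
    # The file name repeats the account and region from the folder path; a mismatch
    # means the object was not placed there by CloudTrail's normal delivery.
    if g["account"] != g["path_account"] or g["region"] != g["path_region"]:
        return None
    delivered = datetime.strptime(g["stamp"], "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)
    return {
        "prefix": g["prefix"],  # empty string when the trail writes to the bucket root
        "account_id": g["account"],
        "region": g["region"],
        "folder_date": f"{g['y']}-{g['m']}-{g['d']}",
        "delivered_at": delivered.isoformat(),
        "unique_string": g["unique"],
    }


# Constructed sample keys (fake account ID and unique string) in the layout the lab describes.
SAMPLE_KEYS = [
    "johndoe/AWSLogs/123456789012/CloudTrail/us-west-2/2023/05/14/"
    "123456789012_CloudTrail_us-west-2_20230514T1535Z_AbCdEf0123456789.json.gz",
    "johndoe/AWSLogs/123456789012/CloudTrail-Digest/us-west-2/2023/05/14/"
    "123456789012_CloudTrail-Digest_us-west-2_20230514T153500Z.json.gz",
]

if __name__ == "__main__":
    for k in SAMPLE_KEYS:
        print(k.rsplit("/", 1)[-1], "->", parse_cloudtrail_key(k))
```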
17. Select a JSON file by checking the box in the table on the left, and then click the Open button:
The log file will open in a new browser tab. The JSON will look similar to:
Even though this is about the shortest JSON record you will see in CloudTrail (some are very long!), it is still difficult to read. The example above is a DescribeTrails event.
Next, you will learn a way to view JSON in a more readable and searchable fashion.
18. Open a new browser tab and navigate to JSON Editor Online (there are several software packages, browser plug-ins, and websites available for browsing JSON; this is just one that works well and requires no configuration).
19. From the CloudTrail log file you opened, select all and copy the JSON (e.g. Control-A then Control-C), and paste it into the left window of JSON Editor Online.
20. To parse and format the JSON, click both Copy buttons once.
Now you can traverse the JSON in order to better understand the content of the file:
The search field can be very helpful when you know the event you are looking for.
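As an added alternative to a browser-based viewer (this script is not part of the lab), the following Python reads a gzipped CloudTrail log file like the ones in the bucket and reduces each record to the fields you usually look at first, keeping the log contents on your own machine. The sample log is constructed (fake account, ARN and IP) and contains a DescribeTrails record like the one you opened plus a denied ListBuckets call to show where an error surfaces; the field names are the standard CloudTrail record fields.

```python
import gzip
import io
import json
from typing import Iterator, List


def iter_records(gz_bytes: bytes) -> Iterator[dict]:
    """Yield each record from a gzipped CloudTrail log file (a JSON object holding a "Records" list)."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as f:
        doc = json.load(f)
    yield from doc.get("Records", [])


def summarize(rec: dict) -> dict:
    """Reduce one CloudTrail record to who did what, from where, and whether it failed."""
    ident = rec.get("userIdentity", {})
    who = ident.get("arn") or ident.get("invokedBy") or ident.get("type", "unknown")
    return {
        "time": rec.get("eventTime"),
        "who": who,
        "event": f"{rec.get('eventSource', '?')}:{rec.get('eventName', '?')}",
        "source_ip": rec.get("sourceIPAddress"),
        "read_only": bool(rec.get("readOnly", False)),
        "error": rec.get("errorCode"),  # absent (None) when the API call succeeded
    }


def summarize_log(gz_bytes: bytes) -> List[dict]:
    return [summarize(r) for r in iter_records(gz_bytes)]


# Constructed sample log (fake account, ARN and IP): the DescribeTrails record the lab opens,
# plus a ListBuckets call that was denied, to show where an error surfaces.
SAMPLE_LOG = {"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-05-14T15:30:12Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/johndoe",
                      "accountId": "123456789012", "userName": "johndoe"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com", "requestParameters": {"includeShadowTrails": True},
     "responseElements": None, "readOnly": True, "eventType": "AwsApiCall",
     "managementEvent": True, "eventCategory": "Management"},
    {"eventVersion": "1.08", "eventTime": "2023-05-14T15:31:40Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/johndoe",
                      "accountId": "123456789012", "userName": "johndoe"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied", "readOnly": True, "eventType": "AwsApiCall",
     "managementEvent": True, "eventCategory": "Management"},
]}
SAMPLE_GZ = gzip.compress(json.dumps(SAMPLE_LOG).encode("utf-8"))

if __name__ == "__main__":
    for row in summarize_log(SAMPLE_GZ):
        print(row)
```

To run it against a real file from the bucket, pass the downloaded .json.gz bytes to summarize_log instead of SAMPLE_GZ.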
You have turned on and configured CloudTrail so that it can start building a history of AWS API calls and other key events for your account. You have learned about the organization within S3, and navigated the S3 bucket structure CloudTrail uses to deliver its logs. Sometimes it may be helpful to view CloudTrail log entries directly from S3, so you learned how to open them in your browser. Because raw JSON is hard to read in its native format, you used a handy website to view and traverse it.
Check if the Trail has been created