Lab Steps

  • Logging in to the Amazon Web Services Console
  • Creating Your First Trail
  • Generating and Viewing Events
  • Configuring CloudTrail to Log to a CloudWatch Log Group
  • Configuring a Metric Filter and Alarm for Testing and Troubleshooting
  • Configuring CloudWatch for EC2 Alarms and Testing with CloudTrail


Introduction

By default, CloudTrail records the last 90 days of events for an AWS account. However, these default events do not support triggering alerts, event metrics, or long-term storage. You need to create a Trail for that. In this Lab Step, you will create your first Trail. When configuring your first Trail, although you can point to an existing S3 bucket and IAM policy for access, it is simpler and generally recommended to let AWS create them for you during the configuration process. The instructions below will guide you through doing that.

Instructions

1. In the AWS Management Console search bar, enter CloudTrail, and click the CloudTrail result under Services.

Warning: If the CloudTrail UI differs from the one you see in this lab, click on the Try out the new console link in the upper section of the CloudTrail console.

The CloudTrail management console will load.

You may see blue warning notifications saying that you aren't allowed to create a trail for an organization. In this lab, you will create a trail for the AWS account only, so the blue warning notifications you see as you fill out the CloudTrail creation form can be safely ignored.

2. On the right-hand side, click Create a trail.

By default, the Quick trail create form will load. This is a simplified trail creation workflow for getting up and running quickly. In this lab, you will use the full trail creation workflow.

3. In the Trail details form header, click the Create trail link.

A multi-step form-wizard will load, beginning with the Choose trail attributes step.

4. In the General details section, enter the following information to complete the form:

  • Trail name: JohnDoeTrail
  • Storage location: Ensure Create new S3 bucket is selected
  • Trail log bucket and folder: calabs-bucket-unique_number/prefix (S3 bucket names must be globally unique, so you will need to append a number to "calabs-bucket" in order to guarantee a unique bucket name.)
  • Log file SSE-KMS encryption: Uncheck this


5. Make a note of the name of the Amazon S3 bucket.

You will use this later in the lab when querying with Amazon Athena.

Cloud Academy recommends opening a draft email and using it to store notes temporarily for the duration of the lab.


6. Click Additional settings and uncheck Log file validation.


7. At the bottom of the page, click Next.

8. On this page, ensure the only Event type selected is Management events.

All other options on this step should be left at their defaults.


9. At the bottom of the page, click Next.


10. Review the settings and click on Create trail at the bottom when ready.

Note: If the S3 bucket name entered previously is not unique, you will be warned. Append a unique number (calabs-bucket-7 in our example) and then click Create trail again. In some instances (depending on previous UI flows and browser cache) you may see a Turn On button instead of a Create trail button.

You will see your newly created trail listed in the Trails table.

Your first Trail has been created, along with the S3 bucket it will deliver logs to. The path in S3 to a specific CloudTrail object adheres to the following pattern:

bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/file_name.json.gz

11. Click on the name of your Trail. This opens up a Configuration page for your new Trail.

Don't change anything just yet, but you should notice the following important points:

  • Trail logging: This will be green and say Logging, signifying that logging is enabled.
  • Last log file delivered: This should get updated very shortly after Trail creation. If you don't see a date/timestamp entry, refresh your browser.

Next, you will examine the contents of the Amazon S3 bucket.

Note: Until you see a date/time stamp for Last log file delivered, you will not see any JSON files in the S3 bucket. Refresh your browser a few times over a 2-3 minute period before going to the next instruction.


12. In the top-left, right-click the aws icon and open a new browser tab.

A new AWS Management Console page will load in the new browser tab.

13. In the new browser tab, in the search bar at the top, enter S3, and under Services, click the S3 result.

14. In the Buckets table, click the name of your bucket.

You will see the prefix you entered (johndoe in this example) as a folder within the S3 bucket; it was created when you turned on CloudTrail. Using different prefixes is helpful for management if you have many trails.


15. Click johndoe and then AWSLogs, then navigate further down the organizational structure.


16. Click the CloudTrail prefix and then the us-west-2 prefix.

The remaining folder/prefix structure separates trail data by year, month, and day.


17. Continue navigating down the folder/prefix structure until you see one or more compressed JSON files (ending with .json.gz).

It may take a few minutes and several browser refreshes before you can navigate further down the structure. Eventually, CloudTrail will deliver log files even with little to no use of the Console (for example, DescribeTrails and ListBuckets events). Five minutes is the longest you should have to wait.

18. Look at the name of a JSON log file and notice that the file naming convention includes:

  • The Account ID
  • The text CloudTrail
  • The region
  • A date/time stamp
  • A unique string (generated by AWS)
  • .json.gz file name extension (JSON file type, compressed via gzip)

19. Select a JSON file by checking the box in the table on the left, and then click the Open button.

The log file will open in a new browser tab. The JSON will look similar to:

{"Records":[{"eventVersion":"1.05","userIdentity":{"type":"Root","principalId":"909421474448","arn":"arn:aws:iam::909421474448:root","accountId":"909421474448","accessKeyId":"ASIAJU6Y7A3P4LWQ6NQQ","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2017-04-05T20:15:57Z"}}},"eventTime":"2017-04-05T21:01:29Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","awsRegion":"us-west-1","sourceIPAddress":"104.220.54.206","userAgent":"console.amazonaws.com","requestParameters":{"trailNameList":[]},"responseElements":null,"requestID":"0a1664b9-1a43-11e7-a580-ed95dd477fe2","eventID":"c50c3c15-f49b-4380-a995-610c46916be1","eventType":"AwsApiCall","recipientAccountId":"909421474448"}]}

Even though this is about the shortest JSON record you will see in CloudTrail (some are very long!), it is still difficult to parse. The example above is a DescribeTrails event.

Next, you will learn a way to view JSON in a more readable and searchable fashion.

20. Open a new browser tab and navigate to JSON Editor Online. (There are several software packages, browser plug-ins, and websites available for browsing JSON; this is just one of them that works well and requires no configuration.)

21. In the CloudTrail log file tab you opened, select all and copy the JSON (e.g. Control-A then Control-C), then paste the JSON into the left window of JSON Editor Online.


22. To parse and format the JSON, click both Copy buttons once.

Now you can traverse the JSON in order to better understand the content of the file.

The search field can be very helpful when you know the event you are looking for.
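As an added example (not part of the lab), the Python below does programmatically what steps 17 through 22 do by hand: it splits an S3 object key against the path pattern given in step 10 and decompresses a .json.gz log object with the same shape as the DescribeTrails record in step 19, returning one reviewable row per record. The key, account ID, IP address and file name are constructed placeholders.

```python
import gzip
import io
import json
import re

# Constructed sample key and record (placeholder account ID, IP and file name, not real
# identifiers); the record has the same shape as the DescribeTrails event shown in step 19.
SAMPLE_KEY = ("calabs-bucket-7/johndoe/AWSLogs/111122223333/CloudTrail/us-west-2/2017/04/05/"
              "111122223333_CloudTrail_us-west-2_20170405T2105Z_AbCdEf123456.json.gz")
SAMPLE_LOG = {"Records": [{
    "eventVersion": "1.05",
    "userIdentity": {"type": "Root", "principalId": "111122223333",
                     "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333",
                     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
    "eventTime": "2017-04-05T21:01:29Z", "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "DescribeTrails", "awsRegion": "us-west-2",
    "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
    "eventType": "AwsApiCall", "recipientAccountId": "111122223333"}]}

# bucket_name/prefix_name/AWSLogs/Account ID/CloudTrail/region/YYYY/MM/DD/file_name.json.gz
KEY_RE = re.compile(
    r"^(?P<bucket>[^/]+)/(?P<prefix>.*?)/?AWSLogs/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<file>[^/]+\.json\.gz)$")

def parse_key(key):
    """Split a CloudTrail object path into its components; None if it does not match."""
    m = KEY_RE.match(key)
    return m.groupdict() if m else None

def gzip_log(log):
    """Produce the .json.gz bytes CloudTrail would deliver for a Records document."""
    return gzip.compress(json.dumps(log).encode())

def summarize(gz_bytes):
    """Decompress one log object and return a compact, reviewable row per record."""
    with gzip.open(io.BytesIO(gz_bytes), "rt") as fh:
        records = json.load(fh)["Records"]
    rows = []
    for r in records:
        ident = r.get("userIdentity", {})
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        rows.append({"time": r["eventTime"], "event": r["eventName"], "source": r["eventSource"],
                     "who": ident.get("arn"), "ip": r.get("sourceIPAddress"),
                     # root account activity without MFA is the first thing to flag in a review
                     "root_without_mfa": ident.get("type") == "Root" and mfa == "false"})
    return rows
```

Calling parse_key(SAMPLE_KEY) yields the bucket, prefix, account, region and date fields, and summarize(gzip_log(SAMPLE_LOG)) yields a single row for the DescribeTrails call with root_without_mfa set to True.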


Summary

You have turned on and configured CloudTrail so that it can start building a history of AWS API calls and other key events for your account. You have learned about the organization within S3, and navigated the S3 bucket structure used by CloudTrail to deliver its logs to. Sometimes it may be helpful to view CloudTrail log entries directly from S3, so you learned how to view them in your browser. If that is unreadable in its native format, you used a handy website to view and traverse raw JSON files.

Validation checks

  • Created the CloudTrail Trail: Check if the Trail has been created