CloudTrail

Pragya Keshap answered on February 21, 2023


    It is a global service supporting ALL regions that records and tracks, for auditing purposes (logs are by default retained for 90 days), all AWS API requests made:

      • programmatically by a user with an SDK
      • from the AWS CLI
      • within the AWS Console
      • by other AWS services

    A CloudTrail Trail captures API requests and stores them as events in a log file (in JSON format, within 15 mins) on S3.

    Events contain information about:

      • caller
      • timestamp
      • source IP

    CloudTrail is very useful for security, to monitor restricted API calls and be notified of threshold breaches, as well as for solving operational issues (debugging and root cause analysis).

    Even though there is a specific service to monitor and keep track of changes in your infrastructure (AppConfig), CloudTrail logs can be used as evidence for various compliance and governance controls.

    Types of captured events:

      • Management events: also called control plane operations; normally refers to management operations performed on resources in your account (like configuring security with IAM, creating VPCs or Subnets, and setting up logging)
      • Data events: aka data plane operations; provide information about the resource operations performed in or on a resource (like accessing an S3 Object, invoking Lambdas, editing items in DynamoDB)
      • Insights events: capture unusual API call rate or error rate activity [since additional charges are applied, insights events are disabled by default]

    AWS offers the ability to aggregate CloudTrail logs from multiple accounts into a single S3 bucket. This is achieved by:

      • activating CloudTrail on the account owning the Bucket
      • creating a Bucket policy with a permission for each AWS Account we want to aggregate logs for
      • activating CloudTrail on the other accounts, pointing to the right S3 bucket

    This is a useful solution, but generally you don't want AWS accounts writing logs to a bucket in another account to be able to see log information from other accounts (which are logging to the same bucket); therefore the best approach is, in the primary account:

      • to create an IAM Role for each account requiring Read Access
      • to assign a Policy to those roles that allows access only to their own logs
      • to let users assume that Role, by setting up a Trusted Relationship
      • and, in the secondary accounts, to create a new Policy that allows assuming the CloudTrailReadLogs Role

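The answer above says each record carries the caller, timestamp and source IP, and that CloudTrail is useful for monitoring restricted API calls and threshold breaches. The following is an added example (not part of the original answer or of any AWS tooling) that runs that kind of detection over a constructed log file: every record, principal ARN, IP address and timestamp below is made up, and the set of "restricted" calls is an assumption chosen for illustration. The field names (eventSource, eventName, eventCategory, sourceIPAddress, userIdentity, errorCode, responseElements) are the ones CloudTrail records actually use.

```python
import json
from collections import Counter

# Constructed sample log file (not real CloudTrail output). The field names follow the
# CloudTrail record format, but every principal, IP address and timestamp is invented.
def _rec(source, name, arn, ip, time, category="Management", **extra):
    record = {
        "eventVersion": "1.08", "eventTime": time, "eventSource": source,
        "eventName": name, "eventCategory": category, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "arn": arn},
    }
    record.update(extra)
    return record

ALICE = "arn:aws:iam::111122223333:user/alice"          # assumed principal
MALLORY = "arn:aws:iam::111122223333:user/mallory"      # assumed principal
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"  # assumed principal

SAMPLE_LOG = json.dumps({"Records": [
    _rec("iam.amazonaws.com", "PutUserPolicy", ALICE, "203.0.113.10", "2023-02-21T09:00:01Z"),
    _rec("ec2.amazonaws.com", "DescribeInstances", ALICE, "203.0.113.10", "2023-02-21T09:00:05Z"),
    # a data-plane event (S3 object read), only logged if data events are enabled on the trail
    _rec("s3.amazonaws.com", "GetObject", APP_ROLE, "10.0.1.4", "2023-02-21T09:01:00Z", category="Data"),
    # a denied attempt to switch logging off: CloudTrail still records it, with an errorCode
    _rec("cloudtrail.amazonaws.com", "StopLogging", MALLORY, "198.51.100.7", "2023-02-21T09:02:00Z",
         errorCode="AccessDenied"),
] + [
    _rec("signin.amazonaws.com", "ConsoleLogin", MALLORY, "198.51.100.7", f"2023-02-21T09:03:0{i}Z",
         errorMessage="Failed authentication", responseElements={"ConsoleLogin": "Failure"})
    for i in range(4)
] + [
    _rec("signin.amazonaws.com", "ConsoleLogin", ALICE, "203.0.113.10", "2023-02-21T09:04:00Z",
         responseElements={"ConsoleLogin": "Success"}),
]})

# API calls that should be rare in a steady-state account (assumed list; tune per environment).
RESTRICTED_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "iam.amazonaws.com": {"PutUserPolicy", "AttachUserPolicy", "CreateAccessKey"},
    "s3.amazonaws.com": {"PutBucketPolicy", "DeleteBucketPolicy"},
}

def load_records(log_text):
    """Parse one CloudTrail log file: a JSON object with a 'Records' array."""
    return json.loads(log_text)["Records"]

def count_by_category(records):
    """Management vs Data (vs Insight) events, taken from the eventCategory field."""
    return Counter(r.get("eventCategory", "Management") for r in records)

def flag_restricted(records):
    """One alert per restricted API call, in time order, whether it succeeded or was denied."""
    alerts = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if r["eventName"] in RESTRICTED_CALLS.get(r["eventSource"], ()):
            alerts.append({
                "time": r["eventTime"], "call": r["eventName"],
                "caller": r["userIdentity"].get("arn"), "ip": r["sourceIPAddress"],
                "denied": "errorCode" in r,   # a denied attempt is still an indicator
            })
    return alerts

def failed_logins_over_threshold(records, threshold=3):
    """Source IPs with more than `threshold` failed console logins (a simple threshold breach)."""
    failures = Counter(
        r["sourceIPAddress"] for r in records
        if r["eventName"] == "ConsoleLogin"
        and r.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    return {ip: n for ip, n in failures.items() if n > threshold}

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(count_by_category(recs))
    for alert in flag_restricted(recs):
        print("RESTRICTED", alert)
    print("LOGIN THRESHOLD", failed_logins_over_threshold(recs))
```

On the sample, the restricted-call check fires twice (the PutUserPolicy and the denied StopLogging) and the login threshold fires for one IP. In practice you would feed this the gzip-compressed files CloudTrail delivers to the bucket, or wire the same logic to a CloudWatch Logs metric filter; the point is that the denied StopLogging is alerted on even though it failed, because the errorCode field is present on the record rather than the record being absent.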
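The cross-account aggregation procedure in the answer above (bucket policy per account, then a per-account read role in the primary account with a trust relationship and an AssumeRole policy in each secondary account) is shown here as an added example that generates the four policy documents and checks that a read policy really is confined to one account's prefix. This is not code from the original answer or from AWS; the bucket name, account IDs and the role name CloudTrailReadLogs (the name the answer uses) are assumptions. The bucket-policy statements follow the shape AWS requires for a trail bucket: GetBucketAcl for the CloudTrail service plus PutObject under AWSLogs/<account-id>/ with the bucket-owner-full-control ACL condition.

```python
import json

def cloudtrail_bucket_policy(bucket, account_ids):
    """Bucket policy on the primary account's log bucket. account_ids must include the
    primary account itself, since its own trail writes here too."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": arn},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             # one resource per account keeps each account under its own prefix
             "Resource": [f"{arn}/AWSLogs/{acct}/*" for acct in account_ids],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }

def read_own_logs_policy(bucket, account_id):
    """Permissions policy for that account's CloudTrailReadLogs role in the primary account:
    read and list only the AWSLogs/<account_id>/ prefix."""
    arn = f"arn:aws:s3:::{bucket}"
    prefix = f"AWSLogs/{account_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{arn}/{prefix}*"},
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": arn,
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
        ],
    }

def trust_policy(secondary_account_id):
    """Trust relationship on the role: only principals of the named secondary account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{secondary_account_id}:root"},
        "Action": "sts:AssumeRole"}]}

def assume_role_policy(primary_account_id, role_name):
    """Policy attached to users in the secondary account so they can assume the read role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{primary_account_id}:role/{role_name}"}]}

def is_scoped_to_account(policy, bucket, account_id):
    """Check that a read policy can only reach AWSLogs/<account_id>/ in the bucket."""
    object_prefix = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/"
    for st in policy["Statement"]:
        if st["Action"] == "s3:GetObject" and not st["Resource"].startswith(object_prefix):
            return False
        if st["Action"] == "s3:ListBucket":
            cond = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
            if cond != f"AWSLogs/{account_id}/*":
                return False
    return True

if __name__ == "__main__":
    # assumed IDs: 999999999999 is the primary (bucket-owning) account
    primary, secondaries = "999999999999", ["111122223333", "444455556666"]
    print(json.dumps(cloudtrail_bucket_policy("org-trail-logs", [primary] + secondaries), indent=2))
    for acct in secondaries:
        role_policy = read_own_logs_policy("org-trail-logs", acct)
        assert is_scoped_to_account(role_policy, "org-trail-logs", acct)
        print(json.dumps(trust_policy(acct)), json.dumps(assume_role_policy(primary, "CloudTrailReadLogs")))
```

The scoping check is the part worth keeping around: a role policy that grants s3:GetObject on the whole bucket, or s3:ListBucket without the s3:prefix condition, would let one secondary account read every other account's trail, which is exactly what the answer says you want to avoid.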

    Closely Related Answers

    Audits what is created or modified in terms of AWS infrastructure.

    Contributed on May 18 2023 by Sumit Rawal
