CloudTrail Started/Stopped
CloudTrail is an essential feature for any running AWS account: it records the API calls made in the account (management events by default, plus S3 and Lambda data events if you enable them). Without it, CUIT Security cannot detect potentially harmful activity and is left completely in the dark about what happens in AWS. The steps from Amazon to enable it are reproduced below.
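What the "CloudTrail Started/Stopped" alert actually fires on is a handful of cloudtrail.amazonaws.com API calls showing up in the trail itself. The following is an added example, not code from this page or from AWS: a minimal detection over CloudTrail records in the {"Records": [...]} shape CloudTrail delivers to S3. The events, account ID, ARNs, trail name and IP addresses are constructed placeholders; Amazon's steps for enabling the trail follow after it.

```python
"""Detection for the "CloudTrail Started/Stopped" alert (added example)."""
import json

# cloudtrail.amazonaws.com API calls that change whether, or what, a trail
# records. StopLogging is what the alert is named for; DeleteTrail,
# UpdateTrail and PutEventSelectors can blind a trail without stopping it.
WATCHED_EVENTS = {
    "StopLogging": "critical",
    "DeleteTrail": "critical",
    "UpdateTrail": "high",
    "PutEventSelectors": "high",
    "StartLogging": "info",
}

# Constructed sample log; values are placeholders, not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {   # read-only call, must not alert
        "eventTime": "2023-05-01T12:00:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DescribeTrails",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/auditor"},
        "requestParameters": None,
    },
    {   # logging actually stopped on the security trail
        "eventTime": "2023-05-01T12:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/ops-admin"},
        "requestParameters": {"name": "cuit-security-trail"},
    },
    {   # same call refused by IAM, so logging is still on
        "eventTime": "2023-05-01T12:06:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "sourceIPAddress": "198.51.100.8",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/dev/session"},
        "requestParameters": {"name": "cuit-security-trail"},
        "errorCode": "AccessDenied",
    },
    {   # unrelated service, must be ignored
        "eventTime": "2023-05-01T12:07:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/auditor"},
        "requestParameters": {"bucketName": "cuit-data", "key": "report.csv"},
    },
]})


def find_trail_changes(log_text):
    """Return (alerts, attempts) for watched CloudTrail API calls.

    A record carrying errorCode (for example AccessDenied) is a call that
    did not go through, so logging was not changed; it is returned as an
    attempt rather than an alert because it still says someone tried.
    """
    alerts, attempts = [], []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in WATCHED_EVENTS:
            continue
        # requestParameters is null for some calls, and PutEventSelectors
        # names the trail as trailName rather than name.
        params = rec.get("requestParameters") or {}
        item = {
            "severity": WATCHED_EVENTS[name],
            "event": name,
            "trail": params.get("name") or params.get("trailName"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "time": rec.get("eventTime"),
        }
        if rec.get("errorCode"):
            item["error"] = rec["errorCode"]
            attempts.append(item)
        else:
            alerts.append(item)
    return alerts, attempts


if __name__ == "__main__":
    found, tried = find_trail_changes(SAMPLE_LOG)
    for a in found:
        print(f"ALERT [{a['severity']}] {a['event']} on {a['trail']} "
              f"by {a['actor']} from {a['source_ip']}")
    for t in tried:
        print(f"attempt: {t['event']} on {t['trail']} by {t['actor']} "
              f"failed with {t['error']}")
```

Two points the page's prose does not make explicit: the trail records the call that stops it, so a StopLogging event is the last thing you see before the gap, and the alert has to come from a pipeline (CloudWatch Logs, EventBridge, a SIEM) that already has the event, not from polling the S3 bucket after the fact. Failed attempts are kept separate because logging is still on, but a denied cloudtrail:StopLogging from an unexpected principal is still worth a ticket.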
Creating a Trail in the Console
You can configure your trail for the following:
Specify if you want the trail to apply to all regions or a single region.
Specify an Amazon S3 bucket to receive log files.
For management and data events, specify if you want to log read-only, write-only, or all events.
To create a CloudTrail trail with the AWS Management Console
Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
Choose the region where you want the trail to be created.
Choose Get Started Now.
Tip
If you do not see Get Started Now, choose Trails, and then choose Create trail.
On the Create Trail page, for Trail name, type a name for your trail. For more information, see CloudTrail Trail Naming Requirements.
For Apply trail to all regions, choose Yes to receive log files from all regions. This is the default and recommended setting. If you choose No, the trail logs only events from the region in which you create it, and activity in every other region goes unrecorded.
For Management events, for Read/Write events, choose if you want your trail to log All, Read-only, Write-only, or None, and then choose Save. By default, trails log all management events. For more information, see Management Events.
For Data events, you can specify logging data events for Amazon S3 buckets, for AWS Lambda functions, or both. By default, trails don't log data events. Additional charges apply for logging data events. For CloudTrail pricing, see AWS CloudTrail Pricing.
You can select the option to log all S3 buckets and Lambda functions, or you can specify individual buckets or functions.
For Amazon S3 buckets:
Choose the S3 tab.
To specify a bucket, choose Add S3 bucket. Type the S3 bucket name and prefix (optional) for which you want to log data events. For each bucket, specify whether you want to log Read events, such as GetObject, Write events, such as PutObject, or both. For more information, see Data Events.
To log data events for all S3 buckets in your AWS account, select Select all S3 buckets in your account. Then choose whether you want to log Read events, such as GetObject, Write events, such as PutObject, or both. This setting takes precedence over individual settings you configure for individual buckets. For example, if you specify logging Read events for all S3 buckets, and then choose to add a specific bucket for data event logging, Read is already selected for the bucket you added. You cannot clear the selection. You can only configure the option for Write.
Note
Selecting the Select all S3 buckets in your account option enables data event logging for all buckets currently in your AWS account and any buckets you create after you finish creating the trail. It also enables logging of data event activity performed by any user or role in your AWS account, even if that activity is performed on a bucket that belongs to another AWS account.
If the trail applies only to one region, selecting the Select all S3 buckets in your account option enables data event logging for all buckets in the same region as your trail and any buckets you create later in that region. It will not log data events for Amazon S3 buckets in other regions in your AWS account.
For Lambda functions:
Choose the Lambda tab.
To specify logging individual functions, select them from the list.
Note
If you have more than 15,000 Lambda functions in your account, you cannot view or select all functions in the CloudTrail console when creating a trail. You can still select the option to log all functions, even if they are not displayed. If you want to log data events for specific functions, you can manually add a function if you know its ARN. You can also finish creating the trail in the console, and then use the AWS CLI and the put-event-selectors command to configure data event logging for specific Lambda functions. For more information, see Managing Trails.
To log data events for all Lambda functions in your AWS account, select Log all current and future functions. This setting takes precedence over individual settings you configure for individual functions. All functions are logged, even if all functions are not displayed.
Note
If you are creating a trail for all regions, this selection enables data event logging for all functions currently in your AWS account, and any Lambda functions you might create in any region after you finish creating the trail. If you are creating a trail for a single region, this selection enables data event logging for all functions currently in that region in your AWS account, and any Lambda functions you might create in that region after you finish creating the trail. It does not enable data event logging for Lambda functions created in other regions.
Logging data events for all functions also enables logging of data event activity performed by any user or role in your AWS account, even if that activity is performed on a function that belongs to another AWS account.
For Storage location, for Create a new S3 bucket, choose Yes to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies.
Note
If you chose No, choose an existing S3 bucket. The bucket policy must grant CloudTrail permission to write to it. For information about manually editing the bucket policy, see Amazon S3 Bucket Policy for CloudTrail.
For S3 bucket, type a name for the bucket you want to designate for log file storage. The name must be globally unique. For more information, see Amazon S3 Bucket Naming Requirements.
To configure advanced settings, see Configuring Advanced Settings for Your Trail. Otherwise, choose Create.
The new trail appears on the Trails page. The Trails page shows the trails in your account from all regions. In about 15 minutes, CloudTrail publishes log files that show the AWS API calls made in your account. You can see the log files in the S3 bucket that you specified.
Note
You can't rename a trail after it has been created. Instead, you can delete the trail and create a new one.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html
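The same configuration done outside the console, as an added example that is not code from this page or from AWS: the bucket policy an existing bucket needs before CloudTrail can write to it (the "Storage location" step), the event selectors for the put-event-selectors command the Lambda note mentions, and a check that a created trail actually has the settings the procedure recommends. The bucket name, account ID and trail name are placeholders, and the describe-trails and get-trail-status responses at the bottom are constructed to resemble AWS CLI output.

```python
"""CLI-side equivalents of the console procedure (added example)."""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket, account_id):
    """The standard CloudTrail bucket policy (AWSCloudTrailAclCheck and
    AWSCloudTrailWrite). PutObject is limited to the AWSLogs/<account>/
    prefix and must use bucket-owner-full-control so the bucket owner,
    not the service, owns the log objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20150319",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }


def event_selectors(read_write="All", buckets=None, functions=None):
    """Event selectors matching the console's Management/Data events panel.

    buckets/functions None means "all current and future" (the wildcard
    values arn:aws:s3::: and arn:aws:lambda); a list means only those.
    Individual bucket values end in "/" so every key in the bucket matches.
    """
    data = []
    if buckets is None:
        data.append({"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]})
    elif buckets:
        data.append({"Type": "AWS::S3::Object",
                     "Values": [f"arn:aws:s3:::{b}/" for b in buckets]})
    if functions is None:
        data.append({"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]})
    elif functions:
        data.append({"Type": "AWS::Lambda::Function", "Values": list(functions)})
    return [{"ReadWriteType": read_write,
             "IncludeManagementEvents": True,
             "DataResources": data}]


# describe-trails fields: all regions (recommended above), global service
# events, and log file validation from the advanced settings.
REQUIRED_TRAIL_SETTINGS = {
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
}


def audit_trail(trail, status):
    """Findings for one trail from its describe-trails entry and
    get-trail-status output; an empty list means it looks right."""
    findings = []
    for key, want in REQUIRED_TRAIL_SETTINGS.items():
        if trail.get(key) != want:
            findings.append(f"{key} is {trail.get(key)!r}, expected {want!r}")
    if not status.get("IsLogging"):
        findings.append("IsLogging is false: the trail exists but is stopped")
    if status.get("LatestDeliveryError"):
        findings.append(f"log delivery failing: {status['LatestDeliveryError']}")
    return findings


# Constructed responses: a single-region trail that has been stopped.
SAMPLE_TRAIL = {
    "Name": "cuit-security-trail",
    "S3BucketName": "cuit-cloudtrail-logs-111122223333",
    "IncludeGlobalServiceEvents": True,
    "IsMultiRegionTrail": False,
    "HomeRegion": "us-east-1",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/cuit-security-trail",
    "LogFileValidationEnabled": True,
}
SAMPLE_STATUS = {"IsLogging": False, "LatestDeliveryTime": "2023-05-01T12:04:30Z"}

if __name__ == "__main__":
    print(json.dumps(cloudtrail_bucket_policy(SAMPLE_TRAIL["S3BucketName"],
                                              "111122223333"), indent=2))
    print(json.dumps(event_selectors(), indent=2))
    for finding in audit_trail(SAMPLE_TRAIL, SAMPLE_STATUS):
        print("FINDING:", finding)
```

With the AWS CLI the sequence is `aws cloudtrail create-trail --name <trail> --s3-bucket-name <bucket> --is-multi-region-trail --enable-log-file-validation`, then `aws cloudtrail start-logging --name <trail>` (unlike the console, create-trail does not start logging by itself), then `aws cloudtrail put-event-selectors --trail-name <trail> --event-selectors file://selectors.json` with the output of event_selectors(). The audit function is the check to run afterwards, and periodically, since the trail's existence says nothing about whether it is still logging.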