C1 – Basic CloudTrail Setup

As mentioned in a prior post, We will begin the task of creating a BASIC monitoring system for AWS events.

Our first task is the setup of CloudTrail; I shall do this in two ways. From the AWS Console and via a Terraform script.

MAKE NOTE, from my post on O.P.C.,” If you can not read the code, do not use it; if you can not explain the code, do not use it.” This goes threefold for code found on this site.

CloudTrail and CloudWatch from the Console:

Step 1: Sign into the AWS Console, and search for CloudTrail.

Step 2: From the CloudTrail dashboard select Create trail.

Step 3a: Set Basic CloudTrail attributes. (Part 1)

To recap the options and decisions made here, it is to be noted that with the latest version of the AWS console, cloudtrails are now global by default.

  • We set a descriptive name for our cloudtrail.
  • I chose to create a new S3 bucket to house our data.
    • Do note, s3 bucket names are global and unique; make sure your s3 bucket name is unique in the world.
    • Note s3 bucket naming conventions, lower case, limited punctuation.
  • We will encrypt the log data in our bucket.
  • We wish that data delivered be validated.

Step 3b: Set Basic CloudTrail attributes. (Part 2)

Continuing with the setup of the CloudTrail, some additional options are to be configured:

  • We will enabled CloudWatch logs as a new log group
  • Set a descriptive name for the log group
  • Create a new IAM role for our Cloudtrail to Cloudwatch function
  • And as always add descriptive tags to our object

Step 3c: Set Events Selector. (Part 1)

We will begin to select the event types to be logged. As a rule, I will select ALL data options and filter out log noise in my alarm specifications. One can always filter out data collected; we can not go back in time and capture old data.

  • We will select All log events, Management (console), Data, and insights.
  • All read / write data is of interest, and do include KMS events

Step 3c: Set Events Selector. (Part 2)

In data event sources, we will select all current and future S3 buckets, read and write, and all lambda functions in all regions.

Step 3d: Review Configuration and create the trail

Selecting Create trail will create the trail with the options configured and start logging.

The Cloudtrail dashboard will then display a status screen for the new trail.

As is logging to an S3 bucket, it behooves us to review the bucket’s security settings.

By accessing the S3 dashboard we find that our S3 bucket and the objects contained therein are not public.

This completes the basic setup of cloudtrail and the creation of a cloudwatch log group.

In a separate missive, I shall use a terraform script to create the same infrastructure.

For our next missive(s), we will examine how to create Cloudwatch event rules and Cloudwatch metrics to trigger notifications of anomalous events.