AWS CloudTrail Manage Your Events

Go over the following steps to learn how to use AWS CloudTrail to manage your events.

How to View Event Details using AWS CloudTrail?

  1. Click on one of the events in the list to check its details.

    AWS CloudTrail Manage Your Events - Check Event Details

  2. If an event references multiple resources, the additional resources are listed at the end of the details pane.

    AWS CloudTrail Manage Your Events - Check Event Referenced Resources

  3. Some referenced resources are accompanied by a link. Select the link to go to that resource's console.

    AWS CloudTrail Manage Your Events - Check Event Link

  4. Click the View Event button under the details pane to view the event in JSON format.
  5. Select the event once more to close the details pane.

How to Download Events?

Recorded event history can be downloaded in either CSV or JSON format. Use filters and time ranges to reduce the size of the file you download.

Keep in Mind:

Event history files are data files that contain information, such as resource names, that individual users can set themselves.

Some of this data can be interpreted as:

– Commands by the programs used to read and analyze the file (CSV injection).

This means that when events are exported to CSV and then imported into a spreadsheet program, that program may warn you about security concerns.

Important:

Disable such content to keep your system secure: keep links and macros disabled in any event history files you download.
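As an added example (not code from the original page or from AWS), the following Python exporter neutralizes formula-leading cells before writing event history to CSV, so a spreadsheet program treats them as literal text rather than commands. The sample records, and the `=SUM(1,2)` user name in the second one, are constructed.

```python
import csv
import io

# Leading characters that spreadsheet programs interpret as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell as text, prefixed with a single quote if it would be
    read as a formula. The quote makes a spreadsheet treat it as literal text."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def events_to_safe_csv(records, fields):
    """Write selected fields of CloudTrail records to CSV text. Every cell is
    quoted (so embedded commas and quotes cannot break out of the cell) and
    formula-leading cells are neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for rec in records:
        writer.writerow([neutralize_cell(rec.get(f)) for f in fields])
    return buf.getvalue()


# Constructed sample records. The second carries a user name that a spreadsheet
# would otherwise evaluate as a formula on import.
SAMPLE_RECORDS = [
    {"eventTime": "2019-06-19T00:18:31Z", "eventName": "StartLogging",
     "userName": "Ugur_gu", "sourceIPAddress": "203.0.113.64"},
    {"eventTime": "2019-06-19T00:20:00Z", "eventName": "CreateUser",
     "userName": "=SUM(1,2)", "sourceIPAddress": "203.0.113.64"},
]
FIELDS = ["eventTime", "eventName", "userName", "sourceIPAddress"]

if __name__ == "__main__":
    print(events_to_safe_csv(SAMPLE_RECORDS, FIELDS))
```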

Now, carry on reading to learn how to download event history files:

  1. Apply a filter, then add a time range for the events you need.

Example: Set the event name to StartInstances, then set a time range covering the last 2 days of activity.

AWS CloudTrail Manage Your Events - Use Event Filter

  2. Click the download button and select either Download CSV or Download JSON. The download starts.

AWS CloudTrail Manage Your Events - Download Event Button

AWS CloudTrail Manage Your Events - Download Events

Keep in mind:

The download may take some time to finish. To speed it up, apply a filter that narrows the results to exactly what you need, or specify a smaller time range, before downloading.

  3. When the download finishes, open the downloaded file to view the events.
  4. To cancel the download, click Cancel download.

How to View Resources Referenced with Config?

Using Config, you can record:

– Configuration details

– Relationships

– Changes made to resources

AWS CloudTrail Manage Your Events - Check Event Resources Referenced Config Timeline

Under Resources Referenced, click the following icon in the Config timeline column to view the resource in the Config console:

AWS CloudTrail Manage Your Events - Config Timeline Symbol

If the icon is grey and looks like this:

AWS CloudTrail Manage Your Events - Config Off Symbol

then Config is either turned off or not recording this resource type. Click the icon to open the Config console, where you can enable the service or start recording the chosen resource type.

If the column shows Link not available, the resource cannot be viewed for one of the following reasons:

  • The resource was created and then deleted immediately.
  • The resource type isn't supported.
  • The resource is owned by a different account.
  • The resource type was recently added to Config support but is not yet available in the CloudTrail console. In this case you can search for it in the Config console to check its timeline.
  • The resource was recently created or updated.
  • The resource is owned by a different service (for example, a managed IAM policy).

Let's take an example:

  1. Config is configured to record IAM resources.
  2. An IAM user named Kit-user is created. On the Event history page, you can see the CreateUser event with Kit-user as the IAM resource. Clicking the Config icon opens the Config timeline for this IAM resource.
  3. Later, the user name is updated to Kit-admin.
  4. The Event history page displays the UpdateUser event with Kit-admin as the updated IAM resource.
  5. You can select the icon to go to the timeline for the Kit-admin IAM resource. You cannot select the icon for Kit-user, because the resource name changed and Config has started recording the updated resource instead.

 

CloudTrail logs are recorded in JSON format. They contain information about the requests made against your account's resources, such as:

– Which user made the request

– Which services were used

– What actions were performed

– The parameters for each action

The event data is enclosed in a Records array.

The example below shows one log record for an event in which an IAM user named Ugur_gu called the StartLogging API from the console to start logging on a trail.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Ugur_gu",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Ugur_gu",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-06-18T22:28:31Z"
            }
        },
        "invokedBy": "signin.amazonaws.com"
    },
    "eventTime": "2019-06-19T00:18:31Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "203.0.113.64",
    "userAgent": "signin.amazonaws.com",
    "requestParameters": {
        "name": "arn:aws:cloudtrail:us-east-2:123456789012:trail/My-First-Trail"
    },
    "responseElements": null,
    "requestID": "ddf5140f-EXAMPLE",
    "eventID": "7116c6a1-EXAMPLE",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789012"
},

… additional entries …

The next example shows one log record in which an Insights event occurred because the Systems Manager API UpdateInstanceAssociationStatus was called an unusual number of times.

An Insights event record contains two events:

– One event that marks the start of the insight, that is, the start of the unusual activity

– One event that marks the end of the insight

The value of eventCategory is Insight.

The insightDetails block shows the event source, event state, event name, Insights context, Insights type, and statistics.

{
    "Records": [
        {
            "eventVersion": "1.07",
            "eventTime": "2019-10-17T10:05:00Z",
            "awsRegion": "us-east-1",
            "eventID": "aab985f2-3a56-48cc-a8a5-e0af77606f5f",
            "eventType": "AwsCloudTrailInsight",
            "recipientAccountId": "123456789012",
            "sharedEventID": "12edc982-3348-4794-83d3-a3db26525049",
            "insightDetails": {
                "state": "Start",
                "eventSource": "ssm.amazonaws.com",
                "eventName": "UpdateInstanceAssociationStatus",
                "insightType": "ApiCallRateInsight",
                "insightContext": {
                    "statistics": {
                        "baseline": {
                            "average": 1.7561507937
                        },
                        "insight": {
                            "average": 50.1
                        }
                    }
                }
            },
            "eventCategory": "Insight"
        },
        {
            "eventVersion": "1.07",
            "eventTime": "2019-10-17T10:13:00Z",
            "awsRegion": "us-east-1",
            "eventID": "ce7b8ac1-3f89-4dae-8d2a-6560e32f591a",
            "eventType": "AwsCloudTrailInsight",
            "recipientAccountId": "123456789012",
            "sharedEventID": "12edc982-3348-4794-83d3-a3db26525049",
            "insightDetails": {
                "state": "End",
                "eventSource": "ssm.amazonaws.com",
                "eventName": "UpdateInstanceAssociationStatus",
                "insightType": "ApiCallRateInsight",
                "insightContext": {
                    "statistics": {
                        "baseline": {
                            "average": 1.7561507937
                        },
                        "insight": {
                            "average": 50
                        },
                        "insightDuration": 8
                    }
                }
            },
            "eventCategory": "Insight"
        }
    ]
}
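As an added example covering both the API-call record and the Insights record above (not code from the original page or from AWS), this Python parser pulls the who / service / action / parameters fields out of a Records array and pairs each Insights Start event with its End event by sharedEventID to report how far the call rate rose above baseline. The sample log is a constructed, trimmed copy of the two records, and its sharedEventID value is a placeholder.

```python
import json

def load_records(text):
    """Parse a CloudTrail log file; its events sit in the top-level Records array."""
    return json.loads(text)["Records"]

def summarize_api_call(rec):
    """Reduce an API-call record to who / service / action / parameters, plus MFA use."""
    ident = rec.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {"who": ident.get("userName") or ident.get("arn"),
            "service": rec.get("eventSource"), "action": rec.get("eventName"),
            "parameters": rec.get("requestParameters") or {},
            "mfa": attrs.get("mfaAuthenticated") == "true",  # worth alerting on for CloudTrail/IAM changes
            "source_ip": rec.get("sourceIPAddress")}

def pair_insights(records):
    """Pair Insights Start/End events by sharedEventID; report the rate relative to baseline."""
    by_id = {}
    for rec in records:
        if rec.get("eventCategory") != "Insight":
            continue
        d = rec["insightDetails"]
        stats = d["insightContext"]["statistics"]
        entry = by_id.setdefault(rec["sharedEventID"], {
            "service": d["eventSource"], "action": d["eventName"], "type": d["insightType"]})
        if d["state"] == "Start":
            entry["start"] = rec["eventTime"]
        elif d["state"] == "End":
            entry["end"] = rec["eventTime"]
            entry["duration"] = stats.get("insightDuration")  # 8 here, matching the minutes from Start to End
            entry["ratio"] = round(stats["insight"]["average"] / stats["baseline"]["average"], 1)
    return by_id

# Constructed sample: a trimmed copy of the two record shapes shown above (the StartLogging
# call by Ugur_gu and the ssm Start/End Insights pair); the sharedEventID is a placeholder.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2019-06-19T00:18:31Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StartLogging", "sourceIPAddress": "203.0.113.64",
     "userIdentity": {"type": "IAMUser", "userName": "Ugur_gu", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-2:123456789012:trail/My-First-Trail"}},
    {"eventCategory": "Insight", "eventTime": "2019-10-17T10:05:00Z", "sharedEventID": "12edc982-EXAMPLE",
     "insightDetails": {"state": "Start", "eventSource": "ssm.amazonaws.com", "insightType": "ApiCallRateInsight",
                        "eventName": "UpdateInstanceAssociationStatus", "insightContext": {"statistics": {
                            "baseline": {"average": 1.7561507937}, "insight": {"average": 50.1}}}}},
    {"eventCategory": "Insight", "eventTime": "2019-10-17T10:13:00Z", "sharedEventID": "12edc982-EXAMPLE",
     "insightDetails": {"state": "End", "eventSource": "ssm.amazonaws.com", "insightType": "ApiCallRateInsight",
                        "eventName": "UpdateInstanceAssociationStatus", "insightContext": {"statistics": {
                            "baseline": {"average": 1.7561507937}, "insight": {"average": 50}, "insightDuration": 8}}}},
]})
```

Run `pair_insights(load_records(SAMPLE_LOG))` to see the Start and End events joined into one entry with the rate ratio.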

Watch the tutorial for managing events on AWS CloudTrail

