
    Decoding Logs in the Cloud: AWS CloudTrail

    As the digital world continues its move to the cloud, logs are crucial for monitoring, troubleshooting, and securing cloud infrastructure. This blog series, "Decoding Logs in the Cloud," will look into various log types across major cloud providers. We will explore their formats, purposes, and practical examples. In this first installment, we'll focus on AWS CloudTrail logs.

    What is AWS CloudTrail?


    AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.


    AWS CloudTrail Event History Logs


    Importance of AWS CloudTrail Logs

    CloudTrail logs are essential for:

    • Security Monitoring: Detecting unauthorized access and potential security threats.
    • Compliance: Ensuring adherence to regulatory requirements by maintaining detailed logs.
    • Troubleshooting: Investigating and resolving operational issues by analyzing historical data.
    • Resource Tracking: Monitoring changes to AWS resources to maintain a clear audit trail.


    Structure of AWS CloudTrail Logs

    AWS CloudTrail logs are JSON-formatted records that provide detailed information about API calls made in your AWS account. Here is a breakdown of the key components of a CloudTrail log entry:

    • eventVersion: The version of the log format.
    • userIdentity: Information about the user or service that made the API call.
    • eventTime: The time when the API call occurred.
    • eventSource: The AWS service that the request was made to.
    • eventName: The name of the API operation that was invoked.
    • awsRegion: The region in which the event occurred.
    • sourceIPAddress: The IP address from which the request was made.
    • userAgent: The agent through which the request was made (e.g., AWS Management Console, AWS SDK).
    • requestParameters: The parameters that were sent with the request.
    • responseElements: The response elements returned by the AWS service.
    • requestID: A unique identifier for the request.
    • eventID: A unique identifier for the event.
    • readOnly: Indicates whether the request was read-only.
    • resources: The resources that were affected by the request.
    • additionalEventData: Additional information about the event.


    Example of an AWS CloudTrail Log Entry

    Here is an example of a JSON CloudTrail log entry for reference:

    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLEKEY",
        "userName": "Alice"
      },
      "eventTime": "2023-07-21T19:23:45Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "RunInstances",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "203.0.113.0",
      "userAgent": "aws-cli/2.0.0 Python/3.7.3 Linux/5.4.0-1029-aws botocore/2.0.0",
      "requestParameters": {
        "instances": [
          {
            "instanceType": "t2.micro",
            "imageId": "ami-0abcdef1234567890"
          }
        ]
      },
      "responseElements": {
        "instancesSet": [
          {
            "instanceId": "i-0abcdef1234567890"
          }
        ]
      },
      "requestID": "EXAMPLEREQUESTID",
      "eventID": "EXAMPLEEVENTID",
      "readOnly": false,
      "resources": [
        {
          "ARN": "arn:aws:ec2:us-west-2:123456789012:instance/i-0abcdef1234567890",
          "accountId": "123456789012"
        }
      ],
      "additionalEventData": {
        "sampleKey": "sampleValue"
      }
    }
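    To show how the fields above are used in practice, here is a small triage script added for this post (it is not code from the original article or from Cado). It assumes the {"Records": [...]} envelope that CloudTrail writes to S3, a constructed allow-list of trusted networks, and constructed sample events; it flags calls from outside the allow-list and write (non-readOnly) calls made by the root user, and counts writes per principal.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the {"Records": [...]} envelope that CloudTrail delivers to S3
# (assumption: the post shows one bare record; the events below are invented for this example).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-07-21T19:23:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "readOnly": False, "sourceIPAddress": "203.0.113.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"}},
    {"eventTime": "2023-07-21T20:01:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "readOnly": False, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2023-07-21T20:02:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "readOnly": True, "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}},
]})

# Networks the organisation expects its operators to call the API from (constructed allow-list).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def load_records(text):
    """Accept either one bare record (as shown in the post) or the {"Records": [...]} envelope."""
    data = json.loads(text)
    return data["Records"] if "Records" in data else [data]

def source_kind(addr):
    """Classify sourceIPAddress as 'service' (an AWS DNS name), 'trusted' or 'untrusted'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "service"  # calls a service makes on your behalf carry its DNS name, not an IP
    return "trusted" if any(ip in net for net in TRUSTED_NETS) else "untrusted"

def review(text):
    """Return (findings, writes): flagged events and a count of write events per principal."""
    findings, writes = [], Counter()
    for rec in load_records(text):
        ident = rec.get("userIdentity", {})
        who = ident.get("arn") or ident.get("invokedBy") or "unknown"
        write = rec.get("readOnly") is False  # a missing readOnly is not counted as a write
        if write:
            writes[who] += 1
        if source_kind(rec.get("sourceIPAddress", "")) == "untrusted":
            findings.append((rec["eventTime"], who, rec["eventName"], "untrusted source IP"))
        if write and ident.get("type") == "Root":
            findings.append((rec["eventTime"], who, rec["eventName"], "write by root user"))
    return findings, writes
```

    On the sample, review(SAMPLE_LOG) reports the root CreateAccessKey call twice (untrusted IP and root write) and leaves the Lambda-initiated AssumeRole alone, because its sourceIPAddress is a service name rather than an IP.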

    The Cado Platform

    Cado Security empowers security teams to get to the bottom of what happened faster. With Cado, what used to take analysts days, now takes minutes. Automate data collection. Process data at cloud speed. Analyze with purpose. No confusion, no complexity.

    Collect From Anywhere: whether it's a multi-cloud, container-based, serverless, SaaS, or on-premises set up. Automatically capture hundreds of data sources across cloud-provider logs, disk, memory, and more. No agent required means zero impact to production systems.

    Cloud Native: Cado deploys natively within your cloud environment to ensure your unique data privacy requirements are met. You choose: deploy in AWS, GovCloud, Azure, or GCP in minutes, decreasing time to investigation and eliminating egress costs.

    Powerful Analytics: Collected data is enriched using third-party and proprietary threat intelligence. Key incident details such as root cause, compromised roles and assets, and a complete timeline of events are automatically surfaced. 

    Understanding AWS CloudTrail logs is crucial for managing and securing your AWS environment. These logs provide a comprehensive view of activities within your account, helping you to maintain security, ensure compliance, and troubleshoot effectively. In the next blog of this series, we'll explore another type of cloud log and continue our series on decoding logs in the cloud.


    Tag(s): Cloud DFIR
