Hands-On Lab: Implementing and Analyzing Audit Logs in AWS
[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges.
Prerequisites
Before starting this lab, ensure you have the following:
- An AWS Account with Administrator access.
- AWS CLI installed and configured with credentials (`aws configure`).
- Basic knowledge of JSON and the AWS Console.
- IAM Permissions to manage S3, CloudTrail, and CloudWatch Logs.
Learning Objectives
By the end of this lab, you will be able to:
- Create and configure a multi-region AWS CloudTrail trail.
- Enable S3 Data Events for granular tracking of object-level activity.
- Integrate CloudTrail with Amazon CloudWatch Logs for real-time monitoring.
- Analyze audit logs using the CloudTrail Event History and CloudWatch Log Insights.
Architecture Overview
Step-by-Step Instructions
Step 1: Create an S3 Bucket for Log Storage
CloudTrail requires an S3 bucket to store the log files for long-term auditing and compliance. Creating the bucket alone is not enough: CloudTrail only delivers to a bucket whose policy grants `cloudtrail.amazonaws.com` `s3:GetBucketAcl` on the bucket and `s3:PutObject` under `AWSLogs/<ACCOUNT_ID>/`. The console attaches that policy for you when it creates a new bucket; with the CLI you attach it yourself (`aws s3api put-bucket-policy`) before Step 3, otherwise `create-trail` fails with `InsufficientS3BucketPolicyException`.

```bash
# Generate a unique bucket name
BUCKET_NAME="brainybee-audit-logs-$(aws sts get-caller-identity --query Account --output text)"

# Create the bucket
aws s3 mb s3://$BUCKET_NAME --region <YOUR_REGION>
```

Console alternative

- Navigate to S3 in the AWS Console.
- Click Create bucket.
- Bucket name: `brainybee-audit-logs-<ACCOUNT_ID>`.
- Keep other settings as default (Block Public Access stays enabled) and click Create bucket.
Step 2: Create a CloudWatch Log Group
To enable real-time analysis, we need a destination for CloudTrail events in CloudWatch.

```bash
aws logs create-log-group --log-group-name /aws/cloudtrail/audit-log-lab
```

Console alternative

- Navigate to CloudWatch > Logs > Log groups.
- Click Create log group.
- Log group name: `/aws/cloudtrail/audit-log-lab`.
- Click Create.
Step 3: Configure the CloudTrail Trail
Now we will create the trail that captures all management events (read and write) in every region and routes them to S3 and CloudWatch Logs.

```bash
# Create the trail
aws cloudtrail create-trail \
  --name LabAuditTrail \
  --s3-bucket-name $BUCKET_NAME \
  --is-multi-region-trail \
  --cloud-watch-logs-log-group-arn $(aws logs describe-log-groups --log-group-name-prefix /aws/cloudtrail/audit-log-lab --query "logGroups[0].arn" --output text) \
  --cloud-watch-logs-role-arn <YOUR_CLOUDTRAIL_IAM_ROLE_ARN>

# Start logging
aws cloudtrail start-logging --name LabAuditTrail
```

[!NOTE] In the console, AWS automatically creates the IAM role for CloudWatch integration. In the CLI, you must provide a role whose trust policy lets `cloudtrail.amazonaws.com` assume it and whose permissions policy allows `logs:CreateLogStream` and `logs:PutLogEvents` on the log group.

Console alternative

- Navigate to CloudTrail > Trails > Create trail.
- Trail name: `LabAuditTrail`.
- Storage location: Choose "Use existing S3 bucket" and select the bucket from Step 1.
- CloudWatch Logs: Check "Enabled".
- Log group: Select the group from Step 2.
- IAM Role: Choose "New" and let AWS create the default role.
- Click Next, then Create trail.
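Steps 1 to 3 leave two gaps for the CLI path: the bucket policy CloudTrail insists on, and the delivery role the `[!NOTE]` mentions. The script below, an added example written for this page rather than part of the original lab, fills both and then creates the trail. It uses the lab's names (`LabAuditTrail`, `/aws/cloudtrail/audit-log-lab`, `brainybee-audit-logs-<ACCOUNT_ID>`); the role name `CloudTrailToCloudWatchLogs` and the `aws:SourceArn` condition are assumptions of the example. Two things it adds that the lab's commands do not: the bucket grant is pinned to this one trail ARN so no other account's trail can write into your audit bucket, and `--enable-log-file-validation` makes CloudTrail deliver signed digest files so later tampering with the logs can be detected.

```shell
#!/bin/sh
# Added example (not from the lab page): provision bucket policy, delivery role
# and trail for Steps 1-3. Role name CloudTrailToCloudWatchLogs is assumed.
set -eu

TRAIL_NAME="LabAuditTrail"
LOG_GROUP="/aws/cloudtrail/audit-log-lab"
ROLE_NAME="CloudTrailToCloudWatchLogs"   # assumed name, not prescribed by the lab

# Bucket policy CloudTrail requires before create-trail accepts the bucket:
# GetBucketAcl on the bucket, PutObject only under AWSLogs/<account>/, and an
# aws:SourceArn condition so only this trail can use the grant (confused-deputy guard).
# args: bucket account region
cloudtrail_bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::${1}",
      "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:${3}:${2}:trail/${TRAIL_NAME}"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${1}/AWSLogs/${2}/*",
      "Condition": {"StringEquals": {
        "s3:x-amz-acl": "bucket-owner-full-control",
        "aws:SourceArn": "arn:aws:cloudtrail:${3}:${2}:trail/${TRAIL_NAME}"
      }}
    }
  ]
}
EOF
}

# Trust policy: only the CloudTrail service principal may assume the delivery role.
cloudtrail_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy scoped to streams of this one log group.
# arg: log group ARN without its trailing ":*"
cloudtrail_logs_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "${1}:log-stream:*"
  }]
}
EOF
}

# arg: region (home region of the trail; the trail itself is multi-region)
provision() {
  region="$1"
  account=$(aws sts get-caller-identity --query Account --output text)
  bucket="brainybee-audit-logs-${account}"

  aws s3 mb "s3://${bucket}" --region "${region}"
  aws s3api put-bucket-policy --bucket "${bucket}" \
    --policy "$(cloudtrail_bucket_policy "${bucket}" "${account}" "${region}")"

  aws logs create-log-group --log-group-name "${LOG_GROUP}" --region "${region}"
  lg_arn=$(aws logs describe-log-groups --log-group-name-prefix "${LOG_GROUP}" \
    --query "logGroups[0].arn" --output text --region "${region}")   # ends in ":*"

  aws iam create-role --role-name "${ROLE_NAME}" \
    --assume-role-policy-document "$(cloudtrail_trust_policy)"
  aws iam put-role-policy --role-name "${ROLE_NAME}" --policy-name "${ROLE_NAME}-policy" \
    --policy-document "$(cloudtrail_logs_policy "${lg_arn%:\*}")"
  sleep 15   # IAM is eventually consistent; a brand-new role may not be assumable yet

  # Log file validation: CloudTrail also writes signed digest files, checkable
  # later with "aws cloudtrail validate-logs".
  aws cloudtrail create-trail --name "${TRAIL_NAME}" --s3-bucket-name "${bucket}" \
    --is-multi-region-trail --enable-log-file-validation \
    --cloud-watch-logs-log-group-arn "${lg_arn}" \
    --cloud-watch-logs-role-arn "arn:aws:iam::${account}:role/${ROLE_NAME}" \
    --region "${region}"
  aws cloudtrail start-logging --name "${TRAIL_NAME}" --region "${region}"
}

# Usage: sh provision.sh <region>   (with no argument only the functions are defined)
if [ "$#" -ge 1 ]; then
  provision "$1"
fi
```

Run it once with your region as the only argument; if `create-trail` still reports an access problem on the role, IAM has not finished propagating the new role and the `create-trail` line can simply be re-run.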
Step 4: Generate and View Activity
Perform actions in your account to generate logs. Management events (for example `aws sts get-caller-identity`, or modifying a security group) are recorded by the trail as configured; object-level S3 calls such as the `PutObject` below are data events and only appear once S3 data events are enabled (see the Stretch Challenge).

```bash
# A management event that every trail records
aws sts get-caller-identity

# Create a dummy object to generate a 'PutObject' data event (logged only if data events are enabled)
echo "hello" > hello.txt
aws s3 cp hello.txt s3://$BUCKET_NAME/test-activity.txt
```

Checkpoints

- Verify Trail Status: Run `aws cloudtrail get-trail-status --name LabAuditTrail`. The `IsLogging` field should be `true`.
- Check S3 Delivery: Navigate to your S3 bucket. You should see a folder structure starting with `AWSLogs/`.
- CloudWatch Logs: Navigate to the Log Group. You should see log streams being populated with JSON entries of your recent API calls.
Troubleshooting
| Problem | Potential Cause | Fix |
|---|---|---|
| No logs in S3 | Bucket Policy | Ensure the S3 bucket policy allows cloudtrail.amazonaws.com to call s3:GetBucketAcl on the bucket and s3:PutObject under AWSLogs/<ACCOUNT_ID>/. |
| Logs not appearing in CloudWatch | IAM Role Permissions | Verify the CloudWatch Logs role trusts cloudtrail.amazonaws.com and has logs:CreateLogStream and logs:PutLogEvents permissions on the log group. |
| Delay in logs | Propagation Time | CloudTrail logs can take up to 15 minutes to appear in CloudWatch/S3. |
Clean-Up / Teardown
To avoid charges, delete the resources created in this lab:
```bash
# Stop and delete the trail
aws cloudtrail stop-logging --name LabAuditTrail
aws cloudtrail delete-trail --name LabAuditTrail

# Delete the Log Group
aws logs delete-log-group --log-group-name /aws/cloudtrail/audit-log-lab

# Empty and delete the S3 bucket
aws s3 rb s3://$BUCKET_NAME --force
```

The IAM role used for CloudWatch Logs delivery is not removed by these commands: delete it in IAM (its inline or attached policies first, then the role), whether you created it with the CLI or let the console create it.

Cost Estimate
- CloudTrail: The first copy of management events delivered in each region is free. Data events (if enabled) are charged at $0.10 per 100,000 events.
- S3: Standard storage rates apply (negligible for small log files).
- CloudWatch Logs: Ingestion is charged at ~$0.50/GB (depending on region). This lab will likely stay within the Free Tier limits.
Stretch Challenge
Enable S3 Data Events for your specific bucket. Use CloudWatch Logs Insights to write a query that identifies all DeleteObject calls made in the last hour.
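One way to complete the challenge from the CLI, as an added example written for this page rather than part of the original lab: the first function builds the event selector that adds object-level events for a single bucket (the trailing `/` in the resource ARN scopes it to that bucket's objects instead of every bucket in the account), the second holds the Logs Insights query, and `run_stretch` applies the selector to `LabAuditTrail` and runs the query over `/aws/cloudtrail/audit-log-lab` for the last hour. The query also matches `DeleteObjects`, because a multi-object delete is logged under that name rather than as `DeleteObject`; that extension is this example's, not the lab's.

```shell
#!/bin/sh
# Added example (not from the lab page): S3 data events for one bucket plus a
# Logs Insights query for object deletions in the last hour.
set -eu

TRAIL_NAME="LabAuditTrail"
LOG_GROUP="/aws/cloudtrail/audit-log-lab"

# Event selector: keep management events, add all object reads/writes in one
# bucket. The trailing "/" scopes the selector to that bucket's objects.
# arg: bucket
s3_data_event_selectors() {
  cat <<EOF
[{
  "ReadWriteType": "All",
  "IncludeManagementEvents": true,
  "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::${1}/"]}]
}]
EOF
}

# Logs Insights query. The time window is not part of the query language; it is
# supplied as start/end times when the query is started.
delete_object_query() {
  cat <<'EOF'
fields @timestamp, userIdentity.arn, sourceIPAddress, requestParameters.bucketName, requestParameters.key
| filter eventSource = "s3.amazonaws.com" and eventName in ["DeleteObject", "DeleteObjects"]
| sort @timestamp desc
| limit 100
EOF
}

# args: region bucket
run_stretch() {
  region="$1"; bucket="$2"
  aws cloudtrail put-event-selectors --trail-name "${TRAIL_NAME}" \
    --event-selectors "$(s3_data_event_selectors "${bucket}")" --region "${region}"

  now=$(date +%s)
  query_id=$(aws logs start-query --log-group-name "${LOG_GROUP}" \
    --start-time "$((now - 3600))" --end-time "${now}" \
    --query-string "$(delete_object_query)" \
    --query queryId --output text --region "${region}")

  # Insights queries run asynchronously: poll until the status is terminal.
  while :; do
    status=$(aws logs get-query-results --query-id "${query_id}" \
      --query status --output text --region "${region}")
    case "${status}" in
      Complete) break ;;
      Failed|Cancelled|Timeout) echo "query ${status}" >&2; return 1 ;;
      *) sleep 2 ;;
    esac
  done
  aws logs get-query-results --query-id "${query_id}" --output table --region "${region}"
}

# Usage: sh stretch.sh <region> <bucket>   (with fewer arguments only the functions are defined)
if [ "$#" -ge 2 ]; then
  run_stretch "$1" "$2"
fi
```

Delete the `test-activity.txt` object from Step 4 after enabling the selector, wait a few minutes for delivery, and the query returns the caller ARN, source IP and key for that deletion; the same query text can be pasted into the Logs Insights console with a one-hour relative time range.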
Concept Review
| Feature | CloudTrail Event History | CloudTrail Trails |
|---|---|---|
| Retention | 90 Days | Indefinite (based on S3 lifecycle) |
| Scope | Management Events only | Management + Data Events |
| Cost | Free | First copy of management events free; data events and additional management-event copies charged per event |
| Multi-region | Single Region view | Can be Multi-Region |