Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.
2. Agenda
• AWS customer feedback
• Introducing AWS CloudTrail
• Demo: Turn on CloudTrail
• Information in a recorded API call & Partner Demos
• Advanced Features
• Q&A
3. You asked us to
• Record which users in your account made changes to your
AWS resources such as EC2 instances, EC2 and VPC security
groups, and more.
• Create an archive of all user activity to meet your internal and
external compliance standards.
• Add the ability to view all user activity, i.e., API calls executed.
4. Introducing AWS CloudTrail
(Diagram, Image Source: AWS: You are making API calls... on a growing set of services around the world... CloudTrail is continuously recording API calls... and delivering log files to you...)
5. Use Cases Enabled by CloudTrail
• Security Analysis
Use log files as an input into log management and analysis solutions to perform security
analysis and to detect user behavior patterns.
• Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2
instances, Amazon VPC security groups, and Amazon EBS volumes.
• Troubleshoot Operational Issues
Quickly identify the most recent changes made to resources in your environment.
• Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards.
6. What is AWS CloudTrail?
• CloudTrail records API calls in your
account and delivers a log file to your S3
bucket.
• Typically, delivers an event within 15
minutes of the API call.
• Log files are delivered approximately
every 5 minutes.
• Multiple partners offer integrated
solutions to analyze log files.
Image Source: Jeff Barr
7. AWS Services Supported by CloudTrail
• Currently, records API calls made to these AWS services:
Amazon EC2
Amazon EBS
Amazon VPC
Amazon RDS
Amazon Redshift
AWS IAM
AWS STS (Security Token Service)
AWS CloudTrail
• Includes API calls made by higher-level AWS services such as AWS
CloudFormation, AWS Elastic Beanstalk, and AWS OpsWorks
8. What is NOT recorded?
• State transitions of AWS resources
Example: An EC2 instance transitioning from pending to a running
state.
• Allowed or denied traffic information for VPC security groups and
network ACLs.
• Successful and failed AWS Management Console sign-in events.
9. AWS CloudTrail Regional Availability
• Available in us-east (Northern Virginia) and us-west (Oregon) regions
today.
• You turn on CloudTrail on a per region basis.
• Events for global services will be delivered in both regions.
11. Information in a recorded API call (JSON format)
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted upon in the API call?
• Where was the API call made from?
12. Who made the API call?
• Records detailed information for all AWS identity types
Root user
IAM user
Federated user
Role
• Information includes
Friendly user name
AWS AccessKeyId
12-digit AWS account number
Amazon Resource Name (ARN)
Session context and issuer information, if applicable
invokedBy section identifies the AWS service making request on behalf of the user
13. Who? Example 1: IAM user Bob making an API call
"userIdentity": {
"accessKeyId": "AKEXAMPLE123EJVA",
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:user/Bob",
"principalId": "AIEXAMPLE987ZKLALD3HS",
"type": "IAMUser",
"userName": "Bob"
}
Anonymized data
14. Who? Example 2: Federated user Alice making an API call
"userIdentity":{
"type":"FederatedUser",
"principalId":"123456789012:Alice",
"arn":"arn:aws:sts::123456789012:federated-user/Alice",
"accountId":"123456789012",
"accessKeyId":"ASEXAMPLE1234WTROX8F",
"sessionIssuer":{
"type":"IAMUser",
"accountId":"123456789012",
"userName": "Bob"
}
}
Anonymized data; Partial Output
15. Who? Example 3: AWS service calling on behalf of a user
• Elastic Beanstalk creating AWS resources on behalf of IAM user Bob
"userIdentity": {
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:user/Bob",
"invokedBy":"elasticbeanstalk.amazonaws.com",
"principalId": "ASEXAMPLE123XWTROX8F",
"type": "IAMUser",
"userName": "Bob"
}
Anonymized data
16. When was the API call made?
• Time and date of the event in ISO 8601 format
• Unambiguous and well-defined method of representing date and
time
• AWS services sync all system clocks with centralized Network
Time Protocol (NTP) servers
"eventTime": "2013-10-23T23:30:42Z"
17. What was the API call?
What resources were acted upon?
• API call and the service the API call belongs to
"eventName": "RunInstances"
"eventSource": "EC2"
• Request parameters provided by the requester and Response
elements returned by the AWS service
• Response elements for read-only API calls (Describe*, Get*,
List*) are not recorded to prevent event size inflation
18. Where was the API call made from?
• Apparent IP address of the requester making the API call.
• Records the apparent IP address of the requester when making
API calls from AWS Management Console.
• AWS region to which the API call was made. Global services
(Examples: IAM/STS) will be recorded as us-east-1.
"sourceIPAddress": "54.234.127.135",
"awsRegion": "us-east-1",
19. Errors and Authorization Failures
• Detailed and Descriptive error codes and error messages, recorded
only when errors occur.
Examples
Client error code: TagLimitExceeded
Server error code: Internal Error
Authorization failure: UnauthorizedOperation
• Authorization Failure Example
"eventName": "TerminateInstances",
"errorCode": "UnauthorizedOperation",
"errorMessage": "You are not authorized to perform this
operation"
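The "who / when / what / where" fields and the error fields from slides 11 through 19, pulled together into a small analysis script. This is an added example for this deck, not AWS code or a partner product: the three records are constructed to mirror the anonymized `userIdentity` shapes shown above (field names follow the CloudTrail record format, all values are invented), `eventSource` is written in its `ec2.amazonaws.com` form rather than the slide's shorthand `EC2`, and the `Root`/`AssumedRole` branches cover identity types the slides name but do not show.

```python
"""Classify CloudTrail records by caller and flag authorization failures.

Added example for this deck (not AWS code). The three records below are
constructed to mirror the anonymized userIdentity shapes on the slides; field
names follow the CloudTrail record format, values are invented, and eventSource
uses the "ec2.amazonaws.com" form rather than the slide's shorthand "EC2".
"""
import json

# Constructed sample log file body; CloudTrail delivers {"Records": [...]} per file.
SAMPLE_LOG = json.dumps({"Records": [
    {   # Who? Example 1: IAM user Bob launching an instance
        "eventTime": "2013-10-23T23:30:42Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "54.234.127.135",
        "userIdentity": {
            "type": "IAMUser", "principalId": "AIEXAMPLE987ZKLALD3HS",
            "arn": "arn:aws:iam::123456789012:user/Bob",
            "accountId": "123456789012", "accessKeyId": "AKEXAMPLE123EJVA",
            "userName": "Bob"}},
    {   # Who? Example 2: federated user Alice (session issued by Bob), denied
        "eventTime": "2013-10-23T23:31:10Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "errorCode": "UnauthorizedOperation",
        "errorMessage": "You are not authorized to perform this operation",
        "userIdentity": {
            "type": "FederatedUser", "principalId": "123456789012:Alice",
            "arn": "arn:aws:sts::123456789012:federated-user/Alice",
            "accountId": "123456789012", "accessKeyId": "ASEXAMPLE1234WTROX8F",
            "sessionContext": {"sessionIssuer": {
                "type": "IAMUser", "accountId": "123456789012",
                "userName": "Bob"}}}},
    {   # Who? Example 3: Elastic Beanstalk acting on Bob's behalf
        "eventTime": "2013-10-23T23:32:05Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
        "sourceIPAddress": "elasticbeanstalk.amazonaws.com",
        "userIdentity": {
            "type": "IAMUser", "principalId": "AIEXAMPLE987ZKLALD3HS",
            "arn": "arn:aws:iam::123456789012:user/Bob",
            "accountId": "123456789012", "userName": "Bob",
            "invokedBy": "elasticbeanstalk.amazonaws.com"}},
]})

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def load_records(body):
    """Parse one log file body into its list of event records."""
    return json.loads(body)["Records"]


def describe_caller(identity):
    """Answer 'who made the call?' for the identity types named on slide 12."""
    kind = identity.get("type")
    if kind == "Root":
        who = "root user of account %s" % identity.get("accountId")
    elif kind == "IAMUser":
        who = "IAM user %s" % identity.get("userName")
    elif kind == "FederatedUser":
        # sessionIssuer normally sits under sessionContext; the slide's
        # partial output shows it at top level, so accept either place.
        issuer = (identity.get("sessionContext", {}).get("sessionIssuer")
                  or identity.get("sessionIssuer") or {})
        who = "federated user %s (session issued by %s %s)" % (
            identity.get("principalId"), issuer.get("type"), issuer.get("userName"))
    elif kind == "AssumedRole":
        who = "assumed role %s" % identity.get("arn")
    else:
        who = "unrecognized identity type %r" % kind
    if "invokedBy" in identity:  # an AWS service made the call on the user's behalf
        who += ", via %s" % identity["invokedBy"]
    return who


def is_mutating(event_name):
    """True for calls that can change resources; read-only calls start with Describe/Get/List."""
    return not event_name.startswith(READ_ONLY_PREFIXES)


def flag_denied(records):
    """Collect every authorization failure as (eventName, caller, sourceIPAddress)."""
    return [(r["eventName"], describe_caller(r["userIdentity"]), r.get("sourceIPAddress"))
            for r in records if r.get("errorCode") == "UnauthorizedOperation"]


def change_log(records):
    """Chronological list of successful mutating calls as (eventTime, eventName, caller)."""
    return sorted((r["eventTime"], r["eventName"], describe_caller(r["userIdentity"]))
                  for r in records if is_mutating(r["eventName"]) and "errorCode" not in r)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for line in change_log(recs):
        print("CHANGE", *line)
    for line in flag_denied(recs):
        print("DENIED", *line)
```

Run it on a real delivered file by replacing `SAMPLE_LOG` with the gunzipped file body; the `change_log` output is the "track changes to AWS resources" view from slide 5, and `flag_denied` is the simplest useful detection to wire into a log-management tool.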
20. Regulatory standards aided by AWS CloudTrail
• Helps you meet the logging requirements specified in
PCI Data Security Standard V1 (PCI DSS V1)
FedRAMP: US government program for federal agencies
International Organization for Standardization (ISO) 27001 standard
Service Organization Control 2 (SOC 2)
• For more details, please refer to the "Security at Scale: Logging in AWS"
whitepaper on the AWS compliance website.
Image Source: AWS Compliance Website
21. SNS Notifications for log file delivery
• Optionally, CloudTrail will publish SNS notification of each new log
file.
• Notifications contain the address of the log file delivered to your
S3 bucket and allow you to take immediate action.
• Does not require you to continuously poll S3 to check whether
new log files were delivered
• Multiple subscribers can subscribe to the same SNS topic and
retrieve the log files for analysis.
22. Descriptive S3 folder structure and detailed log file name
• Default descriptive folder structure makes it easier to store log files
from multiple accounts and regions in the same S3 bucket.
• Detailed log file name helps identify the contents of the log file,
regardless of where they are stored.
• Unique identifier in the file name prevents overwriting log files.
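How an SNS subscriber would act on the notification from slide 21 and decode the folder structure and file name from slide 22. This is an added example for this deck, not AWS code: the notification body and the two object keys are constructed, the key layout assumed is the default `<prefix>/AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<account>_CloudTrail_<region>_<yyyymmddThhmmZ>_<unique>.json.gz`, and the `s3Bucket`/`s3ObjectKey` message shape is the CloudTrail message that arrives inside the SNS envelope's `Message` field. Fetching the object itself is left out so the script runs offline; the `allowed_accounts` check is a defense-in-depth addition, not something the slides describe.

```python
"""Handle a CloudTrail log-delivery SNS notification and decode the S3 key.

Added example for this deck, not AWS code. The notification body and keys are
constructed; the key format assumed is the default CloudTrail layout
<prefix>/AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/
<account>_CloudTrail_<region>_<yyyymmddThhmmZ>_<unique>.json.gz
"""
import json
import re
from datetime import datetime, timezone

# One regex for the whole key; the file name repeats account and region, so
# back-references (?P=account)/(?P=region) reject keys where they disagree.
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+)/)?AWSLogs/(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}-[a-z]+-\d)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/"
    r"(?P=account)_CloudTrail_(?P=region)_(?P<ts>\d{8}T\d{4}Z)_"
    r"(?P<uid>[A-Za-z0-9]+)\.json\.gz$")

# Constructed CloudTrail message (the SNS envelope's "Message" field):
# the bucket plus the list of keys delivered in this batch.
SAMPLE_NOTIFICATION = json.dumps({
    "s3Bucket": "foo",
    "s3ObjectKey": [
        "KBJInc/AWSLogs/222222222222/CloudTrail/us-east-1/2013/11/01/"
        "222222222222_CloudTrail_us-east-1_20131101T1230Z_AbCdEf012345.json.gz",
        "KBJInc/AWSLogs/111111111111/CloudTrail/us-west-2/2013/11/01/"
        "111111111111_CloudTrail_us-west-2_20131101T1235Z_ZyXwVu987654.json.gz",
    ],
})


def parse_key(key):
    """Split a delivered object key into account, region, delivery time and unique id."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError("not a CloudTrail log file key: %s" % key)
    delivered = datetime.strptime(m["ts"], "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)
    return {
        "prefix": m["prefix"],            # None when no prefix was configured
        "account": m["account"],
        "region": m["region"],
        "delivered": delivered,
        "unique_id": m["uid"],            # what keeps two files from overwriting each other
    }


def handle_notification(message_body, allowed_accounts=None):
    """Decode one notification; optionally refuse files from accounts you do not expect."""
    msg = json.loads(message_body)
    items = []
    for key in msg["s3ObjectKey"]:
        info = parse_key(key)
        if allowed_accounts is not None and info["account"] not in allowed_accounts:
            raise ValueError("log file from unexpected account %s: %s"
                             % (info["account"], key))
        info["bucket"] = msg["s3Bucket"]
        info["key"] = key
        items.append(info)
    return items


if __name__ == "__main__":
    for item in handle_notification(SAMPLE_NOTIFICATION, {"111111111111", "222222222222"}):
        # Here a real subscriber would call s3.get_object(Bucket=..., Key=...),
        # gunzip the body and hand {"Records": [...]} to the analysis step.
        print(item["account"], item["region"], item["delivered"].isoformat(), item["key"])
```

Because the account ID and region are in the key (and repeated in the file name), a subscriber can route each file to the right owner without opening it, which is what makes one bucket for many accounts and regions workable.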
23. Aggregate logs from multiple regions into one S3 bucket
• Create a bucket in the first region where you turn on CloudTrail.
• Specify the same bucket as the destination in the second region.
• CloudTrail will deliver logs from multiple regions to the same
bucket.
24. Aggregate log files from multiple accounts into one S3 bucket
1. Turn on CloudTrail for account 111111111111, delivering to bucket "foo" in
account 111111111111.
2. Update the "foo" bucket policy so CloudTrail may write the other accounts'
log files under their own prefixes:
"arn:aws:s3:::foo/KBJInc/AWSLogs/222222222222/*",
"arn:aws:s3:::foo/KBJInc/AWSLogs/333333333333/*"
3. Turn on CloudTrail for account 222222222222, specifying bucket "foo".
4. Turn on CloudTrail for account 333333333333, specifying bucket "foo".
(Diagram: the services supported by CloudTrail in each of the three accounts
deliver into bucket "foo" in account 111111111111.)
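The bucket policy behind step 2, generated for any set of accounts and then checked against a delivered key. This is an added example for this deck, not the policy text the presenters showed: the bucket name, prefix and account IDs are the slide's placeholders; the two statements (an ACL check on the bucket plus a `PutObject` grant under each account's `AWSLogs/<account>/` prefix, conditioned on `bucket-owner-full-control`) follow the CloudTrail bucket-policy shape AWS documents; and the `cloudtrail.amazonaws.com` service principal is the current form, whereas the 2013 deck would have listed CloudTrail's per-region account IDs. `put_allowed` is a simplified evaluator for this one policy shape, not a general IAM policy engine.

```python
"""Generate the multi-account CloudTrail bucket policy and test keys against it.

Added example for this deck, not AWS code. Bucket "foo", prefix "KBJInc" and
the account IDs are the slide's placeholders; the statement shape follows the
CloudTrail bucket policy AWS documents, using the current service principal.
"""
import json
import re


def cloudtrail_bucket_policy(bucket, prefix, account_ids):
    """Return the policy dict that lets CloudTrail write each account's logs into `bucket`."""
    base = "arn:aws:s3:::%s" % bucket
    # Each account only gets its own AWSLogs/<account>/ subtree; an empty prefix is allowed.
    resources = [base + "/" + "/".join(p for p in (prefix, "AWSLogs", acct, "*") if p)
                 for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail checks it can read the bucket ACL before delivering
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": base,
            },
            {   # Write grant: objects must be handed to the bucket owner with full control,
                # otherwise account 111111111111 could not read 222222222222's files.
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": resources,
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_match(pattern, arn):
    """IAM resource wildcards: '*' spans any characters (including '/'), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def put_allowed(policy, bucket, key, acl="bucket-owner-full-control"):
    """Would this policy let CloudTrail PutObject `key` with the given ACL? (Allow-only check.)"""
    arn = "arn:aws:s3:::%s/%s" % (bucket, key)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "s3:PutObject" not in _as_list(stmt["Action"]):
            continue
        required_acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if required_acl is not None and required_acl != acl:
            continue
        if any(_arn_match(pattern, arn) for pattern in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("foo", "KBJInc",
                                      ["111111111111", "222222222222", "333333333333"])
    print(json.dumps(policy, indent=2))
```

Apply the printed JSON with `aws s3api put-bucket-policy --bucket foo --policy file://policy.json` from account 111111111111, then turn on CloudTrail in the other accounts pointing at "foo". Keeping a separate `AWSLogs/<account>/` resource per account, rather than `foo/*`, is what stops a fourth account you never approved from delivering into your archive.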
25. How much does AWS CloudTrail cost?
• There are no charges for turning on CloudTrail for your account.
• Standard S3 and SNS charges will apply as per your usage.
26. Want to learn more about CloudTrail and Partners?
• Come meet the CloudTrail team (Deployment and Management Booth) and partners

Partner       Booth   Relevant Session
2nd Watch     #715    Nov 13, 3:00pm, Titian 2306: DMG209 - Enterprise Management for the AWS
AlertLogic    #314    Nov 14, 4:15pm, Veronese 2504: SEC308 - Auto Scaling Web Application Security in AWS
Boundary      #1020
Cognizant     #500    Nov 14, 4:15pm, Titian 2306: ENT222 - Enterprise Transformation through Cognizant's XaaS fabric on AWS
Datapipe      #713
Foghorn       #530
Loggly        #821    Nov 15, 1:30pm, Delfino 4003: ARC303 - Unmeltable Infrastructure at Scale: Using Apache Kafka, Twitter Storm, and Elastic Search on AWS
Smartronix    #809
Splunk        #925
Stackdriver   #315    Nov 14, 3:00pm, Veronese 2504: ARC210 - DevOps Nirvana: Seven Steps to a Peaceful Life on AWS
Sumologic     #117    Nov 13, 3:00pm, San Polo 3501 A: BDT401 - Using AWS to Build a Scalable Big Machine Data Management and Processing Service
28. We are sincerely eager to hear your feedback on this presentation and on re:Invent.
SEC207
Please fill out an evaluation form when you have a chance.