Today Amazon Web Services announced the CloudTrail service, which records the activity made through AWS APIs, whether it originates from the console, the command line tools or code. This service answers the most essential questions for security and compliance: Who took this action? When did it take place? What action was taken? Where was it performed? How was it performed? Those of us in the security community who have had a long-standing concern about the lack of visibility into cloud services now have a reference point for what we can and should expect: CloudTrail is the richest and most complete service for activity auditing to date.

As of yesterday, Alert Logic provides support for CloudTrail, giving you the ability to collect the data, perform analytics and visualize trends. CloudTrail enables a number of operational use cases, described in a great blog post by Jeff Barr on the AWS Blog, but the capabilities we find most interesting revolve around security and compliance. This will be the focus of a series of blog posts on auditing and monitoring AWS enabled by the new CloudTrail service.

CloudTrail collection as a service – no appliances required

Amazon has made enabling CloudTrail fairly simple, whether you use the command line or the AWS console. Once a trail is enabled, CloudTrail writes gzip-compressed JSON log files to an S3 bucket you designate and can publish an SNS notification for each file it delivers; subscribing an SQS queue to that topic gives you a durable feed of "new log file" events to drive collection. In practice, reliable collection over time and across multiple regions can be a challenge. Rather than maintain a set of collection appliances pointed at S3 buckets, our CloudTrail collection runs as a service.
The only information the collection service needs is:
1. The SQS queue name
2. The region where the queue is located
3. An AWS access key with rights to read from that SQS queue and from the S3 bucket (scope it to just those two resources; the collector needs nothing else)
Once set up, this service takes care of the tasks necessary for reliable collection over time: tracking the last log file downloaded from S3 so that nothing is missed or ingested twice, and handling gzip extraction. The service is deployed in multiple data center locations so that collection continues uninterrupted.

Making sense of CloudTrail data

Once collected and uncompressed, each CloudTrail log file is a JSON document containing a list of event records, with each event represented as an object. While this is great for providing structure and context, it is not the easiest form to scan at a glance or to analyze in large volume.
The CloudTrail service uses the built-in capabilities of Log Manager to parse the data, provide search, and quickly aggregate, sort and pivot the fields extracted from the logs. In practice, this means the JSON objects can be turned into lists and tables of sortable events, while the expanded view still shows the full detail of each event.
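To make the collection flow (SQS notification, S3 download, gzip extraction, position tracking) and the who/when/what/where/how questions concrete, here is an added example. It is not Alert Logic's collector or AWS code; it is a minimal stand-alone Python pipeline written for this post. The SNS envelope and the {"s3Bucket", "s3ObjectKey"} message body follow the CloudTrail notification format, but the bucket name, object key, account id, ARNs, key ids and the two event records are constructed, and an in-memory dictionary stands in for S3 so it runs offline.

```python
"""Skeleton of a CloudTrail collector: SQS notification -> S3 object key -> gunzip -> JSON
records -> one row per event answering who/when/what/where/how.

All inputs below are constructed for this example; nothing is fetched from AWS."""
import gzip
import json

BUCKET = "example-trail-bucket"  # assumed bucket name
KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2013/11/13/"
       "123456789012_CloudTrail_us-east-1_20131113T1755Z_example.json.gz")  # assumed key

# Constructed CloudTrail log file as it lands in S3: a JSON object with a "Records" list.
SAMPLE_LOG_FILE = {"Records": [
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLE"},
     "eventTime": "2013-11-13T17:52:48Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userAgent": "aws-cli/1.2.0 Python/2.7.5 Darwin/12.5.0",
     "requestParameters": {"instanceType": "m1.small"}, "responseElements": None},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "Root", "principalId": "123456789012", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "eventTime": "2013-11-13T17:54:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "console.amazonaws.com",
     "requestParameters": {"name": "Default"}, "responseElements": None},
]}

# Stand-in for S3: (bucket, key) -> gzip-compressed bytes, exactly what the collector downloads.
FAKE_S3 = {(BUCKET, KEY): gzip.compress(json.dumps(SAMPLE_LOG_FILE).encode())}

# Constructed SQS message body: the SNS envelope an SQS queue subscribed to the
# CloudTrail topic receives; "Message" is itself a JSON string.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudtrail-example",  # assumed topic
    "Message": json.dumps({"s3Bucket": BUCKET, "s3ObjectKey": [KEY]}),
})


def s3_objects_from_sqs_body(body):
    """Return [(bucket, key), ...] named by one CloudTrail notification."""
    msg = json.loads(json.loads(body)["Message"])
    return [(msg["s3Bucket"], key) for key in msg["s3ObjectKey"]]


def records_from_log_object(gz_bytes):
    """Gunzip one log file and return its list of event records."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))["Records"]


def summarize(record):
    """Map a raw event to the five audit questions plus the caller's IP."""
    ident = record.get("userIdentity", {})
    service = record["eventSource"].split(".")[0]          # "ec2.amazonaws.com" -> "ec2"
    return {
        "who": ident.get("arn") or ident.get("type"),       # principal ARN, else identity type
        "when": record["eventTime"],
        "what": "%s:%s" % (service, record["eventName"]),
        "where": record.get("awsRegion"),
        "how": record.get("userAgent"),                     # CLI/SDK string vs. console
        "from": record.get("sourceIPAddress"),
    }


class Collector:
    """Drains SQS notifications into summarized rows, skipping objects already ingested.
    SQS is at-least-once delivery, so the same notification can arrive twice; remembering
    the processed (bucket, key) pairs is the position tracking that keeps ingestion exact."""

    def __init__(self, s3_get):
        self.s3_get = s3_get            # callable (bucket, key) -> gzip bytes
        self.processed = set()

    def handle(self, sqs_body):
        rows = []
        for bucket, key in s3_objects_from_sqs_body(sqs_body):
            if (bucket, key) in self.processed:
                continue                # duplicate delivery: already ingested
            rows.extend(summarize(r) for r in records_from_log_object(self.s3_get(bucket, key)))
            self.processed.add((bucket, key))
        return rows


def run_demo():
    """Feed the constructed notification to a collector backed by the in-memory S3."""
    return Collector(lambda b, k: FAKE_S3[(b, k)]).handle(SAMPLE_SQS_BODY)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

In a real deployment the lambda passed to Collector would be an S3 GET made with the read-only key from the setup list, and the body would come from an SQS receive call on the named queue. The second constructed record shows why the flattened rows matter for security: a root principal calling cloudtrail:StopLogging from the console is exactly the kind of row you want sorted to the top of a table or turned into an alert rather than buried inside a gzip in S3.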
Turning CloudTrail events into actionable information

Because the CloudTrail service is an integral part of Log Manager, turning the log data collected from AWS APIs into alerts or visualizations is just as simple as it is for the log data typically collected from AWS instances and applications.
Look for more details about specific use cases you can enable with CloudTrail soon. If you’d like to see a demo and get CloudTrail service enabled, please click here.