Amazon Activity Logs

Shantanu Oak
3 min read · Oct 25, 2019

Enable Amazon activity logging if you need answers to questions like…

1) Who logged in to the AWS account using root or IAM user, at what time or from which IP address?
2) Which files were uploaded or downloaded? When and from which IP address?
3) What config changes were made to your AWS account and by whom?
4) Are there any failed attempts to upload/download S3 files? Is a hacker trying to access the account, or an ex-employee who may still have unexpired credentials?
5) Which resources were used? For example, how many spot EC2 instances were launched by users, and with what config?

Here are 4 easy steps to enable logging in your AWS account.

1) Start by clicking on the button shown below…

[Button image: Click on this button to enable audit logs]

2) Click on the “Next” button on the Select Template page.

3) Provide a stack name, for example trainingtrail
Note: Do not use special characters or uppercase letters.

4) Click on the “Next” button on the Options page. Click on the “Create” button on the Review page after checking “I acknowledge”.

Running the script was easy. You just clicked on the “Next” button a couple of times. The only thing to remember is not to use special characters or uppercase letters in the stack name. A simple name like ‘audit’ or ‘logging’ will be good enough!

Here is a chart showing which resources are created by running this script and how they are connected to each other.

[Chart: audit trail resources]

Since a lot of resources are generated, this may take some time. After around 10 minutes, check the “Outputs” tab, where you will find the Kibana link. Copy-paste that link and send it to me by email.

You will be charged by Amazon for CloudTrail logs and one Elasticsearch instance. This is a small price to pay for logs that may be very useful in many use cases.

Note: The Kibana dashboard can be accessed only from my IP addresses (18.209.195.135 / 18.210.57.140). No one else can read your logs and therefore your data is secure (assuming you trust me). You can change the white-listed IP addresses later once the ELK stack is up and running.

Once the logs are pushed to Elasticsearch, we can generate reports. You can download the JSON file from…

https://datameetgeobk.s3.amazonaws.com/cftemplates/export_se.json

Go to Kibana → Management → Saved Objects → Import and provide the path of the file that you downloaded from the above link. This will import 5 saved searches; their names are self-explanatory.

uploads
downloads
errors
activity_log
consoleLogin
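To show what those five saved searches are actually selecting from the raw CloudTrail records (and how they answer the five questions at the top of the post), here is an added example that is not part of the original post or its Kibana export. It classifies CloudTrail records into the same five buckets (uploads, downloads, errors, activity_log, consoleLogin) and pulls out the failed logins and denied requests that question 4 asks about. The records are constructed sample data, not real logs; the bucket, user, IP and account values are placeholders. The field names (eventName, eventSource, userIdentity, sourceIPAddress, errorCode, requestParameters, responseElements) are the standard CloudTrail record fields.

```python
import gzip
import json
from collections import defaultdict

# Constructed CloudTrail records, not real log data: only the fields the
# classifier reads are filled in. Real records carry many more fields.
SAMPLE_RECORDS = [
    {"eventTime": "2019-10-25T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-10-25T08:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2019-10-25T09:10:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.csv"}},
    {"eventTime": "2019-10-25T09:12:51Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ex-employee/session"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.csv"}},
    {"eventTime": "2019-10-25T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceType": "t3.micro"}]}}},
    {"eventTime": "2019-10-25T10:30:19Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q3.csv"}},
]


def load_cloudtrail_file(path):
    """Read one delivered CloudTrail log file (plain JSON or .json.gz).
    The records sit under the top-level 'Records' key."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return json.load(fh).get("Records", [])


def classify(record):
    """Name of the saved search this record belongs to (same five as the post).
    Order matters: a failed ConsoleLogin has an errorMessage but should still be
    reported under consoleLogin, so that check comes first."""
    name = record.get("eventName", "")
    if name == "ConsoleLogin":
        return "consoleLogin"
    if record.get("errorCode"):
        return "errors"
    if record.get("eventSource") == "s3.amazonaws.com":
        if name == "PutObject":
            return "uploads"
        if name == "GetObject":
            return "downloads"
    return "activity_log"


def actor(record):
    """Human-readable principal: root, an IAM user name, or the role ARN."""
    ident = record.get("userIdentity") or {}
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "iam-user/" + ident.get("userName", "?")
    return ident.get("arn") or kind or "unknown"


def summarize(record):
    """One report row: who, when, from where, what, and any error."""
    params = record.get("requestParameters") or {}
    name = record.get("eventName")
    detail = ""
    if record.get("eventSource") == "s3.amazonaws.com":
        detail = "s3://%s/%s" % (params.get("bucketName", "?"), params.get("key", ""))
    elif name == "RunInstances":  # question 5: which instance types were launched
        items = (params.get("instancesSet") or {}).get("items") or []
        detail = ",".join(i.get("instanceType", "?") for i in items)
    elif name == "ConsoleLogin":  # question 1: Success or Failure
        detail = (record.get("responseElements") or {}).get("ConsoleLogin", "?")
    return {"time": record.get("eventTime"), "actor": actor(record),
            "ip": record.get("sourceIPAddress"), "event": name,
            "error": record.get("errorCode") or record.get("errorMessage"),
            "detail": detail}


def build_reports(records):
    """Group summarized records under the five saved-search names."""
    reports = defaultdict(list)
    for rec in records:
        reports[classify(rec)].append(summarize(rec))
    return dict(reports)


def failed_access(reports):
    """(actor, ip, event) for every denied request or failed console login:
    the rows to review for question 4 (ex-employee credentials, brute forcing)."""
    hits = [(e["actor"], e["ip"], e["event"]) for e in reports.get("errors", [])]
    hits += [(e["actor"], e["ip"], e["event"])
             for e in reports.get("consoleLogin", []) if e["detail"] == "Failure"]
    return hits


if __name__ == "__main__":
    reports = build_reports(SAMPLE_RECORDS)
    print(json.dumps(reports, indent=2))
    print("failed access:", failed_access(reports))
```

One caveat when comparing this with the Kibana "uploads" and "downloads" searches: GetObject and PutObject are S3 data events, which CloudTrail records only if data event logging is turned on for the trail (a management-events-only trail shows bucket-level calls such as CreateBucket or PutBucketPolicy, but no per-object traffic). The "consoleLogin" rows also carry the source IP, so the same report answers the "from which IP address" part of question 1.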

Here is a PowerPoint presentation explaining the insights provided by those reports:

https://datameetgeobk.s3.amazonaws.com/cftemplates/aws.pptx
