CloudTrail Reports

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.

CloudTrail Summary Report

The CloudTrail Summary Report provides high-level statistics about your account activity taken from your CloudTrail Trails.

NOTE: The data in this report only reflects regions where CloudTrail is enabled.

Overview

The Overview section shows:

  • Total Trails – the number of Trails you have enabled across your AWS account.
  • Total Events – the number of unique Events within your AWS account.

Events by Region

Events by Region shows:

  • Region – the Region where Trails are being logged.
  • Events – the total number of interactions with your AWS account from that region.

EVENTS BY SERVICE

Events by Service shows:

  • Service – the AWS service that is being interacted with.
  • Events – the total number of interactions with that AWS service.

EVENTS BY TOP USERS

Events by Top Users displays the top 10 IAM users who interact with your AWS account.

  • User – the IAM username
  • Events – the total number of interactions that user had with the AWS account.

Events by IP

Events by IP shows the top 10 IP addresses by number of events associated with your AWS account.

  • IP – the unique IP address associated with the event.
  • Events – the total number of interactions that IP address had with the AWS account.

Events by Resource

Events by Resource shows the ten AWS resources in your account with the most associated events.

  • Resources – the friendly name of the resource that is associated with the AWS activity.
  • Events – the total number of interactions that resource had with the AWS account.

List of Trails

The CloudTrail Overview Report provides details about your CloudTrail deployment.

The following details are provided for each region that has CloudTrail enabled:

  • S3 Bucket Name – the name of the S3 bucket where the Trails are being logged.
  • S3 Key Prefix – the prefix appended to the log files of the Trails.
  • Is Logging – Whether logging is enabled or not.
  • Include Global Service Events – Whether Trails are being recorded from services such as IAM or AWS STS which are not region-specific.  NOTE: If you include global services in multiple regions, you will generate duplicate entries for a single event in the log files.
  • Logging Started – The most recent date and time when CloudTrail started recording API calls for an AWS account.
  • Logging Ended – The most recent date and time when CloudTrail stopped recording API calls for an AWS account.
  • Last Delivery – The date and time that CloudTrail last delivered log files to an account’s Amazon S3 bucket.
  • Last Notification – The date and time of the most recent Amazon SNS notification that CloudTrail has written a new log file to an account’s Amazon S3 bucket.
  • SNS Topic Name – The name of the topic within SNS that CloudTrail notifications are sent through.
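A check over these trail details, as an added example that is not CloudCheckr's code. It reads the same fields that `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status` return (`S3BucketName`, `S3KeyPrefix`, `IsLogging`, `IncludeGlobalServiceEvents`, `SnsTopicName`, `StartLoggingTime`, `StopLoggingTime`, `LatestDeliveryTime`) and flags a stopped trail, a missing SNS topic, the duplicate-entry condition from the NOTE above, and a trail that is logging but has not delivered recently. The two trails are constructed samples with ISO-8601 strings in place of the CLI's timestamps, and the two-hour delivery window is an assumed threshold.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: two regional trails, joined from the fields that
# `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status` return.
SAMPLE_TRAILS = [
    {"Name": "trail-us-east-1", "HomeRegion": "us-east-1",
     "S3BucketName": "example-cloudtrail-logs", "S3KeyPrefix": "prod",
     "IncludeGlobalServiceEvents": True, "SnsTopicName": "cloudtrail-delivery",
     "IsLogging": True, "StartLoggingTime": "2014-01-02T10:00:00Z",
     "StopLoggingTime": None, "LatestDeliveryTime": "2014-01-10T11:55:00Z"},
    {"Name": "trail-us-west-2", "HomeRegion": "us-west-2",
     "S3BucketName": "example-cloudtrail-logs", "S3KeyPrefix": "prod",
     "IncludeGlobalServiceEvents": True,   # second trail with global events: duplicate IAM/STS entries
     "SnsTopicName": None,                 # no delivery notifications
     "IsLogging": False, "StartLoggingTime": "2014-01-02T10:00:00Z",
     "StopLoggingTime": "2014-01-09T08:00:00Z", "LatestDeliveryTime": "2014-01-09T07:50:00Z"},
]


def parse_time(value):
    """ISO-8601 'Z' timestamp -> timezone-aware UTC datetime (None stays None)."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_trails(trails, now_iso, max_delivery_gap_hours=2):
    """Return (trail name, finding) tuples for the conditions worth a look.

    now_iso is the reference time as an ISO-8601 string; the delivery window
    is an assumed threshold, not a CloudTrail or CloudCheckr setting.
    """
    now = parse_time(now_iso)
    gap = timedelta(hours=max_delivery_gap_hours)
    global_trails = [t["Name"] for t in trails if t.get("IncludeGlobalServiceEvents")]
    findings = []
    for t in trails:
        name = t["Name"]
        if not t.get("IsLogging"):
            findings.append((name, "logging is stopped"))
        if not t.get("SnsTopicName"):
            findings.append((name, "no SNS topic for delivery notifications"))
        if len(global_trails) > 1 and name in global_trails:
            findings.append((name, "global service events recorded by more than one trail (duplicate entries)"))
        last = parse_time(t.get("LatestDeliveryTime"))
        # Only a trail that claims to be logging is expected to keep delivering.
        if t.get("IsLogging") and (last is None or now - last > gap):
            findings.append((name, "no log delivery within the expected window"))
    return findings


if __name__ == "__main__":
    for trail_name, finding in check_trails(SAMPLE_TRAILS, "2014-01-10T12:00:00Z"):
        print(f"{trail_name}: {finding}")
```

Run against real output, replace `SAMPLE_TRAILS` with the merged JSON of the two CLI calls for each region; the global-services finding is the one that is easy to miss from a single region's console view, because it only shows up when the trails are compared side by side.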

Common Searches

The CloudTrail Common Searches report makes it easy to get to the CloudTrail data you need by presenting you with common filter options.

The statistics for this report are collected from the Trails generated from CloudTrail.  CloudTrail must be enabled in your AWS account, and access must be given to CloudCheckr to report on this data.

USING THE COMMON SEARCHES REPORT

The report is pre-built with search parameters from the most common use-cases for using CloudTrail within CloudCheckr.

The report offers 4 search options. Choose which search you would like to perform, select your desired date range for your search and click the Search button.

Once you search, you will be directed to the CloudTrail Events report, filtered down to the specific events that matched your search.

SEARCH OPTIONS

The Common Searches report contains the following default searches:

Option 1: Find who started an EC2 Instance

This search allows you to go back in time and identify which IAM user started a specific EC2 instance.

When using this option, CloudCheckr will find any CloudTrail “RunInstance” events, for your selected date range, that match your instance ID.

You can enter a single EC2 instance ID (ex: i-d13ag3a1) into the Instance ID text box to lookup the history for a specific instance.  Alternately, if you leave the text box empty and search, you will be given a list of ALL the “RunInstance” events across all of your EC2 instances.

When you perform this search, the CloudTrail Events report will be grouped by User Name, allowing you to view the user(s) that started your instance(s).

Option 2: Find unauthorized access attempts

This search allows you to find any unauthorized access attempts made against your AWS account(s).

An unauthorized access attempt is any call made against AWS that failed with “errorMessage”: “Not authorized…”.  This is typically the result of someone trying to access a resource or service they do not have permission for.

This Search will return all events that failed with the “Not authorized” error for your selected date range.

When you perform this search, the CloudTrail Events report will be grouped by User Name, filtered to the Error response type, allowing you to view each failed attempt for any user.

Option 3: Find all activity for a specific IAM user

This search will allow you to find all the events for any of your IAM users, for whichever date range you’d like.

The User list is multi-select, meaning you can select one or more of the users within the list to use for your search. Alternatively, if you click the binoculars icon above the list of user names you will be given a pop-up that allows you to search for, and select, whichever user you would like to use for your search.

When you perform this search, the CloudTrail Events report will be grouped by User Name, allowing you to view each event for any user.

Option 4: Find all activity for a specific IP address

This search allows you to find events that originated from specific IP addresses, during the date range you specify.

The list of IP Addresses is multi-select, meaning you can select one or more of the IPs within the list to use for your search. Alternatively, if you click the binoculars icon above the list of IP Addresses you will be given a pop-up that allows you to search for, and select, whichever IPs you would like to use for your search.

When you perform this search, the CloudTrail Events report will be grouped by IP Address, allowing you to view each event for your IPs.
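The four searches above, written out against raw CloudTrail records as an added example that is not CloudCheckr's code. Each function takes the date range and returns matching events grouped by user name or by IP address, as the report does. The log is a constructed sample in the shape CloudTrail delivers to S3 (a JSON document with a `Records` array; `userIdentity.userName`, `sourceIPAddress`, `eventName`, `responseElements`, `errorCode` and `errorMessage` are real record fields). Two details worth knowing: the event name CloudTrail records for a launch is `RunInstances`, and the unauthorized search below also accepts an `errorCode` of `AccessDenied`, because the wording of the error message varies by service.

```python
import json
from collections import defaultdict

# Constructed sample log file in CloudTrail's delivery format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-03-06T21:22:54Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instanceType": "m1.small"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-d13ag3a1"}]}}},
    {"eventTime": "2014-03-06T22:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0000aaaa"}]}}},
    {"eventTime": "2014-03-07T02:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied",
     "errorMessage": "Not authorized to perform s3:DeleteBucket on logs-bucket"},
    {"eventTime": "2014-03-07T03:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]})


def load_records(text):
    """Parse one CloudTrail log file and return its Records array."""
    return json.loads(text)["Records"]


def in_range(rec, start, end):
    """Inclusive 'YYYY-MM-DD' range on the event's UTC date (ISO strings compare lexically)."""
    return start <= rec["eventTime"][:10] <= end


def who_started_instance(records, start, end, instance_id=None):
    """Option 1: RunInstances events, optionally narrowed to one instance ID, grouped by user.

    The launched instance IDs are in responseElements.instancesSet.items, not in
    the request, so the match has to look at the response side of the record.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["eventName"] != "RunInstances" or not in_range(r, start, end):
            continue
        items = (r.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
        launched = [i.get("instanceId") for i in items]
        if instance_id is None or instance_id in launched:
            by_user[r["userIdentity"].get("userName")].append(r)
    return dict(by_user)


def unauthorized_attempts(records, start, end):
    """Option 2: calls that failed as not authorized, grouped by user."""
    by_user = defaultdict(list)
    for r in records:
        denied = (r.get("errorMessage", "").startswith("Not authorized")
                  or r.get("errorCode") == "AccessDenied")
        if denied and in_range(r, start, end):
            by_user[r["userIdentity"].get("userName")].append(r)
    return dict(by_user)


def activity_for_users(records, start, end, users):
    """Option 3: every event for one or more IAM user names, grouped by user."""
    by_user = defaultdict(list)
    for r in records:
        user = r["userIdentity"].get("userName")
        if user in users and in_range(r, start, end):
            by_user[user].append(r)
    return dict(by_user)


def activity_for_ips(records, start, end, ips):
    """Option 4: every event from one or more source IP addresses, grouped by IP."""
    by_ip = defaultdict(list)
    for r in records:
        if r["sourceIPAddress"] in ips and in_range(r, start, end):
            by_ip[r["sourceIPAddress"]].append(r)
    return dict(by_ip)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for user, events in who_started_instance(recs, "2014-03-01", "2014-03-31", "i-d13ag3a1").items():
        print(user, [e["eventTime"] for e in events])
    for user, events in unauthorized_attempts(recs, "2014-03-01", "2014-03-31").items():
        print(user, [e["eventName"] for e in events])
```

The failed console login in the sample is deliberately not picked up by the unauthorized search: it carries neither an error code nor a "Not authorized" message, which is why the report's "Not authorized" filter and a review of failed `ConsoleLogin` events are two different checks.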

CloudTrail Events

CloudCheckr’s CloudTrail Events report provides visibility into the interactions with your AWS account using your Trails.

The report allows you to group your data by four different categories, view your interactions by day or hour, and filter your events using multiple categories.

The statistics for this report are collected from the Trails generated from CloudTrail.  CloudTrail must be enabled in your AWS account, and access must be given to CloudCheckr to report on this data.

OPTIONS AND FILTERS

By default, when you first load the report, you will be presented with the last two weeks of events, grouped by User Name. Using the many options and filters available in the report, you can change the data to obtain the information you need.

REPORT OPTIONS

Use the Start and End date to display a custom data range.  Just note that you can only view data over time frames where CloudTrail was enabled.

Use the Group By dropdown to choose how to organize and display your events.

You can group by the following items:

  • User Name – the IAM user name of the person who was interacting with your AWS account.
  • Event Type – the type of interaction that occurred.  Examples:  Create Security Group, Terminate Instance, Modify DB Instance.
  • IP Address – the IP Address where the interactions originated from.
  • Service – the AWS Service that was interacted with.  Examples:  EC2, S3, RDS.

The Aggregate dropdown allows you to display the number of events by Day or by Hour on the graph.

The Resource ID text box allows you to view the events for a specific resource such as an S3 Bucket, an EC2 instance, a CloudFront distribution, etc.   Currently you can only filter on one resource at a time.

You can also choose to display all events, or just those that were successful or ended with an error.

REPORT FILTERS

Once you’ve chosen the data you want to display, you can use the filters to report on the events you’d like.

You can filter the report by:

  • Region – the AWS Region(s) where the interactions occurred.  NOTE: CloudTrail is currently only available in US East and US West (Oregon).
  • AWS Service – the AWS Service that was interacted with.  Examples:  EC2, S3, RDS.
  • Event Type – the type of interaction that occurred.  Examples:  Create Security Group, Terminate Instance, Modify DB Instance.
  • User – the IAM user name of the person who was interacting with your AWS account.
  • IP –  the IP Address where the interactions originated from.

When using these additional filter options, the report will display events for each item selected.  If you choose to filter by the US East (North Virginia) region and select only EC2 and S3 for services, the report will only show events that occurred in EC2 and S3 within that region.

Click the filter button to refresh the report with your selections.

USING THE CLOUDTRAIL EVENTS REPORT

Once you click Filter, the report will create a chart showing the events that match your options and filter selections, overlaid on one another for the selected date range.  You can hover your mouse pointer over any point in the graph to get further details.

Beneath the chart you will see the total number of events, grouped by your selection, over your selected time period.

The left column shows the items for your Group By choice.  If you grouped by User, it lists each user.  If you grouped by Service, it lists each AWS Service.  The column on the right is the total number of events that occurred within the selected time frame for that user, service, etc.

You can then expand on any item by clicking on the green ‘plus’ symbol.  This will show further details about all of the events that occurred.

NOTE: Full details are available for all events except “Describe*”, “List*”, and “Get*”.  If you would like to see full details of these read-only events, contact support@cloudcheckr.com.

When looking at the full details of an event, you’ll see:

  • User – the IAM user name of the person who was interacting with your AWS account.
  • IP Address – the IP Address where the interactions originated from.
  • Event Name – the type of interaction that occurred.  Examples:  Create Security Group, Terminate Instance, Modify DB Instance.
  • Service – the AWS Service that was interacted with.  Examples:  EC2, S3, RDS.
  • Time – the date and time that the event occurred.
  • Region – the AWS Region(s) where the interactions occurred.
  • Resource ID – the resource ID from the event.

Please note: occasionally you may see a username in the events list that appears as “HIDDEN_DUE_TO_SECURITY_REASONS”. This is caused by failed login attempts; the username is hidden for security reasons.
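The Group By, Aggregate, status and filter options of the Events report, and the expanded event details, as an added example that is not CloudCheckr's code. The same group-by counts are what the Summary Report above shows as events by region, by service, by top users and by IP, so one block covers both sections. The records are constructed samples in CloudTrail's record shape (`eventTime`, `eventSource`, `eventName`, `awsRegion`, `sourceIPAddress`, `userIdentity`, `requestParameters`, `responseElements`, `errorCode` are real fields); `resource_ids` is a hypothetical helper that only knows the few resource fields used in the sample.

```python
from collections import Counter

# Constructed sample records (only the fields this example reads).
SAMPLE_RECORDS = [
    {"eventTime": "2014-03-06T21:22:54Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-d13ag3a1"}]}}},
    {"eventTime": "2014-03-06T21:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupName": "web-sg"}},
    {"eventTime": "2014-03-07T02:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"},
     "requestParameters": {"bucketName": "logs-bucket"},
     "errorCode": "AccessDenied", "errorMessage": "Not authorized"},
    {"eventTime": "2014-03-07T03:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},  # failed login
     "responseElements": {"ConsoleLogin": "Failure"}},
]


def service_of(rec):
    """'ec2.amazonaws.com' -> 'ec2', the Service shown by the report."""
    return rec["eventSource"].split(".")[0]


def resource_ids(rec):
    """Hypothetical helper: resource IDs from the few request/response fields used here."""
    req = rec.get("requestParameters") or {}
    resp = rec.get("responseElements") or {}
    ids = {req[k] for k in ("bucketName", "groupName") if k in req}
    ids |= {i.get("instanceId") for i in resp.get("instancesSet", {}).get("items", [])}
    return {i for i in ids if i}


def is_error(rec):
    """An event 'ended with an error' if AWS returned an error or a console login failed."""
    return ("errorCode" in rec or "errorMessage" in rec
            or (rec.get("responseElements") or {}).get("ConsoleLogin") == "Failure")


# The report's Group By choices (plus Region, which the Summary Report uses).
GROUPERS = {
    "user": lambda r: r["userIdentity"].get("userName"),
    "event_type": lambda r: r["eventName"],
    "ip": lambda r: r["sourceIPAddress"],
    "service": service_of,
    "region": lambda r: r["awsRegion"],
}


def filter_events(records, start=None, end=None, regions=None, services=None,
                  event_types=None, users=None, ips=None, status="all", resource_id=None):
    """Apply the report options and filters.

    start/end are inclusive 'YYYY-MM-DD' strings; regions, services, event_types,
    users and ips are sets of allowed values (None means no filter); status is
    'all', 'success' or 'error'; resource_id narrows to a single resource.
    """
    out = []
    for r in records:
        day = r["eventTime"][:10]
        if (start and day < start) or (end and day > end):
            continue
        if (status == "error" and not is_error(r)) or (status == "success" and is_error(r)):
            continue
        if regions and r["awsRegion"] not in regions:
            continue
        if services and service_of(r) not in services:
            continue
        if event_types and r["eventName"] not in event_types:
            continue
        if users and r["userIdentity"].get("userName") not in users:
            continue
        if ips and r["sourceIPAddress"] not in ips:
            continue
        if resource_id and resource_id not in resource_ids(r):
            continue
        out.append(r)
    return out


def group_counts(records, group_by):
    """Total events per item of the chosen grouping (the table beneath the chart)."""
    return Counter(GROUPERS[group_by](r) for r in records)


def aggregate(records, by="day"):
    """Event counts per day ('YYYY-MM-DD') or per hour ('YYYY-MM-DDTHH') for the graph."""
    width = 10 if by == "day" else 13
    return Counter(r["eventTime"][:width] for r in records)


def event_details(rec):
    """The fields shown when an event is expanded with the 'plus' symbol."""
    return {"User": rec["userIdentity"].get("userName"), "IP Address": rec["sourceIPAddress"],
            "Event Name": rec["eventName"], "Service": service_of(rec), "Time": rec["eventTime"],
            "Region": rec["awsRegion"], "Resource ID": sorted(resource_ids(rec))}


if __name__ == "__main__":
    ec2_east = filter_events(SAMPLE_RECORDS, regions={"us-east-1"}, services={"ec2"})
    print(group_counts(ec2_east, "user"), aggregate(ec2_east, "hour"))
```

The `status="error"` path is the one to keep an eye on: a failed `ConsoleLogin` has no `errorCode`, so an error filter that only checks for that field misses exactly the events that produce the hidden username noted above.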

CloudTrail Historical Limit

The statistics for all of CloudCheckr’s CloudTrail reports are collected from the Trails generated from CloudTrail.  CloudTrail must be enabled in your AWS account, and access must be given to CloudCheckr to report on this data.

When you create an account with CloudTrail access within CloudCheckr, by default, it will grab the events from the previous 14 days.  Then, periodically throughout each day it will grab any new events that were written to your AWS account.

If, for any reason, you need to view CloudTrail events from any day prior to those initial 14 days, CloudCheckr provides that ability.  Simply enter the number of days in the past (starting with ‘today’) for which you would like to retrieve your log files.

Please note that you will only have CloudTrail event data available from the day you first enabled CloudTrail logging within AWS.