Monitoring CloudTrail Logs using CloudWatch

One of the best features of using CloudTrail is that you can easily integrate it with other AWS services for an enhanced security auditing and governance experience. One such service that we are going to use and explore here with CloudTrail is Amazon CloudWatch.

Using CloudWatch, you can easily set up custom metric filters and an array of alarms that can send notifications to the right set of people in case a specific security or governance issue occurs in your AWS environment. To get started with CloudWatch using CloudTrail, you will first need to configure your Trail to send the captured log events to CloudWatch Logs. This can be easily configured using both the AWS Management Console and the AWS CLI. Next, once this is done, you will be required to define custom CloudWatch metric filters to evaluate the log events for specific matches. Once a match is made, you can then additionally configure CloudWatch to trigger corresponding alarms, send notifications, and even perform a remediation action based on the type of alarm generated.

Here is a diagrammatic representation of CloudTrail's integration with CloudWatch:

In this section, we will be using the AWS CLI to integrate the Trail's logs with Amazon CloudWatch Logs:

  1. First, we will need to create a new CloudWatch Log Group using the following command:

     # aws logs create-log-group --log-group-name useast-prod-CloudTrail-LG-01

  2. Next, you will need to extract and keep the newly created Log Group's ARN for the forthcoming steps. To do so, type in the following command and make a note of the Log Group's ARN, as shown here:

     # aws logs describe-log-groups

  3. With the Log Group successfully created, we will now need to create a new IAM Role that will enable CloudTrail to send its logs over to the CloudWatch Log Group. To do so, we first need to create a trust policy document that allows the CloudTrail service to assume the role (the sts:AssumeRole permission). Create a new file and paste the following contents into it. Remember to create the file with a .json extension:

     # vi policy.json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "",
           "Effect": "Allow",
           "Principal": {
             "Service": "cloudtrail.amazonaws.com"
           },
           "Action": "sts:AssumeRole"
         }
       ]
     }

  4. With the file created, use the create-role command to create the role with the required trust policy for CloudTrail:

     # aws iam create-role --role-name useast-prod-CloudTrail-Role-01 \
       --assume-role-policy-document file://policy.json

  5. Once this command has executed, make a note of the newly created role's ARN. Next, copy and paste the following role policy document into a new file. This policy document grants CloudTrail the permissions to create a CloudWatch Logs log stream in the Log Group that you created earlier, and to deliver the CloudTrail events to that log stream:

     # vi permissions.json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "CloudTrailCreateLogStream",
           "Effect": "Allow",
           "Action": [
             "logs:CreateLogStream"
           ],
           "Resource": [
             "<YOUR_LOG_GROUP_ARN>"
           ]
         },
         {
           "Sid": "CloudTrailPutLogEventsToCloudWatch",
           "Effect": "Allow",
           "Action": [
             "logs:PutLogEvents"
           ],
           "Resource": [
             "<YOUR_LOG_GROUP_ARN>"
           ]
         }
       ]
     }

  6. Next, run the following command to apply the permissions to the role. Remember to provide the name of the role that we created during the earlier steps, and to point --policy-document at the permissions file:

     # aws iam put-role-policy --role-name useast-prod-CloudTrail-Role-01 \
       --policy-name cloudtrail-policy \
       --policy-document file://permissions.json

  7. The final step is to update the Trail with the Log Group ARN as well as the CloudWatch Logs role ARN, using the following command:

     # aws cloudtrail update-trail --name useast-prod-CloudTrail-01 \
       --cloud-watch-logs-log-group-arn <YOUR_LOG_GROUP_ARN> \
       --cloud-watch-logs-role-arn <YOUR_ROLE_ARN>
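As an added example (not code from the book or from AWS), the Python below assumes a constructed describe-log-groups response and the Log Group name used in the steps above. It pulls the Log Group ARN out of the JSON (step 2), builds the trust and permissions policy documents with the placeholder filled in (steps 3 and 5), and checks the permissions policy for leftover placeholders, actions beyond the two CloudTrail needs, and resources outside the intended Log Group before it is attached with put-role-policy (step 6).

```python
import json

# Constructed sample of `aws logs describe-log-groups` output (fake account id, not real data).
DESCRIBE_LOG_GROUPS_OUTPUT = json.dumps({"logGroups": [
    {"logGroupName": "useast-prod-CloudTrail-LG-01",
     "arn": "arn:aws:logs:us-east-1:111122223333:log-group:useast-prod-CloudTrail-LG-01:*"},
    {"logGroupName": "useast-dev-App-LG-01",
     "arn": "arn:aws:logs:us-east-1:111122223333:log-group:useast-dev-App-LG-01:*"}]})
# The only two actions CloudTrail needs on the log group (steps 5 and 6).
ALLOWED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}

def log_group_arn(describe_output: str, name: str) -> str:
    """Step 2: pick the named group's ARN out of describe-log-groups JSON (ends in ':*')."""
    for group in json.loads(describe_output)["logGroups"]:
        if group["logGroupName"] == name:
            return group["arn"]
    raise KeyError(f"log group {name!r} not found")

def trust_policy() -> dict:
    """Step 3: only the CloudTrail service principal may assume the delivery role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "cloudtrail.amazonaws.com"}}]}

def permissions_policy(group_arn: str) -> dict:
    """Step 5: the role policy with <YOUR_LOG_GROUP_ARN> replaced by the real ARN."""
    def stmt(sid, action):
        return {"Sid": sid, "Effect": "Allow", "Action": [action], "Resource": [group_arn]}
    return {"Version": "2012-10-17", "Statement": [
        stmt("CloudTrailCreateLogStream", "logs:CreateLogStream"),
        stmt("CloudTrailPutLogEventsToCloudWatch", "logs:PutLogEvents")]}

def check_policy(policy: dict, group_arn: str) -> list:
    """Findings to fix before put-role-policy: placeholders left in, actions beyond the
    two needed, or resources outside the intended log group (such as a bare '*')."""
    base = group_arn.rstrip("*").rstrip(":")  # arn:...:log-group:NAME
    findings = []
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        findings += [f"{s['Sid']}: unexpected action {a}" for a in actions if a not in ALLOWED_ACTIONS]
        for r in resources:
            if "<" in r or ">" in r:
                findings.append(f"{s['Sid']}: placeholder left in resource {r}")
            elif r != base and not r.startswith(base + ":"):
                findings.append(f"{s['Sid']}: resource outside the log group: {r}")
    return findings
```

Write `json.dumps(permissions_policy(arn), indent=2)` to permissions.json only when `check_policy` returns an empty list; a resource of `*` or a leftover placeholder is reported before anything reaches IAM.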

With this, your CloudTrail logs now flow into the CloudWatch Log Group that we created. You can verify this by viewing the Log Groups listed under the CloudWatch Logs section of your CloudWatch dashboard.

In the next section, we will use this newly created Log Group and assign a custom metric filter as well as an alarm to it for monitoring and alerting purposes.
