Using CloudTrail logs

We just saw how to validate that our logs haven't been tampered with. We can now take advantage of the service to answer specific questions.

The simplest way to query the logs is the web interface at https://console.aws.amazon.com/cloudtrail/:

For more flexibility, use the command-line interface and, in particular, the lookup-events subcommand.

For instance, did a user log in to the console on February 25 between 18:30 and 19:30 UTC?

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin \
      --start-time 2017-02-25T18:30:00Z \
      --end-time 2017-02-25T19:30:00Z
{
    "Events": [
        {
            "EventId": "3b6a2602-7975-44c0-aa04-2d26e89c11de",
            "Username": "Nat",
            "EventTime": 1488047426.0,
            "CloudTrailEvent": "{[...]}",
            "EventName": "ConsoleLogin",
            "Resources": []
        }
    ]
}

What did that user do around that time?

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=Nat \
      --start-time 2017-02-25T18:30:00Z \
      --end-time 2017-02-25T19:30:00Z
[...]

Which security groups were deleted and by whom?

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteSecurityGroup
        {
            "EventId": "bf8e4c26-fbb9-42c3-a44d-162ee4cf7c71",
            "Username": "foo",
            "EventTime": 1487921631.0,
            "CloudTrailEvent": "{[...]}",
            "EventName": "DeleteSecurityGroup",
            "Resources": [
                {
                    "ResourceType": "AWS::EC2::SecurityGroup",
                    "ResourceName": "sg-2091f65c"
                }
            ]
        },
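The three questions above are all answered by reading lookup-events output by hand. The awkward part in practice is that the interesting fields (source IP, user agent, whether the call actually succeeded) are not in the summary shown above but inside the CloudTrailEvent field, which is the full record serialised as a JSON string, and that the API returns results in pages joined by NextToken. The script below is an added example, not code from the book or from AWS: it flattens each item, follows NextToken through a pluggable fetch function (so the same code runs against a real boto3 client or, as here, against a constructed two-page sample modelled on the output in the text), and answers "which security groups were deleted and by whom", counting only deletions that did not return an errorCode. The sample records, the second user "bar" and the fake_lookup_events helper are constructed for illustration.

```python
"""Post-process `aws cloudtrail lookup-events` output (CLI JSON or boto3 pages).

Added example, not the book's code. Assumes the response shape shown in the
text: a top-level "Events" list whose items carry "CloudTrailEvent" as a JSON
*string* holding the full CloudTrail record.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone


def parse_event(item):
    """Flatten one lookup-events item into the fields an analyst asks about.

    sourceIPAddress, userAgent and errorCode live only in the nested record;
    the outer summary carries just Username/EventName/Resources.
    """
    record = json.loads(item.get("CloudTrailEvent") or "{}")
    ts = item["EventTime"]
    if not isinstance(ts, datetime):  # CLI gives epoch seconds, boto3 gives datetime
        ts = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "event_id": item["EventId"],
        "event_name": item["EventName"],
        "username": item.get("Username", "<unknown>"),
        "event_time": ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "source_ip": record.get("sourceIPAddress"),
        "user_agent": record.get("userAgent"),
        "error_code": record.get("errorCode"),  # None means the API call succeeded
        "resources": [r["ResourceName"] for r in item.get("Resources", [])],
    }


def iter_lookup_events(fetch_page, **params):
    """Yield flattened events across all pages, following NextToken.

    `fetch_page` is any callable with the boto3 CloudTrail lookup_events
    signature, e.g. boto3.client("cloudtrail").lookup_events.
    """
    token = None
    while True:
        page = fetch_page(**params, **({"NextToken": token} if token else {}))
        for item in page.get("Events", []):
            yield parse_event(item)
        token = page.get("NextToken")
        if not token:
            return


def deleted_security_groups_by_user(events):
    """Answer 'which security groups were deleted and by whom?'.

    Failed attempts (errorCode set, e.g. an AccessDenied) are excluded here;
    they are worth a separate look, but they did not delete anything.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev["event_name"] == "DeleteSecurityGroup" and ev["error_code"] is None:
            by_user[ev["username"]].extend(ev["resources"])
    return dict(by_user)


# Constructed sample pages shaped like the CLI output in the text; the nested
# record is trimmed to the fields used here (a real record has many more).
def _item(event_id, user, epoch, sg, error=None):
    record = {"eventName": "DeleteSecurityGroup", "sourceIPAddress": "203.0.113.10",
              "userAgent": "console.ec2.amazonaws.com"}
    if error:
        record["errorCode"] = error
    return {"EventId": event_id, "Username": user, "EventTime": epoch,
            "CloudTrailEvent": json.dumps(record), "EventName": "DeleteSecurityGroup",
            "Resources": [{"ResourceType": "AWS::EC2::SecurityGroup", "ResourceName": sg}]}


SAMPLE_PAGES = {
    None: {"Events": [_item("bf8e4c26-fbb9-42c3-a44d-162ee4cf7c71", "foo",
                            1487921631.0, "sg-2091f65c")],
           "NextToken": "page-2"},  # constructed token
    "page-2": {"Events": [_item("00000000-0000-0000-0000-000000000002", "bar",
                                1487921700.0, "sg-0badf00d",
                                error="Client.UnauthorizedOperation")]},
}


def fake_lookup_events(**kwargs):
    """Stand-in for boto3's lookup_events, serving the constructed pages."""
    return SAMPLE_PAGES[kwargs.get("NextToken")]


def run_sample(fetch_page=fake_lookup_events):
    """Run the same query the text runs, over whichever fetcher is supplied."""
    events = list(iter_lookup_events(
        fetch_page,
        LookupAttributes=[{"AttributeKey": "EventName",
                           "AttributeValue": "DeleteSecurityGroup"}]))
    return events, deleted_security_groups_by_user(events)


if __name__ == "__main__":
    events, summary = run_sample()
    for ev in events:
        print(ev["event_time"], ev["username"], ev["source_ip"],
              ev["error_code"] or "ok", ",".join(ev["resources"]))
    print(summary)
```

To run it against a real account, pass `boto3.client("cloudtrail").lookup_events` to `run_sample` (adding `StartTime`/`EndTime` datetimes to the parameters as the CLI examples do); the output shape is the same, with `EventTime` already a datetime.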

We can run Scout2 again and just ask it to update the state of the CloudTrail service as follows:

$ python Scout2.py --service cloudtrail --update  

Once the update completes, we can reload the report. This time, everything is green:

In addition to its very valuable forensic capability, CloudTrail can be used more proactively to monitor for unusual activity in near real time.

For that, we will reuse the ElasticSearch and Kibana Domain we created in Chapter 7, Monitoring your infrastructure and services.
