7.2
Paul Duvall edited this page Jan 20, 2020
Review and ensure that you have set up your development environment before going through the steps below.

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-7-cloudtrail.yml
Copy the contents from ceoa-7-cloudtrail.yml into your local ceoa-7-cloudtrail.yml file in Cloud9 and save it. This CloudFormation template provisions an S3 Bucket and stores a CloudTrail trail in this Bucket.
From your AWS Cloud9 environment, run the following command:
aws cloudformation create-stack --stack-name ceoa-7-cloudtrail --template-body file:///home/ec2-user/environment/ceoa/ceoa-7-cloudtrail.yml --parameters ParameterKey=OperatorEmail,ParameterValue=YOUREMAILADDRESS@example.com --capabilities CAPABILITY_NAMED_IAM --disable-rollback
- Once the ceoa-7-cloudtrail CloudFormation stack is CREATE_COMPLETE, go to the CloudTrail console.
- Click the View trails button.
- Click on the trail beginning with ceoa-7-cloudtrail.
- Click the S3 bucket in the Storage location section.
- Make note of the full path of the S3 bucket for the CloudTrail log. For example, mine is ceoa-7-cloudtrail-s3bucket-y5tufh2ytk8y/AWSLogs/ACCOUNTID/.
- Go to the Amazon CloudTrail console.
- Click on Event history.
- Filter by Event name and enter GenerateDataKey.
- Click on the event.
- Download the Event History in CloudTrail console.
- Format the JSON (e.g. in Sublime, using Pretty JSON, it is Cmd+Ctrl+J).
- Go to the Amazon CloudTrail console and click on the Run advanced queries in Amazon Athena link to get the command that generates the query to create a table in Athena.
- Go to the Amazon Athena console.
- Create a table to store your query:
CREATE DATABASE cloudtrail_kms;
- Select the cloudtrail_kms database in Athena.
- Start a new query.
- Click on the ellipsis to create a query (replace KMS-KEY-ID with the KMS key id you are searching for):
SELECT *
FROM cloudtrail_kms
WHERE requestparameters LIKE '%KMS-KEY-ID%'
LIMIT 50;
- Search for specific KMS key ids.
- Disable the key.
- Schedule key deletion.
- Automate with a Lambda function.
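The Athena query above matches the key id only against requestparameters. As an added example (not part of this lab's files), the script below runs the same search over a constructed CloudTrail log file in the Records format CloudTrail writes to S3, and also checks the resources element, because Decrypt calls do not carry keyId in requestParameters. The account id, key id, principals and bucket name are made up.

```python
import json

# Constructed sample of a CloudTrail log file as written to S3: a "Records"
# array. Account id, key id and principals are made up for this example.
SAMPLE_KEY_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/" + SAMPLE_KEY_ID
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2020-01-20T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"keyId": SAMPLE_KEY_ARN, "keySpec": "AES_256"}},
    {"eventTime": "2020-01-20T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-role"},
     # Decrypt callers do not pass keyId; CloudTrail records the key in "resources"
     "requestParameters": {"encryptionContext": {"app": "ceoa"}},
     "resources": [{"ARN": SAMPLE_KEY_ARN}]},
    {"eventTime": "2020-01-20T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "ceoa-7-cloudtrail-s3bucket-example"}},
]})


def find_kms_key_usage(cloudtrail_json, key_id, request_parameters_only=False):
    """Return KMS events that reference key_id.
    request_parameters_only=True mirrors the Athena filter
    WHERE requestparameters LIKE '%KMS-KEY-ID%'; the default also scans the
    'resources' element so Decrypt calls on the key are not missed."""
    hits = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        haystack = json.dumps(rec.get("requestParameters", {}))
        if not request_parameters_only:
            haystack += json.dumps(rec.get("resources", []))
        if key_id in haystack:
            hits.append({"eventTime": rec["eventTime"],
                         "eventName": rec["eventName"],
                         "principal": rec["userIdentity"]["arn"]})
    return hits


def count_by_event_name(hits):
    """Summarise matches per KMS API call (GenerateDataKey, Decrypt, ...)."""
    counts = {}
    for hit in hits:
        counts[hit["eventName"]] = counts.get(hit["eventName"], 0) + 1
    return counts
```

Run it against the downloaded Event History JSON or a decompressed log file from the ceoa-7-cloudtrail bucket by loading that file's text instead of SAMPLE_CLOUDTRAIL_JSON.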