Paul Duvall edited this page Jan 24, 2020 · 33 revisions

7.2 Provision a CloudTrail log and view the JSON payload

Review and ensure that you have set up your development environment before going through the steps below.

Solution Architecture

Create a CloudTrail Log

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-7-cloudtrail.yml

Copy the contents from ceoa-7-cloudtrail.yml into your local ceoa-7-cloudtrail.yml file in Cloud9 and save it. This CloudFormation template provisions an S3 bucket and a CloudTrail trail that delivers its log files to that bucket.

From your AWS Cloud9 environment, run the following command:

aws cloudformation create-stack --stack-name ceoa-7-cloudtrail --template-body file:///home/ec2-user/environment/ceoa/ceoa-7-cloudtrail.yml --parameters ParameterKey=OperatorEmail,ParameterValue=YOUREMAILADDRESS@example.com --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Find your Trail in CloudTrail

  1. Once the ceoa-7-cloudtrail CloudFormation stack is CREATE_COMPLETE, go to the CloudTrail console.
  2. Click the View trails button.
  3. Click on the trail beginning with ceoa-7-cloudtrail.
  4. Click the S3 bucket in the Storage location section.
  5. Make note of the full path of the S3 bucket for the CloudTrail log. For example, mine is ceoa-7-cloudtrail-s3bucket-y5tufh2ytk8y/AWSLogs/ACCOUNTID/.

Search for use of KMS keys using AWS CloudTrail and Amazon Athena

  1. Go to the Amazon CloudTrail console.
  2. Click Event history.
  3. Click the Filter drop-down and select Event name.
  4. Enter a KMS-related action such as GenerateDataKey as the value.
  5. Click the View event button. Search for
  6. Download the Event history from the CloudTrail console (Event history only covers the last 90 days; the trail in S3 holds everything delivered since the trail was created).
  7. Format the JSON (e.g. in Sublime with the Pretty JSON package, Cmd + Ctrl + J).
  8. Go back to the Amazon CloudTrail console and click the Run advanced queries in Amazon Athena link; this generates the CREATE TABLE statement that defines an Athena table over your trail's S3 bucket.
  9. Go to the Amazon Athena console.
  10. Create a database to hold the CloudTrail table (the generated statement creates the table, not the database): CREATE DATABASE cloudtrail_kms;
  11. Select the cloudtrail_kms database in Athena and run the CREATE TABLE statement generated in step 8.
  12. Start a new query.
  13. Click the ellipsis next to the new table to open a query and run the following (replace KMS-KEY-ID with the KMS key id you are searching for and CLOUDTRAIL_TABLE with the table name from the generated CREATE TABLE statement; requestparameters is stored as a string, so the LIKE matches the key id, key ARN or alias anywhere in the request):
SELECT eventtime, eventsource, eventname, useridentity.arn, requestparameters
FROM cloudtrail_kms.CLOUDTRAIL_TABLE
WHERE requestparameters LIKE '%KMS-KEY-ID%'
LIMIT 50;
  14. Search for the specific KMS key ids you are considering retiring. Only continue with a key that no event references: disabling a key makes every ciphertext encrypted under it unreadable until the key is re-enabled.
  15. Go to the KMS Console.
  16. Select the key.
  17. Click the Key actions button and click Disable.
  18. Select the key.
  19. Click the Key actions button and click Schedule key deletion.
  20. Enter 7 in the Waiting period (in days) field (7 days is the minimum; the deletion can be cancelled until the period elapses).
  21. Click the Schedule deletion button.
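The same search can be run offline against the downloaded JSON payload from steps 6 and 7, which is also the decision logic a Lambda function would need before disabling a key. The following is an added example, not code from this page or from the ceoa repository: it embeds a constructed CloudTrail payload (made-up key ARNs, account ID and principals) in CloudTrail's delivery format, mirrors the Athena LIKE query with a substring match over requestParameters and resource ARNs, counts KMS usage per resolved key ARN, and refuses to call a key safe to disable while any reviewed event references it.

```python
"""Triage KMS key usage from a CloudTrail JSON payload (added example)."""
import json
from collections import Counter

KMS_SOURCE = "kms.amazonaws.com"

# Constructed sample data: the key ARNs, account ID and principals are made up.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-1111-2222-3333-444444444444"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-1111-2222-3333-444444444444"

# Same shape as a CloudTrail log object in S3: {"Records": [event, ...]}.
SAMPLE_PAYLOAD = json.dumps({"Records": [
    {"eventTime": "2020-01-24T18:02:11Z", "eventSource": KMS_SOURCE, "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
     "requestParameters": {"keyId": KEY_A, "keySpec": "AES_256"},
     "resources": [{"ARN": KEY_A, "type": "AWS::KMS::Key"}]},
    # Decrypt carries no keyId in the request; the key only shows up under resources.
    {"eventTime": "2020-01-24T18:02:12Z", "eventSource": KMS_SOURCE, "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::ceoa-bucket/obj"}},
     "resources": [{"ARN": KEY_A, "type": "AWS::KMS::Key"}]},
    # The caller used an alias; the resolved key ARN again appears only under resources.
    {"eventTime": "2020-01-24T18:05:00Z", "eventSource": KMS_SOURCE, "eventName": "Encrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keyId": "alias/app-key"},
     "resources": [{"ARN": KEY_B, "type": "AWS::KMS::Key"}]},
    # A non-KMS event that still references the key (S3 SSE-KMS upload).
    {"eventTime": "2020-01-24T18:06:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"x-amz-server-side-encryption-aws-kms-key-id": KEY_A},
     "resources": [{"ARN": "arn:aws:s3:::ceoa-bucket/obj", "type": "AWS::S3::Object"}]},
]})


def load_records(payload):
    """Accept the S3 delivery format ({"Records": [...]}) or a bare JSON list of events."""
    data = json.loads(payload)
    return data["Records"] if isinstance(data, dict) else data


def event_mentions_key(record, key_id):
    """Substring match like the Athena query: requestparameters LIKE '%KMS-KEY-ID%',
    widened to the resource ARNs so events whose request carried no keyId still count."""
    if key_id in json.dumps(record.get("requestParameters") or {}):
        return True
    return any(key_id in (res.get("ARN") or "") for res in record.get("resources") or [])


def events_referencing_key(records, key_id):
    """Every event (KMS or not) that names the key id, ARN or alias."""
    return [rec for rec in records if event_mentions_key(rec, key_id)]


def kms_key_arns(record):
    """Resolved key ARNs of a KMS event. requestParameters.keyId may be an alias or a bare
    id, so rely on the AWS::KMS::Key entries CloudTrail adds under 'resources'."""
    if record.get("eventSource") != KMS_SOURCE:
        return []
    return [res["ARN"] for res in record.get("resources") or []
            if res.get("type") == "AWS::KMS::Key" and "ARN" in res]


def kms_usage_by_key(records):
    """Count KMS API calls per key ARN; keys with zero counts never appear."""
    counts = Counter()
    for rec in records:
        for arn in kms_key_arns(rec):
            counts[arn] += 1
    return counts


def safe_to_disable(records, key_id):
    """A key is only a disable candidate when nothing in the reviewed window references it."""
    return not events_referencing_key(records, key_id)


def summarize(records, key_id):
    """One line per matching event, in the order the query would show them."""
    return [f"{rec['eventTime']} {rec['eventSource']} {rec['eventName']} "
            f"{rec.get('userIdentity', {}).get('arn')}"
            for rec in events_referencing_key(records, key_id)]


if __name__ == "__main__":
    recs = load_records(SAMPLE_PAYLOAD)
    for arn, n in kms_usage_by_key(recs).items():
        print(f"{n:3d} KMS calls  {arn}")
    for line in summarize(recs, "aaaaaaaa-1111-2222-3333-444444444444"):
        print(line)
    print("safe to disable KEY_B:", safe_to_disable(recs, KEY_B))
```

Run it against a real download by replacing SAMPLE_PAYLOAD with the file contents; the Event history download and the per-object files in the trail's S3 bucket both parse with load_records. A Lambda version would collect the objects under the AWSLogs/ACCOUNTID/ prefix (gzip-compressed in S3) and feed their "Records" lists to the same functions before calling DisableKey.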

Automation for the People

  • Automate with a Lambda function.

Additional Resources
