Skip to content

7.2

Jump to bottom
Paul Duvall edited this page Nov 14, 2019 · 33 revisions

7.2 Provision a CloudTrail log and view the JSON payload

Review and ensure that you have setup your development environment before going through the steps below.

Create a CloudTrail Log

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-7-cloudtrail.yml

Copy the contents below into the file and save it.

---
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  OperatorEmail:
    Description: Email address to notify when new logs are published.
    Type: String
Resources:
  S3Bucket:
    DeletionPolicy: Retain
    Type: AWS::S3::Bucket
    Properties: {}
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: AWSCloudTrailAclCheck
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:GetBucketAcl
          Resource:
            Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: S3Bucket
        - Sid: AWSCloudTrailWrite
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Action: s3:PutObject
          Resource:
            Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: S3Bucket
              - "/AWSLogs/"
              - Ref: AWS::AccountId
              - "/*"
          Condition:
            StringEquals:
              s3:x-amz-acl: bucket-owner-full-control
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
      - Endpoint:
          Ref: OperatorEmail
        Protocol: email
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
      - Ref: Topic
      PolicyDocument:
        Version: '2008-10-17'
        Statement:
        - Sid: AWSCloudTrailSNSPolicy
          Effect: Allow
          Principal:
            Service: cloudtrail.amazonaws.com
          Resource: "*"
          Action: SNS:Publish
  myTrail:
    DependsOn:
    - BucketPolicy
    - TopicPolicy
    Type: AWS::CloudTrail::Trail
    Properties:
      S3BucketName:
        Ref: S3Bucket
      SnsTopicName:
        Fn::GetAtt:
        - Topic
        - TopicName
      IsLogging: true
      IsMultiRegionTrail: false

From your AWS Cloud9 environment, run the following command:

aws cloudformation create-stack --stack-name ceoa-7-cloudtrail --template-body file:///home/ec2-user/environment/ceoa/ceoa-7-cloudtrail.yml --parameters ParameterKey=OperatorEmail,ParameterValue=YOUREMAILADDRESS@example.com --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Find your Trail in CloudTrail

  1. Once the ceoa-7-cloudtrail CloudFormation stack is CREATE_COMPLETE, go to the CloudTrail console.
  2. Click the View trails button.
  3. Click on the trail beginning with ceoa-7-cloudtrail.
  4. Click the S3 bucket in the Storage location section.
  5. Make note of the full path of the S3 bucket for the CloudTrail log. For example, mine is ceoa-7-cloudtrail-s3bucket-y5tufh2ytk8y/AWSLogs/ACCOUNTID/.

Search for use of KMS keys using Amazon Athena

  1. Go to the Amazon Athena console.
  2. Copy and paste the following DDL statement into the Athena console. Modify the s3://CloudTrail_bucket_name/AWSLogs/Account_ID/ to point to the Amazon S3 bucket that contains your logs data.
CREATE EXTERNAL TABLE cloudtrail_logs (
eventversion STRING,
useridentity STRUCT<
               type:STRING,
               principalid:STRING,
               arn:STRING,
               accountid:STRING,
               invokedby:STRING,
               accesskeyid:STRING,
               userName:STRING,
sessioncontext:STRUCT<
attributes:STRUCT<
               mfaauthenticated:STRING,
               creationdate:STRING>,
sessionissuer:STRUCT<  
               type:STRING,
               principalId:STRING,
               arn:STRING, 
               accountId:STRING,
               userName:STRING>>>,
eventtime STRING,
eventsource STRING,
eventname STRING,
awsregion STRING,
sourceipaddress STRING,
useragent STRING,
errorcode STRING,
errormessage STRING,
requestparameters STRING,
responseelements STRING,
additionaleventdata STRING,
requestid STRING,
eventid STRING,
resources ARRAY<STRUCT<
               ARN:STRING,
               accountId:STRING,
               type:STRING>>,
eventtype STRING,
apiversion STRING,
readonly STRING,
recipientaccountid STRING,
serviceeventdetails STRING,
sharedeventid STRING,
vpcendpointid STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://CloudTrail_bucket_name/AWSLogs/Account_ID/';

Additional Resources

Clone this wiki locally