Paul Duvall edited this page Jan 20, 2020 · 33 revisions

7.2 Provision a CloudTrail log and view the JSON payload

Review and ensure that you have set up your development environment before going through the steps below.

Solution Architecture

Create a CloudTrail Log

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-7-cloudtrail.yml

Copy the contents from ceoa-7-cloudtrail.yml into your local ceoa-7-cloudtrail.yml file in Cloud9 and save it. This CloudFormation template provisions an S3 Bucket and stores a CloudTrail trail in this Bucket.

From your AWS Cloud9 environment, run the following command:

aws cloudformation create-stack --stack-name ceoa-7-cloudtrail --template-body file:///home/ec2-user/environment/ceoa/ceoa-7-cloudtrail.yml --parameters ParameterKey=OperatorEmail,ParameterValue=YOUREMAILADDRESS@example.com --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Find your Trail in CloudTrail

  1. Once the ceoa-7-cloudtrail CloudFormation stack is CREATE_COMPLETE, go to the CloudTrail console.
  2. Click the View trails button.
  3. Click on the trail beginning with ceoa-7-cloudtrail.
  4. Click the S3 bucket in the Storage location section.
  5. Make note of the full path of the S3 bucket for the CloudTrail log. For example, mine is ceoa-7-cloudtrail-s3bucket-y5tufh2ytk8y/AWSLogs/ACCOUNTID/.

Create an S3 Bucket for Athena Query Results

  1. Go to the S3 console
  2. Click the Create bucket button
  3. Enter ceoa-7-athena-ACCOUNTID in the Bucket name field. Replace ACCOUNTID with the results of the following command: aws sts get-caller-identity --output text --query 'Account'.
  4. Click Next on the Configure Options screen
  5. Click Next on the Set Permissions screen
  6. Click Create bucket on the Review screen

Search for use of KMS keys using Amazon Athena

  1. Go to the Amazon Athena console.
  2. Set up a query result location in Amazon S3.
  3. Copy and paste the following DDL statement into the Athena console. Modify s3://CloudTrail_bucket_name/AWSLogs/Account_ID/ to point to the Amazon S3 bucket path that contains your CloudTrail log data (the path you noted in the Find your Trail in CloudTrail section).
CREATE EXTERNAL TABLE cloudtrail_logs (
eventversion STRING,
useridentity STRUCT<
               type:STRING,
               principalid:STRING,
               arn:STRING,
               accountid:STRING,
               invokedby:STRING,
               accesskeyid:STRING,
               userName:STRING,
sessioncontext:STRUCT<
attributes:STRUCT<
               mfaauthenticated:STRING,
               creationdate:STRING>,
sessionissuer:STRUCT<  
               type:STRING,
               principalId:STRING,
               arn:STRING, 
               accountId:STRING,
               userName:STRING>>>,
eventtime STRING,
eventsource STRING,
eventname STRING,
awsregion STRING,
sourceipaddress STRING,
useragent STRING,
errorcode STRING,
errormessage STRING,
requestparameters STRING,
responseelements STRING,
additionaleventdata STRING,
requestid STRING,
eventid STRING,
resources ARRAY<STRUCT<
               ARN:STRING,
               accountId:STRING,
               type:STRING>>,
eventtype STRING,
apiversion STRING,
readonly STRING,
recipientaccountid STRING,
serviceeventdetails STRING,
sharedeventid STRING,
vpcendpointid STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://CloudTrail_bucket_name/AWSLogs/Account_ID/';
  4. Configure the Athena settings to point to the S3 bucket you created for Athena.
  5. Run the Athena query and view the results.
  6. Search for specific KMS key ids.
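The queries below are an added example for step 6 and are not part of the original wiki page. They assume the cloudtrail_logs table created by the DDL statement above; the region, account id and key id in the KMS key ARN are constructed placeholders that you replace with the key you are investigating.

```sql
-- Added example (not from the original wiki): querying the cloudtrail_logs
-- table defined above in Amazon Athena to review KMS key usage.

-- 1. Inventory of KMS API calls: which operations, made by which principal,
--    and how often. A good first view before narrowing to a single key.
SELECT eventname,
       useridentity.arn  AS caller_arn,
       useridentity.type AS caller_type,
       count(*)          AS calls
FROM cloudtrail_logs
WHERE eventsource = 'kms.amazonaws.com'
GROUP BY eventname, useridentity.arn, useridentity.type
ORDER BY calls DESC;

-- 2. Every event that touched one specific KMS key. CloudTrail lists the key
--    in the resources array, so UNNEST it and match on the key ARN. The ARN
--    below is a constructed placeholder (region, account id and key id).
SELECT eventtime,
       eventname,
       useridentity.arn AS caller_arn,
       sourceipaddress,
       useragent,
       errorcode
FROM cloudtrail_logs
CROSS JOIN UNNEST(resources) AS t (r)
WHERE eventsource = 'kms.amazonaws.com'
  AND r.arn = 'arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555'
ORDER BY eventtime DESC;

-- 3. Calls that named the key id in the request but were denied or failed.
--    requestparameters is stored as a JSON string, so LIKE on the key id
--    catches calls where the key was referenced by id rather than ARN.
SELECT eventtime,
       eventname,
       useridentity.arn AS caller_arn,
       errorcode,
       errormessage
FROM cloudtrail_logs
WHERE eventsource = 'kms.amazonaws.com'
  AND requestparameters LIKE '%11111111-2222-3333-4444-555555555555%'
  AND errorcode IS NOT NULL
ORDER BY eventtime DESC;
```

Because eventtime is stored as an ISO-8601 string, a time window can be added to any of these with a plain string comparison such as AND eventtime >= '2020-01-01T00:00:00Z'. Without partitioning, each query scans the whole AWSLogs prefix, so narrow the LOCATION to a single account path (as the DDL above does) to keep scan cost down.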

Additional Resources
