Looking to create a rule to notify on if someone happen to change permissions on an s3 bucket to everyone essentially. Hoping someone has some experience with a similar request and would love to hear what you did.
Configure CloudTrail to send logs to CloudWatch and setup an alarm to get notified when particular API request happened.
Read here how to enable logging to CloudWatch: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
Read here how to filter particular API requests: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-s3-bucket-activity
Related
I am trying to debug a pipeline failing one of its action with an error 403.
I am reaching cloud trail to find more detail about the action, but I can not find the event linked to the request. When I search in cloud trail for the request id, it gives me nothing.
I am in only one region and only one account.
I believe all action are supposed to be log into cloud trail, specially the one with error, am I wrong?
Do I need to configure some service to actually turn on event sent to cloud trail?
Am I missing something?
CloudTrail is not a tool used for troubleshooting. Essentially it's an auditing tool that records changes to resources in your AWS accounts.
What is your pipeline built on? If it's on CodePipeline, you should be able to view the details on the console, and you can configure to send the pipeline logs to CloudWatch. Additionally, CloudTrail should record the API calls made by CodePipeline as well, although it may not be detailed enough to actually troubleshoot an error - https://docs.aws.amazon.com/codepipeline/latest/userguide/monitoring-cloudtrail-logs.html
I'm pretty new to AWS but I did some research about my issue and I couldn't find an answer anywhere so hopefully someone can help me with this.
I would like to be notified on Slack whenever someone logs in with a Root account on any of my AWS accounts. I have set up Cloudtrail at the Organisation level to monitor cloudtrail logs on all my AWS account. I have set up a Cloudwatch alarm to trigger whenever a root account is used, the alarm is then sent to a SNS topic that sends it to a Lambda that triggers a message to Slack.
All of this is working fine. However, the message I receive from SNS is basically the following: The alarm (root_login) has been trigerred
Ideally I would want to receive the Cloudwatch event that shows me more information like the IP Address of the user, the AWS account where it occured, etc...
Basically I would like to receive the Cloudwatch event log to the lambda instead of the Cloudwatch alarm trigger. Is that something that is possible?
Thanks
Yes that is possible. Here are some instructions from the AWS site on the aws-sns-to-slack-publisher. The page contains the steps you need to take to deploy .
Here is an example of publishing a health event to slack.
You will ofcourse need to modify the code to meet your requirements.
I created a custom app that automatically uploads logs to s3.
Is there a way to push those logs to cloudwatch from s3 for analysis and alerting?
I'm aware that I can use a cloudwatch agent to push directly to cloudwatch from the app but there are complications involved in that option.
Thank you!
You could probably use Cloudwatch Events to listen to S3 changes. Not sure about if you can get the data from the S3 file, or just a trigger saying that a new log has been added.
You could also use S3 event notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html) connected either to a lambda or SQS, and from there create the logs to Cloudwatch. (similar to what was suggested by #marcin)
A better solution, but one that is a bit beyond the scope of the question, would be to send your logs through Kinesis Firehose and from there add the Cloudwatch and S3 logs.
I'm not aware of any out-of-the-box mechanism for that provided by AWS. But I think it could be relatively easy to develop.
Namely, you can create S3 notification for a PUT of a new log file from your app to S3. The event would trigger a lambda function. The function would get the file and using AWS SDK, e.g. boto3's put_log_events, it would send the log events to CloudWatch logs.
I have a DynamoDB application and it seems to be running well and using normal throughput generally. However once in a while it seems to spike pretty high (latest kicked up over 300, normal is around 10-20 max). I've looked through the code and I'm having a bit of trouble figuring out what it is that is causing these spikes. Is there any type of history of the calls in DynamoDB that could tell me what exactly were the calls that caused the spiking?
You can enable the cloudtrail logs for the dynamoDB.It will deliver these log files to S3 bucket. Taken directly from the AWS Docs :-
DynamoDB is integrated with CloudTrail, a service that captures
low-level API requests made by or on behalf of DynamoDB in your AWS
account and delivers the log files to an Amazon S3 bucket that you
specify. CloudTrail captures calls made from the DynamoDB console or
from the DynamoDB low-level API. Using the information collected by
CloudTrail, you can determine what request was made to DynamoDB, the
source IP address from which the request was made, who made the
request, when it was made, and so on. To learn more about CloudTrail,
including how to configure and enable it, see the AWS CloudTrail User
Guide.
Please follow the aws dynamoDB cloudtrail logging to enable it.
I have an AWS account that use multiple devs and teams [dev/qa/mobile].
I would like to be notified when any change takes place in my AWS account.
For example a dev launches a new instance , or a new open port is added in a security group etc and he forgets to announce it to me or the rest of the team.
I want to be fully informed for these changes in order to apply specific architecture and/or security and people tend to mess with them.
Is there any dashboard or service inside AWS that I can customise it?
Someone suggested that I should take a look in CloudTrail.
Has anyone done something like this?
The easiest way to go is to use cloudtrail with cloudwatch logs. In AWS FAQ:
Q:What are the benefits of CloudTrail integration with CloudWatch Logs?
This integration enables you to receive SNS notifications of API activity captured by CloudTrail. For example, you can create CloudWatch alarms to monitor API calls that create, modify and delete Security Groups and Network ACL’s. For examples, go to the examples section of the user guide.
Based on SNS, you can then send email through SES
I think the easier way is to use Amazon Cloudtrail service.
Cloudtrail logs any API call which is made on your AWS account. Every operation done on AWS is and API call (including instances operations as you have requested)
Here you can find more information about it
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-cloudtrail-to-send-notifications.html
I hope this helps somehow.
You can find logs of your AWS account in S3,
Find below path in S3:
s3://security-logging/AWS_/AWSLogs/AWS Account no./CloudTrail/your region/year
You can also integrate CloudTrail with SQS to send notifications.