AWS – CloudTrail
What is CloudTrail?
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Tracking this information in Logentries allows you to set up queries, tags, alerts, and dashboards for your CloudTrail data.
1. Enable CloudTrail
Log in to your AWS account and enable CloudTrail if you haven’t already. When enabling CloudTrail, be sure to create an SNS Topic.
2. Create a SQS Queue
Click on SQS in your AWS Console and create a new queue.
3. Add Permissions to the SQS Queue
When adding permissions to the SQS queue, you need to add your full account number/name. In the Identity & Access Management (IAM) area, select the user that you want to use and click Summary. Copy the value for User ARN, as you’ll need it when adding permissions to your SQS queue. Note: When creating a new IAM user, make sure that the user has at least Read Only access to your AWS environment. If the appropriate permissions are not applied, Logentries will not be able to receive CloudTrail logs.
Paste the User ARN for the relevant IAM user in the Principal field. Next, apply Receive, Send, and Delete permissions to your SQS queue:
4. Subscribe the SQS queue to the SNS Topic created in Step 1.
The SQS queue must now be subscribed to the SNS Topic created when you enabled CloudTrail. To do this, navigate to the SQS area of your AWS account, select the SQS queue created in Step 2, open the Queue Actions drop-down menu, and select Subscribe Queue to SNS Topic as shown below:
5. Repeat this process for multiple CloudTrail setups for different regions.
When enabling CloudTrail in multiple regions, the process is similar. Publish CloudTrail to the same bucket created in step 1 above. Then subscribe to the SNS topic from the SQS queue. Be sure to turn off “Global Services” when enabling CloudTrail in subsequent regions.
6. Obtain the Queue URL
Obtain the queue URL for the Logentries configuration and keep it somewhere safe. The queue URL is available by clicking on the SQS queue name and copying the URL from the Details panel at the bottom.
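The queue policy from steps 3 and 4 and the notification CloudTrail publishes through SNS, as an added Python example (not Logentries' or AWS's own code): the ARNs, bucket name and object key are constructed placeholders, and the second policy statement, which lets the SNS topic deliver into the queue, is assumed from the standard SNS-to-SQS subscription pattern rather than taken from this page.

```python
import json

# Constructed sample SQS message body: the SNS envelope that the CloudTrail
# topic fans out to the subscribed queue. Its "Message" field is a JSON string
# from CloudTrail naming the S3 bucket and log object(s) just delivered.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudtrail-topic",
    "Message": json.dumps({
        "s3Bucket": "example-cloudtrail-bucket",
        "s3ObjectKey": ["AWSLogs/123456789012/CloudTrail/us-east-1/example.json.gz"],
    }),
})


def build_queue_policy(queue_arn, user_arn, topic_arn):
    # Queue policy for steps 3 and 4: the IAM user gets Receive/Send/Delete on
    # this queue only, and the CloudTrail SNS topic may deliver into it. The
    # SourceArn condition keeps any other topic from writing to the queue.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LogentriesReader",
                "Effect": "Allow",
                "Principal": {"AWS": user_arn},
                "Action": ["sqs:ReceiveMessage", "sqs:SendMessage", "sqs:DeleteMessage"],
                "Resource": queue_arn,
            },
            {
                "Sid": "CloudTrailTopicDelivery",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
            },
        ],
    }


def parse_cloudtrail_notification(sqs_body):
    # Unwrap the SNS envelope and return (bucket, [object keys]). A ValueError
    # means the queue holds something other than CloudTrail delivery notices.
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification: %r" % envelope.get("Type"))
    inner = json.loads(envelope["Message"])
    if "s3Bucket" not in inner or "s3ObjectKey" not in inner:
        raise ValueError("SNS message is not a CloudTrail delivery notice")
    return inner["s3Bucket"], list(inner["s3ObjectKey"])
```

Attach the returned policy to the queue as its Policy attribute; the parser is useful when troubleshooting, since a queue full of SubscriptionConfirmation messages means the SNS subscription was never confirmed.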
To follow your CloudTrail information, log in to your Logentries account and click the Accounts icon:
From your Accounts page, click on the AWS tab and you’ll be presented with the following:
Access Key: This is the access key of the IAM user that you created for AWS Integration with Logentries.
Secret Key: The secret key of the IAM user that you created for AWS Integration.
Enable Cloudwatch: Check this box to enable CloudWatch. Detailed setup information can be obtained on our CloudWatch documentation page.
Enable Cloudtrail: Check this box to enable CloudTrail.
Cloudtrail SQS URL: This is the URL that was copied in step 5 above.
Please note that the CloudTrail information will be brought into your Logentries account every 5 minutes. This integration will create a new log set in your Logentries account titled AWS and a new log titled CloudTrail.
Getting insights from your CloudTrail logs
Logentries offers Community Packs which provide pre-configured alerts, queries, tags, and dashboards for a variety of solutions and services, including CloudTrail. To get started, simply download the CloudTrail Community Pack and follow the installation instructions.
Troubleshooting
If you aren’t receiving CloudTrail logs within 15 minutes of setting up the CloudTrail integration in Logentries, check the items below to ensure your account is configured properly.
Insufficient SQS queue permissions
If sufficient queue permissions have not been granted to the IAM user you created for the Logentries integration, your CloudTrail logs will not appear in your Logentries account. You can check whether the proper SQS permissions have been applied to your IAM user by following the steps below:
- Log in to your AWS account.
- From the AWS dashboard, click SQS.
- Click on the queue you’ve created for Logentries integration.
- Click the Permission tab.
Insufficient IAM permissions
The IAM user you created for integration with Logentries requires Read Only access to your AWS environment. To confirm that your IAM user has the correct permissions:
- From the AWS dashboard, click Identity & Access Management.
- Under IAM Resources, click Users.
- Click the IAM user created for Logentries Integration.
- Click Show Policy next to the policy you have applied.