Setup

The US-EAST-1 AWS Region must be used with Event Engine

Create a Trail in CloudTrail

AWS CloudTrail is an AWS service that helps you enable governance, compliance, risk auditing and operational auditing of your AWS account. Actions taken by a principal (user, role or AWS service) are recorded as events in CloudTrail. To learn more about AWS CloudTrail, see the AWS CloudTrail documentation, which also covers creating a trail via the console. We highlight the steps below.

  1. Search for the CloudTrail Service under the Management Tools Section in the console and click on CloudTrail.

    [Screenshot: Get to CloudTrail Console]

  2. Starting the week of August 10, 2020, the new CloudTrail console becomes the default experience. You’ll still be able to switch back to the old console. However, we are going to use the new CloudTrail Console in this workshop.

    [Screenshot: New Console Experience]

  3. Once in the CloudTrail console, click on Trails on the left side of the screen.

  4. Then click on Create Trail to create the trail for this lab.

    [Screenshot: Create Trail]

  5. Apply the following settings and create the trail:

    • Trail name: management-tools-week
    • Storage Location: Create new S3 Bucket
    • Trail log bucket and folder: Leave as it is *aws-cloudtrail-logs-accountid-hash*
    • Log file SSE-KMS encryption: Disabled (please uncheck the box)
    • Log file validation: Enabled
    • SNS notification delivery: Leave as it is (Disabled)
    • CloudWatch Logs: Enabled
    • Log group: New
    • Log group name: Enter CloudTrail/DefaultLogGroup
    • IAM Role: New
    • Role name: Enter CloudTrailRoleForCloudWatchLogs
    • Click Next
    • Event type: Configure both Management events and Data events
    • Management Events: Read, Write, Exclude AWS KMS Events (all checked)
    • Data event:
      • S3 (leave as it is)
      • Click “Add data event type” to configure Lambda data events and leave the defaults (All regions, All functions)
    • Click Next and Create trail

We now have a trail capturing activity in our AWS Account. Later on, we will search through our trail.
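The console settings from step 5, expressed as a CloudFormation template. This is an added example, not the workshop's own template or the bucket the console creates for you: the logical resource names (TrailBucket, TrailLogGroup, TrailRole, Trail), the 90-day log retention and the S3 public-access block are my assumptions; the trail name, log group name, role name, validation setting and event selectors mirror the list above. The bucket policy statements are the two CloudTrail requires in order to deliver logs, and the IAM policy is scoped to the one log group so the trail's role cannot write anywhere else.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Trail matching the lab's console settings (added example, not the workshop template)

Parameters:
  TrailName:
    Type: String
    Default: management-tools-week
  LogGroupName:
    Type: String
    Default: CloudTrail/DefaultLogGroup

Resources:
  # Log bucket; the console creates one named aws-cloudtrail-logs-<accountid>-<hash>.
  # The public access block is an assumption of this example, not a lab setting.
  TrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # CloudTrail needs these two statements to deliver logs (the console adds them for you).
  TrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt TrailBucket.Arn
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub '${TrailBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

  # "CloudWatch Logs: Enabled, Log group: New, Log group name: CloudTrail/DefaultLogGroup"
  TrailLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Ref LogGroupName
      RetentionInDays: 90   # assumption; the console default is never-expire

  # "IAM Role: New, Role name: CloudTrailRoleForCloudWatchLogs", limited to this one log group
  TrailRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudTrailRoleForCloudWatchLogs
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CloudTrailToCloudWatchLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [logs:CreateLogStream, logs:PutLogEvents]
                Resource: !GetAtt TrailLogGroup.Arn

  Trail:
    Type: AWS::CloudTrail::Trail
    DependsOn: TrailBucketPolicy   # CloudTrail checks bucket permissions at creation time
    Properties:
      TrailName: !Ref TrailName
      S3BucketName: !Ref TrailBucket
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true   # "Log file validation: Enabled"
      # No KMSKeyId: "Log file SSE-KMS encryption: Disabled"
      CloudWatchLogsLogGroupArn: !GetAtt TrailLogGroup.Arn
      CloudWatchLogsRoleArn: !GetAtt TrailRole.Arn
      EventSelectors:
        - ReadWriteType: All                                   # Management events: Read and Write
          IncludeManagementEvents: true
          ExcludeManagementEventSources: [kms.amazonaws.com]   # "Exclude AWS KMS events"
          DataResources:
            - Type: AWS::S3::Object          # data events for all S3 buckets
              Values: ['arn:aws:s3']
            - Type: AWS::Lambda::Function    # data events for all Lambda functions, all regions
              Values: ['arn:aws:lambda']
```

Deploying this with `aws cloudformation deploy --template-file trail.yaml --stack-name management-tools-week-trail --capabilities CAPABILITY_NAMED_IAM` (the named-IAM capability is required because the role has a fixed RoleName) yields the same trail the console steps produce. Log file validation is worth keeping on: it writes hourly digest files signed by CloudTrail, so later tampering with or deletion of log files in the bucket can be detected with `aws cloudtrail validate-logs`.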

In this section, we will use the pre-defined CloudFormation template to create a set of CloudWatch Alarms to monitor for security and network related activity.

  1. Launch the following CloudFormation template.

    [Screenshot: Launch CFN stack]

  2. On the Create stack page, we will click Next.

    [Screenshot: Create Stack]

  3. On the Specify stack details page, specify a valid e-mail address and the LogGroupName we used in step 5 of the previous section (CloudTrail/DefaultLogGroup). Click Next.

    [Screenshot: CFN specify LogGroupName]

  4. On the next page, leave the default options and click Next.

  5. When you see the Create stack button, click on it.

The CloudFormation template will create various resources, including CloudWatch Alarms and an SNS topic with a subscription. After the stack deployment is complete, you will receive an SNS subscription confirmation e-mail. When you receive it, confirm the subscription.

    [Screenshot: SNS Subscription confirmation]
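The workshop's template is launched from a link rather than shown, so here is an added illustrative template of the same shape; it is not the workshop's own code. It takes the same two inputs entered in step 3 (an e-mail address and the log group name), creates an SNS topic with an e-mail subscription, and wires two metric filters on the CloudTrail log group to alarms: one for API calls rejected by IAM (security activity) and one for security group rule changes (network activity). The filter patterns, metric and alarm names, thresholds and logical resource names are my choices.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative CloudTrail alarms (added example, not the workshop template)

Parameters:
  Email:
    Type: String
    Description: Address that receives alarm notifications; the subscription must be confirmed
  LogGroupName:
    Type: String
    Default: CloudTrail/DefaultLogGroup
    Description: Log group the trail delivers to

Resources:
  AlarmTopic:
    Type: AWS::SNS::Topic

  # Creating this subscription is what sends the confirmation e-mail.
  AlarmSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref AlarmTopic
      Protocol: email
      Endpoint: !Ref Email

  # Security activity: calls denied by IAM. The pattern is a common choice, not the lab's.
  UnauthorizedCallsFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroupName
      FilterPattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: UnauthorizedApiCalls
          MetricValue: '1'

  UnauthorizedCallsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CloudTrail-UnauthorizedApiCalls
      AlarmDescription: One or more AccessDenied/UnauthorizedOperation errors in a 5-minute window
      Namespace: CloudTrailMetrics
      MetricName: UnauthorizedApiCalls
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching   # quiet periods produce no datapoints; do not alarm on them
      AlarmActions: [!Ref AlarmTopic]

  # Network activity: security group rule and lifecycle changes.
  SecurityGroupChangeFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroupName
      FilterPattern: >-
        { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) ||
        ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) ||
        ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: SecurityGroupChanges
          MetricValue: '1'

  SecurityGroupChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CloudTrail-SecurityGroupChanges
      AlarmDescription: A security group was created, deleted or had a rule changed
      Namespace: CloudTrailMetrics
      MetricName: SecurityGroupChanges
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions: [!Ref AlarmTopic]
```

Two caveats a practitioner will hit with any template of this kind: the metric filters only see events once the trail from the previous section is actually delivering to the named log group (check the trail's CloudWatch Logs status in the console if an alarm never leaves INSUFFICIENT_DATA), and notifications only arrive after the e-mail subscription has been confirmed, which is why the section ends with that confirmation step.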