Setting up AWS CloudTrail

By Kenneth Attard

December 18, 2021
1. In the AWS Console search bar, enter CloudTrail and open the CloudTrail service

2. The next step is to click Create a trail

3. By default, the quick trail create option is selected, which limits the options you can choose from. The only option is to specify the Trail name and click Create trail.

Once the trail is created, it can be modified by clicking the Name

4. Click edit in the general details to start modifying the options

5. If needed, the S3 bucket can be changed, but in this case it is not necessary. It is extremely important to enable both SSE-KMS encryption and Log file validation, the latter to determine whether the logs were tampered with.

The SNS notification delivery option triggers a notification each time a log is received, which can be a bit chatty, so enabling it is not recommended

6. For the Log file SSE-KMS encryption, click Enable and choose whether to use a new key or not. Enter a new KMS key alias; in our case we will use cloudtrail

7. Click Enabled in the log file validation and then click save changes

8. The next step is to enable CloudWatch logs by clicking on the edit button (if needed)

9. Click enabled

10. Once enabled, choose the CloudWatch log group (either use an existing one or create a new one), repeat the same for the IAM role, and click Save changes

11. If needed, enter Tags by clicking Manage Tags and entering the required tags

12. The next step is to modify the management events by clicking Edit

Ensure that both Read and Write API activities are selected and that no exclusion options are ticked, then click Save changes

13. By default, CloudTrail doesn't log data events. If needed, they can be enabled by clicking Edit in the data events section and selecting Add data event type

In this case, S3 is selected

For S3, the options available are as follows:

Once the required options are selected, click Save changes

14. By default, trails do not log Insights events. CloudTrail Insights helps you identify and respond to unusual activity associated with write API calls. If this option is needed, click Edit in the Insights section

15. Click Insight events and choose the insight types required and then click save changes
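
The settings chosen in steps 5 to 12 can be checked after the fact from the trail's JSON description. The following is an added example, not part of the original post: it audits the output of `aws cloudtrail describe-trails` (one `trailList` entry) and `aws cloudtrail get-event-selectors`. The trail name, ARNs and account ID are constructed sample values, and the check assumes the trail uses basic event selectors.

```python
# Added example: audits a trail against the settings from steps 5-12.
# Inputs mirror one trailList entry from `aws cloudtrail describe-trails`
# and the output of `aws cloudtrail get-event-selectors`.

def audit_trail(trail, selectors):
    """Return a list of findings; an empty list means the trail matches the steps."""
    findings = []
    if not trail.get("KmsKeyId"):
        findings.append("SSE-KMS encryption is not enabled (step 6)")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is not enabled (step 7)")
    if not (trail.get("CloudWatchLogsLogGroupArn") and trail.get("CloudWatchLogsRoleArn")):
        findings.append("CloudWatch Logs group or IAM role is missing (steps 8-10)")
    if selectors.get("AdvancedEventSelectors"):
        # Assumption: this check only understands basic event selectors.
        findings.append("advanced event selectors in use; review manually")
        return findings
    mgmt = [s for s in selectors.get("EventSelectors", [])
            if s.get("IncludeManagementEvents")]
    if not mgmt:
        findings.append("management events are not logged (step 12)")
    for s in mgmt:
        if s.get("ReadWriteType") != "All":
            findings.append("management events limited to %s (step 12)"
                            % s.get("ReadWriteType"))
        if s.get("ExcludeManagementEventSources"):
            findings.append("management event sources excluded: %s (step 12)"
                            % ", ".join(s["ExcludeManagementEventSources"]))
    return findings

# Constructed sample: a trail configured as in the walkthrough.
GOOD_TRAIL = {
    "Name": "example-trail",
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:example:*",
    "CloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/example-cloudtrail-role",
}
GOOD_SELECTORS = {"EventSelectors": [{"ReadWriteType": "All",
    "IncludeManagementEvents": True, "ExcludeManagementEventSources": []}]}

# Constructed sample: a trail missing the settings above.
WEAK_TRAIL = {"Name": "example-trail", "LogFileValidationEnabled": False}
WEAK_SELECTORS = {"EventSelectors": [{"ReadWriteType": "WriteOnly",
    "IncludeManagementEvents": True,
    "ExcludeManagementEventSources": ["kms.amazonaws.com"]}]}

if __name__ == "__main__":
    for finding in audit_trail(WEAK_TRAIL, WEAK_SELECTORS):
        print("FINDING:", finding)
```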
