Advanced tasks with CloudTrail log files

  • Create multiple trails per region.
  • Monitor CloudTrail log files by sending them to CloudWatch Logs.
  • Share log files between accounts.
  • Use the AWS CloudTrail Processing Library to write log processing applications in Java.
  • Validate your log files to verify that they have not changed after delivery by CloudTrail.

To receive CloudTrail log files from multiple regions

  • Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
  • Choose Trails, and then choose a trail name.
  • Click the pencil icon next to Apply trail to all regions, and then choose Yes.
  • Choose Save. The original trail is now replicated across all regions. CloudTrail delivers log files from all regions to the specified S3 bucket.

Validating CloudTrail Log File Integrity

  • Use CloudTrail log file integrity validation.
  • The feature uses SHA-256 for hashing and SHA-256 with RSA for digital signing.
  • This makes it computationally infeasible to do any of the following to CloudTrail log files without detection:
    • modify
    • delete
    • forge
  • Use the AWS CLI to validate files.
  • With log file integrity validation, CloudTrail creates a hash for every log file it delivers.
  • Every hour, CloudTrail also creates a file (called a digest file) that references the log files delivered in the last hour and contains the hash of each.
  • Each digest file is signed using the private key of a public/private key pair.
  • After delivery, use the public key to validate the digest file.
  • CloudTrail uses a different key pair for each AWS region.
  • The digest files are delivered to the same S3 bucket that is associated with the trail and receives the CloudTrail log files.
  • The digest files are put into a folder separate from the log files.
  • Each digest file also contains the digital signature of the previous digest file, if one exists.
  • The signature for the current digest file is in the metadata properties of the digest file's S3 object.

Sharing CloudTrail Log Files Between AWS Accounts

The steps are

  • Create an IAM role for each account that you want to share log files with.
  • For each of these IAM roles, create an access policy that grants read-only access to the account you want to share the log files with.

CloudTrail Processing Library

  • A Java library for processing AWS CloudTrail logs.
  • You provide the details of the CloudTrail SQS queue and the code that processes the events.
  • The CloudTrail Processing Library then:
    • polls the SQS queue
    • reads and parses the queue messages
    • downloads the CloudTrail log files
    • parses the events in the log files
    • passes the events to your code as Java objects.
  • It is scalable and fault-tolerant.
  • It handles parallel processing of log files.
  • It manages network failures such as network timeouts or inaccessible resources.