AWS CloudTrail: View Events in Console

You can view events in console using the AWS CloudTrail console which provides you with the ability to check the latest ninety days of API events and activity records in a Region, and download a file having this information or specific data according to filters and chosen time range.

When 90 days pass, they will not be viewed in Event history.

It’s possible to search for and filter events using types of resources of specific services.

Customizing the view of Event history can be easily made through choosing specific columns to get displayed in the console.

Event history cannot simply be deleted by users.

Trails allow you to view events logged to them for an unlimited time while they are stored in a configured S3 bucket.

Keep in Mind:

In order to keep a continuous record of events and activity, you will have to start creating a trail. By doing so, you will benefit from the below integrations:

– Logging Insights events, for the sake of identifying and responding to any unusual activity occurring when performing write management API calls.

– Analyzing service activity using Athena queries.

– Monitoring trail logs with notification of particular activity occurrences using CloudWatch Logs.

Viewing CloudTrail events

1. Login to Management Console then go straight to CloudTrail console using the link https://console.aws.amazon.com/cloudtrail/home/.

2. From navigation pane, select the option Event history.

Your list of events shall appear filtered having the newest event appearing first in the list. In order to check out additional event you will need to continue on scrolling down.

By default, Event history to exclude read-only events. If you don’t want this filter, or in case you’d like to add other filters, you will simply need to alter filter settings.

How to Display CloudTrail Events?

Event history display may be customized through the selection of specific columns that are needed to be displayed in the console.

The below listed columns will be displayed by default:

– Resource type

– User name

– Resource name

– Event time

– Event name

 

Keep in Mind:

You cannot change the order of columns is not capable of being altered nor can users delete events from Event history.

Customizing columns in Event history

1. Login to the Management Console. Go to the CloudTrail console using this link https://console.aws.amazon.com/cloudtrail/home/.
2. In the navigation pane, select Event history.

3. Click on the gear icon.

4. Choose which columns you’d like to display using the Show/Hide Columns. Remove whatever columns you don’t need. After completing you’re check, click on Save.
   

   AWS CloudTrail View Events in Console – Attribute Filters for Event History

How to Filter CloudTrail Events?

The default display of events in Event history uses the Read only attribute filter, which is specified as false, in order not to include the read-only events in your list of displayed events.

It may be removed in order to show read events and write events at the same time.

In case you decide to go for viewing nothing other than read events, simply set the value to become as true.

Different attributes may be used for filtering events along with time range.

Keep in mind:

Just 1 attribute filter + time range filter can be applied.

Multiple attribute filters cannot be applied together.

– Event name

May be filtered on IAM events. For example: EC2 events, like RunInstances, or CreatePolicy.

– AWS access key

Access key ID which signed the request. In case a request was made with temporary security credentials, it will be the access key ID of those temporary credentials.

– Read only

Category of read type for an event. Events can be read or write. In case they are specified as false, there won’t be any read events shown. (such an attribute filter will apply with a value of false.

– Event ID

CloudTrail ID, which is unique for every event.

– Event source

Which service had the request. For example: s3.amazonaws.com or iam.amazonaws.com. It’s possible to check all available event sources upon selecting Event source filter.

– Resource name

Name/id, such as i-1234567 for an Instance, or auto-scaling-test-group for an Auto Scaling group.

– User name

User identity which was referenced by event, such as: IAM role name, service role, or IAM user.

– Resource type

Resource type which was referenced by event, such as a DBInstance for RDS and an Instance for EC2. They are different for every service.

– Time range

For the sake of filtering events (last 90 days).

In case no events were logged according to the attribute or the time you needed to find, then the list would appear as empty.

1 attribute filter may be added other than the time range. In the case that you tend to select another attribute filter, the time range you have set will be preserved.

Check out the below steps to learn the way of filtering by attribute:

Filtering by attribute:

1. Click on Select attribute, and enter or select a value for the Enter lookup value

2. For the sake of removing an attribute filter, click on the “X” which can be shown on the right-side attribute filter box.

Check out the below steps to learn the way of filtering by:

– Start date and time

– End date and time

Filtering by start date and time, and end date and time:

1. Click on Select time range.
   

   AWS CloudTrail View Events in Console – Select Time Range

2. For the sake of removing a time range filter, select the calendar icon which is located right side of Time range box, and select the Remove

creating a trail on AWS CloudTrail

AWS CloudTrail Create Trail

There are a couple of limitations that accompany the view of events that show recent activity through the CloudTrail console and some of which include:

– Can only view according to recent activity

– Not every event which is capable of being recorded through CloudTrail may be viewed

– Limited view of events to the Region of sign in

You will need to create a trail in order to be able to create continuous recordings of activity while having information for every single Region.

It is recommended that the first trail must be one which logs every management event in every single Region, without logging data events.

Management event examples:

– Security events: IAM CreateUser – AttachRolePolicy

– Resource events: RunInstances – CreateBucket

First off, you must go ahead and create an S3 bucket for the sake of storing your log files there for the trail, which will be a way of creating the trail in CloudTrail console.

Important for you to know:

In the following tutorial, you are going to learn how to create your very first trail. According to what number of trails found in your account, and the way they get configured, the upcoming steps may possibly incur some expenses. Also, CloudTrail is going to store your log files in one of your chosen S3 buckets.

1. Login to your Management Console through your configured IAM user for CloudTrail administration. Then, go to the CloudTrail console through the following link https://console.aws.amazon.com/cloudtrail/home/. From Region selector, select the Region where you’d like to create your trail. It’s going to be Home Region for the trail.

Keep in mind:

Home Region: only possible Region for viewing and updating your trail upon its creation, regardless of whether this trail is going to log events in every single Region.

2. From under navigation pane, click on Trails. From Trails page, select the option Get Started Now. In case of not noticing such an option, click on Create Trail.
3. For the section Trail name, type in a name for the trail. It is better to choose a name which lets you directly understand the reason behind the creation of this trail.

4. For Management Events, specify the Read/Write events as All. Do not change the Yes default value, as your Log AWS KMS events

5. For Data Events, don’t change anything, because we don’t need our trail to log data events.

6. As for Storage Location, when you go to the Create a new S3 bucket, click on Yes. Now, when you get to S3 bucket, specify a name for your bucket.

Keep in mind always:

Choose a globally unique S3 bucket name.

7. For the section Tags, supply custom tags to the trail created, for they are capable of aiding you in finding your required CloudTrail trails along with multiple resources, like S3 buckets having CloudTrail log files.

 

Important notes

– It’s possible to add tags to trails created in the CloudTrail console

– It’s possible to create an S3 bucket for storing log files in CloudTrail console

– It’s not possible to add tags to an S3 bucket through CloudTrail console

8. Click on Create.

Viewing Log Files

After fifteen minutes of the creation of 1^st trail, the first set of log files will be delivered to the S3 bucket for this trail. It’s possible to check out these files and find out what data they hold.

1. From navigation pane, click Trails., then from the the Trails page, discover the name of your newly created trail.

Important to know:

Check that you’re signed into your configured IAM user for CloudTrail administration, or you wouldn’t get enough permissions for being able to view trails in CloudTrail console or the S3 bucket which has this trail’s log files.

2. From the row accompanied with this trail, look for the value of S3 bucket, and click on it.
3. At the highest level of log files, this bucket will be opened and shown by the S3 console. Since we have attempted to create a trail which logs events in every Region, the display will get opened at the exact level which lets you view every single Region’s folder. Click on the folder of the Region you intend to get its log files reviewed.
4. Change the bucket folder structure to the following: day, month and year the year, which you wish to get the logs of activity in this Region checked. In the specific day you choose, you will find multiple files whose name begins with the account ID you possess, and then ends with “.gz” as an extension.

Example:

– Account ID: 122223333441

– File names will be as such: 122223333441_CloudTrail_us-west-2_2TutorialsEXAMPLE.json.gz.

For getting those files viewed, start by downloading them, unzipping them, and finally opening them in a JSON file viewer or just a simple text editor. “.gz” or “JSON” files can be viewed directly through specific browsers. It’s better to rely on JSON viewer, because it’s simpler for parsing the data in CloudTrail log files.

Global service events such as IAM and sign-in will get logged in a particular Region. For our example, they will be logged in the Region US West (Oregon), which corresponds to the folder us-west-2. Go all the way to this specific folder, while choosing your required day, month and year. Now as you browse through those log files, you are going to discover “ConsoleLogin” events and they are going to look somewhat like this:

{

“eventVersion”: “1.05”,

“userIdentity”: {

“type”: “IAMUser”,

“principalId”: “AKIAIOSFODNN7EXAMPLE”,

“arn”: “arn:aws:iam::123456789012:user/Ugur_Major”,

“accountId”: “122223333441”,

“userName”: “Ugur_Major”

},

“eventTime”: “2019-06-10T17:14:09Z”,

“eventSource”: “signin.amazonaws.com”,

“eventName”: “ConsoleLogin”,

“awsRegion”: “us-east-1”,

“sourceIPAddress”: “203.0.113.67”,

“userAgent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0”,

“requestParameters”: null,

“responseElements”: {

“ConsoleLogin”: “Success”

},

“additionalEventData”: {

“LoginTo”: “https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true”,

“MobileVersion”: “No”,

“MFAUsed”: “No”

},

“eventID”: “2681fc29-EXAMPLE”,

“eventType”: “AwsConsoleSignIn”,

“recipientAccountId”: “122223333441”

}

In this log file entry you will discover:

– Identity of logged in IAM user (Ugur_Major)

– Date of log in

– Time of log in

– Login success

– IP address of log in

– Operating system

– Browser software

– No use of any multi-factor authentication

Watch AWS CloudTrail tutorial

how to manage events on aws cloud trail

AWS CloudTrail Manage Your Events

Go over the following steps to learn how you can use AWS CloudTrail for managing your Events.

How to View Event Details using AWS CloudTrail?

1. Click on one of the events that are found in the list in order to check its details.
   

   AWS CloudTrail Manage Your Events – Check Event Details

2. In case there are multiple referenced resources for an event, you can find the extra resources found at the end of the details pane.

3. A couple of referenced resources may be accompanied with links. Select this link in order to go to this resource’s console.

4. Click on the button View Event located under the details pane to view your event in a JSON format.
5. Select this event once more so that you can close the details pane.

How to Download Events?

Recorded event history is capable of being downloaded either in CSV or in JSON formats. Use filters and time ranges to reduce the size of the file you download.

Keep in Mind:

Event history files represent data files carrying information, like resource names, capable of being configured.

Part of this data can be:

– Commands in programs such as CSV injection.

This means that events that are imported to a spreadsheet program after getting exported to CSV may warn you about security problems arising.

Important:

Disable such content to ensure that your system will remain secure. Keep on disabling macros and links macros from whatever event history files you choose to download.

Now, carry on reading to learn how to download event history files:

1. Use a specific filter, then add a time range for your required events.

Example: Set your event name as StartInstances, then a particular time range to show the last 2 activity days.

2. Click on the download button and select either Download CSV or Download JSON. Then, you will see that your download will start.

Keep in mind:

It may take some time for your download to finish. To speed things up, prior to downloading, select a particular filter which gets straight to the point of what you need or specify a smaller time range in order to get more accurate results.

3. Upon finishing the download, click on the downloaded file to check out your required events.
4. If you wish to cancel this download, simply click on Cancel download.

How to View Resources Referenced with Config?

Using “Config” you get to record:

– Configuration details

– Relationships

– Changes made to resources

From under Resources Referenced, click on the following symbol found in the Config timeline column in order to check the resource using Config console:

In case its color is grey and looks like this:

This means that Config is off, otherwise not recording this resource type. Click on this symbol in order to open the Config console for enabling this service or for the sake of beginning with recording the chosen resource type.

In case you get a Link not available comment in the column, this will mean that this resource is not capable of being viewed due to 1 of the below-listed causes:

• This resource got created and deleted directly.
• This resource type isn’t supported.
• A different account owns this resource.
• This resource type has lately gotten support without yet becoming available using the CloudTrail console. In this case, it’s possible to search for it using the Config console for the sake of checking its timeline.
• This resource got lately updated or created.
• A different service owns this resource (Exp: managed IAM policy).

 

Let’s take an Example:

1. Config gets configured for the sake of recording IAM resources.
2. IAM user gets created with the name Kit-user. In the Event history page, you can view the CreateUser event and Kit-user for the IAM resource. By clicking on the Config symbol, you will be able to check out this IAM resource using Config timeline.
3. Later on, start updating the user name to become Kit-admin.
4. The event history page is going to display the UpdateUser event while stating Bob-admin to be an updated IAM resource.
5. It’s possible to select the symbol in order to go to the timeline and view the Kit-admin IAM resource. It’s not possible to select the symbol for Kit-user, since this resource has altered its name. Config hence starts to record your updated resource.

 

CloudTrail logs will be recorded as JSON format. They carry information regarding the requests made for your account’s resources, like the following:

– Which user performed this request

– Which services were used

– What actions were performed

– The parameters for each action

The event data is enclosed in a Records array.

The below example illustrates 1 log record of an event having an IAM user named Ugur_gu who called the StartLogging API using the console for the sake of starting a procedure of logging.

{

“eventVersion”: “1.05”,

“userIdentity”: {

“type”: “IAMUser”,

“principalId”: “AIDAJDPLRKLG7UEXAMPLE”,

“arn”: “arn:aws:iam::123456789012:user/Ugur_gu”,

“accountId”: “123456789012”,

“accessKeyId”: “AKIAIOSFODNN7EXAMPLE”,

“userName”: “Ugur_gu”,

“sessionContext”: {

“sessionIssuer”: {},

“webIdFederationData”: {},

“attributes”: {

“mfaAuthenticated”: “false”,

“creationDate”: “2019-06-18T22:28:31Z”

}

},

“invokedBy”: “signin.amazonaws.com”

},

“eventTime”: “2019-06-19T00:18:31Z”,

“eventSource”: “cloudtrail.amazonaws.com”,

“eventName”: “StartLogging”,

“awsRegion”: “us-east-2”,

“sourceIPAddress”: “203.0.113.64”,

“userAgent”: “signin.amazonaws.com”,

“requestParameters”: {

“name”: “arn:aws:cloudtrail:us-east-2:123456789012:trail/My-First-Trail”

},

“responseElements”: null,

“requestID”: “ddf5140f-EXAMPLE”,

“eventID”: “7116c6a1-EXAMPLE”,

“readOnly”: false,

“eventType”: “AwsApiCall”,

“recipientAccountId”: “123456789012”

},

… additional entries …

While this next example illustrates 1 log record where Insights event took place as the Systems Manager API UpdateInstanceAssociationStatus got called a number of unusual times.

2 events are present in an Insights event record:

– 1 event which marks the beginning of this insight, otherwise the beginning of this unusual activity

– 1 other event which marks the end of the insight

Value of eventCategory = Insight.

insightDetails block: It shows the event source, event state, event name, Insights context, Insights type, along with statistics.

{

“Records”: [

{

“eventVersion”: “1.07”,

“eventTime”: “2019-10-17T10:05:00Z”,

“awsRegion”: “us-east-1”,

“eventID”: “aab985f2-3a56-48cc-a8a5-e0af77606f5f”,

“eventType”: “AwsCloudTrailInsight”,

“recipientAccountId”: “123456789012”,

“sharedEventID”: “12edc982-3348-4794-83d3-a3db26525049”,

“insightDetails”: {

“state”: “Start”,

“eventSource”: “ssm.amazonaws.com”,

“eventName”: “UpdateInstanceAssociationStatus”,

“insightType”: “ApiCallRateInsight”,

“insightContext”: {

“statistics”: {

“baseline”: {

“average”: 1.7561507937

},

“insight”: {

“average”: 50.1

}

}

}

},

“eventCategory”: “Insight”

},

{

“eventVersion”: “1.07”,

“eventTime”: “2019-10-17T10:13:00Z”,

“awsRegion”: “us-east-1”,

“eventID”: “ce7b8ac1-3f89-4dae-8d2a-6560e32f591a”,

“eventType”: “AwsCloudTrailInsight”,

“recipientAccountId”: “123456789012”,

“sharedEventID”: “12edc982-3348-4794-83d3-a3db26525049”,

“insightDetails”: {

“state”: “End”,

“eventSource”: “ssm.amazonaws.com”,

“eventName”: “UpdateInstanceAssociationStatus”,

“insightType”: “ApiCallRateInsight”,

“insightContext”: {

“statistics”: {

“baseline”: {

“average”: 1.7561507937

},

“insight”: {

“average”: 50

},

“insightDuration”: 8

}

}

},

“eventCategory”: “Insight”

}

]

}

Watch the tutorial for managing events on AWS CloudTrail