Day 18: Monitoring and Auditing with AWS CloudTrail and Config


Welcome to Day 18 of our exciting "30 Days of AWS" journey! If you've been following along from the beginning, kudos to you for diving into the world of Amazon Web Services. Your dedication and curiosity are truly commendable.

For those who might have just joined us or are specifically interested in today's topic, a warm welcome to you as well! While each article in this series delves into a different facet of AWS, rest assured that they are all interconnected, building upon the knowledge we've been cultivating day by day.

If you're here for the first time, I encourage you to take a moment to catch up on our previous discussions. This will enhance your understanding and ensure a seamless flow as we dive deeper into the fascinating journey of AWS together.

In today’s installment, we will explore "Monitoring and Auditing with AWS CloudTrail and Config." Knowing who did what, when, and where in your AWS environment is crucial for security and compliance. AWS provides two powerful services, CloudTrail and Config, to help you monitor changes, maintain compliance, and troubleshoot issues.

As always, feel free to engage, ask questions, and share your thoughts in the comments. Your participation is what makes this series vibrant and valuable. I’m thrilled to have you join us on this journey. Let’s get started!

What is AWS CloudTrail?

Let’s start with a technical definition:

AWS CloudTrail is a service that enables you to record, monitor, and log every action taken within your AWS environment. Whether it’s creating an S3 bucket, launching an EC2 instance, or changing IAM permissions, CloudTrail captures every event and stores it as a log file.

To put it in a simple way:

Imagine AWS CloudTrail as a CCTV camera for your AWS account. It records every move—who entered, what they did, and when they did it. This footage (log file) is stored securely so that if something unexpected happens, you can always go back and see who made what changes.

Why Use AWS CloudTrail?

  1. Security Monitoring:
    Track every API call to understand who accessed what and whether the action was authorized.

  2. Compliance:
    CloudTrail logs help ensure that your organization adheres to compliance standards by keeping a detailed history of all user activity.

  3. Troubleshooting:
    When things go wrong, CloudTrail logs can help pinpoint the exact cause by showing what changes were made right before the issue occurred.

Example Use Case

Suppose you notice that an S3 bucket suddenly has public access enabled (which is a security risk). With CloudTrail, you can look back at the logs and see who made this change, when they made it, and from where.
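The investigation described in this use case, carried out against a CloudTrail log file, as an added example (this is not code from the article or from AWS). CloudTrail delivers each log file to the trail's S3 bucket as a JSON object with a "Records" array; the records below are constructed to mirror that shape, and the bucket name, ARNs, account ID and IP addresses are made-up sample values. The function answers the three questions the paragraph asks: who, when, and from where.

```python
"""Attribute a public-access change on an S3 bucket to a CloudTrail record.

Added example for this article; not the article's or AWS's code. The log file
below is constructed sample data shaped like a real CloudTrail delivery
(a "Records" array of events with userIdentity, eventSource, eventName,
sourceIPAddress and requestParameters).
"""
import json
from datetime import datetime

# S3 API calls that can open a bucket to the public (real S3 event names).
PUBLIC_ACCESS_EVENTS = {
    "PutBucketAcl",
    "PutBucketPolicy",
    "DeletePublicAccessBlock",
    "PutBucketPublicAccessBlock",
}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed CloudTrail log file: one unrelated EC2 read, one PutBucketAcl
# that grants READ to AllUsers, and one harmless PutBucketAcl on another bucket.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "requestParameters": None},
    {"eventTime": "2024-05-01T09:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.25",
     "requestParameters": {
         "bucketName": "example-reports-bucket",
         "AccessControlPolicy": {"AccessControlList": {"Grant": [
             {"Grantee": {"xsi:type": "Group", "URI": ALL_USERS_URI},
              "Permission": "READ"}]}}}},
    {"eventTime": "2024-05-01T09:20:31Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"},
     "sourceIPAddress": "192.0.2.77",
     "requestParameters": {"bucketName": "other-bucket",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": []}}}},
]})


def grants_public_acl(params):
    """True if a PutBucketAcl request grants anything to the AllUsers group."""
    if not params:
        return False
    policy = params.get("AccessControlPolicy") or {}
    grants = (policy.get("AccessControlList") or {}).get("Grant") or []
    return any((g.get("Grantee") or {}).get("URI") == ALL_USERS_URI for g in grants)


def find_public_access_changes(log_file_text, bucket_name):
    """Return who/when/where for S3 events that may have exposed bucket_name.

    PutBucketAcl is reported only when it actually grants to AllUsers; the
    other events are reported whenever they target the bucket, because
    their effect cannot be judged from the event name alone.
    """
    records = json.loads(log_file_text)["Records"]
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in PUBLIC_ACCESS_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket_name:
            continue
        if rec["eventName"] == "PutBucketAcl" and not grants_public_acl(params):
            continue
        identity = rec.get("userIdentity", {})
        findings.append({
            "who": identity.get("userName") or identity.get("arn"),
            "when": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "where": rec.get("sourceIPAddress"),
            "event": rec["eventName"],
        })
    return sorted(findings, key=lambda f: f["when"])


if __name__ == "__main__":
    for f in find_public_access_changes(SAMPLE_LOG_FILE, "example-reports-bucket"):
        print(f"{f['when']:%Y-%m-%d %H:%M:%S}  {f['event']:<22} by {f['who']} from {f['where']}")
```

Run against a real trail, the same function would be applied to each gzipped log file under the trail's S3 prefix; the sample run reports a single finding, the PutBucketAcl by bob at 09:15 from 203.0.113.25.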

What is AWS Config?

Here’s the technical definition:

AWS Config is a service that helps you monitor, evaluate, and audit the configurations of your AWS resources. It continuously records the state of your resources (like EC2, RDS, or S3) as configuration items, keeps a history of every change, and can notify you when a change occurs. Config can also check whether your resources comply with specified rules (like ensuring all S3 buckets are encrypted).

To put it in a simple way:

Think of AWS Config as a security guard with a notepad. The guard doesn’t just watch who’s coming and going but also takes note of the current state of everything in the building. If a door that’s supposed to be locked is suddenly open, the guard notifies you immediately.

Why Use AWS Config?

  1. Configuration Management:
    Keep track of your resources' configurations and maintain a complete inventory.

  2. Compliance Checks:
    Define rules (e.g., “All EC2 instances must have encryption enabled”), and Config will continuously monitor your environment for compliance.

  3. Change Management:
    If a configuration changes (like an EC2 instance being modified), AWS Config will record and notify you, allowing you to review and approve or revert the changes.

Example Use Case

Imagine you have a policy that says, “All RDS databases must be encrypted.” With AWS Config, you can create a compliance rule that checks every database and notifies you if any are not encrypted.
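The "all RDS databases must be encrypted" rule from this use case, written the way a custom AWS Config rule evaluates it, as an added example (not code from the article or from AWS). A custom rule is a Lambda function that Config invokes with an event whose "invokingEvent" field is a JSON string carrying the configuration item of the resource that changed; the handler returns COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for that item. The final put_evaluations call that reports the result back to Config is left out so the example runs offline, the configuration items are constructed sample data, and the field name storageEncrypted in the item's "configuration" is an assumption taken from the RDS DescribeDBInstances response shape.

```python
"""Evaluate "all RDS databases must be encrypted" as a custom AWS Config rule.

Added example; not the article's or AWS's code. Configuration items are
constructed sample data, and the "storageEncrypted" field name is an
assumption based on the RDS DescribeDBInstances response.
"""
import json


def evaluate_rds_encryption(config_item):
    """Compliance type for one configuration item; NOT_APPLICABLE if not RDS."""
    if config_item.get("resourceType") != "AWS::RDS::DBInstance":
        return "NOT_APPLICABLE"
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    configuration = config_item.get("configuration") or {}
    return "COMPLIANT" if configuration.get("storageEncrypted") is True else "NON_COMPLIANT"


def lambda_handler(event, context=None):
    """Handler shape used by custom Config rules (context is unused here)."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance = evaluate_rds_encryption(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if compliance == "NON_COMPLIANT":
        evaluation["Annotation"] = "storageEncrypted is not true"
    # A deployed rule would now report the result back to Config with
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                          ResultToken=event["resultToken"])
    return [evaluation]


def make_event(resource_id, resource_type, configuration, status="OK"):
    """Build a Config invocation event around a constructed configuration item."""
    item = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
        "configuration": configuration,
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": "sample-token",  # constructed placeholder
    }


# Constructed sample: one encrypted and one unencrypted database, plus an S3
# bucket that the rule must ignore.
SAMPLE_EVENTS = [
    make_event("db-prod", "AWS::RDS::DBInstance",
               {"dBInstanceIdentifier": "prod", "storageEncrypted": True}),
    make_event("db-legacy", "AWS::RDS::DBInstance",
               {"dBInstanceIdentifier": "legacy", "storageEncrypted": False}),
    make_event("reports-bucket", "AWS::S3::Bucket", {"name": "reports-bucket"}),
]


def run_rule(events):
    """Map resourceId -> ComplianceType across a batch of invocation events."""
    return {ev["ComplianceResourceId"]: ev["ComplianceType"]
            for event in events for ev in lambda_handler(event)}


if __name__ == "__main__":
    for resource_id, result in run_rule(SAMPLE_EVENTS).items():
        print(f"{resource_id:<16} {result}")
```

Treating a deleted resource as NOT_APPLICABLE matters in practice: without that check, a database that was just deleted would be flagged NON_COMPLIANT because its configuration no longer carries the field.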

CloudTrail vs. Config: What’s the Difference?

While both services are designed to monitor your AWS environment, they serve different purposes:

  1. AWS CloudTrail is focused on tracking activity—who did what and when. It logs every action and API call.

  2. AWS Config is focused on tracking resource state—what your resources look like and whether their configuration is compliant.

Summary of Differences

Feature      AWS CloudTrail                                    AWS Config
Purpose      Record and track all API activity                 Track resource configurations and compliance
Records      Every action (API call) made by users             Current and historical state of resources
Use Cases    Security monitoring, auditing, troubleshooting    Compliance, change management, configuration review
Example      “Who changed the S3 bucket policy?”               “Is this S3 bucket encrypted?”

Setting Up AWS CloudTrail and Config: A Step-by-Step Guide

Let’s create a basic setup to enable CloudTrail and Config and see how they work together.

Step 1: Enable CloudTrail in Your AWS Account

  1. Go to the CloudTrail Console.

  2. Click on Create Trail.

  3. Name your trail MyCloudTrail.

  4. Choose whether to create a new S3 bucket for storing logs or select an existing one.

  5. Enable Multi-Region Trail if you want to capture activity across all AWS regions.

  6. Click Create.

Now, CloudTrail will start recording every API call made in your AWS account and store the logs in the specified S3 bucket.

Step 2: Enable AWS Config

  1. Go to the AWS Config Console.

  2. Click on Get Started.

  3. Select the resources you want to track (e.g., S3, EC2).

  4. Set up a Config Rule (e.g., s3-bucket-public-read-prohibited to ensure no S3 buckets are public).

  5. Choose an existing S3 bucket or create a new one for storing the configuration history.

  6. Click Next and Confirm.

AWS Config will now continuously record the configuration state of your selected resources.

Step 3: Test the Setup

  1. Make a Change: Go to the EC2 Console and change the security group of an existing EC2 instance.

  2. Check CloudTrail Logs:
    Go to your CloudTrail trail and view the logs to see the API call for the change you just made.

  3. Check AWS Config:
    Go to the Config Console and see the recorded configuration change. You’ll see details like before and after states of your EC2 instance.

Best Practices for Using CloudTrail and Config

  1. Enable CloudTrail Across All Regions:
    This ensures that you capture all activity, even in regions you don’t actively use.

  2. Set Up Config Rules for Compliance:
    Create rules to ensure resources like S3 buckets and EC2 instances are configured according to your organization’s policies.

  3. Use CloudWatch for Real-Time Alerts:
    Integrate CloudTrail and Config with CloudWatch to get real-time alerts when suspicious activities or non-compliant changes are detected.

  4. Regularly Review CloudTrail Logs:
    Periodically review CloudTrail logs to identify unusual activities or unauthorized access attempts.
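The review step in the last two best practices, turned into runnable detection logic, as an added example (not code from the article or from AWS). Each rule corresponds to a CloudWatch Logs metric-filter pattern of the kind the CIS AWS Foundations Benchmark uses for real-time alarms on a CloudTrail log group (quoted in the comments); here the same logic runs over a constructed batch of CloudTrail records so it can be tested offline. Account IDs, ARNs, user names and IP addresses are made-up sample values, and the trail name is the MyCloudTrail from Step 1.

```python
"""Review CloudTrail records for root usage, failed console sign-ins, and
attempts to switch off the audit trail or the Config recorder.

Added example; not the article's or AWS's code. SAMPLE_RECORDS is
constructed data (a subset of real CloudTrail fields). The metric-filter
patterns in the comments are the CloudWatch Logs filters used by the
CIS AWS Foundations Benchmark alarms for the same conditions.
"""
from collections import Counter

SAMPLE_RECORDS = [
    {"eventTime": "2024-05-02T01:05:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-02T01:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-02T01:06:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-02T02:11:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.4"},
    {"eventTime": "2024-05-02T02:12:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.4", "requestParameters": {"name": "MyCloudTrail"}},
    {"eventTime": "2024-05-02T02:13:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "StopConfigurationRecorder",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.4"},
]


# CIS root-usage filter:
# { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
def is_root_activity(rec):
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


# CIS console-authentication-failure filter:
# { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
def is_failed_console_login(rec):
    return rec.get("eventName") == "ConsoleLogin" and rec.get("errorMessage") == "Failed authentication"


# CIS CloudTrail-configuration-change filter covers StopLogging/DeleteTrail/UpdateTrail;
# the Config recorder API names are added here so both audit sources are watched.
AUDIT_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                       "StopConfigurationRecorder", "DeleteConfigurationRecorder",
                       "DeleteDeliveryChannel"}


def is_audit_tampering(rec):
    return rec.get("eventName") in AUDIT_TAMPER_EVENTS


SINGLE_EVENT_RULES = {"root-activity": is_root_activity, "audit-tampering": is_audit_tampering}


def review(records, failed_login_threshold=2):
    """Return {rule_name: [event summaries]} for every record a rule matches.

    Failed console logins are reported once a user/IP pair reaches
    failed_login_threshold, mirroring a CloudWatch alarm on the metric
    count; the single-event rules fire on every matching record.
    """
    findings = {name: [] for name in list(SINGLE_EVENT_RULES) + ["failed-console-login"]}
    failed = Counter()
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn")
        src = rec.get("sourceIPAddress")
        summary = f"{rec['eventTime']} {rec['eventName']} by {who} from {src}"
        for name, rule in SINGLE_EVENT_RULES.items():
            if rule(rec):
                findings[name].append(summary)
        if is_failed_console_login(rec):
            failed[(who, src)] += 1
            if failed[(who, src)] == failed_login_threshold:
                findings["failed-console-login"].append(summary)
    return findings


if __name__ == "__main__":
    for name, hits in review(SAMPLE_RECORDS).items():
        print(f"[{name}] {len(hits)} finding(s)")
        for line in hits:
            print("   ", line)
```

On the sample batch the review reports one root action, two audit-tampering events (the trail being stopped and then the Config recorder), and one failed-login finding, since alice's two failures from the same address reach the threshold before her successful sign-in.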

Summary

Today, we explored:

  • What AWS CloudTrail and AWS Config are and how they help monitor and audit your AWS environment.

  • The key differences between CloudTrail and Config.

  • Setting up both services to track API activities and resource configurations.

What’s Next?

In Day 19, we’ll discuss high availability and disaster recovery strategies on AWS. We’ll see how to design resilient architectures that can handle failures and minimize downtime.

Stay tuned, and let’s keep this AWS learning journey going strong!


Hope you find this blog helpful. Please share your thoughts in the comments—it will help me refine and provide more insightful content. Happy Learning!
