Default Settings for CloudTrail – Logging and Monitoring – SCS-C02 Study Guide

Default Settings for CloudTrail

Before diving deeper into the features and functionality of the CloudTrail service, you first need to understand its default settings. Knowing this can be helpful when deciphering questions and answers regarding the CloudTrail service on the Security Specialty Certification exam. Be sure that you understand the following base concepts for the exam:

  • CloudTrail is enabled on your AWS account when you create it.
  • CloudTrail logs are encrypted using Amazon S3 server-side encryption (SSE). This can be changed to create logs encrypted with a KMS key.
  • CloudTrail delivers log files on average about every 5 minutes, that is, multiple times per hour.
  • Trails are only viewable in the AWS Regions where they log events.

Now that you understand the default settings with the CloudTrail service, the next section will take you through the process of setting up a new trail.

Creating a New Trail in AWS CloudTrail

Even though CloudTrail is enabled by default in accounts, there are cases where turning on an additional trail makes sense. As part of the security team, you must ensure that all Regions and events are captured and stored with integrity. With all the valuable data in the trail, this can be a handy tool for developers working on items such as infrastructure as code or IAM features. Creating an additional trail in a particular Region for developers mitigates the risk of anything happening to the data contained in the original trail. It also allows the developers to toggle the features of the secondary trail on and off as they see fit.

The following steps will take you through the process of turning on an additional CloudTrail trail in a single Region:

  1. First, go to the CloudTrail service on the AWS Management Console using the following URL: https://packt.link/kB07A

You should now be on the dashboard page of CloudTrail.

  2. Click on the button labeled Create Trail on the right side of the page.

You should now be on a page named Choose trail attributes.

  3. For the name of the trail, enter security-cert. Leave the checkbox that would enable the trail for all the accounts in your organization unchecked, as this is just a single trail for a single Region.

Figure 7.7: CloudTrail setup screen

This trail is for the scenario in which developers need access to the trail data. Therefore, create a brand-new bucket so that you can give the development team the correct access control for viewing the CloudTrail logs.

  4. Keep the default bucket name given here or name it something more relevant for you.

Figure 7.8: S3 bucket and folder selection for CloudTrail

  5. Given the sensitive nature of CloudTrail data, such as usernames and account numbers, enable Log file SSE-KMS encryption and, with that, create a new key. It is recommended that you name your key for this exercise packt-cloudtrail (this way, you know it will be safe to delete once you are done studying).

Figure 7.9: CloudTrail encryption key creation

  6. For this example, turn off Log file validation, since you are only making a single trail for a set of developers. Uncheck this box under Additional settings.

Figure 7.10: Additional settings dropdown

  7. After completing the previous steps 1-6, scroll down to the bottom of the page and click on the orange Next button.

Once you press that Next button, you will be brought to the page where you select which types of events you would like CloudTrail to log to this trail.

  8. Management events are selected by default; also enable Data events for this particular trail. Just remember that there is an additional charge for each additional data event type you choose for CloudTrail to record.

Figure 7.11: Event type selection for CloudTrail

  9. Now scroll down to Management events and make sure that both the Read and Write API activities are checked.

Figure 7.12: Management events activity selection for CloudTrail

For data events, there are many options that you could choose to have recorded.

  10. To keep things simple, select all S3 data events by choosing the S3 data event type and keeping the Log all events option.

Figure 7.13: Data event type selection for CloudTrail

  11. Now scroll to the bottom of the page and click on the Next button.
  12. This will bring you to the Review and create page for your new trail. Check the details to ensure that you have entered everything correctly, and if everything seems in order, scroll down to the bottom of the page and click the Create trail button.

You can now look at the data events for the S3 buckets enabled in your new CloudTrail trail.
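The same trail expressed through the CloudTrail API rather than the console, as an added example that is not from the study guide: the builder functions return the S3 bucket policy CloudTrail requires for delivery, the CreateTrail arguments and the event selectors that match the steps above. The account ID and bucket name are placeholders, and the optional apply() needs boto3 and AWS credentials.

```python
import json

# Constructed placeholder values for this example (not from the study guide).
ACCOUNT_ID = "123456789012"                # placeholder AWS account number
BUCKET = "packt-cloudtrail-logs-example"   # placeholder log bucket name
KMS_KEY = "alias/packt-cloudtrail"         # alias of the key created in step 5
TRAIL = "security-cert"                    # trail name from step 3

def bucket_policy(bucket, account_id):
    """Bucket policy CloudTrail requires before it will deliver log files: it
    checks the bucket ACL, then writes under AWSLogs/<account>/ with the
    bucket-owner-full-control ACL. Without both statements CreateTrail fails."""
    principal = {"Service": "cloudtrail.amazonaws.com"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": principal,
             "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }

def trail_params(name=TRAIL, bucket=BUCKET, kms_key=KMS_KEY):
    """CreateTrail arguments matching the walkthrough: single Region, SSE-KMS,
    log file validation off (step 6). The key policy must already allow
    cloudtrail.amazonaws.com to call kms:GenerateDataKey*; the console adds
    that when it creates the key for you, the API does not."""
    return {"Name": name, "S3BucketName": bucket, "KmsKeyId": kms_key,
            "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
            "EnableLogFileValidation": False}

def event_selectors():
    """Management events Read and Write plus all S3 data events (steps 8-10);
    the bare prefix arn:aws:s3 selects every object in every bucket."""
    return [{"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]

def apply(region="us-east-1"):
    """Apply the configuration with boto3 (needs credentials, so not run offline)."""
    import boto3
    boto3.client("s3", region_name=region).put_bucket_policy(
        Bucket=BUCKET, Policy=json.dumps(bucket_policy(BUCKET, ACCOUNT_ID)))
    ct = boto3.client("cloudtrail", region_name=region)
    ct.create_trail(**trail_params())
    ct.put_event_selectors(TrailName=TRAIL, EventSelectors=event_selectors())
    ct.start_logging(Name=TRAIL)   # a trail created via the API starts stopped
```

Because the settings are plain dictionaries, the same functions can be diffed against `get_trail` and `get_event_selectors` output to detect drift from the intended configuration.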