Types of CloudTrail Events
As discussed previously, an event is captured every time a call to the AWS API is made. This could be from the AWS Management Console, the AWS CLI, or one of the AWS SDKs. There are several types of events in CloudTrail. As a security professional and someone looking to take the AWS Certified Security Specialty Certification exam, you need to be able to distinguish between the different types of events:
- Management events: These are the events logged by default by the service and capture the management operations occurring in your account. AWS describes these as the control plane operations. The following are some examples of what would be captured as a management event:
- Items associated with configuring security, for example, creating a role or deleting a role (e.g., DeleteRole API operations)
- Items associated with registering devices, for example, creating or destroying an EC2 instance (e.g., RunInstances API operations)
- Items associated with routing data, for example, adding, removing, or modifying rules on a security group (e.g., CreateSecurityGroup API operations)
- Items associated with logging operations, for example, creating or modifying a CloudTrail trail (e.g., CreateTrail API operations)
When any activity occurs in your account, CloudTrail will capture and record that activity as a CloudTrail event. The event will contain the following details:
- Who performed the request
- The date and the time that the request was performed
- The source IP of the request
- What action was being performed
- The Region the action was conducted in
- The response to the request itself
- Data events: These events are not logged by default but can be turned on for a specific trail. Data events tend to come in at a high-volume rate; for this reason, you specify the exact type of event or events that you would like to be captured in your trail. There is an additional cost associated with capturing data events. Therefore, you need a strategy for what you want to capture and possibly for what amount of time. Look at these examples of what can be captured as a data event:
- Data activity on a DynamoDB table such as PutItem, UpdateItem, and DeleteItem API operations
- The Invoke API operation on an AWS Lambda function
- Amazon Cognito data events, including calls to the GetCredentialsForIdentity, GetId, GetOpenIdToken, GetOpenTokenForDeveloperIdentity, and UnlinkIdentity API calls
If you would like to see the complete list of data event types, you can find them at the following URL: https://packt.link/wkQOX
- Insight events: These events are not logged by default and can be optionally turned on. Once turned on, they capture unusual API call rate or error rate activity in your AWS account by analyzing management events. There are no specific insight events, as the insight events judge “normal” activity on your account versus the unusual activity it detects. Some examples of insight events could be the following:
- Unusual AWS Management Console sign-in events
- Access to AWS resources from new or unusual locations
- A sudden increase in API calls to a specific resource
- Suspicious API call patterns that could be indicative of an attack
- An unusual amount of resource creation or deletion activity
- An unusual volume of data transfer from an S3 bucket or other storage resource
- Unusual activities by the AWS account user
- Significant or unexpected changes to Identity and Access Management (IAM) policies that suggest a security compromise
These examples are for demonstration purposes only; each account’s insight events are based on usage patterns and activity.
With an understanding of the different types of events available to be logged by the AWS CloudTrail service, you will now learn how CloudTrail is set up by default.