Monitoring IAM user activity with CloudTrail logs

Introduction

In this lesson, we will learn how to monitor IAM user activity with CloudTrail logs in AWS. Monitoring IAM user activity is crucial for security and compliance reasons, as it allows you to track who is accessing your resources and what actions they are performing. CloudTrail logs provide detailed information about API calls made in your AWS account, including the identity of the caller, the time of the call, the source IP address, and more. By analyzing these logs, you can detect unauthorized access, troubleshoot operational issues, and ensure that your security policies are being followed.

Prerequisites

Before we begin, make sure you have the following prerequisites:

  • An AWS account
  • An IAM user with permissions to access CloudTrail logs
  • Basic knowledge of AWS services and IAM

Enabling CloudTrail

The first step in monitoring IAM user activity is to enable CloudTrail in your AWS account. CloudTrail records API calls made in your account and stores the logs in an S3 bucket. To enable CloudTrail, follow these steps:

  1. Go to the CloudTrail console in the AWS Management Console.
  2. Click on “Create trail” and enter a name for your trail.
  3. Choose the S3 bucket where you want to store the logs.
  4. Configure the settings for your trail, such as the log file format and log file encryption.
  5. Click on “Create trail” to enable CloudTrail.

Analyzing CloudTrail logs

Once CloudTrail is enabled, you can start analyzing the logs to monitor IAM user activity. You can use the CloudTrail console, AWS CLI, or SDKs to query the logs and extract relevant information. Here are some examples of how you can analyze CloudTrail logs:

Using the CloudTrail console

  1. Go to the CloudTrail console and select your trail.
  2. Click on “Event history” to view a list of API calls made in your account.
  3. Use the filter options to search for specific events, such as IAM user actions or API calls from a specific IP address.

Using AWS CLI

You can also use the AWS CLI to query CloudTrail logs from the command line. Here are some example commands:

# List all CloudTrail trails in your account (name, S3 bucket, regions, whether it is multi-region)
aws cloudtrail describe-trails

# Get the most recent CloudTrail events from Event history (management events of the last 90 days);
# each event includes the caller identity, event name, time and source IP address
aws cloudtrail lookup-events

Using AWS SDKs

If you prefer to use a programming language, you can use the AWS SDKs to interact with CloudTrail. Here is an example using the AWS SDK for JavaScript (v3) that checks whether a trail is currently logging and delivering files:

import { CloudTrailClient, GetTrailStatusCommand } from "@aws-sdk/client-cloudtrail";

// A trail that exists but has logging switched off records nothing,
// so check its status before relying on the logs.
const client = new CloudTrailClient({ region: "us-east-1" });
const command = new GetTrailStatusCommand({ Name: "my-trail" });

client.send(command).then((response) => {
  // GetTrailStatus returns IsLogging plus delivery timestamps and errors
  // (there is no TrailStatus field in the response)
  console.log("IsLogging:", response.IsLogging);
  console.log("LatestDeliveryTime:", response.LatestDeliveryTime);
  if (response.LatestDeliveryError) {
    console.error("LatestDeliveryError:", response.LatestDeliveryError);
  }
}).catch((error) => {
  console.error(error);
});

Setting up alerts

To proactively monitor IAM user activity, you can set up CloudWatch alarms to alert you when specific events occur in your CloudTrail logs. For example, you can create an alarm to notify you when an IAM user makes a high number of API calls within a short period of time. Here’s how you can set up an alarm using the AWS Management Console:

  1. Go to the CloudWatch console and click on “Alarms”.
  2. Click on “Create alarm” and select the CloudTrail metric you want to monitor.
  3. Configure the alarm threshold and actions, such as sending an email notification or triggering a Lambda function.
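The log analysis described above and the "many API calls in a short period" rule behind the alarm, worked offline over CloudTrail records as an added example that is not part of this lesson or of any AWS library. It assumes the standard CloudTrail log-file layout ({"Records":[...]}); the records, user names, IP addresses and account id are constructed sample data, and the function names are my own.

```javascript
// Added example (not from the lesson). CloudTrail log files are JSON shaped like
// {"Records":[...]}; the records below are constructed sample data, not real activity.
function makeRecord(userName, eventTime, eventSource, eventName, sourceIPAddress) {
  return { eventVersion: "1.08", awsRegion: "us-east-1", eventTime, eventSource, eventName, sourceIPAddress,
    userIdentity: { type: "IAMUser", userName, arn: `arn:aws:iam::123456789012:user/${userName}` } };
}
const sampleLogFile = JSON.stringify({
  Records: [
    makeRecord("alice", "2024-05-01T10:00:00Z", "iam.amazonaws.com", "CreateUser", "203.0.113.5"),
    makeRecord("alice", "2024-05-01T10:00:10Z", "iam.amazonaws.com", "AttachUserPolicy", "203.0.113.5"),
    // six S3 calls by bob within 25 seconds: the "many calls in a short period" pattern
    ...Array.from({ length: 6 }, (_, i) => makeRecord("bob",
      `2024-05-01T10:01:${String(i * 5).padStart(2, "0")}Z`, "s3.amazonaws.com", "ListBuckets", "198.51.100.7")),
    makeRecord("carol", "2024-05-01T11:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.8"),
    // a role session rather than an IAM user; parseIamUserEvents() must skip it
    { eventVersion: "1.08", awsRegion: "us-east-1", eventTime: "2024-05-01T10:02:00Z", eventSource: "ec2.amazonaws.com",
      eventName: "RunInstances", sourceIPAddress: "192.0.2.9",
      userIdentity: { type: "AssumedRole", arn: "arn:aws:sts::123456789012:assumed-role/Deploy/ci" } },
  ],
});
// Parse one log file, keeping only calls made by IAM users (userIdentity.type === "IAMUser")
function parseIamUserEvents(logFileJson) {
  const { Records = [] } = JSON.parse(logFileJson);
  return Records.filter((r) => r.userIdentity && r.userIdentity.type === "IAMUser").map((r) => ({
    user: r.userIdentity.userName, time: Date.parse(r.eventTime),
    source: r.eventSource, action: r.eventName, ip: r.sourceIPAddress }));
}
// Users with at least `threshold` calls inside any sliding window of `windowMs` milliseconds.
function findBurstyUsers(events, threshold, windowMs) {
  const byUser = new Map();
  for (const e of events) byUser.set(e.user, [...(byUser.get(e.user) || []), e.time]);
  const flagged = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    for (let start = 0, end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) { flagged.push(user); break; }
    }
  }
  return flagged;
}
// IAM control-plane changes (eventSource iam.amazonaws.com) as who / what / from where / when.
function iamChanges(events) {
  return events.filter((e) => e.source === "iam.amazonaws.com")
    .map((e) => `${e.user} ${e.action} from ${e.ip} at ${new Date(e.time).toISOString()}`);
}
const allEvents = parseIamUserEvents(sampleLogFile);
console.log(iamChanges(allEvents));
console.log(findBurstyUsers(allEvents, 5, 60 * 1000)); // → [ 'bob' ]
```

To run this over real trail output, gunzip each delivered log file from the S3 bucket and pass its contents to parseIamUserEvents; the same threshold and window are what you would encode in the CloudWatch metric filter and alarm.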

Conclusion

In this lesson, we learned how to monitor IAM user activity with CloudTrail logs in AWS. By enabling CloudTrail, analyzing the logs, and setting up alerts, you can proactively monitor and secure your AWS account. Key learnings from this lesson include:

  • Enabling CloudTrail to record API calls in your account
  • Analyzing CloudTrail logs using the console, AWS CLI, or SDKs
  • Setting up CloudWatch alarms to alert you of suspicious activity

Now that you have a better understanding of monitoring IAM user activity with CloudTrail logs, you can take proactive steps to enhance the security of your AWS account.
