Amazon CloudTrail logs
CloudTrail is an API log monitoring web service offered by AWS. It enables AWS customers to record API calls and sends these log files to Amazon S3 buckets for storage. The service provides details of API activity such as the identity of the API caller, the time of the API call, the source IP address of the API caller, the requests made and response elements returned by the AWS service. In addition, it captures a few non-API events (AWS service events and AWS console sign-in events).
CloudTrail can also be configured to publish a notification for every log file that is delivered, allowing users to take action upon log file delivery.
(I) Enable CloudTrail
- Login to the AWS console.
- Go to AWS Services → Management Tools → CloudTrail.
- Click Add new trail.
- Click Advanced and fill in the missing information.
(II) Create an SNS topic. Refer to the image below for the correct settings.
(III) Create an SQS queue and subscribe to the SNS topic created in Step II
- Go to AWS Services → Messaging → Simple Queue Service (SQS).
- Click Create New Queue and fill in the necessary information.
- Now, this SQS queue must be subscribed to the SNS topic created when you enabled CloudTrail. Follow the steps below.
- Select the SQS queue created.
- From the Queue Action drop-down menu, select Subscribe Queue to SNS Topic.
(IV) Add the created SQS queue as a data source in Cloud Security Plus
- Login to the Cloud Security Plus console.
- Go to Settings and click on Add Data Source.
- Select CloudTrail from the Data source drop-down menu.
- Choose the AWS region, the trail and the SQS queue.
- Click Save.
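To make the pipeline above concrete, here is an added example (not part of this page and not Cloud Security Plus code) of what a consumer of the SQS queue actually receives and has to do with it: unwrap the SNS envelope that CloudTrail's log-file delivery notification arrives in, pull out the S3 bucket and object keys it names, gunzip the log file, and flatten each record into the fields the page lists (caller identity, time, source IP, request and response). The account ID, bucket, topic ARN, object key and the two CloudTrail records are constructed sample data; the fetch from S3 itself is left out so the code runs offline.

```python
import gzip
import json

# Constructed sample: the body SQS receives from the SNS topic CloudTrail
# publishes to. SNS wraps the CloudTrail payload in its standard envelope
# (Type/TopicArn/Message/...) because raw message delivery is off by default.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",           # constructed
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:cloudtrail-topic",  # constructed
    "Subject": "[AWS CloudTrail] Log file delivery",
    "Message": json.dumps({
        "s3Bucket": "example-cloudtrail-bucket",                    # constructed
        "s3ObjectKey": [
            "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/15/"
            "111122223333_CloudTrail_us-east-1_20240115T1200Z_abcdef.json.gz"
        ],
    }),
    "Timestamp": "2024-01-15T12:05:00.000Z",
})

# Constructed sample of a delivered log file after gunzip: a "Records" array.
# First record is an API call, second is a console sign-in (a non-API event).
SAMPLE_LOG_FILE = json.dumps({
    "Records": [
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::111122223333:user/alice"},
            "eventTime": "2024-01-15T11:58:02Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "requestParameters": {"userName": "bob"},
            "responseElements": {"user": {"userName": "bob"}},
        },
        {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "carol",
                             "arn": "arn:aws:iam::111122223333:user/carol"},
            "eventTime": "2024-01-15T11:59:30Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "responseElements": {"ConsoleLogin": "Failure"},
        },
    ]
})


def parse_delivery_notification(sqs_body: str):
    """Return (bucket, [object keys]) from an SNS-wrapped CloudTrail delivery
    notification; raise ValueError for anything that is not one, so unrelated
    messages on a shared queue are not mistaken for log deliveries."""
    envelope = json.loads(sqs_body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification envelope")
    payload = json.loads(envelope["Message"])      # CloudTrail's own JSON
    keys = payload.get("s3ObjectKey")
    if not isinstance(keys, list) or not keys:
        raise ValueError("notification names no S3 object keys")
    return payload["s3Bucket"], keys


def extract_api_activity(log_file_text: str):
    """Flatten each CloudTrail record into the fields the trail captures."""
    rows = []
    for r in json.loads(log_file_text).get("Records", []):
        ident = r.get("userIdentity", {})
        rows.append({
            "time": r.get("eventTime"),
            "caller": ident.get("arn") or ident.get("userName") or ident.get("type"),
            "source_ip": r.get("sourceIPAddress"),
            "service": r.get("eventSource"),
            "event": r.get("eventName"),
            "request": r.get("requestParameters"),
            "response": r.get("responseElements"),
        })
    return rows


def process_log_object(raw_bytes: bytes):
    """Delivered log files are gzip-compressed JSON; decompress, then flatten."""
    return extract_api_activity(gzip.decompress(raw_bytes).decode("utf-8"))


def console_login_failures(rows):
    """Callers whose console sign-in event was recorded as a failure."""
    return [row["caller"] for row in rows
            if row["event"] == "ConsoleLogin"
            and (row["response"] or {}).get("ConsoleLogin") == "Failure"]


def sample_gzipped_log() -> bytes:
    """Stand-in for the S3 GetObject result, so the example runs offline."""
    return gzip.compress(SAMPLE_LOG_FILE.encode("utf-8"))


if __name__ == "__main__":
    bucket, keys = parse_delivery_notification(SAMPLE_SQS_BODY)
    print("fetch", keys, "from", bucket)
    rows = process_log_object(sample_gzipped_log())
    for row in rows:
        print(row["time"], row["caller"], row["source_ip"], row["event"])
    print("console sign-in failures:", console_login_failures(rows))
```

In a real consumer the message is read with SQS ReceiveMessage, the objects are fetched with S3 GetObject using the bucket and keys returned by parse_delivery_notification, and the SQS message is deleted only after the file has been processed, so a crash mid-way leaves the notification on the queue to be retried rather than silently dropping a log file.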