November 07, 2017 / by jburks / In guides /

Analytics with AWS Cloud Trail

What is AWS CloudTrail?

AWS CloudTrail is a web service that records the AWS API calls made in your account and delivers the resulting log files to an Amazon S3 bucket for storage, audit and analysis. Each recorded event carries API activity data such as:

  • Identity of the API caller

  • Time of the API call

  • Source IP address of the API caller

  • Request parameters

  • Response elements returned by AWS service

Moreover, CloudTrail can be configured to publish a notification for each log file delivered, allowing users to take action on each delivery (a process that, according to AWS, should only take about 15 minutes). CloudTrail can also be configured to aggregate log files across multiple accounts, so that the log files of all of them are delivered to a single S3 bucket.

How We Help

DNIF can help you answer questions like:

  • What actions did a user take over a given period of time?

  • What’s the source IP address for a given activity?

  • Which user activities failed due to inadequate permissions?

  • Which user changed the settings of a security group and when did the change occur?

  • When was a particular IP address associated with a network interface?

  • Which user launched or terminated an EC2 instance?

We answer such questions by collecting the logs and analyzing them. The features listed below allow DNIF to help its users derive relevant insights from the log data:

  • Customized Dashboards for real time traffic flows

  • Easy to implement use cases (as per security, business, and user requirements)

  • Index, search, and analysis of performance and access logs

  • Report generation

  • Usage pattern determination

Use Cases

Create a dashboard for monitoring logs from Amazon Web Services

The dashboard covers the following data points over the last 24 hours:

  • IAM user activity

  • Top actions performed

  • Top traffic sources

  • Highest login failure activity

IAM User Activity

AWS Identity and Access Management (IAM) is integrated with AWS CloudTrail, which logs the IAM-related AWS events created by or on behalf of your AWS account. Using the information collected by CloudTrail, you can determine:

  • What requests were successfully made to AWS services

  • Who made the request

  • When it was made

Top Actions Performed

Displays a list of events that correspond to the activities performed within the last 24 hours.

Top Traffic Sources

Displays a list of all the source IP addresses that accessed the bucket, indicating the level of traffic each of them generated.

Highest Login Failure Activity

Displays the number of failed logins in the past 24 hours, in a single value chart.

Other use cases that can be included:

  • Security Group Activity
  • Security Group Activity Over Time
  • All AWS Activities
  • Failed API Calls
  • Failed API Calls - Reason - Login Credentials and Permission Issues
  • Failed API Calls - Account Breakup
  • Console Login Failures
  • Successful Console Logins
  • Created Users
  • Deleted Users
  • Created Roles
  • Deleted Roles
  • Created Access Keys
  • Deleted Access Keys
  • Successful Configuration Changes
  • Failed Configuration Changes
  • Created Security Groups
  • Deleted Security Groups
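As an added, runnable illustration of the dashboard data points described earlier (IAM user activity, top actions, top sources, login failures) and of the failed-API-call and security-group use cases above, the script below parses a constructed CloudTrail log file and computes them. This is example code written for this page, not DNIF's own; the record field names are CloudTrail's, while every value in the sample records is made up.

```python
import json
from collections import Counter

# Constructed sample log file in CloudTrail's JSON record format (all values made up).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-11-07T10:01:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2017-11-07T10:02:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-11-07T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0123example"}},
    {"eventTime": "2017-11-07T10:07:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "errorCode": "Client.UnauthorizedOperation"},
]})

# EC2 API calls that create, delete or change the rules of a security group.
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}

def caller(rec):
    """Name of the API caller: the IAM user name, else the identity type (e.g. Root)."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")

def summarize(trail_json):
    """Compute the four dashboard data points plus two use cases from one log file."""
    s = {"iam_user_activity": Counter(), "top_actions": Counter(), "top_sources": Counter(),
         "login_failures": 0, "failed_api_calls": Counter(), "security_group_changes": []}
    for rec in json.loads(trail_json)["Records"]:
        s["iam_user_activity"][caller(rec)] += 1          # who made requests, how many
        s["top_actions"][rec.get("eventName")] += 1       # which API actions were called
        s["top_sources"][rec.get("sourceIPAddress")] += 1  # where the calls came from
        # A failed console login is flagged in responseElements, not via errorCode.
        if rec.get("eventName") == "ConsoleLogin" and \
           rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            s["login_failures"] += 1
        if "errorCode" in rec:  # AccessDenied, UnauthorizedOperation, ... (permission issues)
            s["failed_api_calls"][rec["errorCode"]] += 1
        if rec.get("eventName") in SG_EVENTS:  # who changed which security group, and when
            s["security_group_changes"].append(
                (rec["eventTime"], caller(rec), rec["eventName"],
                 rec.get("requestParameters", {}).get("groupId")))
    return s
```

Real CloudTrail files arrive gzip-compressed in S3, so in practice the JSON text would be read through `gzip.open()` before being passed to `summarize()`.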