The Sumo Logic Application for CloudTrail adds analytics and visualization on top of CloudTrail log data, turning the raw API-call records into actionable security and operations forensics.
3. What is CloudTrail?
You are making API calls…
on a growing set of services around the world…
CloudTrail is continuously recording those API calls…
and delivering log files to you.
Nice, right? Let’s look at some more details…
4. What is CloudTrail?
CloudTrail records API calls in your account and delivers a log file to your S3 bucket
Typically, an event is delivered within 15 minutes of the API call being made
New log files are published to the bucket roughly every 5 minutes
7. Information in a recorded API call
Who made the API call?
When was the API call made?
What was the API call?
What were the resources that were acted upon in the API call?
Where was the API call made from?
8. What is NOT recorded?
State transitions of AWS resources. Example: An EC2 instance transitioning from
pending to a running state
Allowed or denied traffic information for VPC security groups and network ACLs (CloudTrail records the API calls that change these rules, not the packets they allow or drop)
Successful and failed AWS Management Console sign-in events (not recorded at the time of this deck; CloudTrail has since added them as ConsoleLogin events)
14. CloudTrail Use Cases
Dashboards are grouped into three areas: User Monitoring, Operations, and Network and Security. Panels include:
Geo Location of All Users
Requested AWS services over time
Main users in the AWS account
Admin users activities over time
Authorization failures over time
Recent Activity by Administrative Users
Created and Deleted Network Security Events
Launched and terminated instances by user
Network and Security Events Over Time
Recent Security Group and Network ACL Changes
Network ACL with All Allowed Ingress/Egress
API calls by AWS region
Elastic IP address operations
Created and deleted resources over time
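The following is an added example, not code from the slides or from the Sumo Logic application. It shows how the "who / when / what / resources / where" fields of slide 7 map onto the documented CloudTrail JSON record layout, and then runs three of the slide 14 checks (authorization failures per user, security group and network ACL changes, launched and terminated instances by user) over a constructed log file. The account ID, user names, IP addresses and instance IDs in the sample are made up; real log files arrive gzip-compressed in the S3 bucket and hold a `Records` array of the same shape.

```python
import json
from collections import Counter, defaultdict

# Constructed sample CloudTrail log file (assumed content, not real data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.0", "eventTime": "2014-03-06T21:22:54Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "requestParameters": {"instanceType": "m1.small"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1b2c3d"}]}}},
    {"eventVersion": "1.0", "eventTime": "2014-03-06T21:30:01Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "123456789012"},
     "requestParameters": {"groupId": "sg-11112222", "cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventVersion": "1.0", "eventTime": "2014-03-06T22:02:11Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "mallory", "accountId": "123456789012"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventVersion": "1.0", "eventTime": "2014-03-06T22:02:40Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "mallory", "accountId": "123456789012"},
     "errorCode": "AccessDenied", "requestParameters": {"userName": "backdoor"}},
    {"eventVersion": "1.0", "eventTime": "2014-03-06T23:15:09Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0a1b2c3d"}]}}},
]})

# Error codes that mean the caller lacked permission (IAM and EC2 spellings).
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
# API calls that change security group or network ACL rules.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def load_records(text):
    """Parse one CloudTrail log file; every file is {"Records": [...]}."""
    return json.loads(text)["Records"]


def who(identity):
    """Resolve the caller: root has no userName, roles expose an ARN."""
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def summarize(record):
    """Answer the five slide-7 questions for a single record."""
    return {
        "who": who(record["userIdentity"]),
        "when": record["eventTime"],
        "what": f'{record["eventSource"]}:{record["eventName"]}',
        "resources": record.get("requestParameters", {}),
        "where": f'{record["sourceIPAddress"]} ({record["awsRegion"]})',
        "denied": record.get("errorCode") in DENIED_CODES,
    }


def authorization_failures(records):
    """Count permission-denied calls per user (the 'authorization failures' panel)."""
    return Counter(who(r["userIdentity"]) for r in records if r.get("errorCode") in DENIED_CODES)


def network_changes(records):
    """List successful security group / network ACL rule changes with the caller."""
    return [(who(r["userIdentity"]), r["eventName"], r.get("requestParameters", {}))
            for r in records
            if r["eventName"] in NETWORK_CHANGE_EVENTS and "errorCode" not in r]


def instances_by_user(records):
    """Tally successful RunInstances / TerminateInstances per user."""
    tally = defaultdict(lambda: {"launched": 0, "terminated": 0})
    for r in records:
        if "errorCode" in r or r["eventSource"] != "ec2.amazonaws.com":
            continue
        if r["eventName"] == "RunInstances":
            tally[who(r["userIdentity"])]["launched"] += 1
        elif r["eventName"] == "TerminateInstances":
            tally[who(r["userIdentity"])]["terminated"] += 1
    return dict(tally)


RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    for rec in RECORDS:
        print(summarize(rec))
    print("authorization failures:", authorization_failures(RECORDS))
    print("network changes:", network_changes(RECORDS))
    print("instances by user:", instances_by_user(RECORDS))
```

The `0.0.0.0/0` ingress rule on port 22 is exactly the kind of record the "Recent Security Group and Network ACL Changes" panel exists to surface, and the two denied calls from the same source address show why authorization failures are worth trending per user rather than only per account.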