In November 2013, we introduced AWS CloudTrail to track user activity and API usage. AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API calls across AWS services as events. CloudTrail events help you answer the questions of “who did what, where, and when?”.
Recently we have improved your ability to simplify auditing and security analysis by using AWS CloudTrail Lake. CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit, security, and operational purposes. You can aggregate and immutably store your activity events, and run SQL-based queries for search and analysis.
We have heard your feedback that aggregating activity information from diverse applications across hybrid environments is complex and costly, but important for a comprehensive picture of your organization’s security and compliance posture.
Today we are announcing support for ingesting activity events from non-AWS sources into CloudTrail Lake, making it a single location of immutable user and API activity events for auditing and security investigations. Now you can consolidate, immutably store, search, and analyze activity events from AWS and non-AWS sources, such as in-house or SaaS applications, in one place.
Using the new PutAuditEvents API in CloudTrail Lake, you can centralize user activity information from disparate sources into CloudTrail Lake, enabling you to analyze, troubleshoot, and diagnose issues using this data. CloudTrail Lake records all events in a standardized schema, making it easier for users to consume this information to comprehensively and quickly respond to security incidents or audit requests.
CloudTrail Lake is also integrated with selected AWS Partners, such as Cloud Storage Security, Clumio, CrowdStrike, CyberArk, GitHub, Kong Inc, LaunchDarkly, MontyCloud, Netskope, Nordcloud, Okta, One Identity, Shoreline.io, Snyk, and Wiz, allowing you to easily enable audit logging through the CloudTrail console.
Getting Started with Integrating External Sources
You can start ingesting activity events from your own data sources or partner applications by choosing Integrations under the Lake menu in the AWS CloudTrail console.
To create a new integration, choose Add integration and enter your channel name. You can choose the partner application source from which you want to get events. If you are integrating events from your own applications hosted on-premises or in the cloud, choose My custom integration.
For Event delivery location, you can choose the destinations for events from this integration. This allows your application or partners to deliver events to your CloudTrail Lake event data store. An event data store can retain your activity events for one week up to seven years. You can then run queries on the event data store.
Choose either Use existing event data stores or Create new event data store to receive events from integrations. To learn more about event data stores, see Create an event data store in the AWS documentation.
You can also set up the permissions policy for the channel resource created with this integration. The information required for the policy depends on the integration type of each partner application.
There are two types of integrations: direct and solution. With direct integrations, the partner calls the PutAuditEvents API to deliver events to the event data store in your AWS account. In this case, you need to provide the External ID, the unique account identifier provided by the partner. You can see a link to the partner website for the step-by-step guide. With solution integrations, the application runs in your AWS account, and the application itself calls the PutAuditEvents API to deliver events to the event data store in your AWS account.
To find the integration type for your partner, choose the Available sources tab on the integrations page.
After creating an integration, you will need to provide its Channel ARN to the source or partner application. Until these steps are finished, the status will remain Incomplete. Once CloudTrail Lake starts receiving events from the integrated partner or application, the status field will be updated to reflect the current state.
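As an added example (not code from the post or from AWS), the following Python builds the channel resource policy that the integration step above refers to and reviews it for the two things worth confirming before handing the Channel ARN to a partner: the grant is scoped to one channel and one principal, and a direct integration conditions the grant on the partner’s External ID. The policy shape, the cloudtrail:ExternalId condition key, and every account ID and ARN below are assumptions for illustration.

```python
import json

# Hypothetical values for illustration only (not from the page).
CHANNEL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:channel/EXAMPLE-CHANNEL-ID"
PARTNER_ACCOUNT_ID = "999999999999"          # partner's AWS account (direct integration)
EXTERNAL_ID = "UniqueExternalIDFromPartner"  # placeholder name reused from the CLI example


def channel_policy(channel_arn, principal_account_id, external_id=None):
    """Resource policy granting one principal PutAuditEvents on one channel.

    For a direct integration the partner calls from its own account, so the
    statement also requires the External ID (assumed condition key
    cloudtrail:ExternalId). For a solution integration the caller is in your
    own account and no External ID is needed.
    """
    statement = {
        "Sid": "AllowPutAuditEventsOnChannel",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{principal_account_id}:root"},
        "Action": "cloudtrail-data:PutAuditEvents",
        "Resource": channel_arn,
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"cloudtrail:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def review_policy(policy, channel_arn, direct_integration):
    """Return a list of findings; an empty list means the grant is as tight as expected."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal lets any AWS account write events")
        actions = st.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        if any(a in ("*", "cloudtrail-data:*") for a in actions):
            findings.append(f"{sid}: action broader than cloudtrail-data:PutAuditEvents")
        resources = st.get("Resource")
        resources = resources if isinstance(resources, list) else [resources]
        if any(r != channel_arn for r in resources):
            findings.append(f"{sid}: resource is not limited to this channel")
        has_external_id = "cloudtrail:ExternalId" in st.get("Condition", {}).get("StringEquals", {})
        if direct_integration and not has_external_id:
            findings.append(f"{sid}: direct integration without an External ID condition")
    return findings


if __name__ == "__main__":
    policy = channel_policy(CHANNEL_ARN, PARTNER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", review_policy(policy, CHANNEL_ARN, direct_integration=True))
```

Run review_policy against the policy you actually attach in the console; a non-empty findings list is the cue to tighten the statement before the partner starts writing into your immutable store.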
To ingest your application’s activity events into your integration, call the PutAuditEvents API with the payload of events. Make sure there is no sensitive or personally identifying information in the event payload before ingesting it into CloudTrail Lake.
You pass a JSON array of event objects, each of which includes a required user-generated ID for the event, the required payload of the event as the value of EventData, and an optional checksum to help validate the integrity of the event after ingestion into CloudTrail Lake.
The following example shows how to use the put-audit-events AWS CLI command.
$ aws cloudtrail-data put-audit-events \
    --channel-arn $ChannelArn \
    --external-id $UniqueExternalIDFromPartner \
    --audit-events '[
      {
        "Id": "7e5966e7-a999-486d-b241-b33a1671aa74",
        "EventData": "{\"eventVersion\": \"0.02\", \"eventSource\": \"MyCustomLog1\", ...}",
        "EventDataChecksum": "848df986e7dd61f3eadb3ae278e61272xxxx"
      }
    ]'
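As an added example that is not part of the original post, here is Python that prepares a PutAuditEvents request body the way the paragraphs above describe: each event gets a user-generated ID, its payload is serialized into EventData, and an integrity checksum is attached, after sensitive keys are stripped so they never reach the immutable store. The required schema fields, the checksum method (base64 of a SHA-256 digest), the per-call batch size, the boto3 parameter and response names, and all ARNs and sample values are assumptions for illustration, not taken from the page.

```python
import base64
import hashlib
import json
import uuid
from typing import Optional

# Top-level fields assumed to be required by the CloudTrail Lake schema for
# custom events (assumption from the documented integration schema, not this page).
REQUIRED_FIELDS = ("version", "userIdentity", "eventSource", "eventName", "eventTime", "UID")

# Constructed deny-list of keys that must not leave your environment; extend for your data.
SENSITIVE_KEYS = {"password", "secret", "token", "apikey", "ssn", "creditcard"}

# Assumed per-call batch size; confirm against the current PutAuditEvents quota.
MAX_EVENTS_PER_CALL = 100


def scrub(obj):
    """Recursively drop sensitive keys before the event is serialized."""
    if isinstance(obj, dict):
        return {k: scrub(v) for k, v in obj.items() if k.lower() not in SENSITIVE_KEYS}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    return obj


def event_checksum(event_data: str) -> str:
    """Base64 of the SHA-256 digest of the serialized event string
    (assumption: this is how the API's eventDataChecksum is computed)."""
    return base64.b64encode(hashlib.sha256(event_data.encode("utf-8")).digest()).decode("ascii")


def build_audit_event(payload: dict, event_id: Optional[str] = None) -> dict:
    """Turn one application event into a PutAuditEvents AuditEvent entry."""
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"event is missing required fields: {missing}")
    event_data = json.dumps(scrub(payload), separators=(",", ":"), sort_keys=True)
    return {
        "id": event_id or str(uuid.uuid4()),  # user-generated ID the API echoes back
        "eventData": event_data,
        "eventDataChecksum": event_checksum(event_data),
    }


def build_requests(channel_arn: str, payloads: list, external_id: Optional[str] = None) -> list:
    """Split events into PutAuditEvents call bodies (assumed boto3 parameter names)."""
    events = [build_audit_event(p) for p in payloads]
    requests = []
    for i in range(0, len(events), MAX_EVENTS_PER_CALL):
        body = {"channelArn": channel_arn, "auditEvents": events[i:i + MAX_EVENTS_PER_CALL]}
        if external_id:
            body["externalId"] = external_id  # required for direct integrations
        requests.append(body)
    return requests


def unacknowledged(request: dict, response: dict) -> set:
    """IDs that were sent but are not listed as successful in the response.

    Assumed response shape: {'successful': [{'id', 'eventID'}],
                             'failed': [{'id', 'errorCode', 'errorMessage'}]}.
    """
    sent = {e["id"] for e in request["auditEvents"]}
    ok = {e["id"] for e in response.get("successful", [])}
    return sent - ok


# Constructed sample event from a hypothetical application log.
SAMPLE_EVENT = {
    "version": "1.0",
    "userIdentity": {"type": "User", "principalId": "alice@example.com"},
    "eventSource": "MyCustomLog1",
    "eventName": "LoginSucceeded",
    "eventTime": "2022-09-25T10:15:00Z",
    "UID": "login-0001",
    "requestParameters": {"username": "alice", "password": "hunter2"},  # password gets scrubbed
}

if __name__ == "__main__":
    reqs = build_requests("arn:aws:cloudtrail:us-east-1:111122223333:channel/EXAMPLE",
                          [SAMPLE_EVENT], external_id="UniqueExternalIDFromPartner")
    print(json.dumps(reqs[0], indent=2))
    # In a real integration: boto3.client("cloudtrail-data").put_audit_events(**reqs[0])
```

Keep the scrub step ahead of serialization rather than after: once an event is in the data store it cannot be edited, so a leaked secret or personal field stays there for the full retention period. Compare each response with unacknowledged() and retry only the IDs it returns, since the ID is what lets you avoid duplicate ingestion.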
On the Editor tab in CloudTrail Lake, write your own queries against the newly integrated event data store to confirm that events were delivered.
You can write your own integration query, such as getting all principals across AWS and external sources that have made API calls after a particular date:
SELECT userIdentity.principalId FROM $AWS_EVENT_DATA_STORE_ID
WHERE eventTime > '2022-09-24 00:00:00'
UNION ALL
SELECT eventData.userIdentity.principalId FROM $PARTNER_EVENT_DATA_STORE_ID
WHERE eventData.eventTime > '2022-09-24 00:00:00'
To learn more, see the CloudTrail Lake event schema and sample queries to help you get started.
You can see the list of our launch partners that support a CloudTrail Lake integration option in the Available sources tab. Here are blog posts and announcements from our partners who collaborated on this launch (some will be added in the next few days).
AWS CloudTrail Lake now supports ingesting activity events from external sources in all AWS Regions where CloudTrail Lake is available today. To learn more, see the AWS documentation and each partner’s getting started guide.
If you are interested in becoming an AWS CloudTrail Partner, you can contact your usual partner contacts.