aws ec2 linux cloudtrail cloudwatch s3

1. CloudTrail

CloudTrail is the AWS service that lets you log, monitor and analyze a lot of different access activities all across your AWS account. You can use cloudtrail to monitor anything from who logged in to your AWS account, what did they do, what resources they created etc.

1.1. Access CloudTrail

Click “Services” in the AWS management console.

Click “CloudTrail” under the “Management Tools” section.

j7-1jaQypXBnmFvnY-PvYrYwRt-EACmm7oXV4D0wGhcJowa1O7WHZevU2nE-FonkEKE75UJST6wiSE7G1MnZ3j8gjoVYHFLMtrZnjT2R3jMAV4oqCeZz6UFcq3gFLWIO2shpo0Zw

1.2. Console login history

In the CloudTrail window left hand menu bar, click “Event history”.
Filter the events history to only list the console login history, to find out who logged in to your AWS account, when they logged in to your account and from where (IP) they logged in to your account.
Choose “Event name” for Filter.
Choose “ConsoleLogin” for Filter value.

thcJSCSAlgVsccYhU3fZA4j94-5KrsEE6jrgrSB0bJcy_7McaJrrXAXiI-5qqwAbYSYDnbYYWjWd-pwgUVqW40ESHarUiIcjmqE05WBsA-cZLY3DR_LPgBacrGP_vqi68uEwz0ul

The above steps will show all the console login history. But, to display the IP address, click the “Show/Hide Columns” icon (circled in blue, in the above screenshot).
Choose the columns to display as shown in the below screenshot. Click “Save” to show the updated columns.

vPXcPKg6R0dnV952GkHhbKvc10Vb-dtjuujNshL1Cvv_VDOWpJTt3E-V8w1lyW6Bx-ej6o7G6NYZlrD9LkR1VDh8mzk0Wya53MGPPQt4JR6JPaZBXiyJQeIYnn2SDCXs6yBpuG3r

The final list should show the IP address of the user login to your AWS console.

1.3. EC2 Instance starting history

Use the Filter - “Event name” and the filter value - “StartInstances” to list all the instances started by all the users and their IP addresses in your account.

VKMD7MfCOVvSKnMvULzzSgwRx7cAFr3SvUCQYlY83NaoqeHqltqBqlMhUr60KX8rCOLT-Wz5n1pNwshYOpN7IrBoMn_usDPF7KYmJxoco-GTZP5rrYdesce3o8RaGLb_qAY5njaR

1.4. Log history in S3

Event history only shows you 90 days of history. If you want to log/save/archive all your activities, then you need to save the history in your S3 bucket, by creating and configuring a trail.

1.4.1. Create a trail

Click “Trails” in the CloudTrail left hand menu option.
In the Trails window, click “Create trail” button.

fUOPBsS8yMXW8kz0RC09_a_jI5k4kYT0e7ZHNJSuPS-wE2uLN1NhroFcc2-SUVLTgI37_6lQtlneUr1FXy2ZZQWGk8EFVBCWbfTlotzP8jy5p23ivpRk0g_Xce1TlkoruDxEBEfD

1.4.2. Configure a trail

In the Create Trail window;

Enter a name for the “Trail name”
Choose “No” for “Apply trail to all regions”
Enter a name for your “S3 bucket”, where this trail log will be stored
Click “Create” to create the trail.

BLIt_ho864ZcPkxtLQzAscal9NjaiUQFTE3ks0k_rBYmiEJm4gc02tV2_PmTaGZgQpFrILSX2qw1D5OcG8qf_Ts2cdEI_xvnW31yEGg9m_QJNaK7lP_6Jcu5Y5Qi2V1gfK1h5C_T

6ucyIjSGdU_zc5LhaI5msJNMnz86Jat6g06NZph43wWVj8n-HLtcnnyqSQzSChA5NoWzTYj5Is0fMl5d5ldwvu28UamQGiw1-dR5C6ZbLv3HzqLTXlwqU_SINC2oNQjTzUgVP7NY

1.4.3. Access your trail

Click on the name of your trail (nihtrail in the below screenshot), from the trails list.

Oea9oCp6RHdDypmwhoC5ywY8EcchdS-lNd6KHpVVGc_Q8FBw0buWcY9PhKvLk8XsO0t7otc8kuh3gBUm-tJGQc54cToWMr_Wu3TwNqpJ-24j7CyudlPsRYNnSf9pEEy1r2Ae6WO-

1.4.4. Configure CloudWatch Logs

In the trail configuration page, scroll down to the “CloudWatch Logs” section and click the “Configure” button.

wGT8jm-x4QhTQGcP_Sg6MGM_9ajccj5skoRx564mMccWI4x2fNpsGPJjRDqIwoWmzIXZcXKGxLv6F65N9bQ2nCnyfF_dvzyqp6OkLBxMCwiiYLqBAgeY_-0TY_pVm-qDfd-Rmymr

In the resulting window, accept the “DefaultLogGroup” name and click “Continue”.
Also, in the following window, click “Allow” to provide necessary permissions for the CloudTrail services to work with the CloudWatch services.

0i9ifMk8i8gFaFrZQ-a87o83FelZU6wNvdosEyAEeDTyPUI0tvFso2jaDh3x-P46X6W3F1F-tfx47WQ_gZOau5s2XPqTAhEIPwCkEh5unQ3Knr6uUMoWF8bGQtWpU7Fa2ONKISr5

2. CloudWatch

CloudWatch is an AWS service that watches for events in your account/instance activity/log streams, creates alarms and sends appropriate notifications.

Click “Services” in the AWS management console menu bar and click “CloudWatch” under the “Management Tools” section

2x0qPlALNRvMSoh4CI_puQdEGh_zsLDXHmtwXugT0AWXYRhVhrTPfTuUXFHNymA2StV9KK0T6mW7HwJWiFUPaiHY5QhvShy8N0tmkQ_-0SRogx0KOW5HYbz9xrq4Ty46O0qQOf7T

2.1. Create metric filter

In the CloudWatch window, click “Logs” option from the left hand menu.
In the resulting loggroups list, click to choose the loggroup that we created using our cloudtrail.
Click “Create Metric Filter”.

iCH8TToYnsa5ild7ybEjM8vfD-vJkezsgzHUokxkiYWSTUYyZeLHJXTqPmSfW_sMdMkmCNNaLAoSQb1oo3wVmIsKR1hJlM3_VopzXECUpKrFMxFtIELvOk6XWjhFQQKNln5hYuTB

2.1.1. Filter for “StartInstances” event

In the filter configuration window, enter the following to filter for the event “StartInstances”;

{ ($.eventName = StartInstances) }

Click “Assign Metric”.

dJ5VpYkbBHpyd3PS2xi94ldnGus6nFKzwtmU6oKHXwvfRGyJxopFZUUinIpxKdEdbYhYXmYE-vQ8BCPuyGHWVZTo8XAuJugLzauPY6wOYAclpj7hZqbj1NU7297pqnmLMtuOQ_K8

2.1.2. Create Filter

In the Create Filter window (Step 2), give a name for the “Metric Name”.
Click Show advanced metric settings.
Make sure you have “1” set for Metric Value.
Click “Create Filter”

qszIUA0CJ6sT5dK4oSRy5IP3EXd7zB-zS0vmq3jjqGAoPG1akb0ej8pOCdE8QO2jHrA3xOY-Mx-JrRGzcLM5MH75qZ3sYx6kJuToHTz_utf03njtr3k7hhpqp3iEpRaI3qO4MhNP

2.2. Set an alarm for instance status

Now that the filter metric has been created, click the “Create Alarm” link in the corresponding Filter (as shown in the below screenshot), to create an alarm that will also send an email notification whenever an new instance is started in your account.

PtDiROaP84d5wSpiO8AL519K2RC_68hStyrugG1zOYT_QJGFtxXhnWiqEAvtaEevGO9UZRExoMZEJ_Q52DpkdzhMI6W7L1pTuBA8bHhdVC-WUJ94DOoB8xi1BawqMXZarBP92qOZ

2.2.1. Configure Alarm

In the Create Alarm window;

Enter a name for your alarm
Enter the threshold count as “1”
In the Actions section, Click - “New List”
Enter a topic for “Send notification to”
Enter an email address for “Email list”
Click “Create Alarm” button

8cqj954v2slKwjPWGdcjboI1q8b4zeRLqrxq0PKM8IGNMAPvIwKtCFQHLNSwRVW-KirpLRkB3b5Sx8uzPX7lDdXBOwE3Hi_pYDWh5bF3O9SndwRSonbKSCrx3LqcqnZDznKDx7FP

2.2.2. Confirm email address

Check your alarm notification email and click the confirmation link to confirm the notification subscription.

flhEeXsWlHshmz-igOrXkxzSURXE_jTOnbRFK7IqQIosSBS7r9n5NoUJ36akoGfVdjNABFBWRQ0Bt4_xuQFWkJp6_nS2sfVxyQQSQ0a263Rnx3ERlOWknv6N17Tj7R2MJ9GTcluF

2.2.3. Test CloudTrail and CloudWatch

Once this confirmation is made, anytime a new instance is created in your account, the cloudtrail will log it and the cloudwatch will set the alarm and send an email notification to your subscribed email address.

I3Wt3xJ2U-I95ImKZFu_oZCDWPjIy74OqbxmNdLYlAbCyKcDrPn5yWrf0KCbfkNcCxIv21vYGPaX4a5uQGeE5ajcI1hkNVnxwaaQOhPCYpsiVnM6ay7RoAiWCqv5o8rw2UYvT_RO

3. Monitoring Billing

AWS Budgets is a service that lets you specify a billing threshold which when crossed, an email notification could be sent out.

Click your account name in the AWS management console top menu bar, near right hand corner.
Click “My billing Dashboard”.
Click “Budgets”
Click “Create budge”

B1tE8qrDe4c2a84WZRbmuuWRZUh2IIE4_8E-MwkSKKHi8_tT0WoDnPyubGjHoEG6OC7Kywj2lk3l1zNUXO17vde4TdTkncb64eLUyiXAV-biHrm06DSOfGbyEkqWYulRHa9TaAMW

3.1. Bill Details

In the budget details section of the budget;

Give your budget a name
Enter a budgeted amount

In the notifications section;

Enter a percentage for the threshold
Enter an email address to send the notification
Click “Create” to create the budget.

-znHR4ICoevZFNIEd1axoek29dpG9Z76jJliw-r4vbPSEyIu9A0VhSkcxFL03kD5E67K8Dts2PILTAe3hoVK8sdnoBhpH7qu78etW7CGjtV9ypQvSCmtySdEB4FK6SeupEokfwmd

viQNJt5hCXmSZ9ktHCeStpOuAySFMbBPCkcnF3g25zP-t8y_UjxhUoBZO1SYJ3x5euRyHnvlGmfqgrYWifNOhq-9lVPEEWW6_mednSmju0nqWJ8M3oKL63MnzE0z45BGHAry0ePG

Monitoring AWS access, resources and billing