1. CloudTrail
CloudTrail is the AWS service that records API and console activity across your AWS account so that you can log, monitor and analyze it. You can use CloudTrail to find out who logged in to your AWS account, what they did, which resources they created, and so on.
1.1. Access CloudTrail
Click “Services” in the AWS management console.
Click “CloudTrail” under the “Management Tools” section.
1.2. Console login history
- In the CloudTrail window's left-hand menu, click “Event history”.
- Filter the event history so that it lists only console logins, to find out who logged in to your AWS account, when they logged in and from which IP address.
- Choose “Event name” for Filter.
- Choose “ConsoleLogin” for Filter value.
- The above steps show the full console login history. To display the IP address as well, click the “Show/Hide Columns” icon (circled in blue in the screenshot above).
- Choose the columns to display as shown in the screenshot below, then click “Save” to show the updated columns.
The final list shows the IP address for each login to your AWS console.
1.3. EC2 Instance starting history
Use the filter “Event name” with the value “StartInstances” to list every instance start in your account, together with the user who started it and their IP address.
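The two console filters above (ConsoleLogin with the IP column, and StartInstances) can also be applied directly to the raw log files once a trail archives them. The following is an added example, not code from the original guide or from AWS: a small Python parser that reads one gzipped CloudTrail log object in the format a trail delivers to S3 and lists console logins (user, time, source IP, result, MFA) and instance starts. The sample records, account id, user names, IP addresses and instance id are constructed placeholders.

```python
"""Added example, not part of the original guide: read a CloudTrail log file in
the format a trail delivers to S3 (gzipped JSON, one {"Records": [...]} object
per file) and answer the questions of sections 1.2 and 1.3 offline: who logged
in to the console, from which IP, and who started which instances.

Every record below is constructed sample data; the account id, user names,
IP addresses and instance id are placeholders, not values from a real account.
"""
import gzip
import io
import json

ACCOUNT = "123456789012"  # placeholder account id

# Constructed sample log file, in the {"Records": [...]} shape CloudTrail writes.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2020-01-15T09:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": ACCOUNT},
     "sourceIPAddress": "198.51.100.23",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2020-01-15T22:47:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "accountId": ACCOUNT},
     "sourceIPAddress": "203.0.113.77",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-01-15T10:30:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": ACCOUNT},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventTime": "2020-01-15T10:31:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": ACCOUNT},
     "sourceIPAddress": "198.51.100.23"},
]}


def gzip_log(log: dict) -> bytes:
    """Gzip a log object the way it sits in the S3 bucket (used to build sample input)."""
    return gzip.compress(json.dumps(log).encode("utf-8"))


def load_records(gz_bytes: bytes) -> list:
    """Decompress one CloudTrail S3 object and return its event records."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]


def principal(record: dict) -> str:
    """Human-readable actor: the IAM user name, or the identity type (e.g. Root)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def filter_events(records: list, event_name: str) -> list:
    """Equivalent of the console filter Event name = <event_name>."""
    return [r for r in records if r.get("eventName") == event_name]


def console_logins(records: list) -> list:
    """Section 1.2: who logged in, when, from where, and whether it succeeded."""
    rows = []
    for r in filter_events(records, "ConsoleLogin"):
        rows.append({
            "user": principal(r),
            "time": r["eventTime"],
            "ip": r.get("sourceIPAddress"),
            "result": r.get("responseElements", {}).get("ConsoleLogin"),
            "mfa": r.get("additionalEventData", {}).get("MFAUsed"),
        })
    return sorted(rows, key=lambda row: row["time"])


def instance_starts(records: list) -> list:
    """Section 1.3: who started which instances, from which IP."""
    rows = []
    for r in filter_events(records, "StartInstances"):
        items = r.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        rows.append({
            "user": principal(r),
            "time": r["eventTime"],
            "ip": r.get("sourceIPAddress"),
            "instances": [item["instanceId"] for item in items],
        })
    return rows


if __name__ == "__main__":
    recs = load_records(gzip_log(SAMPLE_LOG))
    for row in console_logins(recs):
        print("login", row)
    for row in instance_starts(recs):
        print("start", row)
```

Pointing `load_records` at a real object downloaded from the trail's bucket gives the same output the console filter shows, with the added benefit that the failed root login (no MFA, unfamiliar IP) stands out in the `result` and `mfa` columns rather than only in the 90-day event history.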
1.4. Log history in S3
Event history only covers the last 90 days. To keep a permanent archive of all activity in your account, create and configure a trail that delivers the logs to an S3 bucket.
1.4.1. Create a trail
- Click “Trails” in the CloudTrail left-hand menu.
- In the Trails window, click the “Create trail” button.
1.4.2. Configure a trail
In the Create Trail window:
- Enter a name for the “Trail name”.
- Choose “No” for “Apply trail to all regions”.
- Enter a name for your “S3 bucket”, where this trail's logs will be stored.
- Click “Create” to create the trail.
1.4.3. Access your trail
In the trails list, click the name of your trail (nihtrail in the screenshot below).
1.4.4. Configure CloudWatch Logs
- In the trail configuration page, scroll down to the “CloudWatch Logs” section and click the “Configure” button.
- In the resulting window, accept the “DefaultLogGroup” name and click “Continue”.
- In the next window, click “Allow” to grant CloudTrail the permissions it needs to write to CloudWatch Logs.
2. CloudWatch
CloudWatch is the AWS service that watches metrics, account and instance activity, and log streams, raises alarms on them and sends the corresponding notifications.
Click “Services” in the AWS management console menu bar and click “CloudWatch” under the “Management Tools” section.
2.1. Create metric filter
- In the CloudWatch window, click the “Logs” option in the left-hand menu.
- In the resulting list of log groups, click the log group that CloudTrail created for the trail (DefaultLogGroup).
- Click “Create Metric Filter”.
2.1.1. Filter for “StartInstances” event
In the filter configuration window, enter the following pattern to match the event “StartInstances”:
{ ($.eventName = StartInstances) }
Click “Assign Metric”.
2.1.2. Create Filter
- In the Create Filter window (Step 2), enter a name for the “Metric Name”.
- Click “Show advanced metric settings”.
- Make sure “Metric Value” is set to “1”.
- Click “Create Filter”.
2.2. Set an alarm for instance status
Now that the metric filter has been created, click the “Create Alarm” link next to the filter (as shown in the screenshot below) to create an alarm that also sends an email notification whenever a new instance is started in your account.
2.2.1. Configure Alarm
In the Create Alarm window:
- Enter a name for your alarm.
- Enter “1” as the threshold count.
- In the Actions section, click “New List”.
- Enter a topic name for “Send notification to”.
- Enter an email address for “Email list”.
- Click the “Create Alarm” button.
2.2.2. Confirm email address
Check your alarm notification email and click the confirmation link to confirm the notification subscription.
2.2.3. Test CloudTrail and CloudWatch
Once the subscription is confirmed, whenever an instance is started in your account (a StartInstances event), CloudTrail logs it, the metric filter counts it, the CloudWatch alarm fires and an email notification is sent to your subscribed address.
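To see how the pieces of this chain fit together without touching an AWS account, here is an added example (not code from the original guide or from AWS): a small Python model of the metric filter, the per-period metric sum and the alarm threshold, run over constructed CloudTrail events. It implements only a simplified subset of the CloudWatch Logs JSON filter syntax (conditions of the form ($.path = value) or ($.path != value) joined by &&), which is an assumption about the grammar that happens to cover the page's own pattern; the 5-minute period and the “greater than or equal to threshold” comparison are assumed alarm settings, and the sample events are constructed placeholders.

```python
"""Added example, not part of the original guide: an offline model of the
CloudTrail -> CloudWatch Logs metric filter -> alarm -> notification chain
built in sections 2.1 and 2.2, run over constructed sample events.

Only a simplified subset of the CloudWatch Logs JSON filter syntax is
implemented (an assumption, not the service's full grammar): a block of
"($.path OP value)" conditions joined by "&&", with OP being "=" or "!=",
which is enough for the page's pattern "{ ($.eventName = StartInstances) }".
The 300 s period and the ">= threshold" comparison are assumed alarm settings.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

FILTER_PATTERN = "{ ($.eventName = StartInstances) }"  # pattern from section 2.1.1
METRIC_VALUE = 1        # section 2.1.2: each matching event adds 1 to the metric
THRESHOLD = 1           # section 2.2.1: alarm threshold count
PERIOD_SECONDS = 300    # assumed alarm period (5 minutes)

# One condition: ($.dotted.path = value) or ($.dotted.path != value), value optionally quoted.
_COND = re.compile(r'\(\s*\$\.([\w.]+)\s*(!=|=)\s*"?([^"\s)]+)"?\s*\)')


def parse_pattern(pattern: str) -> list:
    """Turn '{ ($.a.b = x) && ($.c != y) }' into [('a.b', '=', 'x'), ('c', '!=', 'y')]."""
    body = pattern.strip().strip("{}")
    conds = []
    for part in body.split("&&"):
        m = _COND.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported condition: {part.strip()!r}")
        conds.append((m.group(1), m.group(2), m.group(3)))
    return conds


def _lookup(record: dict, path: str):
    """Follow a dotted JSON path ($.eventName, $.userIdentity.type, ...) into the record."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(record: dict, conds: list) -> bool:
    """True if every condition holds; values are compared as strings."""
    for path, op, value in conds:
        actual = _lookup(record, path)
        equal = actual is not None and str(actual) == value
        if (op == "=" and not equal) or (op == "!=" and equal):
            return False
    return True


def metric_by_period(records: list, conds: list) -> dict:
    """Sum of METRIC_VALUE per PERIOD_SECONDS window, keyed by the window's start epoch."""
    sums = defaultdict(int)
    for r in records:
        if matches(r, conds):
            t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            window = int(t.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS
            sums[window] += METRIC_VALUE
    return dict(sums)


def evaluate_alarm(records: list, pattern: str = FILTER_PATTERN) -> list:
    """Return one notification dict per period whose metric sum reached THRESHOLD."""
    sums = metric_by_period(records, parse_pattern(pattern))
    notifications = []
    for window, total in sorted(sums.items()):
        if total >= THRESHOLD:  # assumed comparison: GreaterThanOrEqualToThreshold
            notifications.append({
                "state": "ALARM",
                "period_start": datetime.fromtimestamp(window, timezone.utc).isoformat(),
                "count": total,
            })
    return notifications


# Constructed sample events (trimmed CloudTrail records); names and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2020-01-15T10:30:44Z", "eventName": "StartInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2020-01-15T10:31:02Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2020-01-15T10:33:10Z", "eventName": "StartInstances",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2020-01-15T11:02:00Z", "eventName": "StartInstances",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.77"},
]

if __name__ == "__main__":
    for note in evaluate_alarm(SAMPLE_EVENTS):
        print(note)
```

With the page's pattern and a threshold of 1, the two starts at 10:30 and 10:33 fall into the same 5-minute period and produce a single notification with a count of 2, while the start at 11:02 produces a second one; this is why the console's email tells you that the threshold was crossed in a period rather than listing each event. Passing a stricter pattern such as `{ ($.eventName = StartInstances) && ($.userIdentity.type != Root) }` shows how a second condition narrows what the filter counts.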
3. Monitoring Billing
AWS Budgets is a service that lets you set a billing threshold and sends an email notification when it is crossed.
- Click your account name in the AWS management console top menu bar, near the right-hand corner.
- Click “My Billing Dashboard”.
- Click “Budgets”.
- Click “Create budget”.
3.1. Bill Details
In the budget details section of the budget:
- Give your budget a name.
- Enter a budgeted amount.
In the notifications section:
- Enter a percentage for the threshold.
- Enter an email address to send the notification to.
- Click “Create” to create the budget.