# CloudTrail

### Events

<mark style="color:blue;">**Note**</mark> <mark style="color:blue;">**- Only the mandatory attributes are shown below for each event. You can remove all attributes other than the ones mentioned below (for example, using an EventBridge pipe) so that sensitive information about your account (e.g. the account number) is NOT posted to MechCloud.**</mark>

#### 1. Create Vpc

```json
{
	"detail": {
		"eventSource": "ec2.amazonaws.com",
		"eventName": "CreateVpc",
		"awsRegion": "ap-south-1",
		"responseElements": {
			"vpc": {
				"vpcId": "vpc-0cccf79ebe39e344d"
			}
		}
	}
}
```

#### 2. Delete Vpc

```json
{
	"detail": {
		"eventSource": "ec2.amazonaws.com",
		"eventName": "DeleteVpc",
		"awsRegion": "ap-south-1",
		"requestParameters": {
			"vpcId": "vpc-0578af3ad4c046a4c"
		}
	}
}
```

#### 3. Create Subnet

```json
{
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateSubnet",
        "awsRegion": "ap-south-1",
        "responseElements": {
            "subnet": {
                "subnetId": "subnet-0ecb030bb9dff28df"
            }
        }
    }
}
```

#### 4. Delete Subnet

```json
{
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DeleteSubnet",
        "awsRegion": "ap-south-1",
        "requestParameters": {
            "subnetId": "subnet-0f04fcf48a46f8be6"
        }
    }
}
```

#### 5. Create VM

```json
{
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "ap-south-1",
        "responseElements": {
            "instancesSet": {
                "items": [
                    {
                        "instanceId": "i-0f376f70fbeb82fde"
                    }
                ]
            }
        }
    }
}
```

#### 6. Delete VM

```json
{
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances",
        "awsRegion": "ap-south-1",
        "requestParameters": {
            "instancesSet": {
                "items": [
                    {
                        "instanceId": "i-0f034f129e90fff61"
                    }
                ]
            }
        }
    }
}
```
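The note at the top of this section says every attribute other than the ones shown can be removed before an event leaves the account. The following is an added example, not MechCloud code: an allowlist projection that could run in whatever step forwards the events. The names `MANDATORY`, `minimize` and `SAMPLE` and the sample event are constructed for illustration, and events not shown above (such as `StartInstances`) are dropped because this page does not list their mandatory attributes.

```python
# Path (relative to "detail") of the resource id this page lists for each event.
MANDATORY = {
    "CreateVpc": ("responseElements", "vpc", "vpcId"),
    "DeleteVpc": ("requestParameters", "vpcId"),
    "CreateSubnet": ("responseElements", "subnet", "subnetId"),
    "DeleteSubnet": ("requestParameters", "subnetId"),
    "RunInstances": ("responseElements", "instancesSet", "items", "instanceId"),
    "TerminateInstances": ("requestParameters", "instancesSet", "items", "instanceId"),
}

def _project(node, path):
    """Copy only the value at `path`, applying it to every element of a list."""
    if not path:
        return node
    if isinstance(node, list):
        return [_project(item, path) for item in node]
    return {path[0]: _project(node[path[0]], path[1:])}

def minimize(event):
    """Return the reduced event, or None when it must not be forwarded."""
    detail = event.get("detail") or {}
    path = MANDATORY.get(detail.get("eventName"))
    if path is None or detail.get("eventSource") != "ec2.amazonaws.com":
        return None  # not one of the six events documented above
    try:
        return {"detail": {
            "eventSource": detail["eventSource"],
            "eventName": detail["eventName"],
            "awsRegion": detail["awsRegion"],
            **_project(detail, path),
        }}
    except (KeyError, TypeError):
        return None  # e.g. a failed call whose responseElements is null

# Constructed sample: a RunInstances event carrying account-identifying fields.
SAMPLE = {
    "account": "111122223333",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "ap-south-1",
        "recipientAccountId": "111122223333",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
        "responseElements": {"ownerId": "111122223333", "instancesSet": {"items": [
            {"instanceId": "i-0f376f70fbeb82fde", "privateIpAddress": "10.0.0.5"}]}},
    },
}
```

Because the projection is an allowlist, any field AWS adds to these events later is dropped by default rather than forwarded.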

### Steps

#### 1. Create a trail

* Navigate to **CloudTrail -> Trails**.
* Click the **Create trail** button to create a new trail with the following details. Only a few settings are described here; you can adjust the other settings as per your needs.
  * **General Details**
    * **Trail name** - mc-mgmt-events
    * (Optional) Make sure that the **Enable for all accounts in my organization** option is <mark style="color:blue;">**UNCHECKED, as selecting it may result in huge charges.**</mark>
  * **Events**
    * **Event type** - Make sure ONLY the **Management events** option is CHECKED.
  * **Management events**
    * Make sure only **Write** is CHECKED.
    * Make sure both **Exclude AWS KMS events** and **Exclude Amazon RDS Data API events** are CHECKED.
* Select the newly created trail and click the **Stop logging** button so that unnecessary events are NOT logged in the S3 bucket associated with the trail. <mark style="color:blue;">**A good practice is to enable logging for this trail just before real-time visualization starts and disable it at the end of real-time visualization.**</mark>

#### 2. Create an EventBridge rule

Create an EventBridge rule with the following details:

* **Define rule detail**
  * **Name** - mc-cloudtrail-events
  * **Event bus** - default
  * Make sure that **Enable the rule on the selected event bus** is enabled.
  * Select **Rule with an event pattern** under **Rule type**.
* **Build event pattern**
  * **Creation method** - Custom pattern (JSON editor)
  * **Event pattern**

```json
{
	"source": [
		"aws.ec2"
	],
	"detail-type": [
		"AWS API Call via CloudTrail"
	],
	"detail": {
		"eventSource": [
			"ec2.amazonaws.com"
		],
		"eventName": [
			"CreateVpc",
			"DeleteVpc",
			"CreateSubnet",
			"DeleteSubnet",
			"RunInstances",
			"StartInstances",
			"StopInstances",
			"RebootInstances",
			"TerminateInstances"
		]
	}
}
```

* **Select target(s)**
  * **Target 1**
    * **Target types** - AWS service
    * **Select a target** - SQS Queue
    * **Queue** - management-events.fifo
    * **Message group ID** - mc-cloudtrail-events

