CloudTrail

This page describes steps to follow to setup real-time visualization of AWS assets (vpc, subnet and virtual server) using CloudTrail based approach.

Events

Note - Only mandatory attributes have been shown below for various events. You can remove all the attributes other than ones mentioned below (using eventbridge pipe etc) so that any sensitive information (e.g. account number) about your account is NOT posted to MechCloud.

1. Create Vpc

{
	"detail": {
		"eventSource": "ec2.amazonaws.com",
		"eventName": "CreateVpc",
		"awsRegion": "ap-south-1",
		"responseElements": {
			"vpc": {
				"vpcId": "vpc-0cccf79ebe39e344d"
			}
		}
	}
}

2. Delete Vpc

{
	"detail": {
		"eventSource": "ec2.amazonaws.com",
		"eventName": "DeleteVpc",
		"awsRegion": "ap-south-1",
		"requestParameters": {
			"vpcId": "vpc-0578af3ad4c046a4c"
		}
	}
}

3. Create Subnet

{
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateSubnet",
        "awsRegion": "ap-south-1",
        "responseElements": {
            "subnet": {
                "subnetId": "subnet-0ecb030bb9dff28df"
            }
        }
    }
}

4. Delete Subnet

{
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DeleteSubnet",
        "awsRegion": "ap-south-1",
        "requestParameters": {
            "subnetId": "subnet-0f04fcf48a46f8be6"
        }
    }
}

5. Create VM

{
	"detail": {
	    "eventSource": "ec2.amazonaws.com",
	    "eventName": "RunInstances",
	    "awsRegion": "ap-south-1",
	    "responseElements": {
	        "instancesSet": {
	            "items": [
	                {
	                    "instanceId": "i-0f376f70fbeb82fde"
	                }
	            ]
	        }
	    }
	}
}

6. Delete VM

{
	"detail": {
	    "eventSource": "ec2.amazonaws.com",
	    "eventName": "TerminateInstances",
	    "awsRegion": "ap-south-1",
	    "requestParameters": {
	        "instancesSet": {
	            "items": [
	                {
	                    "instanceId": "i-0f034f129e90fff61"
	                }
	            ]
	        }
	    }
	}
}	

Steps

1. Create a trail

  • Navigate to CloudTrail -> Trails.

  • Click on Create trail button to create a new trail with following details. This describes only few settings. You can adjust other settings as per your needs.

    • General Details

      • Trail name - mc-mgmt-events

      • (Optional) Make sure that Enable for all accounts in my organization option is UNCHECKED as selecting this may result in huge charges.

    • Events

      • Event type - Make sure ONLY Management events option is CHECKED.

    • Management events

      • Make sure only Write is CHECKED.

      • Make sure both Exclude AWS KMS events and Exclude Amazon RDS Data API events are CHECKED.

  • Select newly created trail and click on Stop logging button so that unnecessary events are NOT logged in the S3 button associated with the trail. A good practice is to enable logging for this trail just before real-time visualization starts and disable it at the end of real-time visualization.

2. Create an Event Bridge rule

Create an event bridge rule with the following details -

  • Define rule detail

    • Name - mc-cloudtrail-events

    • Event bus - default

    • Make sure that Enable the rule on the selected event bus is enabled.

    • Select Rule with an event pattern under Rule type.

  • Build event pattern

    • Creation method - Custom pattern (JSON editor)

    • Event pattern

{
	"source": [
		"aws.ec2"
	],
	"detail-type": [
		"AWS API Call via CloudTrail"
	],
	"detail": {
		"eventSource": [
			"ec2.amazonaws.com"
		],
		"eventName": [
			"CreateVpc",
			"DeleteVpc",
			"CreateSubnet",
			"DeleteSubnet",
			"RunInstances",
			"StartInstances",
			"StopInstances",
			"RebootInstances",
			"TerminateInstances"
		]
	}
}
  • Select target(s)

    • Target 1

      • Target types - AWS service

      • Select a target - SQS Queue

      • Queue - management-events.fifo

      • Message group ID - mc-cloudtrail-events

Last updated