[참고] CloudTrail !!

 

[ CloudTrail ]

CloudTrail 은 사용자 이벤트 로깅과 비슷한 기능으로 default 로 활성화 되어있으며 무료임.

콘솔/SDK/CLI/AWS Services 에서의 히스토리를 확인할 수 있음

- Provides governance, comliance and audit for your AWS Account

- CloudTrail is enabled by default

- Get an history of events / API calls made within your AWS Account by : 

  Console/SDK/CLI/AWS Services

- Can put logs from CloudTrail into CloudWatch Logs or S3

- A trail can be applied to All Regions (default) or a single Region

- If a resource is deleted in AWS, ingestigate CloudTrail first.

 

[ CloudTrail Events ]

관리이벤트와 데이터 이벤트 CloudTrail Insights 이벤트 등으로 나눌 수 있음

보안/라우팅 설정 등의 AWS 계정의 리소스에 대해 수행되는 작업들, S3 object 레벨의 작업, Lambda 함수 실행 기록 등 (데이터 이벤트는 용량문제로 default 가 비활성화 상태임)

1. Management Events :

- Operations that are performed on resources in your AWS account

- Examples :

  Configuring security (IAM AttachRolePolicy)

  Configuring rules for routing data (Amazon EC2 CreateSubnet)

  Setting up logging (AWS CloudTrail CreateTrail)

- By default, trails are configured to log management events

- Can separte Read Events (that don't modify resources) from Write Events (that may modify resources)

2. Data Events :

- By default, data events are not logged (because high volume operations)

- Amazon S3 object-level activity (ex: GetObject, DeleteObject, PutObject) : can seperate Read and Write Events

- AWS Lambda function execution activity (that Invoke API)

3. CloudTrail Insights Events :

CloudTrail Insights 를 활성화하여 계정의 비정상적인 활동 감지

부정확한 자원 할당/서비스 사용량 초과 등

* 일반 관리 이벤트를 분석하여 기준선 생성 후 쓰기 이벤트를 지속적으로 분석하여 비정상적 패턴 감지

- Enable CloudTrail Insights to detect unusual activity in your account

inaccurate resource provisioning

hitting service limits

Bursts of AWS IAM actions

Gaps in periodic maintenance activity

- CloudTrail Insights analyzes normal management events to create a baseline

- And then continuously analyzes write events to detect unusual patterns

Anomalies appear in the CloudTrail console

Event is sent to Amazon S3

An EventBridge event is generated (for automation needs)

 

[ CloudTrail Events Retention ]

이벤트 로깅은 90일간 CloudTrail에 보관되며, 90일 이상 저장하고 싶으면 S3 에 쌓아야함. S3 쌓을 경우 Athena 를 사용하여 쿼리 할 수 있음

- Events are stored for 90 days CloudTrail

- To keep events beyond this period, log them to S3 and use Athena

 

 

 

출처 : https://developyo.tistory.com/397