In November 2013, we announced AWS CloudTrail to track user activity and API usage. AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API calls across AWS services as events. CloudTrail events help you answer the questions of “who did what, where, and when?”.
Recently we have made it easier for you to simplify your auditing and security analysis by using AWS CloudTrail Lake. CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit, security, and operational purposes. You can aggregate and immutably store your activity events, and run SQL-based queries for search and analysis.
We have heard your feedback that aggregating activity data from multiple applications across hybrid environments is complex and costly, but critical for a comprehensive picture of your organization’s security and compliance posture.
Today we are announcing support for ingesting activity events from non-AWS sources into CloudTrail Lake, making it a single location of immutable user and API activity events for auditing and security investigations. Now you can consolidate, immutably store, search, and analyze activity events from AWS and non-AWS sources, such as in-house or SaaS applications, in one place.
Using the new PutAuditEvents API in CloudTrail Lake, you can centralize user activity information from disparate sources into CloudTrail Lake, enabling you to analyze, troubleshoot, and diagnose issues using this data. CloudTrail Lake records all events in a standardized schema, making it easier for users to consume this information and respond comprehensively and quickly to security incidents or audit requests.
CloudTrail Lake is also integrated with selected AWS Partners, such as Cloud Storage Security, Clumio, CrowdStrike, CyberArk, GitHub, Kong Inc, LaunchDarkly, MontyCloud, Netskope, Nordcloud, Okta, One Identity, Shoreline.io, Snyk, and Wiz, allowing you to easily enable audit logging through the CloudTrail console.
Getting Started with Integrating External Sources
You can start ingesting activity events from your own data sources or partner applications by choosing Integrations under the Lake menu in the AWS CloudTrail console.
To create a new integration, choose Add integration and enter your channel name. You can choose the partner application source from which you want to receive events. If you’re integrating events from your own applications hosted on-premises or in the cloud, choose My custom integration.
For Event delivery location, you can choose destinations for the events from this integration. This allows your application or partners to deliver events to your CloudTrail Lake event data store. An event data store can retain your activity events for anywhere from one week up to seven years. You can then run queries on the event data store.
Choose either Use existing event data stores or Create new event data store to receive events from integrations. To learn more about event data stores, see Create an event data store in the AWS documentation.
You can also set up the permissions policy for the channel resource created with this integration. The information required for the policy depends on the integration type of each partner application.
There are two types of integrations: direct and solution. With direct integrations, the partner calls the PutAuditEvents API to deliver events to the event data store in your AWS account. In this case, you need to provide the External ID, the unique account identifier provided by the partner; a link to the partner’s website gives the step-by-step guide. With solution integrations, the application runs in your AWS account and the application itself calls the PutAuditEvents API to deliver events to the event data store in your AWS account.
To find the Integration type for your partner, choose the Available sources tab on the integrations page.
After creating an integration, you will need to provide its Channel ARN to the source or partner application. Until these steps are finished, the status will remain Incomplete. Once CloudTrail Lake starts receiving events from the integrated partner or application, the status field is updated to reflect the current state.
To ingest your application’s activity events into your integration, call the PutAuditEvents API with the payload of events. Be sure that there is no sensitive or personally identifying information in the event payload before ingesting it into CloudTrail Lake.
You send a JSON array of event objects, each of which contains a required user-generated ID for the event (id), the required payload of the event as the value of eventData, and an optional checksum (eventDataChecksum) that helps validate the integrity of the event after ingestion into CloudTrail Lake.
    {
      "auditEvents": [
        {
          "id": "event_ID",
          "eventData": "event_payload",
          "eventDataChecksum": "optional_checksum"
        },
        ...
      ]
    }
The following example shows how to use the put-audit-events AWS CLI command.
    $ aws cloudtrail-data put-audit-events \
        --channel-arn $ChannelArn \
        --external-id $UniqueExternalIDFromPartner \
        --audit-events '[
          {
            "id": "87f22433-0f1f-4a85-9664-d50a3545baef",
            "eventData": "{\"eventVersion\":\"0.01\",\"eventSource\":\"MyCustomLog2\", ...}"
          },
          {
            "id": "7e5966e7-a999-486d-b241-b33a1671aa74",
            "eventData": "{\"eventVersion\":\"0.02\",\"eventSource\":\"MyCustomLog1\", ...}",
            "eventDataChecksum": "848df986e7dd61f3eadb3ae278e61272xxxx"
          }
        ]'
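As an added example (my code, not from the post or the AWS CLI documentation), here is a small Python module that prepares events for PutAuditEvents: it serializes each payload to the eventData string, computes the optional checksum as a base64-encoded SHA-256 of that string (the form the CloudTrail Data API reference describes for eventDataChecksum), refuses payloads that carry sensitive keys, and sends the rest in batches. The SENSITIVE_KEYS set, the eventName/UID fields in the sample payloads, the 100-event batch size, and the FakeCloudTrailDataClient stand-in are my assumptions; with the real service you pass boto3.client("cloudtrail-data") and your Channel ARN instead.

```python
"""Build PutAuditEvents batches for a CloudTrail Lake custom integration.

Added example; this is not code from the AWS post. Assumptions, all labelled
below: SENSITIVE_KEYS, the extra eventName/UID fields in the sample payloads,
the 100-event batch size, and FakeCloudTrailDataClient, a constructed stand-in
for boto3.client("cloudtrail-data") so the module runs offline.
"""
import base64
import hashlib
import json
import uuid

# Key names that must not reach the immutable store (the post says to strip sensitive
# and personally identifying data before ingestion). Assumed list; extend for your data.
SENSITIVE_KEYS = {"password", "secret", "token", "ssn", "email"}

# Constructed sample payloads. eventVersion/eventSource follow the post's CLI example and
# userIdentity/eventTime are what the post's query reads; eventName and UID are assumed.
SAMPLE_EVENTS = [
    {"eventVersion": "0.01", "eventSource": "MyCustomLog1", "eventName": "Login",
     "eventTime": "2022-09-25T08:15:00Z", "UID": "login-0001",
     "userIdentity": {"type": "User", "principalId": "alice"}},
    {"eventVersion": "0.01", "eventSource": "MyCustomLog1", "eventName": "ChangeRole",
     "eventTime": "2022-09-25T08:20:00Z", "UID": "role-0042",
     "userIdentity": {"type": "User", "principalId": "bob"}},
]


def find_sensitive_keys(obj, path=""):
    """Return dotted paths of every key in SENSITIVE_KEYS, searching nested dicts and lists."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive_keys(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{path}[{i}]"))
    return hits


def event_data_checksum(event_data):
    """Base64-encoded SHA-256 of the eventData string, the form the CloudTrail Data API
    reference describes for eventDataChecksum."""
    digest = hashlib.sha256(event_data.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_audit_event(payload, event_id=None):
    """Serialize one application event into the AuditEvent structure PutAuditEvents takes.
    Refuses payloads carrying sensitive keys so they never land in the immutable store."""
    hits = find_sensitive_keys(payload)
    if hits:
        raise ValueError(f"refusing to ingest event with sensitive fields: {hits}")
    event_data = json.dumps(payload, separators=(",", ":"), sort_keys=True)
    return {
        "id": event_id or str(uuid.uuid4()),
        "eventData": event_data,
        "eventDataChecksum": event_data_checksum(event_data),
    }


def put_audit_events(client, channel_arn, audit_events, external_id=None, batch_size=100):
    """Deliver events in batches and return (successful ids, failed entries).
    batch_size=100 is the per-request limit as I recall it; check the API reference."""
    ok, failed = [], []
    for start in range(0, len(audit_events), batch_size):
        kwargs = {"channelArn": channel_arn, "auditEvents": audit_events[start:start + batch_size]}
        if external_id:  # only direct (partner-run) integrations pass the partner's External ID
            kwargs["externalId"] = external_id
        resp = client.put_audit_events(**kwargs)
        ok.extend(entry["id"] for entry in resp.get("successful", []))
        failed.extend(resp.get("failed", []))
    return ok, failed


class FakeCloudTrailDataClient:
    """Constructed stand-in for boto3.client("cloudtrail-data"): mimics the response shape and
    rejects events whose checksum no longer matches eventData (the error code is made up)."""

    def __init__(self):
        self.calls = []

    def put_audit_events(self, **kwargs):
        self.calls.append(kwargs)
        successful, failed = [], []
        for ev in kwargs["auditEvents"]:
            expected = event_data_checksum(ev["eventData"])
            if ev.get("eventDataChecksum", expected) != expected:
                failed.append({"id": ev["id"], "errorCode": "ChecksumMismatch",
                               "errorMessage": "eventDataChecksum does not match eventData"})
            else:
                successful.append({"id": ev["id"], "eventID": str(uuid.uuid4())})
        return {"successful": successful, "failed": failed}


if __name__ == "__main__":
    # Swap in boto3.client("cloudtrail-data") and your real Channel ARN to send for real.
    client = FakeCloudTrailDataClient()
    events = [build_audit_event(e) for e in SAMPLE_EVENTS]
    print(put_audit_events(client, "arn:aws:cloudtrail:us-east-1:123456789012:channel/PLACEHOLDER", events))
```

The checksum is worth sending even for your own custom integration: if a proxy or log shipper alters the serialized event on the way in, the service can reject it rather than immutably storing a record that no longer matches what your application emitted, and the failed list tells you which ids to investigate.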
On the Editor tab in CloudTrail Lake, write your own queries against the newly integrated event data store to check the delivered events.
You can write your own integration query, such as one that gets all principals across AWS and external sources that have made API calls after a particular date:
    SELECT userIdentity.principalId FROM $AWS_EVENT_DATA_STORE_ID
    WHERE eventTime > '2022-09-24 00:00:00'
    UNION ALL
    SELECT eventData.userIdentity.principalId FROM $PARTNER_EVENT_DATA_STORE_ID
    WHERE eventData.eventTime > '2022-09-24 00:00:00'
To learn more, see the CloudTrail Lake event schema and sample queries to help you get started.
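The console editor is fine for a spot check, but for a recurring audit you want the same cross-source query run from code. The following is an added example (mine, not from the post) that builds the UNION ALL statement above with the store IDs and cutoff validated before they are spliced in, submits it through the CloudTrail start_query / describe_query / get_query_results API calls, pages through the results, and groups the principals by eventSource. The store IDs and date are placeholders, and FakeCloudTrailClient is a constructed stand-in for boto3.client("cloudtrail") so the module runs offline.

```python
"""Run the post's cross-source principal query against CloudTrail Lake from code.

Added example, not from the AWS post. Assumptions: the event data store IDs and
the date are placeholders, and FakeCloudTrailClient is a constructed stand-in for
boto3.client("cloudtrail") so the module runs offline; swap the real client in
to run it against your own stores.
"""
import re
import time

TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
STORE_ID_RE = re.compile(r"[0-9a-f-]+")  # event data store IDs are UUID-like

# Constructed result pages in the shape get_query_results returns: each row is a list of
# one-key {column: value} cells, and a second page is reached through NextToken.
SAMPLE_PAGES = [
    [[{"principalId": "AIDAEXAMPLE"}, {"eventSource": "iam.amazonaws.com"}, {"eventTime": "2022-09-25 10:00:00"}],
     [{"principalId": "alice"}, {"eventSource": "MyCustomLog1"}, {"eventTime": "2022-09-25 08:15:00"}]],
    [[{"principalId": "alice"}, {"eventSource": "MyCustomLog1"}, {"eventTime": "2022-09-26 08:15:00"}],
     [{"principalId": "bob"}, {"eventSource": "MyCustomLog2"}, {"eventTime": "2022-09-26 09:00:00"}]],
]


def principals_since_query(aws_store_id, partner_store_id, since):
    """Return the post's UNION ALL statement, with the pieces that get spliced in
    validated first so caller input cannot change the shape of the query."""
    if not TIMESTAMP_RE.fullmatch(since):
        raise ValueError("since must look like 'YYYY-MM-DD HH:MM:SS'")
    for store in (aws_store_id, partner_store_id):
        if not STORE_ID_RE.fullmatch(store):
            raise ValueError(f"unexpected event data store id: {store!r}")
    return (
        f"SELECT userIdentity.principalId AS principalId, eventSource, eventTime "
        f"FROM {aws_store_id} WHERE eventTime > '{since}' "
        f"UNION ALL "
        f"SELECT eventData.userIdentity.principalId, eventData.eventSource, eventData.eventTime "
        f"FROM {partner_store_id} WHERE eventData.eventTime > '{since}'"
    )


def run_lake_query(client, statement, poll_seconds=2.0, max_polls=150):
    """Start the query, wait for FINISHED, then page through every result row."""
    query_id = client.start_query(QueryStatement=statement)["QueryId"]
    state = "QUEUED"
    for _ in range(max_polls):
        status = client.describe_query(QueryId=query_id)
        state = status["QueryStatus"]
        if state == "FINISHED":
            break
        if state in ("FAILED", "CANCELLED", "TIMED_OUT"):
            raise RuntimeError(f"query {query_id} {state}: {status.get('ErrorMessage')}")
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"query {query_id} still {state} after {max_polls} polls")
    rows, token = [], None
    while True:
        kwargs = {"QueryId": query_id}
        if token:
            kwargs["NextToken"] = token
        page = client.get_query_results(**kwargs)
        for row in page.get("QueryResultRows", []):
            merged = {}
            for cell in row:  # each cell is a one-key {column: value} dict
                merged.update(cell)
            rows.append(merged)
        token = page.get("NextToken")
        if not token:
            return rows


def principals_by_source(rows):
    """Group the distinct principal IDs by the eventSource they acted through."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["eventSource"], set()).add(row["principalId"])
    return grouped


class FakeCloudTrailClient:
    """Constructed stand-in for boto3.client("cloudtrail"): reports RUNNING once, then
    FINISHED, and serves its pages through the same NextToken pagination."""

    def __init__(self, pages):
        self.pages, self.polls, self.statement = pages, 0, None

    def start_query(self, QueryStatement):
        self.statement = QueryStatement
        return {"QueryId": "constructed-query-id"}

    def describe_query(self, QueryId):
        self.polls += 1
        return {"QueryStatus": "RUNNING" if self.polls < 2 else "FINISHED"}

    def get_query_results(self, QueryId, NextToken=None):
        index = int(NextToken or 0)
        page = {"QueryResultRows": self.pages[index]}
        if index + 1 < len(self.pages):
            page["NextToken"] = str(index + 1)
        return page


if __name__ == "__main__":
    statement = principals_since_query(
        "11111111-1111-1111-1111-111111111111",  # placeholder AWS event data store ID
        "22222222-2222-2222-2222-222222222222",  # placeholder partner event data store ID
        "2022-09-24 00:00:00")
    rows = run_lake_query(FakeCloudTrailClient(SAMPLE_PAGES), statement, poll_seconds=0)
    print(principals_by_source(rows))
```

Validating the cutoff and store IDs before formatting them into the statement matters because Lake queries are plain strings: anything a ticket system or web form hands you goes straight into SQL, so the function only accepts a timestamp of the exact shape the post uses and UUID-like store IDs.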
Launch Partners
You can see the list of our launch partners that support a CloudTrail Lake integration option in the Available sources tab. Here are blog posts and announcements from our partners who collaborated on this launch (some will be added in the next few days).
Now Available
AWS CloudTrail Lake now supports ingesting activity events from external sources in all AWS Regions where CloudTrail Lake is available today. To learn more, see the AWS documentation and each partner’s getting started guides.
If you are interested in becoming an AWS CloudTrail Partner, you can contact your usual partner contacts.
– Channy