
Amazon CloudTrail integration into CloudWatch is a security best practice


Amazon CloudTrail and CloudWatch are two security pillars of your cloud. Their main job is to maintain logs, create metrics for sign-ins, and notify subscribed users about those sign-ins so that they can react immediately. Since the reach of these two is incomparable, you can subscribe to them and use their services in more than 32 assigned regions. To make sure that Amazon CloudTrail and CloudWatch perform their duty without any delay, ensure that CloudTrail logs are delivered to CloudWatch so that alarms can act on them. To verify the configuration, check whether the two services are integrated.

How to monitor Amazon CloudTrail Log files with Amazon CloudWatch Logs?

  1. First, configure your trails to send log events to CloudWatch Logs.
  2. Define CloudWatch metric filters to evaluate log events for matching terms, phrases or values. For example, you can monitor Console Login events.
  3. Assign CloudWatch metrics to the metric filters.
  4. Create CloudWatch alarms that are triggered according to the thresholds and time periods you specify. You can set the alarms up to notify you when they are triggered so that you can take the required action.
  5. You can also configure CloudWatch to perform a particular action automatically in response to a particular alarm.

How does Centilytics help you monitor configuration status?

Centilytics has a dedicated insight that checks whether CloudWatch Logs is configured. It saves you the time and effort of looking around in the AWS console. Even if it stops due to an error, the insight indicates its severity and warns you about the configuration. So your data always stays protected and you get notified about every update.

Insight Description:

OK: Amazon CloudTrail has CloudWatch log groups configured with a metric filter, an alarm, and an SNS topic with at least one subscriber.

Warning: For your CloudWatch alarms, either no SNS topic is created or no individual is present in the list of topic subscribers to receive the alerts.

Critical: Delivery to CloudWatch Logs is not configured.
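
The severity levels above can be evaluated against the chain built in the monitoring steps (trail, log group, metric filter, alarm, SNS subscriber). The following Python is an added example, not Centilytics' own code: `classify_trail` and the sample data are hypothetical, and the inputs are assumed to be shaped like the responses of the AWS `describe_trails`, `describe_metric_filters`, `describe_alarms` and `list_subscriptions_by_topic` calls. Cases the page does not grade (no metric filter, no alarm, subscription pending confirmation) are reported as Warning by assumption.

```python
def classify_trail(trail, metric_filters, alarms, subs_by_topic):
    """Grade one trail as (severity, reason) using the insight's three levels.

    trail          -- one item of cloudtrail describe_trails()["trailList"]
    metric_filters -- logs describe_metric_filters()["metricFilters"] for its log group
    alarms         -- cloudwatch describe_alarms()["MetricAlarms"]
    subs_by_topic  -- {topic ARN: sns list_subscriptions_by_topic()["Subscriptions"]}
    """
    if not trail.get("CloudWatchLogsLogGroupArn"):
        return "Critical", "delivery to CloudWatch Logs not configured"
    # Metrics that the log group's filters publish, as (namespace, name) pairs.
    metrics = {(t["metricNamespace"], t["metricName"])
               for f in metric_filters for t in f.get("metricTransformations", [])}
    if not metrics:  # assumption: the page does not grade this case
        return "Warning", "no metric filter on the log group"
    linked = [a for a in alarms if (a.get("Namespace"), a.get("MetricName")) in metrics]
    if not linked:  # assumption: the page does not grade this case
        return "Warning", "no alarm on a filter metric"
    topics = {arn for a in linked for arn in a.get("AlarmActions", [])
              if arn.split(":")[2:3] == ["sns"]}
    if not topics:
        return "Warning", "alarm has no SNS topic"
    for topic in sorted(topics):
        # Assumption: a subscription still awaiting confirmation receives nothing.
        if any(s.get("SubscriptionArn") != "PendingConfirmation"
               for s in subs_by_topic.get(topic, [])):
            return "OK", "alarm notifies " + topic
    return "Warning", "SNS topic has no confirmed subscriber"


# Constructed sample data, shaped like the API responses (not from a real account).
TOPIC = "arn:aws:sns:us-east-1:111122223333:example-security-alerts"
TRAIL = {"Name": "example-trail", "S3BucketName": "example-trail-bucket",
         "CloudWatchLogsLogGroupArn":
             "arn:aws:logs:us-east-1:111122223333:log-group:example-trail-logs:*"}
FILTERS = [{"filterName": "console-login",
            "filterPattern": '{ $.eventName = "ConsoleLogin" }',
            "metricTransformations": [{"metricNamespace": "ExampleTrailMetrics",
                                       "metricName": "ConsoleLoginCount",
                                       "metricValue": "1"}]}]
ALARMS = [{"AlarmName": "console-login-alarm", "Namespace": "ExampleTrailMetrics",
           "MetricName": "ConsoleLoginCount", "AlarmActions": [TOPIC]}]
SUBS = {TOPIC: [{"Protocol": "email", "Endpoint": "secops@example.com",
                 "SubscriptionArn": TOPIC + ":constructed-subscription-id"}]}

if __name__ == "__main__":
    print(classify_trail(TRAIL, FILTERS, ALARMS, SUBS))
```
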

 

Descriptions of the further columns are as follows:

Account Id: Shows the respective account ID of the user’s account.

Account Name: Shows the account name corresponding to the user’s account.

Region: Shows the region in which your instance has been used.

Identifier: Shows you the service with its trail name.

Trail Name: Shows the name that you entered while creating your trail.

Bucket Name: Shows the bucket name that you have specified to receive the log files.

Latest CloudWatch Delivery Time: Shows the time and date when your last logs were sent to the storage S3 bucket.

Filters Applicable:

Account Id: Applying the account Id filter will display all the public snapshots for the selected account Id.

Region: Applying the region filter will display all the public snapshots corresponding to the selected region.

Severity: Applying the severity filter will display public snapshots according to the selected severity type, i.e. selecting critical will display all instances with critical severity. The same will be the case for the Warning and Ok severity types.

Resource Tags: Applying the resource tags filter will display those public snapshots which have been assigned the selected resource tag. For example, if the user has tagged some public snapshots with a resource tag named environment, then selecting environment from the resource tags filter will display all those snapshots.

Resource Tags Value: Applying the resource tags value filter will display data which has the selected resource tag value. For example, let’s say a user has tagged some resource with a tag named environment that has the value production (environment:production). The user can then view data of all the resources which are tagged as “environment: production”. The user can use the tag value filter only when a tag name has been provided.

Compliance: Applying the Compliance filter, you can further refine your security and health checks.

 

Learn about AWS security best practices here.
