AWS Cloud Operations & Migrations Blog

Announcing AWS CloudTrail Lake Dashboards – Visualize and Analyze CloudTrail data

In January 2022, AWS announced general availability of AWS CloudTrail Lake, a managed audit and security lake that allows you to aggregate, immutably store and query activity logs for auditing, security investigation and operational troubleshooting. Since launch, thousands of customers have adopted this feature.

We are excited to announce that CloudTrail Lake dashboards are now generally available. CloudTrail Lake dashboards provide out-of-the-box visibility and top insights from your audit and security data directly within the CloudTrail Lake console. CloudTrail Lake features a number of AWS curated dashboards so you can get started right away – no detailed dashboard setup or SQL experience is required. It also offers the flexibility to drill down into additional details such as specific user activity or changed resources for further analysis and investigation using CloudTrail Lake SQL queries.

Auditing and compliance engineers can use the CloudTrail Lake dashboards to track progress of compliance mandates such as migration to TLS 1.2 and beyond. CloudTrail Lake dashboards will help security engineers closely track sensitive user activities such as deletion of trails or repeated access denied errors. Cloud operation engineers can get visibility to issues such as top service throttling errors from the curated dashboard.

In this blog post, we’ll walk you through how to use CloudTrail Lake dashboards as a starting point for your analysis workflows.

Prerequisites for CloudTrail Lake dashboards

  1. Enabling CloudTrail Lake – Please refer to this blog which explains how to enable CloudTrail Lake and refer to this blog if you would like to copy existing AWS CloudTrail trails events to an AWS CloudTrail Lake event data store (EDS).

Viewing CloudTrail Lake dashboards

After you have created an EDS, you can view the top trends and errors for your EDS in Lake dashboards.

  1. Navigate to Dashboard under Lake in the CloudTrail menu from the left navigation menu.
Select Dashboard under Lake

Figure 1: Select Dashboard under Lake

  1. When you first use CloudTrail Lake dashboards, you will be shown a message asking you to review and confirm that you understand you will be charged for running queries on an EDS. Please review and acknowledge the billing prompt.
Acknowledge the billing prompt

Figure 2: Acknowledge the billing prompt

  1. From the Dashboard page, select the EDS and dashboard you’d like to view. The list of available dashboards will change based upon the events available in the EDS you’ve selected. The Overview and Management Events dashboards are available for an EDS with CloudTrail management events. The S3 Data Events dashboard will only be accessible if you have an EDS that collects S3 data events.
Select EDS and Dashboard

Figure 3: Select EDS and Dashboard

  1. Select the time range to view, and choose Run queries. The dashboards will then start a number of queries to fetch data for the dashboard. Each widget in the dashboard will start its own query and display loading progress. Query run time is primarily controlled by the amount of data stored in your EDS and the time range selected.
  2. The dashboard will display data as queries complete.
Dashboard displaying CloudTrail Lake events

Figure 4: Dashboard displaying CloudTrail Lake events

  1. If you need to perform a further analysis of any widget, you can choose on View and analyze in query editor to access the CloudTrail Lake query editor. This allows you to conduct further analysis and explore the data in greater detail.
Choose on View and analyze in query editor to analyze further

Figure 5: Choose on View and analyze in query editor to analyze further

  1. CloudTrail Lake query editor will populate with the query used by the widget. You may modify the query as needed for deeper analysis.
Modify query in the Lake Query editor

Figure 6: Modify query in the Lake Query editor

Analyzing AWS curated dashboards

CloudTrail Lake will have a set of pre-configured dashboards for users to easily start visualizing CloudTrail events. As part of this launch, dashboards are not customizable

To start with, below are 3 CloudTrail Lake curated dashboards:

  1. Overview dashboard – Shows the most active users, AWS Regions, and AWS services by event count. You can also view information about read and write management event activity, most throttled events, and the top errors. This dashboard is available for event data stores that collect management events.
CloudTrail Lake Overview Dashboard

Figure 7: CloudTrail Lake Overview Dashboard

  1. Management Events dashboard – This dashboard is available for an EDS that collects management events. This dashboard shows console sign-in events, access denied events, destructive actions, and top errors by user. You can also view information about TLS versions and outdated TLS calls by user. Since all AWS service API endpoints require a minimum of TLS 1.2, CloudTrail management events also records TLS version which could be very useful for compliance engineers to know resources using TLSV1. Please refer to this blog for more details.
AWS Curated Dashboard for Management Events

Figure 8: AWS Curated Dashboard for Management Events

  1. S3 Data Events dashboard – Shows S3 account activity, most accessed S3 objects, top S3 users, and top S3 actions. This dashboard is available for event data stores that collect Amazon S3 data events.
AWS Curated Dashboard for S3 Events

Figure 9: AWS Curated Dashboard for S3 Events

Generally available today

You can use CloudTrail Lake dashboards in all AWS Regions where AWS CloudTrail Lake is available, including AWS GovCloud (US) Regions. Using AWS CloudTrail Lake dashboards will result in CloudTrail Lake query charges. Refer to the CloudTrail pricing page for details. To get started, see View Lake dashboards in the CloudTrail User Guide.

Conclusion

In the blog post, we’ve announced the new dashboards available in CloudTrail Lake. We’ve shown you how you can enable them, as well as how they can be used for your own analysis workflows. CloudTrail Lake dashboards can be a good starting point for investigations into CloudTrail data, allowing our customers the ability to dig deeper into elements they may have never considered querying before. We’re excited to see how customers leverage this new capability.

About the authors:

Yagya Vir Singh

Yagya Vir Singh is a Senior Technical Account Manager based in Nashville, Tennessee. He is passionate about AWS technologies and loves to help customers achieve their goals. Outside of the office, he loves to be with his friends and family and spend time outdoors.

Jay Vaidya

Jay is a Sr. Technical Account Manager in AWS. He likes to spend time with his family and friends. He enjoys watching soccer, taking day trips, or playing tennis on weekends. He is a huge Manchester United fan and always stays up to date with all the Manchester United news.

Levi Bracken

Levi Bracken is a Senior Manager of Software Development on the AWS CloudTrail team. He focuses on the customer facing aspects of CloudTrail, ensuring customers have the tools they need for security, operational and auditing workflows. He has been building on top of AWS for well over a decade. When not at work, he enjoys being outdoors on a trail with his family or on a road with his bike.