Announcing AWS CloudTrail Lake Dashboards – Visualize and Analyze CloudTrail data
In January 2022, AWS announced general availability of AWS CloudTrail Lake, a managed audit and security lake that allows you to aggregate, immutably store and query activity logs for auditing, security investigation and operational troubleshooting. Since launch, thousands of customers have adopted this feature.
We are excited to announce that CloudTrail Lake dashboards are now generally available. CloudTrail Lake dashboards provide out-of-the-box visibility and top insights from your audit and security data directly within the CloudTrail Lake console. CloudTrail Lake features a number of AWS curated dashboards so you can get started right away – no detailed dashboard setup or SQL experience is required. It also offers the flexibility to drill down into additional details such as specific user activity or changed resources for further analysis and investigation using CloudTrail Lake SQL queries.
Auditing and compliance engineers can use the CloudTrail Lake dashboards to track progress of compliance mandates such as migration to TLS 1.2 and beyond. CloudTrail Lake dashboards will help security engineers closely track sensitive user activities such as deletion of trails or repeated access denied errors. Cloud operation engineers can get visibility to issues such as top service throttling errors from the curated dashboard.
In this blog post, we’ll walk you through how to use CloudTrail Lake dashboards as a starting point for your analysis workflows.
Prerequisites for CloudTrail Lake dashboards
- Enabling CloudTrail Lake – Please refer to this blog which explains how to enable CloudTrail Lake and refer to this blog if you would like to copy existing AWS CloudTrail trails events to an AWS CloudTrail Lake event data store (EDS).
Viewing CloudTrail Lake dashboards
After you have created an EDS, you can view the top trends and errors for your EDS in Lake dashboards.
- Navigate to Dashboard under Lake in the CloudTrail menu from the left navigation menu.
- When you first use CloudTrail Lake dashboards, you will be shown a message asking you to review and confirm that you understand you will be charged for running queries on an EDS. Please review and acknowledge the billing prompt.
- From the Dashboard page, select the EDS and dashboard you’d like to view. The list of available dashboards will change based upon the events available in the EDS you’ve selected. The Overview and Management Events dashboards are available for an EDS with CloudTrail management events. The S3 Data Events dashboard will only be accessible if you have an EDS that collects S3 data events.
- Select the time range to view, and choose Run queries. The dashboards will then start a number of queries to fetch data for the dashboard. Each widget in the dashboard will start its own query and display loading progress. Query run time is primarily controlled by the amount of data stored in your EDS and the time range selected.
- The dashboard will display data as queries complete.
- If you need to perform a further analysis of any widget, you can choose on View and analyze in query editor to access the CloudTrail Lake query editor. This allows you to conduct further analysis and explore the data in greater detail.
- CloudTrail Lake query editor will populate with the query used by the widget. You may modify the query as needed for deeper analysis.
Analyzing AWS curated dashboards
CloudTrail Lake will have a set of pre-configured dashboards for users to easily start visualizing CloudTrail events. As part of this launch, dashboards are not customizable
To start with, below are 3 CloudTrail Lake curated dashboards:
- Overview dashboard – Shows the most active users, AWS Regions, and AWS services by event count. You can also view information about read and write management event activity, most throttled events, and the top errors. This dashboard is available for event data stores that collect management events.
- Management Events dashboard – This dashboard is available for an EDS that collects management events. This dashboard shows console sign-in events, access denied events, destructive actions, and top errors by user. You can also view information about TLS versions and outdated TLS calls by user. Since all AWS service API endpoints require a minimum of TLS 1.2, CloudTrail management events also records TLS version which could be very useful for compliance engineers to know resources using TLSV1. Please refer to this blog for more details.
- S3 Data Events dashboard – Shows S3 account activity, most accessed S3 objects, top S3 users, and top S3 actions. This dashboard is available for event data stores that collect Amazon S3 data events.
Generally available today
You can use CloudTrail Lake dashboards in all AWS Regions where AWS CloudTrail Lake is available, including AWS GovCloud (US) Regions. Using AWS CloudTrail Lake dashboards will result in CloudTrail Lake query charges. Refer to the CloudTrail pricing page for details. To get started, see View Lake dashboards in the CloudTrail User Guide.
In the blog post, we’ve announced the new dashboards available in CloudTrail Lake. We’ve shown you how you can enable them, as well as how they can be used for your own analysis workflows. CloudTrail Lake dashboards can be a good starting point for investigations into CloudTrail data, allowing our customers the ability to dig deeper into elements they may have never considered querying before. We’re excited to see how customers leverage this new capability.
About the authors: