AWS Cloud Operations & Migrations Blog

Streamline AWS CloudTrail Logs Using Event Filters

In November 2016, AWS CloudTrail announced a new feature that provides the ability to filter events that are collected within a CloudTrail trail. This simple feature helps AWS customers save time and money by creating trails that contain a subset of overall API operations and account activity.

In this post, I show you how to add event filters when creating a trail from the AWS Management Console or the AWS CLI.

A common and often recommended CloudTrail setup is to have two or more trails configured within your AWS account. One trail is for security and auditing purposes, leverages Amazon S3 file encryption and log file validation, and is stored in an S3 bucket with a policy allowing only security or audit team access.

Additional trails are often stored in a separate S3 bucket and used to send data to third-party tools, set up for the DevOps team to access and use, or leveraged by support teams to troubleshoot and better investigate account issues.

The security and audit trail (Trail 1) is often required to capture and log all activity. The operations trail (Trail 2) is often only concerned with events that change or have the potential to make changes within the account. In addition, the first copy of management events is delivered free of charge while additional copies are charged by number of events. For more information, see CloudTrail pricing.

Event filters

When you configure your trail to log data events or management events, you can specify whether you want read-only or write-only events for each event type, or both. This can streamline your trails to show only the events that are most important to you and potentially help save on the cost of the trail as well as the downstream services that are consuming the events.

Event filter definitions:

  • Read-only
    Includes API operations that read your resources, but don’t make changes. For example, read-only events include the Amazon EC2 DescribeSecurityGroups and DescribeSubnets API operations as well as all other List and Describe type calls. These operations return only information about your Amazon EC2 resources and don’t change your configurations or resources.
  • Write-only
    Includes API operations that modify (or might modify) your resources. For example, the Amazon EC2 RunInstances and TerminateInstances API operations modify your instances. Console sign-in events are also considered write-only.
  • All
    Includes both read-only and write-only API operations.

Example: Creating a multi-region trail with write-only management events

The following example could be used for a secondary operations trail (Trail 2) described above. This shows how you can create a multi-region trail with write-only management events from both the AWS Management Console and AWS CLI.

To create a multi-region trail in the console

1. Open the CloudTrail console.

2. Choose Trails, Add new trail.

3. On the Create Trail page, fill out the required fields. For more information, see Creating a Trail in the Console. In the Management Event section, apply the Event Filter by selecting Write-only. Event filters apply separately to management events and data events. For this example, leave the data event section blank.

4. Choose Create.

To create a multi-region trail using the CLI

1. Create the trail and S3 bucket. For more information, see Creating a Trail with the AWS Command Line Interface.

aws cloudtrail create-subscription --name=writeonlytrail --s3-new-bucket=thirdpartybucket

2. Update the trail to apply to all regions:

aws cloudtrail update-trail --name writeonlytrail --is-multi-region-trail

3. Apply an event selector to the trail. For more information, see put-event-selectors.

aws cloudtrail put-event-selectors --trail-name writeonlytrail --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true}]'

If you are running the AWS CLI from a Windows command prompt, modify the command to use double quotes to enclose the JSON data structure. For more information, see Quoting Strings.

aws cloudtrail put-event-selectors --trail-name writeonlytrail --event-selectors "[{\"ReadWriteType\":\"WriteOnly\",\"IncludeManagementEvents\":true}]"
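The following script is an added example, not part of the original post and not AWS code. It shows how the read-only / write-only definitions above and the event selector applied to the trail combine to decide which records are delivered, and it doubles as a check a security team can run on the output of `aws cloudtrail get-event-selectors` to confirm a trail still has the filter it was created with. The selector response and the CloudTrail records are constructed inline (the trail ARN and account ID are placeholders); `readOnly`, `managementEvent`, `ReadWriteType`, `IncludeManagementEvents` and `DataResources` are the real field names, but the matching logic is a simplified model that does not attempt data-resource ARN matching.

```python
"""Apply CloudTrail event-selector filtering to sample log records.

Added example, not AWS's own code or CLI output: the selector JSON and the
CloudTrail records below are constructed inline for illustration.
"""
import json

# Constructed: the response shape of `aws cloudtrail get-event-selectors`
# for a trail like writeonlytrail above (ARN and account ID are placeholders).
GET_EVENT_SELECTORS_RESPONSE = json.dumps({
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/writeonlytrail",
    "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True, "DataResources": []}
    ],
})

# Constructed sample CloudTrail records, trimmed to the fields used here.
# `readOnly` and `managementEvent` are real CloudTrail record fields.
SAMPLE_RECORDS = [
    {"eventName": "DescribeSecurityGroups", "eventSource": "ec2.amazonaws.com",
     "readOnly": True, "managementEvent": True},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "readOnly": False, "managementEvent": True},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "readOnly": False, "managementEvent": True},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "readOnly": True, "managementEvent": False},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "readOnly": False, "managementEvent": False},
]

VALID_READ_WRITE_TYPES = {"ReadOnly", "WriteOnly", "All"}


def parse_event_selectors(response_json):
    """Parse a get-event-selectors response and validate each ReadWriteType."""
    selectors = json.loads(response_json)["EventSelectors"]
    for sel in selectors:
        rwt = sel.get("ReadWriteType", "All")  # CloudTrail's default is All
        if rwt not in VALID_READ_WRITE_TYPES:
            raise ValueError(f"unknown ReadWriteType {rwt!r}")
    return selectors


def selector_matches(selector, record):
    """Return True if one event selector would deliver this record.

    Simplified model: the read/write filter applies to every record;
    management events need IncludeManagementEvents; data events need at
    least one DataResources entry (no ARN matching is attempted here).
    """
    rwt = selector.get("ReadWriteType", "All")
    if rwt == "ReadOnly" and not record["readOnly"]:
        return False
    if rwt == "WriteOnly" and record["readOnly"]:
        return False
    if record["managementEvent"]:
        return bool(selector.get("IncludeManagementEvents", True))
    return bool(selector.get("DataResources"))


def filter_records(selectors, records):
    """Return the event names a trail with these selectors would deliver."""
    return [r["eventName"] for r in records
            if any(selector_matches(s, r) for s in selectors)]


def audit_trail_selectors(selectors, expected_read_write_type):
    """Check that every selector on the trail uses the ReadWriteType we expect,
    e.g. All for the security trail and WriteOnly for the operations trail."""
    return all(s.get("ReadWriteType", "All") == expected_read_write_type
               for s in selectors)


if __name__ == "__main__":
    sels = parse_event_selectors(GET_EVENT_SELECTORS_RESPONSE)
    print("delivered:", filter_records(sels, SAMPLE_RECORDS))
    print("ops trail is WriteOnly:", audit_trail_selectors(sels, "WriteOnly"))
```

With the WriteOnly selector, only RunInstances and ConsoleLogin are delivered: the Describe call is read-only, and the S3 object events are data events that this trail does not select. Feeding the real `get-event-selectors` output into `parse_event_selectors` and `audit_trail_selectors` gives a quick drift check that the security trail (Trail 1) has not been narrowed away from All.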

Summary

Whether you used the AWS Management Console or the AWS CLI, you’ve now created a multi-region trail that collects only write-only management events. For more information, see Logging Data and Management Events for Trails.

If you have questions or suggestions, please comment below.


Bob O’Dell is a Sr. Product Manager for AWS CloudTrail. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of AWS accounts. Bob enjoys working with customers to understand how CloudTrail can meet their needs and continue to be an integral part of their solutions going forward. In his spare time, he enjoys spending time running, hiking, and adventuring through the Pacific Northwest.