How do I use CloudTrail to see if a security group or resource was changed in my AWS account?

Last updated: 2022-01-20

For auditing purposes, I want to look for changes made to a security group in my Amazon Virtual Private Cloud (Amazon VPC). What's the best way to review security group changes in my AWS account?

Short description

To view and monitor the security group event history in your AWS account, you can use any of the following AWS services and features:

Note: The following are some examples of security group-related API calls:

Resolution

To use CloudTrail Event history to review security group changes in your AWS account

Note: You can use CloudTrail to search event history for the last 90 days.

1.    Open the CloudTrail console.

2.    Choose Event history.

3.    In Filter, select the dropdown list. Then, choose Resource name.

4.    In the Enter resource name text box, enter your resource's name (for example, sg-123456789).

5.    For Time range, enter the desired time range. Then, choose Apply.

6.    In Event time, expand the event. Then, choose View event.

For more information, see Viewing CloudTrail events in the CloudTrail console.

Example CloudTrail event history event

Note: In this example, an inbound rule allows TCP port 998 from 192.168.0.0/32.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "123456789:Bob",
        "arn": "arn:aws:sts::123456789:assumed-role/123456789/Bob",
        "accountId": "123456789",
        "accessKeyId": "123456789",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-08-05T07:15:25Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "123456789",
                "arn": "arn:aws:iam::123456789:role/123456789",
                "accountId": "123456789",
                "userName": "Bob"
            }
        }
    },
    "eventTime": "2019-08-05T07:16:31Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "111.111.111.111",
    "userAgent": "console.ec2.amazonaws.com",
    "requestParameters": {
        "groupId": "sg-123456789",
        "ipPermissions": {
            "items": [
                {
                    "ipProtocol": "tcp",
                    "fromPort": 998,
                    "toPort": 998,
                    "groups": {},
                    "ipRanges": {
                        "items": [
                            {
                                "cidrIp": "192.168.0.0/32"
                            }
                        ]
                    },
                    "ipv6Ranges": {},
                    "prefixListIds": {}
                }
            ]
        }
    },
    "responseElements": {
        "requestId": "65ada3c8-d72f-4366-a583-9a9586811111",
        "_return": true
    },
    "requestID": "65ada3c8-d72f-4366-a583-9a9586811111",
    "eventID": "6c604d53-d9c3-492e-a26a-a48ac3f711111",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789"
}

To use Athena queries to review security group changes in your AWS account

Note: To use Athena to query CloudTrail Logs, you must have a trail configured to log to an Amazon Simple Storage Service (Amazon S3) bucket. You can use Athena to query CloudTrail Logs over the last 90 days.

1.    Open the Athena console.

2.    Choose Query Editor. The Athena query editor opens.

3.    In the Athena query editor, enter a query based on your use case. Then, choose Run query.

For more information, see Understanding CloudTrail Logs and Athena Tables.

Example query to return all CloudTrail events for security group creation and deletion

Important: Replace example table name with your table name.

SELECT *
FROM example table name
WHERE (eventname = 'CreateSecurityGroup' or eventname = 'DeleteSecurityGroup')
and eventtime > '2019-02-15T00:00:00Z'
order by eventtime asc

Example query to return all CloudTrail events for changes made to a specific security group

Important: Replace example table name with your table name.

SELECT *
FROM example table name
WHERE (eventname like '%SecurityGroup%' and requestparameters like '%sg-123456789%')
and eventtime > '2019-02-15T00:00:00Z'
order by eventtime asc;

To use AWS Config configuration history to review security group changes in your AWS account

Note: You can use AWS Config to view configuration history for security group event history beyond the default 90-day limit. You must have the AWS Config configuration recorder turned on. For more information, see Managing the configuration recorder.

1.    Open the CloudTrail console.

2.    Choose Event history.

3.    In Filter, select the dropdown list. Then, choose Event name.

4.    In the Enter event name text box, enter the type of event that you're searching for (for example, CreateSecurityGroup). Then, choose Apply.

5.    In Event time, expand the event.

6.    On the Resources Referenced pane, choose the clock icon in the Config timeline column to view the configuration timeline.

For more information, see Viewing resources referenced with AWS Config.


Did this article help?


Do you need billing or technical support?