How can I search CloudTrail event history to determine how a security group or resource was changed?

Last updated: 2019-09-03

I want to view security group API call event history for auditing purposes including:

Resolution

Use AWS CloudTrail event history, Amazon Athena queries, or AWS Config configuration history to view security group event history.

CloudTrail event history

You can use the CloudTrail event history view to search for security group event history over the last 90 days.

1.    Open the CloudTrail Console.

2.    Choose Event history.

3.    Select the Filter drop-down menu, and choose Resource name.

4.    In the Enter resource name field, enter the ID of your resource, for example sg-123456789, and then press Enter.

5.    Expand the event by choosing its Event time, and then choose View event.

In this example, the principal Bob, acting through an assumed role with mfaAuthenticated set to "false", adds an inbound rule that allows TCP port 998 from 192.168.0.0/32:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "123456789:Bob",
        "arn": "arn:aws:sts::123456789:assumed-role/123456789/Bob",
        "accountId": "123456789",
        "accessKeyId": "123456789",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-08-05T07:15:25Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "123456789",
                "arn": "arn:aws:iam::123456789:role/123456789",
                "accountId": "123456789",
                "userName": "Bob"
            }
        }
    },
    "eventTime": "2019-08-05T07:16:31Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "111.111.111.111",
    "userAgent": "console.ec2.amazonaws.com",
    "requestParameters": {
        "groupId": "sg-123456789",
        "ipPermissions": {
            "items": [
                {
                    "ipProtocol": "tcp",
                    "fromPort": 998,
                    "toPort": 998,
                    "groups": {},
                    "ipRanges": {
                        "items": [
                            {
                                "cidrIp": "192.168.0.0/32"
                            }
                        ]
                    },
                    "ipv6Ranges": {},
                    "prefixListIds": {}
                }
            ]
        }
    },
    "responseElements": {
        "requestId": "65ada3c8-d72f-4366-a583-9a9586811111",
        "_return": true
    },
    "requestID": "65ada3c8-d72f-4366-a583-9a9586811111",
    "eventID": "6c604d53-d9c3-492e-a26a-a48ac3f711111",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789"
}

For more information, see Viewing CloudTrail Events in the CloudTrail Console.
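The record above is easier to audit once the nested requestParameters are flattened into one line per rule. The following Python is an added example, not code from the article or from AWS; it takes the event shown above (copied here as constructed sample input, trimmed to the fields it needs) and produces a short summary with who, when, from where, whether MFA was used, and which rules were added, flagging any rule open to 0.0.0.0/0 or ::/0. The same structure is used by AuthorizeSecurityGroupEgress and the Revoke* events, so the decoder handles all four. The WORLD_CIDRS set and the output field names are this example's own choices.

```python
"""Decode an EC2 security group change recorded by CloudTrail (added example)."""
import json
from typing import Dict, List

# Constructed sample: the AuthorizeSecurityGroupIngress event from the page,
# trimmed to the fields the summary needs.
SAMPLE_EVENT = json.loads("""
{
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789:assumed-role/123456789/Bob",
    "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}
  },
  "eventTime": "2019-08-05T07:16:31Z",
  "eventName": "AuthorizeSecurityGroupIngress",
  "sourceIPAddress": "111.111.111.111",
  "requestParameters": {
    "groupId": "sg-123456789",
    "ipPermissions": {"items": [{
      "ipProtocol": "tcp", "fromPort": 998, "toPort": 998,
      "groups": {},
      "ipRanges": {"items": [{"cidrIp": "192.168.0.0/32"}]},
      "ipv6Ranges": {}, "prefixListIds": {}
    }]}
  }
}
""")

# Sources that mean "anywhere on the internet" (this example's own list).
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _items(node) -> list:
    """CloudTrail wraps EC2 lists as {"items": [...]}; missing or empty -> []."""
    return node.get("items", []) if isinstance(node, dict) else []


def describe_permissions(params: Dict) -> List[str]:
    """Flatten ipPermissions into lines like 'tcp 998-998 from 192.168.0.0/32'."""
    lines = []
    for perm in _items(params.get("ipPermissions", {})):
        proto = perm.get("ipProtocol", "-1")
        # EC2 encodes "all traffic" as protocol -1 with no port range.
        what = "all traffic" if proto == "-1" else f"{proto} {perm.get('fromPort', '*')}-{perm.get('toPort', '*')}"
        sources = [r["cidrIp"] for r in _items(perm.get("ipRanges", {}))]
        sources += [r["cidrIpv6"] for r in _items(perm.get("ipv6Ranges", {}))]
        sources += [g["groupId"] for g in _items(perm.get("groups", {})) if "groupId" in g]
        sources += [p["prefixListId"] for p in _items(perm.get("prefixListIds", {}))]
        for src in sources or ["<no source>"]:
            lines.append(f"{what} from {src}")
    return lines


def summarize_sg_change(event: Dict) -> Dict:
    """Return the fields an auditor wants from one security group API event."""
    ident = event.get("userIdentity", {})
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    rules = describe_permissions(event.get("requestParameters", {}))
    return {
        "time": event.get("eventTime"),
        "action": event.get("eventName"),
        "group": event.get("requestParameters", {}).get("groupId"),
        "actor": ident.get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "mfa": mfa == "true",
        "rules": rules,
        "open_to_world": any(r.rsplit(" from ", 1)[-1] in WORLD_CIDRS for r in rules),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_sg_change(SAMPLE_EVENT), indent=2))
```

Run it against any event exported from the console or returned by the CloudTrail API; the `mfa` and `open_to_world` fields are the two that most often turn a routine change into a finding.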

Athena queries

You can use Athena queries to search the CloudTrail log files that a trail delivers to Amazon S3. Unlike the event history view, this is not limited to the last 90 days: you can search as far back as the log files are retained in the bucket.

Note: You must have a trail enabled to log to an S3 bucket, and an Athena table defined over that bucket.

1.    Open the Athena Console.

2.    Choose Query Editor.

3.    In the Athena query editor, copy and paste the following query:

Note: Replace example_table_name with your table name.

SELECT *
FROM example_table_name
WHERE (eventname = 'CreateSecurityGroup' OR eventname = 'DeleteSecurityGroup')
  AND eventtime > '2019-02-15T00:00:00Z'
ORDER BY eventtime ASC;

4.    Choose Run query.

The results track security group creation and deletion events. The eventtime column is a string, so the comparison works because ISO-8601 UTC timestamps sort lexicographically.

5.    You can query all changes made to a specific security group with the following query. Because CreateSecurityGroup returns the new group ID in responseelements rather than requestparameters, match on both columns so that the creation event is included:

SELECT *
FROM example_table_name
WHERE eventname LIKE '%SecurityGroup%'
  AND (requestparameters LIKE '%sg-123456789%' OR responseelements LIKE '%sg-123456789%')
  AND eventtime > '2019-02-15T00:00:00Z'
ORDER BY eventtime ASC;

For more information, see Understanding CloudTrail Logs and Athena Tables.
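When Athena is not available, or when you want to triage a single downloaded log file, the same two filters can be applied directly to the Records array of a CloudTrail log file. The following Python is an added example, not code from the article or from AWS. It uses constructed sample records with hypothetical IDs (sg-000000000, vpc-aaaa1111) and implements the first query (creations and deletions after a date) and the second (every *SecurityGroup* event that references one group ID). Its `include_response` switch reproduces the difference between matching on requestparameters alone and matching on both columns: with the switch off, the group's own CreateSecurityGroup event is missed.

```python
"""Filter a CloudTrail log file for security group events, offline (added example)."""
import json
from typing import Dict, List

SG_ID = "sg-123456789"
SINCE = "2019-02-15T00:00:00Z"   # ISO-8601 UTC strings sort lexicographically

# Constructed sample records with hypothetical IDs. Note that CreateSecurityGroup
# carries the new groupId in responseElements, not in requestParameters.
SAMPLE_RECORDS: List[Dict] = [
    {"eventTime": "2019-01-10T09:00:00Z", "eventName": "CreateSecurityGroup",
     "requestParameters": {"groupName": "old-sg", "vpcId": "vpc-aaaa1111"},
     "responseElements": {"groupId": "sg-000000000"}},
    {"eventTime": "2019-08-05T07:10:12Z", "eventName": "CreateSecurityGroup",
     "requestParameters": {"groupName": "web-sg", "groupDescription": "web", "vpcId": "vpc-aaaa1111"},
     "responseElements": {"groupId": SG_ID}},
    {"eventTime": "2019-08-05T07:16:31Z", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": SG_ID, "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 998, "toPort": 998,
          "ipRanges": {"items": [{"cidrIp": "192.168.0.0/32"}]}}]}},
     "responseElements": {"_return": True}},
    {"eventTime": "2019-08-06T11:02:45Z", "eventName": "RevokeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-000000000", "ipPermissions": {"items": []}},
     "responseElements": {"_return": True}},
    {"eventTime": "2019-08-07T16:40:03Z", "eventName": "DeleteSecurityGroup",
     "requestParameters": {"groupId": SG_ID},
     "responseElements": {"_return": True}},
]

LIFECYCLE = {"CreateSecurityGroup", "DeleteSecurityGroup"}


def load_records(log_file_text: str) -> List[Dict]:
    """A CloudTrail log file (after gunzip) is a JSON object with a Records list."""
    return json.loads(log_file_text).get("Records", [])


def lifecycle_events(records: List[Dict], since: str = SINCE) -> List[Dict]:
    """Equivalent of the first query: creations and deletions after `since`, oldest first."""
    hits = [r for r in records
            if r.get("eventName") in LIFECYCLE and r.get("eventTime", "") > since]
    return sorted(hits, key=lambda r: r["eventTime"])


def events_for_group(records: List[Dict], sg_id: str = SG_ID, since: str = SINCE,
                     include_response: bool = True) -> List[Dict]:
    """Equivalent of the second query. include_response=False behaves like
    matching on requestparameters alone and therefore misses the creation event."""
    hits = []
    for r in records:
        if "SecurityGroup" not in r.get("eventName", "") or r.get("eventTime", "") <= since:
            continue
        # Serialize the nested parameters so a substring match mirrors SQL LIKE.
        haystack = json.dumps(r.get("requestParameters", {}))
        if include_response:
            haystack += json.dumps(r.get("responseElements", {}))
        if sg_id in haystack:
            hits.append(r)
    return sorted(hits, key=lambda r: r["eventTime"])


if __name__ == "__main__":
    for r in events_for_group(SAMPLE_RECORDS):
        print(r["eventTime"], r["eventName"])
```

Like the SQL LIKE pattern it mirrors, the substring match also matches any longer ID that starts with the same characters; if that matters in your account, parse the JSON and compare the groupId fields exactly instead.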

AWS Config configuration history

You can use AWS Config to view the configuration history of a security group beyond the 90-day limit of the CloudTrail event history view.

Note: You must have the AWS Config configuration recorder turned on. For more information, see Managing the Configuration Recorder.

  1. Open the CloudTrail Console.
  2. Choose Event history.
  3. Select the Filter drop-down menu, and choose Event name.
  4. In the Enter event name field, enter the event name, for example CreateSecurityGroup, and then press Enter.
  5. Expand the event by choosing its Event time.
  6. In Resources Referenced, choose the clock icon to open the resource's configuration timeline in AWS Config.

For more information, see Viewing Resources Referenced with AWS Config.  
