Wednesday, February 8, 2023

New – AWS CloudTrail Lake Supports Ingesting Activity Events From Non-AWS Sources



In November 2013, we introduced AWS CloudTrail to track user activity and API usage. AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API calls across AWS services as events. CloudTrail events help you answer the questions of “who did what, where, and when?”.

Recently we have improved the ability for you to simplify your auditing and security analysis by using AWS CloudTrail Lake. CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit, security, and operational purposes. You can aggregate and immutably store your activity events, and run SQL-based queries for search and analysis.

We have heard your feedback that aggregating activity logs from various applications across hybrid environments is complex and costly, but essential for a comprehensive picture of your organization’s security and compliance posture.

Today we are announcing support for ingesting activity events from non-AWS sources using CloudTrail Lake, making it a single location of immutable user and API activity events for auditing and security investigations. Now you can consolidate, immutably store, search, and analyze activity events from AWS and non-AWS sources, such as in-house or SaaS applications, in one place.

Using the new PutAuditEvents API in CloudTrail Lake, you can centralize user activity data from disparate sources into CloudTrail Lake, enabling you to analyze, troubleshoot, and diagnose issues using this data. CloudTrail Lake records all events in a standardized schema, making it easier for users to consume this information to comprehensively and quickly respond to security incidents or audit requests.

CloudTrail Lake is also integrated with select AWS Partners, such as Cloud Storage Security, Clumio, CrowdStrike, CyberArk, GitHub, Kong Inc, LaunchDarkly, MontyCloud, Netskope, Nordcloud, Okta, One Identity, Shoreline.io, Snyk, and Wiz, allowing you to easily enable audit logging through the CloudTrail console.

Getting Started to Integrate External Sources
You can start to ingest activity events from your own data sources or partner applications by choosing Integrations under the Lake menu in the AWS CloudTrail console.

To create a new integration, choose Add integration and enter your channel name. You can choose the partner application source from which you want to get events. If you’re integrating with events from your own applications hosted on-premises or in the cloud, choose My custom integration.

For Event delivery location, you can choose destinations for your events from this integration. This allows your application or partners to deliver events to your event data store in CloudTrail Lake. An event data store can retain your activity events for one week to up to seven years. Then you can run queries on the event data store.

Choose either Use existing event data stores or Create new event data store to receive events from integrations. To learn more about event data stores, see Create an event data store in the AWS documentation.

You can also set up the permissions policy for the channel resource created with this integration. The information required for the policy depends on the integration type of each partner application.

There are two types of integrations: direct and solution. With direct integrations, the partner calls the PutAuditEvents API to deliver events to the event data store for your AWS account. In this case, you need to provide the External ID, the unique account identifier provided by the partner. You can see a link to the partner website for the step-by-step guide. With solution integrations, the application runs in your AWS account and the application calls the PutAuditEvents API to deliver events to the event data store for your AWS account.

To find the Integration type for your partner, choose the Available sources tab from the integrations page.

After creating an integration, you will need to provide this Channel ARN to the source or partner application. Until these steps are completed, the status will remain as incomplete. Once CloudTrail Lake starts receiving events for the integrated partner or application, the status field will be updated to reflect the current state.

To ingest your application’s activity events into your integration, call the PutAuditEvents API to add the payload of events. Make sure that there is no sensitive or personally identifying information in the event payload before ingesting it into CloudTrail Lake.

You can make a JSON array of event objects, which includes a required user-generated ID for the event, the required payload of the event as the value of EventData, and an optional checksum to help validate the integrity of the event after ingestion into CloudTrail Lake.

{
  "AuditEvents": [
    {
      "Id": "event_ID",
      "EventData": "{event_payload}",
      "EventDataChecksum": "optional_checksum"
    },
    ...
  ]
}

The following example shows how to use the put-audit-events AWS CLI command.

$ aws cloudtrail-data put-audit-events \
    --channel-arn $ChannelArn \
    --external-id $UniqueExternalIDFromPartner \
    --audit-events '[
      {
        "Id": "87f22433-0f1f-4a85-9664-d50a3545baef",
        "EventData": "{\"eventVersion\":\"0.01\",\"eventSource\":\"MyCustomLog2\", ...}"
      },
      {
        "Id": "7e5966e7-a999-486d-b241-b33a1671aa74",
        "EventData": "{\"eventVersion\":\"0.02\",\"eventSource\":\"MyCustomLog1\", ...}",
        "EventDataChecksum": "848df986e7dd61f3eadb3ae278e61272xxxx"
      }
    ]'
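The following is an added example, not code from the original post or from AWS: it shapes records from a hypothetical in-house application into the AuditEvents array described above, strips an assumed denylist of sensitive keys before serialization, and computes the optional checksum as base64-encoded SHA-256 over the EventData string (an assumption about the checksum format) so a sender can verify a batch before and after ingestion.

```python
import base64
import hashlib
import json
import uuid

# Constructed sample records from a hypothetical in-house application (not real data).
SAMPLE_RECORDS = [
    {"eventVersion": "1.0", "eventSource": "MyCustomLog1", "eventName": "UserLogin",
     "eventTime": "2023-01-31T10:15:00Z", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"principalId": "alice", "email": "alice@example.com"},
     "password": "must-not-be-logged"},
    {"eventVersion": "1.0", "eventSource": "MyCustomLog1", "eventName": "ExportReport",
     "eventTime": "2023-01-31T10:20:00Z", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"principalId": "bob"}},
]

# Assumed denylist: keys that must never leave the application inside an audit event.
SENSITIVE_KEYS = {"password", "email", "ssn", "authorization"}


def redact(obj):
    """Recursively drop denylisted keys so no secrets or PII reach CloudTrail Lake."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items() if k.lower() not in SENSITIVE_KEYS}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def checksum(event_data):
    """Base64-encoded SHA-256 of the EventData string (assumed EventDataChecksum format)."""
    return base64.b64encode(hashlib.sha256(event_data.encode("utf-8")).digest()).decode()


def build_audit_events(records):
    """Shape application records into the AuditEvents array described above."""
    events = []
    for rec in records:
        # EventData is the event serialized as a JSON string, not a nested JSON object.
        event_data = json.dumps(redact(rec), separators=(",", ":"), sort_keys=True)
        events.append({"Id": str(uuid.uuid4()), "EventData": event_data,
                       "EventDataChecksum": checksum(event_data)})
    return events


def verify_batch(events):
    """Recompute each checksum over EventData; return the Ids whose payload does not match."""
    return [e["Id"] for e in events if checksum(e["EventData"]) != e["EventDataChecksum"]]
```

The list returned by build_audit_events is what you pass as the audit events of the PutAuditEvents request, together with the channel ARN and external ID from your integration; check the key casing against the SDK's AuditEvent shape before sending.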

On the Editor tab in CloudTrail Lake, write your own queries against a newly integrated event data store to check the delivered events.

You can write your own integration query, such as getting all principals across AWS and external sources that have made API calls after a particular date:

SELECT userIdentity.principalId FROM $AWS_EVENT_DATA_STORE_ID
WHERE eventTime > '2022-09-24 00:00:00'
UNION ALL
SELECT eventData.userIdentity.principalId FROM $PARTNER_EVENT_DATA_STORE_ID
WHERE eventData.eventTime > '2022-09-24 00:00:00'

To learn more, see CloudTrail Lake event schema and sample queries to help you get started.

Launch Partners
You can see the list of our launch partners that support a CloudTrail Lake integration option in the Available sources tab. Here are blog posts and announcements from our partners who collaborated on this launch (some will be added in the next few days).

Now Available
AWS CloudTrail Lake now supports ingesting activity events from external sources in all AWS Regions where CloudTrail Lake is available today. To learn more, see the AWS documentation and each partner’s getting started guides.

If you are interested in becoming an AWS CloudTrail Partner, you can contact your usual partner contacts.

Channy
