Skip to main content

AWS Access Control Alerts with CloudWatch and CloudTrail

Hands-On Lab

 

Photo of

Training Architect

Length

00:30:00

Difficulty

Intermediate

In this hands-on lab, we will create and configure a CloudTrail trail and a CloudWatch Logs log stream in order to set up monitoring and access alerts for an S3 bucket. Specifically, we'll create the trail for monitoring access to the S3 bucket, the CloudWatch Logs log stream to allow searching and filtering of the logs, and then a CloudWatch metric filter and alarm on that metric filter to generate an alert whenever there is any access to an S3 bucket. This will demonstrate how to build effective monitoring and alerting with specific AWS API calls.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

AWS Access Control Alerts with CloudWatch and CloudTrail

Introduction

In this hands-on lab, we will create and configure a CloudTrail trail and a CloudWatch Logs log stream in order to set up monitoring and access alerts for an S3 bucket. Specifically, we'll create the trail for monitoring access to the S3 bucket, the CloudWatch Logs log stream to allow searching and filtering of the logs, and then a CloudWatch metric filter and alarm on that metric filter to generate an alert whenever there is any access to an S3 bucket.

Log in to the AWS Management Console with the credentials provided on the lab instructions page. Make sure you are using the us-east-1 (N. Virginia) region.

Create an S3 Bucket and CloudTrail Trail

Create an S3 Bucket

  1. In the AWS Management Console, navigate to the S3 service.
  2. Click + Create bucket.
  3. Name the bucket whatever you like (e.g., "top-secret-bucket-12345").
  4. Click Next three times.
  5. Click Create bucket.
  6. Click the name of the bucket to open it.
  7. Click Upload.
  8. Click Add files.
  9. Upload a file of your choosing to the bucket (e.g., a sample text file).
  10. Click Next three times, then click Upload.

Create a CloudTrail Trail

  1. In the AWS Management Console, navigate to the CloudTrail service.
  2. Click Create trail.
  3. On the Create Trail page, configure the following settings:
    • Name: top-secret-bucket-trail
    • Apply trail to all regions: Yes
    • Management events: None
  4. Under the Data events header, click + Add S3 bucket, and configure the following settings:
    • Bucket name: (Select your bucket name from the dropdown — e.g., "top-secret-bucket-12345")
  5. Under the Storage location header, configure the following settings:
    • Create a new S3 bucket: Yes
    • S3 bucket: (Name the bucket whatever you like — e.g., "top-secret-log-bucket-trail-12345")
  6. Click Create.
  7. Go back to the S3 Management Console and click Upload.
  8. Click Add files.
  9. Rename the test file you uploaded before, then upload it.
  10. Click Next three times, then Upload.

Create and Configure a CloudWatch Log Group and CloudWatch Alarm with Your CloudTrail Trail

Create a CloudWatch Log Group

  1. Go back to the CloudTrail Management Console.
  2. Click Trails in the left sidebar.
  3. Click top-secret-bucket-trail to open it.
  4. Scroll down to the CloudWatch Logs header, and click Configure.
  5. Leave the New or existing log group field set to its default setting, and click Continue.
  6. In the IAM Management Console, click View Details and configure the following settings:
    • IAM Role: CloudTrailCloudWatchRole
    • Policy Name: root
  7. Click Allow.
  8. Go back to the CloudWatch Management Console.
  9. Click CloudTrailDefaultLogGroup to open it.
  10. Click the name of the log stream to open it.
  11. Go back to the S3 Management Console and click Upload.
  12. Click Add files.
  13. Rename the test file you uploaded before, then upload it.
  14. Click Next three times, then Upload.
  15. Select one of the uploaded documents by checking the box on the left.
  16. Click More > Download.
  17. Go back to the CloudWatch Management Console.
  18. Wait a few minutes and refresh the page until logged events appear.

Set Up a CloudWatch Alarm

  1. In the CloudWatch Management Console, click Logs in the left sidebar.
  2. Select CloudTrail/DefaultLogGroup and click Create Metric Filter.
  3. Under Filter Pattern, enter the following:
    { ($.eventSource = s3.amazonaws.com) && (($.eventName = PutObject) || ($.eventName = GetObject)) }
  4. Click Test Pattern, then Show test results.
  5. Click Assign Metric.
  6. Under Metric Details, configure the following settings:
    • Metric Namespace: LogMetrics
    • Metric Name: Access Metric
    • Metric Value: 1
    • Default Value: optional
  7. Click Create Filter.
  8. Click Create Alarm.
  9. On the Define Alarm page, configure the following settings:
    • Name: AccessS3Secrets
    • Description: AccessS3Secrets
    • Whenever AccessMetric is: >= 0
    • for: 1 out of 1 datapoints
    • Treat missing data as: missing
  10. Under the Actions heading, click + Notification and configure the following settings:
    • Whenever this alarm: State is ALARM
    • Send notification to:
      • Click New list.
        • Enter a topic name: SecretsAlerts
        • Email list: (Type your email)
  11. Click Create Alarm.
  12. Open your email client and check for an email from AWS Notifications.
  13. Open the email, and click Confirm subscription.
  14. Go back to the AWS Console.
  15. Click View Alarm.
  16. Click Alarms in the left sidebar.
  17. Go back to the S3 Management Console.
  18. Select one of the files in the S3 bucket, and click Download.
  19. Repeat these steps for the other two files in the S3 bucket.
  20. Upload an additional test file following the same steps we took earlier.
  21. Go back to the CloudWatch Management Console.
  22. Wait a few minutes and refresh the page until the alarm state changes from INSUFFICIENT_DATA to ALARM.
  23. Go back to your email client and check for an email from AWS Notifications.

Conclusion

Congratulations, you've successfully completed this hands-on lab!