
Troubleshooting CloudTrail and S3 Logging Issues in AWS

Hands-On Lab


Length: 00:30:00

Difficulty: Intermediate

Welcome to this hands-on AWS lab on troubleshooting logging with CloudTrail and S3! In this lab, you'll get hands-on experience solving a real-world scenario in which CloudTrail is not properly logging to CloudWatch Logs. The resources for this lab are available on GitHub.



Introduction

In this lab, we'll solve a real-world scenario in which CloudTrail is not properly logging to CloudWatch Logs. We will configure CloudTrail to capture object uploads into two S3 buckets and log the events to CloudWatch Logs.

Log in to the AWS Management Console using the credentials provided on the lab instructions page.

Enable CloudTrail Logging

  1. From the AWS Management Console, navigate to the CloudTrail service.
  2. Click Trails in the left sidebar.
  3. Click the name of the trail to open it.
  4. At the top right of the configuration page, toggle the Logging switch to On.

Configure CloudWatch Logs

  1. Scroll down to CloudWatch Logs, and click Configure.
  2. Click Continue.
  3. Click the arrow next to View Details to expand the details menu.
  4. In the Role Summary menu, click into the IAM Role field and select the pre-configured role from the dropdown.
  5. Click Allow.

Enable Object Logging for Both Buckets

Enable Object Logging for the Images Bucket

  1. Scroll down to Data events, and observe that the Images bucket is configured for object-level logging.
  2. Open the S3 service in a new browser tab.
  3. Click the Images bucket to open it, then click the Properties tab.
  4. Confirm that object-level logging is enabled.
  5. Click the Overview tab.
  6. Click Upload.
  7. Click Add files, and choose a file.
  8. Click Next three times, then Upload.
  9. Navigate to the CloudWatch service, and click Logs in the left sidebar.
  10. Under Log Groups, click the name of the log group to open it.
  11. Click Search Log Group.
  12. Wait about a minute for the events to appear.
  13. In the Filter events text box at the top of the page, enter the following:
    {$.eventName = "PutObject"}
  14. Wait a few moments for the events to appear.

Enable Object Logging for the Documents Bucket

  1. Go back to the S3 Management Console.
  2. Click the name of the Documents bucket to open it.
  3. In the Overview tab, click Upload.
  4. Click Add files.
  5. Choose a file to upload.
  6. Click Next three times, then Upload.
  7. Go back to the CloudWatch Management Console, and observe that no PutObject event is logged.
  8. Go back to the S3 Management Console, and click the Properties tab.
  9. Click the Object-level logging box.
  10. Note that this is one way to enable object-level logging.
  11. Go back to the CloudTrail Management Console.
  12. Click Trails in the left sidebar.
  13. Click the name of our trail to open it.
  14. Under Data events, notice that only the Images bucket has been set up for object-level logging.
  15. Click the pencil icon on the right side of the Data events header.
  16. Click + Add S3 bucket.
  17. Click into the Bucket name field, and select the Documents bucket from the dropdown.
  18. Click Save.
  19. Go back to the S3 Management Console.
  20. Click the Overview tab, then Upload.
  21. Click Add files.
  22. Choose a file to upload.
  23. Click Next three times, then Upload.
  24. Click the Properties tab, and observe that object-level logging is now enabled.
  25. Go back to the CloudWatch Management Console, and click Logs in the left sidebar.
  26. Click the name of the log group to open it.
  27. Click Search Log Group.
  28. In the Filter events field, enter the following:
    {$.eventName = "PutObject"}
  29. Wait a few moments for the events to appear.
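
The root cause found in the steps above (the trail's Data events listed only the Images bucket) can also be checked from the trail's event selectors without uploading test files. The following is an added example, not part of the original lab: it assumes basic event selectors in the shape returned by `aws cloudtrail get-event-selectors`, and the bucket names, trail ARN and helper names are placeholders.

```python
import json

# Constructed sample shaped like `aws cloudtrail get-event-selectors` output
# (basic event selectors). Trail ARN and bucket names are placeholders.
SAMPLE = json.loads("""
{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {"Type": "AWS::S3::Object",
         "Values": ["arn:aws:s3:::example-images-bucket/"]}
      ]
    }
  ]
}
""")

WRITE_CAPABLE = {"All", "WriteOnly"}  # PutObject is a write data event


def put_object_is_logged(selectors, bucket, key):
    """True if a PutObject on s3://bucket/key matches a basic event selector."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    for sel in selectors.get("EventSelectors", []):
        # A ReadOnly selector never records uploads, even for a listed bucket.
        if sel.get("ReadWriteType", "All") not in WRITE_CAPABLE:
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            # Values are treated as ARN prefixes: "arn:aws:s3" covers every
            # bucket, "arn:aws:s3:::bucket/" one bucket, ".../dir/" a key prefix.
            if any(object_arn.startswith(v) for v in res.get("Values", [])):
                return True
    return False


def uncovered(selectors, uploads):
    """Return the (bucket, key) uploads that no data-event selector covers."""
    return [(b, k) for b, k in uploads if not put_object_is_logged(selectors, b, k)]


if __name__ == "__main__":
    uploads = [("example-images-bucket", "cat.png"),
               ("example-documents-bucket", "report.pdf")]
    for b, k in uncovered(SAMPLE, uploads):
        print(f"no data-event selector covers PutObject on s3://{b}/{k}")
```

Run against the sample, it reports the Documents upload as uncovered, which matches the missing PutObject event in CloudWatch Logs before the bucket is added to the trail.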

Conclusion

Congratulations, you've successfully completed this hands-on lab!