[AWS][Security] Monitoring failed console logins

AWS CloudTrail is a service that supports governance, compliance checking, operational auditing and risk auditing of your AWS account. You can create a CloudTrail trail that delivers logs to an S3 bucket and to CloudWatch Logs, and then use CloudWatch Logs metric filters to create alarms for specific operations on the AWS platform: for example, raise an alarm when someone in the account launches a 4xlarge or 8xlarge instance, or when someone modifies security group rules, and so on. In this example, we will raise an alarm when there are 3 failed logins to the AWS Console within 5 minutes, so that you can learn more about the CloudTrail and CloudWatch Logs services.

Steps:

In the AWS console, find CloudTrail under Services, then click "Trails", fill in a trail name such as trackAPI, and select "Yes" for "Apply trail to all regions". For the storage location, choose to create a new S3 bucket and enter a new bucket name such as aws-cloudtrail-logs-xiang (if that bucket name is already taken, change it to another one). The log file prefix can be left empty, or you can enter a prefix such as CloudTrail. After filling this in, click "Create" in the lower right corner.

Then, on the "Trails" page of CloudTrail, click the name of the trail you just created, and on the next screen, in the "CloudWatch Logs" section, click "Configure".

On the next screen you will be prompted to create an IAM role; just click "Allow".

Then click "Services" in the upper left corner to switch to the CloudWatch console, click "Logs" on the left, and you will see that a log group has been created automatically. Select the CloudTrail log group and click "Create Metric Filter".

On the next screen, enter the following filter pattern and then click "Assign Metric":
{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

On the next screen, the filter name, metric namespace and metric name can all be customized. In this demonstration the filter name is ConsoleLoginFailed, the metric namespace is ConsoleLogin, the metric name is ConsoleLoginFailedCount, and the metric value is 1. Then click "Create Filter".

After completing the steps above, click "Create Alarm" on that screen.

In the alarm details, enter "ConsoleLoginAlarm" as the name and set it to trigger when the value is >= 3. Under "Actions" in "Additional Settings", set the notification to: Whenever this alarm: "State is ALARM"; for "Send notification to" select "New list", enter "AlarmNotifyMe" as the list name in the text box, and enter your email address in the email list. Then click "Create Alarm".

On the next screen there will be a prompt asking you to confirm the email address:

Check your mailbox; you will receive the following email. Click "Confirm subscription" to confirm.

After that, on the left side of the CloudWatch Alarms screen you will see the new alarm in the "Insufficient data" state. This is because there is currently no login failure event, so there is no data for this metric in CloudWatch, and the alarm shows "Insufficient data".

Now log in to the AWS Console again using a wrong username and password, failing to log in 4-5 times in a row. Wait 5-10 minutes and then check your email. You should receive an alarm email:

Summary:

In the experiment above, we delivered CloudTrail logs to CloudWatch Logs, used a CloudWatch Logs metric filter to pick out the log events of the specified type, and created an alarm based on the count of matching events. When the alarm threshold is reached, the alarm publishes a notification to an SNS topic, and SNS sends the email notification.
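To make the pipeline concrete, here is an added example (not code from the original post or from AWS) that re-implements the metric filter pattern and the alarm evaluation in Python and runs them over a handful of constructed CloudTrail records. The sample events, user names and timestamps are made up; the filter fields, threshold (>= 3) and period (5 minutes) are the ones used in the walkthrough. Real CloudWatch evaluates the alarm on fixed metric periods rather than a sliding window, which is why the example buckets events by 5-minute period.

```python
import json
from datetime import datetime, timedelta, timezone

# Fields the walkthrough's metric filter pattern checks:
#   { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
FILTER_EVENT_NAME = "ConsoleLogin"
FILTER_ERROR_MESSAGE = "Failed authentication"

# Alarm settings from the walkthrough: >= 3 matching events within a 5-minute period.
ALARM_THRESHOLD = 3
ALARM_PERIOD = timedelta(minutes=5)

# Constructed sample CloudTrail records (not real log data). Field names follow the
# CloudTrail record format; user names and times are placeholders for this example.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-01T10:00:05Z", "eventName": "ConsoleLogin",
                "errorMessage": "Failed authentication",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventTime": "2024-01-01T10:00:40Z", "eventName": "ConsoleLogin",
                "errorMessage": "Failed authentication",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    # A successful login: same eventName, but no errorMessage, so it must not match.
    json.dumps({"eventTime": "2024-01-01T10:01:10Z", "eventName": "ConsoleLogin",
                "responseElements": {"ConsoleLogin": "Success"},
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    # A different API call that failed: must not match because eventName differs.
    json.dumps({"eventTime": "2024-01-01T10:02:00Z", "eventName": "DescribeInstances",
                "errorCode": "Client.UnauthorizedOperation",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    json.dumps({"eventTime": "2024-01-01T10:03:30Z", "eventName": "ConsoleLogin",
                "errorMessage": "Failed authentication",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    # A lone failure in a later period: should not reach the threshold on its own.
    json.dumps({"eventTime": "2024-01-01T10:20:00Z", "eventName": "ConsoleLogin",
                "errorMessage": "Failed authentication",
                "userIdentity": {"type": "IAMUser", "userName": "carol"}}),
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_log_lines(lines):
    """Each CloudWatch Logs event from a CloudTrail trail is one JSON record per line."""
    return [json.loads(line) for line in lines]


def matches_filter(event):
    """Python equivalent of the walkthrough's filter pattern: both conditions must hold."""
    return (event.get("eventName") == FILTER_EVENT_NAME
            and event.get("errorMessage") == FILTER_ERROR_MESSAGE)


def metric_datapoints(events, period=ALARM_PERIOD):
    """Emit metric value 1 per matching event and sum per fixed period bucket.

    Returns a dict {period_start (aware datetime): ConsoleLoginFailedCount}, which is how
    the metric looks when CloudWatch aggregates it with the Sum statistic.
    """
    buckets = {}
    for event in events:
        if not matches_filter(event):
            continue
        ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        bucket_start = ts - ((ts - EPOCH) % period)  # align to the period boundary
        buckets[bucket_start] = buckets.get(bucket_start, 0) + 1
    return buckets


def alarm_state(buckets, threshold=ALARM_THRESHOLD):
    """Mirror the three CloudWatch alarm states for the walkthrough's alarm.

    No datapoints at all -> INSUFFICIENT_DATA (what the post sees right after creation);
    any period with Sum >= threshold -> ALARM; otherwise OK.
    """
    if not buckets:
        return "INSUFFICIENT_DATA"
    return "ALARM" if max(buckets.values()) >= threshold else "OK"


if __name__ == "__main__":
    events = parse_log_lines(SAMPLE_LOG_LINES)
    datapoints = metric_datapoints(events)
    for start, count in sorted(datapoints.items()):
        print(f"{start.isoformat()}  ConsoleLoginFailedCount={count}")
    print("alarm state:", alarm_state(datapoints))
```

Running the script shows the three failures between 10:00 and 10:05 landing in one period with a count of 3, the later single failure in its own period with a count of 1, and the resulting state ALARM; with no matching events the state is INSUFFICIENT_DATA, exactly what the console showed before the test logins. If you want to create the same filter and alarm programmatically instead of through the console, the boto3 calls `logs.put_metric_filter` and `cloudwatch.put_metric_alarm` take the same filter pattern, namespace, metric name and threshold used above.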

Detailed video tutorial: https://edu.51cto.com/course/21740.html


Origin blog.csdn.net/u010478127/article/details/106853253