Week 8 - Day 2: CloudTrail and AWS Config
Learning objectives
- Distinguish CloudTrail vs Config vs CloudWatch
- Understand CloudTrail event types and trails
- Know AWS Config rules and remediation
1. AWS CloudTrail
Definition
CloudTrail = audit log of API calls in an AWS account.
Characteristics
- Enabled by default in every AWS account
- 90 days of history in the console (Event History)
- Create a Trail to retain events longer (delivered to S3, CloudWatch Logs)
- Global service, but a trail can be regional or multi-region
Event types
| Type | Description |
|---|---|
| Management Events (default) | API calls on resources (CreateBucket, RunInstances, ...) |
| Data Events (paid) | API calls on data inside a resource (S3 GetObject, Lambda Invoke) |
| Insights Events | Unusual activity (ML detection) |
Use cases
- Security audit (who did what, when)
- Compliance (SOC, PCI require an audit trail)
- Troubleshooting (what changed before an incident)
- Forensic investigation
Trail Setup
- S3 bucket destination (encrypted recommended)
- Optional: send to CloudWatch Logs (for alarms on specific events)
- Optional: integrate with Amazon EventBridge (real-time response)
- Optional: integrate with Lake Formation for analysis
Multi-account / Organization Trail
- Single trail captures events from all accounts in Organization
- Storage in management account or dedicated logging account
- Use case: centralized audit log
2. CloudTrail Lake
Definition
CloudTrail Lake = managed data lake for CloudTrail events, queried via SQL.
Characteristics
- Up to 7-year retention
- SQL queries on event data
- No need to configure S3 + Athena yourself
Use case
- Long-term audit retention
- Compliance investigation
- Ad-hoc audit queries
3. CloudTrail vs CloudWatch Logs
| | CloudTrail | CloudWatch Logs |
|---|---|---|
| Tracks | API calls (who did what) | Application logs |
| Sources | AWS API endpoints | Apps, services |
| Format | JSON CloudTrail events | Free-form text/JSON |
| Use case | Audit, compliance | Debug, monitor |
Best practice: send CloudTrail events to CloudWatch Logs to alarm on critical events.
4. AWS Config
Definition
AWS Config = continuous configuration tracking and compliance evaluation.
Characteristics
- Records configuration changes of resources over time
- Configuration Items (CI): snapshot of resource state at point in time
- Configuration Timeline: visualize changes
- Configuration History: stored in S3
- Regional (enable per region)
What's tracked
- Configuration changes (EC2 SG modified, S3 bucket policy changed)
- Compliance status (resource meets rules?)
- Relationships (EC2 → EBS, EC2 → SG)
Config Rules
AWS Managed Rules
- 200+ pre-built rules
- Examples: s3-bucket-public-read-prohibited, iam-password-policy, encrypted-volumes, ec2-instances-in-vpc, rds-storage-encrypted
Custom Rules
- Lambda function evaluates resource
- Pass/fail logic
Compliance Status
- COMPLIANT: meets rule
- NON_COMPLIANT: violates rule
- Dashboard shows organization-wide compliance %
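An added example (not from the original notes) of the custom-rule pass/fail logic described above: a Lambda-style evaluator that mirrors the managed rule encrypted-volumes on the configuration item AWS Config hands to a custom rule, returning COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE (deleted resources and other resource types). The field names follow the AWS::EC2::Volume configuration item; the call back to AWS Config (put_evaluations) is left out so the code runs offline, and the sample events are constructed.

```python
import json

APPLICABLE_TYPE = "AWS::EC2::Volume"
DELETED_STATUSES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate_compliance(ci):
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item."""
    # A deleted resource has no state left to judge; NOT_APPLICABLE clears the
    # old evaluation instead of leaving it stuck at NON_COMPLIANT.
    if ci.get("configurationItemStatus") in DELETED_STATUSES:
        return "NOT_APPLICABLE"
    # The rule only covers EBS volumes; any other resource type is skipped.
    if ci.get("resourceType") != APPLICABLE_TYPE:
        return "NOT_APPLICABLE"
    configuration = ci.get("configuration") or {}
    # Pass/fail logic: an unencrypted volume violates the rule.
    return "COMPLIANT" if configuration.get("encrypted") is True else "NON_COMPLIANT"


def lambda_handler(event, context=None):
    """Entry point AWS Config invokes; returns the Evaluation it would be sent.

    A deployed rule posts this dict via boto3 config.put_evaluations(...,
    ResultToken=event["resultToken"]); that network call is omitted here.
    """
    invoking_event = json.loads(event["invokingEvent"])  # Config passes a JSON string
    ci = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(ci),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def make_event(resource_id, encrypted, status="OK", resource_type=APPLICABLE_TYPE):
    """Build a constructed Config invocation event (sample data, not a real account)."""
    ci = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"encrypted": encrypted, "size": 8},
    }
    return {"invokingEvent": json.dumps({"configurationItem": ci}),
            "resultToken": "constructed-token"}
```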
5. AWS Config Remediation
Manual remediation
- Engineer fixes non-compliant resource
Auto-remediation
- Trigger SSM Automation document on non-compliance
- Example: S3 bucket public → auto-disable public access
Use case
- Drift detection (resource changed outside IaC)
- Continuous compliance (auto-fix violations)
6. Config vs CloudTrail
| | CloudTrail | Config |
|---|---|---|
| What | API calls history | Resource configuration history |
| Question | "Who did X?" | "What is X's current state? How has it changed?" |
| Compliance | Detect actions | Detect state |
| Format | Events (chronological) | Configuration Items per resource |
Combined
- CloudTrail: "Bob disabled MFA at 3 PM"
- Config: "MFA was enabled, now disabled, configuration drift detected"
7. Multi-Account Config
Aggregator
- Aggregate compliance data from multiple accounts + regions
- View in 1 dashboard
- Setup via Organizations (auto-include new accounts)
8. Config Pricing
- $0.003 per configuration item recorded
- $0.001 per evaluation (rule check)
- Can be expensive in large org → use exclusion (don't record certain resources)
9. Common Patterns
Pattern 1: Track changes
- CloudTrail + Config
- Detect "who made change" + "what changed"
Pattern 2: Auto-remediate
Config rule "s3-bucket-public-read-prohibited" NON_COMPLIANT
→ SSM Automation
→ Block public access on bucket
→ Resource COMPLIANT
Pattern 3: Alert on critical IAM events
CloudTrail event "DeleteUser" or "CreateAccessKey"
→ CloudWatch Logs filter
→ Alarm → SNS to security team
Pattern 4: Compliance reporting (PCI, HIPAA)
- AWS Config rules per framework
- Aggregate across accounts
- Audit Manager → automated reports
10. Best Practices
CloudTrail
- Enable multi-region trail (catch all regions)
- Enable in management account of Organization (org-wide)
- Encrypt log files with KMS
- Validate file integrity (signed logs)
- Send to centralized account (security/log archive)
Config
- Enable in all regions
- Enable in all accounts (Organizations)
- Use Aggregator for centralized view
- Auto-remediation for known violations
- Monitor cost (configuration items can grow)
Review questions
- How long does CloudTrail Event History in the console keep events?
Answer: 90 days in the CloudTrail console Event History (free). To keep events longer, create a Trail and deliver the logs to S3, where they can be kept indefinitely with S3 Lifecycle policies. A trail adds management events free of charge for the first copy per region; data events incur extra charges. Best practice: create a trail delivering to S3 + enable CloudTrail Lake for querying.
- Are Data Events in CloudTrail free?
Answer: No. Data Events are charged extra (~$0.10/100K events). Management Events (control plane: CreateBucket, RunInstances, IAM changes...) are free for the first trail per region. Data Events are high-volume events such as S3 object-level operations (GetObject, PutObject), DynamoDB item-level operations, and Lambda invocations. Consider cost before enabling data events on high-traffic S3 buckets/DynamoDB tables.
- Which question does CloudTrail answer versus Config?
Answer: CloudTrail answers "Who did what, and when?" (WHO + WHAT + WHEN): API calls, user activity. AWS Config answers "What is the resource's current configuration? Is it compliant?" (WHAT STATE). Config tracks resource configuration changes over time and evaluates compliance rules. CloudTrail = audit log; Config = configuration history and compliance assessment. Both are usually used together.
- Through which service can a Config rule auto-remediate?
Answer: AWS Systems Manager (SSM) Automation: a Config Remediation Action triggers an SSM Automation document to fix non-compliant resources automatically. Example: a rule detects a public S3 bucket → the remediation action runs an SSM automation that turns off public access. A custom Lambda function can also be used. Remediation can be manual (click a button) or automatic (triggered as soon as the resource is non-compliant).
- In which account is the centralized audit log for an Organization set up?
Answer: A dedicated Security/Audit account (best practice following the AWS Organizations pattern). Create an Organization Trail from the management account → logs from all member accounts are written to an S3 bucket in the audit account. Member accounts cannot disable the trail (when an Organization Trail is used). The audit account is reserved for security/compliance: no workloads are deployed there, and developers get minimal permissions.
Hands-on exercises
- Create a multi-region Trail delivering to S3 + CloudWatch Logs
- Search Event History for recent "RunInstances" actions
- Enable Config, add the managed rule s3-bucket-public-read-prohibited
- Create a public bucket, observe Config flagging it NON_COMPLIANT
- Set up auto-remediation: trigger an SSM doc when a bucket goes public
- Set up a CloudWatch alarm: CloudTrail event "ConsoleLogin without MFA" → SNS
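An added example (not from the original notes) covering Pattern 3 and the last exercise: the two detection rules run over constructed CloudTrail records in the JSON form CloudWatch Logs receives, so the matching logic can be checked before it is turned into metric filters and an alarm to SNS. The filter pattern strings and the sample records are assumptions built for this example; the field names (eventName, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are the standard CloudTrail ones.

```python
import json

# CloudWatch Logs metric filter patterns that these checks mirror (Pattern 3 and the
# "ConsoleLogin without MFA" exercise); attach them to the trail's log group with an alarm -> SNS.
FILTER_CRITICAL_IAM = '{ ($.eventName = "DeleteUser") || ($.eventName = "CreateAccessKey") }'
FILTER_CONSOLE_NO_MFA = '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
CRITICAL_IAM_EVENTS = {"DeleteUser", "CreateAccessKey"}


def is_critical_iam_event(record):
    """Destructive or credential-creating IAM control-plane calls."""
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") in CRITICAL_IAM_EVENTS)


def is_console_login_without_mfa(record):
    """Successful console sign-in where MFAUsed is anything but "Yes"."""
    if record.get("eventName") != "ConsoleLogin":
        return False
    # Failed logins are a different signal; only alert on successful ones.
    if record.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    return record.get("additionalEventData", {}).get("MFAUsed") != "Yes"


def find_alerts(log_lines):
    """Return (rule, eventName, principal ARN, eventTime) for each matching JSON record."""
    alerts = []
    for line in log_lines:
        record = json.loads(line)
        principal = record.get("userIdentity", {}).get("arn", "<unknown>")
        if is_critical_iam_event(record):
            alerts.append(("critical-iam", record["eventName"], principal, record.get("eventTime")))
        elif is_console_login_without_mfa(record):
            alerts.append(("console-login-no-mfa", "ConsoleLogin", principal, record.get("eventTime")))
    return alerts


# Constructed sample records in the shape of CloudTrail events (not from a real account).
_USER = "arn:aws:iam::111111111111:user/"
SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": {"arn": _USER + "bob"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"arn": _USER + "alice"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"arn": _USER + "carol"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "userIdentity": {"arn": _USER + "bob"}},
]]
```

Running find_alerts(SAMPLE_LOG_LINES) flags bob's CreateAccessKey and alice's non-MFA login, while carol's MFA login and the CreateBucket call pass silently.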
Next: AWS Systems Manager