This lab walks you through the steps to configure CloudTrail so that you can access your log files.
You will practice using AWS CloudTrail, Amazon S3 and Amazon EC2.
Duration: 45 minutes
AWS Region: US East (N. Virginia) us-east-1
Create an AWS CloudTrail trail.
Create an S3 Bucket.
Launch an EC2 Instance and connect to it via browser.
Access log files in S3 created for the events.
Task 1: Launching Lab Environment
Launch the lab environment by clicking on . This will create an AWS environment with the resources required for this lab.
Once your lab environment is created successfully, will be active. Click on , this will open your AWS Console account for this lab in a new tab. If you are asked to log out on the AWS Management Console page, click on the here link and then click on again.
If you have logged into other AWS accounts in the same browser, after clicking on the , you will be redirected to a page asking you to log out from the other AWS account.
Note: If you have completed one lab, make sure to sign out of the AWS account before starting a new lab. If you face any issues, please go through FAQs and Troubleshooting for Labs.
Task 2: Configuring CloudTrail and an S3 Bucket
Make sure to choose the US East (N. Virginia) us-east-1 region in the AWS Management Console dashboard (present in the top right corner).
Navigate and click on CloudTrail, which will be available under the section of .
Under Create Trail, enter these details:
Trail name: Enter My_First_Trail
Storage Location: Create a new S3 Bucket
Trail log bucket and folder: Leave it as default
Log file SSE-KMS encryption: Uncheck
Log file validation: Uncheck
SNS notification delivery: Leave it as default
CloudWatch Logs: Leave it as default
Tags: Click Add Tags
Key: Enter Name
Value: Enter my_logs
Click on Next.
Choose Log Events:
Leave everything as default and click on Next.
Review and click on .
A CloudTrail trail that delivers logs to an S3 bucket has now been created.
Task 3: Checking the S3 Bucket
Navigate to Services. Under Storage, click and open S3 in a new tab.
Under S3 Buckets, you can see the bucket which was created by CloudTrail.
Task 4: Viewing the Logs in the S3 Bucket
AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to a specified S3 bucket. CloudTrail typically delivers log files within 15 minutes of an API call and publishes new log files multiple times an hour, usually about every 5 minutes.
Wait for a few minutes until the first log is created.
Keep refreshing the page and then open the bucket once logs appear.
Click and open the folders inside the bucket.
Bucket Name / AWSLogs / ***(Account No) / CloudTrail / us-east-1 / 2020 / 02 / 01
You can see the logs are being created inside the bucket.
Click on the file and choose Open.
You will see a JSON file. To format the file, we will use a JSON formatter.
Click JSONFormatter and paste the file. Click on Format/Beautify to format the JSON blob.
You will see the Username, EventTime, EventSource, EventName, etc. You can see all the details about the particular event that happened.
Task 5: Launching an EC2 Instance
Navigate to the menu at the top, then click on EC2 in the Compute section.
Switch off the New EC2 experience. Edit the feedback message and select yes for the experience. Click on . This will allow us to use the old console.
Search for and choose the Amazon Linux 2 AMI:
Choose an Instance Type: Select and click on the
Review and Launch: Review all settings and click on .
Key Pair: We do not need a key pair for this Lab. Choose Proceed without a Key and click on .
Launch Status: Your instance is now launching. Click on the instance ID and wait for the instance to finish initializing (until the status changes to running).
Note the creation time of your instance.
Task 6: Checking Log files created by the EC2 Instance
Navigate back to S3 and go to Logs (as mentioned above).
Wait for 5-10 minutes if the log has not been created yet.
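The log check in Tasks 4 and 6 can also be done offline on a downloaded log file. The Python below is an added example, not part of the original lab: it reads a CloudTrail log object (gzip-compressed or plain JSON) and lists the RunInstances events recorded at or after the instance creation time noted in Task 5. The sample records, the user name lab-user, the IP address and the helper function names are constructed for illustration.

```python
import gzip
import json
from datetime import datetime, timezone

# Constructed sample in the shape CloudTrail writes: a top-level "Records" array.
# The user name and IP address are placeholders, not values from the lab.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2020-02-01T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "lab-user"}},
    {"eventTime": "2020-02-01T10:14:37Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "lab-user"}},
]}

def load_records(blob):
    """Return the Records list from a log object, gzip-compressed or already plain JSON."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        blob = gzip.decompress(blob)
    return json.loads(blob).get("Records", [])

def actor(record):
    """Best-effort caller name: IAM users carry userName, other identity types an ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def parse_time(value):
    """Parse a CloudTrail eventTime (UTC, e.g. 2020-02-01T10:14:37Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_events(records, source, name, not_before=None):
    """Return (time, user, source, name, ip) rows for matching events, oldest first."""
    rows = []
    for r in records:
        if r.get("eventSource") != source or r.get("eventName") != name:
            continue
        when = parse_time(r["eventTime"])
        if not_before and when < not_before:
            continue  # event predates the instance creation time
        rows.append((when.isoformat(), actor(r), source, name, r.get("sourceIPAddress")))
    return sorted(rows, key=lambda row: row[0])

if __name__ == "__main__":
    blob = gzip.compress(json.dumps(SAMPLE_LOG).encode())  # stands in for a downloaded log file
    launched = datetime(2020, 2, 1, 10, 14, tzinfo=timezone.utc)  # time noted in Task 5
    for row in find_events(load_records(blob), "ec2.amazonaws.com", "RunInstances", launched):
        print(*row, sep="  ")
```

To use it on a real log, read the file downloaded from the bucket in binary mode and pass its bytes to load_records.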