Configuring CloudTrail Logs for EC2 Events

Lab Details

  1. This lab walks you through the steps to configure CloudTrail to be able to access your log files.
  2. You will practice using AWS CloudTrail, Amazon S3 and Amazon EC2.
  3. Duration: 45 minutes
  4. AWS Region: US East (N. Virginia) us-east-1


  1. Create an AWS CloudTrail. 
  2. Create an S3 Bucket .
  3. Launch an EC2 Instance and connect to it via browser.
  4. Access log files in S3 created for the events.

Architecture Diagram

Lab Steps

Task 1: Launching Lab Environment

  1. Launch lab environment by clicking on . This will create an AWS environment with the resources required for this lab.
  2. Once your lab environment is created successfully,  will be active. Click on , this will open your AWS Console Account for this lab in a new tab. If you are asked to logout in AWS Management Console page, click on the here link and then click on  again.
  3. If you have logged into other aws accounts in the same browser, after clicking on the , you will be redirected to a page asking you to logout from the other aws account. 


Note : If you have completed one lab, make sure to sign out of the AWS account before starting a new lab. If you face any issues, please go through FAQs and Troubleshooting for Labs.

Task 2: Configuring CloudTrail and an S3 Bucket

  1. Make sure to choose the US East (N. Virginia) us-east-1 region in the AWS Management console dashboard (present in the top right corner).
  2. Navigate and click on CloudTrail, which will be available under the   section of .
  3. Click on 
  4. Under Create Trail, enter these details:
  • Trail name    : Enter My_First_Trail
  • Storage Location   :   Create a new S3 Bucket
    • Trail log bucket and folder  :  Leave it as default
  • Log file SSE-KMS encryption  :  Uncheck
  • Additional Settings:
    • Log file validation  :  Uncheck
    • SNS notification delivery  :  Leave it as default
  • CloudWatch Logs  :  Leave it as default
  • Tags: Click Add Tags
    • Key: Enter Name
    • Value: Enter my_logs
  • Click on Next.
  • Choose Log Events:
    • Leave everything as default and click on Next.
  • Review and click on .
  1. A CloudTrail instance that delivers logs to an S3 bucket has now been created.

Task 3: Checking the S3 Bucket

  1. Navigate to Services. Under Storage, click and open S3 in a new tab.
  2. Under S3 Buckets, you can see the bucket which was created by CloudTrail.

Task 4: Viewing the Logs in the S3 Bucket

  1. AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS account and delivers log files to a specified S3 bucket. CloudTrail typically delivers log files within 15 minutes of an API call and publishes new log files multiple times an hour, usually about every 5 minutes.
  2. Wait for a few minutes until the first log is created. 
  3. Keep refreshing the page and then open the bucket once logs appear.
  4. Click and open the folders inside the bucket.
Bucket Name                                      AWSLogs                         ***(Account No)                                                CloudTrail                                                               Us-east-1                                                                                  2020                                                                                                                                                                               02                                                                                                            01                                                                                              
  1. You can see the logs are being created inside the bucket.
  1. Click on the file and choose Open.
  1. You will see a JSON file. To format the file, we will use a JSON formatter.
  2. Click JSONFormatter and paste the file. Click on Format/Beautify to format the JSON blob..
  1. You will see the Username, EventTime, EventSource, EventName, etc. You can see all the details about the particular event that happened.

Task 5: Launching an EC2 Instance

  1. Navigate to the  menu at the top, then click on EC2 in the Compute section.
  2. Switch off the New EC2 experience. Edit the feedback message and select yes for the experience. Click on . This will allow us to use the old console.
  1. Click on 
  2. Search and Choose Amazon Linux 2 AMI:
  3. Choose an Instance Type: Select  and click on the 
  4. Review and Launch : Review all settings and click on .
  5. Key Pair: We do not need a key pair for this Lab. Choose Proceed without a Key and click on .
  6. Launch Status: Your instance is now launching, Click on the instance ID and wait for complete initialization of instance (until the status changes to running).
  1. Note the creation time of your instance.

Task 6: Checking Log files created by the EC2 Instance

  1. Navigate back to S3 and go to Logs (as mentioned above).
  2. Wait for 5-10 minutes if the log has not been created yet.
  3. Click on the log and format it with JSONFormatter.
  4. You will see the eventName of all the resources created like Securitygroups, VPC, etc. while launching the EC2 Instances.

(Note: Be patient as CloudTrail delivers log files to your S3 bucket approximately every 10-15 minutes. CloudTrail does not deliver log files if no API calls are made on your account.)

Task 7: Connecting to the EC2 Instance

  1. Navigate to EC2.
  2. Select your EC2 Instance and click on Connect.
  1. Select EC2 Instance Connect (browser-based SSH connection) and click on Connect.

  1. Since this is for demo purposes, we can close the window after verifying a connection to the instance.

Task 8: Checking for a log file after connecting to the EC2 Instance 

  1. Navigate back to S3 and go to Logs (as mentioned above).
  2. Click on the log created and open it.
  3. Copy the file to the JSON Formatter and format the JSON blob.
  4. You can see the eventTime, eventSource, eventName, and the rest of the fields in the JSON blob.

Task 9: Validation Test

  1. Once the lab steps are completed, please click on the  button on the right side panel.
  2. This will validate the resources in the AWS account and displays whether you have completed this lab successfully or not.
  3. Sample output : 

Completion and Conclusion 

  • You have successfully used the AWS management console to create an AWS CloudTrail.
  • You have successfully created an Amazon S3 Bucket.
  • You have formatted the new Log file and confirmed the events inside the JSON blob.
  • You have launched an EC2 Instance and connected to it via browser.
  • You have tested the log file from the. EC2 creation and the log file from connecting to the instance via SSH.