
7 AWS CloudTrail Best Practices with Console and CLI Examples

In AWS, whether you perform an action from the console, use the AWS CLI, use an AWS SDK, or an AWS service performs an action on your behalf, all of that API activity is recorded in AWS CloudTrail.

This tutorial covers the following 7 essential AWS CloudTrail best practices, with examples of how to apply each one from the console and with AWS CloudTrail CLI commands.

  1. Enable CloudTrail in All Regions
  2. Encrypt CloudTrail Logs using KMS
  3. Set Key Policy for Encrypted CloudTrail Logs
  4. Enable CloudTrail Log File Validation
  5. Send CloudTrail Logs to CloudWatch
  6. For Multi-Account: Send CloudTrail Logs to a Centralized S3 Bucket
  7. For Multi-Account: Enable CloudTrail at the Organization Level

1. Enable CloudTrail in All Regions

When you create a CloudTrail trail, you can choose to create it for a single region or for all regions in your AWS account.

Even if your workloads run in only one region, as a best practice you should still enable CloudTrail in all AWS regions. That way, when activity happens in any region other than your primary working region, you can track it and act on it immediately.

In the console, set the "Apply trail to all regions" option to "Yes" as shown below.

[Cloudtrail Apply to All Region]

From the CLI, when you create the trail, use the --is-multi-region-trail option as shown below:

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail

To manage your S3 buckets, refer to this: 28 Essential AWS S3 CLI Command Examples for Managing Buckets and Objects

The following is the output of the above command. Note that it reports IsMultiRegionTrail as true.

{
    "IncludeGlobalServiceEvents": true,
    "Name": "thegeekstuff",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/thegeekstuff",
    "LogFileValidationEnabled": false,
    "IsMultiRegionTrail": true,
    "S3BucketName": "tgs-logs"
}

2. Encrypt CloudTrail Logs using KMS

By default, delivered CloudTrail log files are encrypted with Amazon S3-managed encryption keys (SSE-S3). SSE stands for server-side encryption.

However, you can change this to encrypt the log files with AWS Key Management Service (SSE-KMS).

From the console, when creating a trail:

  • Encrypt log files with SSE-KMS: set this option to "Yes". When you set it, the next two options appear.
  • Create a new KMS key: set to "Yes" to create a new KMS key. This automatically creates the appropriate KMS key policy that allows CloudTrail access.
  • KMS key: give the alias that should be assigned to the new KMS key that CloudTrail creates.

[Encrypt Cloudtrail Logs]

From the CLI, use --kms-key-id to specify the SSE-KMS key id, as shown below.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id alias/thegeekstuff/key

When specifying kms-key-id, you can use any of the following formats for this option:

  • alias/YourKeyAliasName
  • arn:aws:kms:us-east-2:111111111111:alias/YourKeyAliasName
  • arn:aws:kms:us-east-2:111111111111:key/11111111-2222-1111-2222-111111111111
  • 11111111-2222-1111-2222-111111111111

If you specify an alias for kms-key-id but leave out the "alias/" prefix, you'll get the following error message:

An error occurred (InvalidKmsKeyIdException) when calling the CreateTrail operation: KMS key ID thegeekstuff/key is not a valid format.

Also, if the appropriate S3 bucket policy is not set, you'll get the following error message.

An error occurred (InsufficientEncryptionPolicyException) when calling the CreateTrail operation: Insufficient permissions to access S3 bucket tgs-logs or KMS key arn:aws:kms:us-east-1:111111111111:alias/thegeekstuff/key.

3. Set Key Policy for Encrypted CloudTrail Logs

If you use SSE-KMS to encrypt your CloudTrail logs, make sure your KMS key policy contains the following three SIDs.

KMS key policy SID 1: Allow CloudTrail to encrypt logs

{
  "Sid": "Allow CloudTrail to encrypt logs",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "kms:GenerateDataKey*",
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": [
        "arn:aws:cloudtrail:*:111111111111:trail/*"
      ]
    }
  }
}

KMS key policy SID 2: Enable CloudTrail log decrypt permissions

{
  "Sid": "Enable CloudTrail log decrypt permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111111111111:user/ramesh"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "Null": {
      "kms:EncryptionContext:aws:cloudtrail:arn": "false"
    }
  }
}

Note: In the above, change the user name accordingly. If you prefer to use a role, put the following in the "Principal" section instead of the user:
arn:aws:iam::111111111111:role/MyCloudTrailReadRole

KMS key policy SID 3: Allow CloudTrail to describe the CMK properties

{
  "Sid": "Allow CloudTrail access",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudtrail.amazonaws.com"
  },
  "Action": "kms:DescribeKey",
  "Resource": "*"
}
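A practitioner who manages several keys will want to verify the three statements above mechanically rather than by eye. The following is an added example, not code from the original article: it loads the key policy as a Python dict (the document below is constructed from the article's placeholders, account 111111111111 and user ramesh) and reports which SID is missing or, for SID 2, whether a kms:Decrypt grant lacks the Null condition that limits it to objects carrying a CloudTrail encryption context.

```python
import copy

# Added example (not from the original article): check that a KMS key policy carries the
# three CloudTrail statements described above. Account id, user and the policy document
# are constructed from the article's placeholders.
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
CTX_KEY = "kms:EncryptionContext:aws:cloudtrail:arn"
ACCOUNT_ID = "111111111111"
READER = f"arn:aws:iam::{ACCOUNT_ID}:user/ramesh"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow CloudTrail to encrypt logs",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE},
            "Action": "kms:GenerateDataKey*",
            "Resource": "*",
            "Condition": {"StringLike": {CTX_KEY: [f"arn:aws:cloudtrail:*:{ACCOUNT_ID}:trail/*"]}},
        },
        {
            "Sid": "Enable CloudTrail log decrypt permissions",
            "Effect": "Allow",
            "Principal": {"AWS": READER},
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {"Null": {CTX_KEY: "false"}},
        },
        {
            "Sid": "Allow CloudTrail access",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE},
            "Action": "kms:DescribeKey",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants(stmt, principal_type, principal, action):
    """True if `stmt` is an Allow naming this principal (Service or AWS) and this action."""
    if stmt.get("Effect") != "Allow":
        return False
    principal_block = stmt.get("Principal", {})
    if not isinstance(principal_block, dict):  # "Principal": "*" is never what we want here
        return False
    if principal not in _as_list(principal_block.get(principal_type, [])):
        return False
    return action in _as_list(stmt.get("Action", []))


def check_cloudtrail_key_policy(policy, account_id, readers):
    """Return a list of findings; an empty list means all three SIDs are present and scoped."""
    stmts = policy.get("Statement", [])
    findings = []

    # SID 1: CloudTrail may generate data keys, but the encryption-context condition must
    # pin the grant to trails in this account, not to any trail in any account.
    trail_fragment = f":{account_id}:trail/"
    sid1_ok = any(
        _grants(s, "Service", CLOUDTRAIL_SERVICE, "kms:GenerateDataKey*")
        and any(trail_fragment in arn
                for arn in _as_list(s.get("Condition", {}).get("StringLike", {}).get(CTX_KEY, [])))
        for s in stmts
    )
    if not sid1_ok:
        findings.append("SID 1: no kms:GenerateDataKey* grant for CloudTrail scoped to this account's trails")

    # SID 2: each reader may decrypt, and only objects that carry a CloudTrail encryption
    # context (the Null/"false" condition); a Decrypt grant without it is broader than needed.
    for reader in readers:
        decrypt_stmts = [s for s in stmts if _grants(s, "AWS", reader, "kms:Decrypt")]
        if not decrypt_stmts:
            findings.append(f"SID 2: {reader} has no kms:Decrypt grant")
        elif not any(s.get("Condition", {}).get("Null", {}).get(CTX_KEY) == "false"
                     for s in decrypt_stmts):
            findings.append(f"SID 2: kms:Decrypt for {reader} is not limited to CloudTrail-encrypted objects")

    # SID 3: CloudTrail needs kms:DescribeKey to read the key's properties.
    if not any(_grants(s, "Service", CLOUDTRAIL_SERVICE, "kms:DescribeKey") for s in stmts):
        findings.append("SID 3: no kms:DescribeKey grant for CloudTrail")
    return findings


def without_decrypt_condition(policy):
    """Constructed negative case: the same policy with the Null condition dropped from SID 2."""
    weakened = copy.deepcopy(policy)
    for s in weakened["Statement"]:
        if s.get("Sid") == "Enable CloudTrail log decrypt permissions":
            s.pop("Condition", None)
    return weakened


if __name__ == "__main__":
    print(check_cloudtrail_key_policy(KEY_POLICY, ACCOUNT_ID, [READER]))
    print(check_cloudtrail_key_policy(without_decrypt_condition(KEY_POLICY), ACCOUNT_ID, [READER]))
```

To run it against a real key, feed the output of `aws kms get-key-policy --key-id ... --policy-name default --output text` (parsed with json.loads) into check_cloudtrail_key_policy with the account id and the list of principals that are supposed to read the logs.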

4. Enable CloudTrail Log file Validation

Apart from delivering the CloudTrail events to your S3 bucket, you can also instruct CloudTrail to create a digest file for your log files and deliver it to the same S3 bucket.

You can then use the digest file to validate the integrity of the CloudTrail log files, i.e. to make sure the log files were not tampered with after CloudTrail delivered them to the S3 bucket. Log file validation uses SHA-256 for hashing and SHA-256 with RSA for digital signing.

From the console, while creating the trail, under the "Storage location" section, set "Enable log file validation" to "Yes" as shown below.

[Cloudtrail Validate Logs]

From the CLI, when you create the trail, use the --enable-log-file-validation option as shown below.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail \
  --enable-log-file-validation

The following is the output of the above command. Note that it reports LogFileValidationEnabled as true.

{
    "IncludeGlobalServiceEvents": true,
    "Name": "thegeekstuff",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/thegeekstuff",
    "LogFileValidationEnabled": true,
    "IsMultiRegionTrail": true,
    "S3BucketName": "tgs-logs"
}
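To make the integrity guarantee above concrete, here is an added example (not the article's code) that models the hashing half of log file validation: each digest records the SHA-256 of every log object it covers and the SHA-256 of the previous digest, so a modified log object or a removed digest shows up as a mismatch when the chain is walked. The S3 keys, events and digest documents are constructed here; the field names mirror CloudTrail digest files, but the RSA signature over each digest is left out, so a real verification must also check that signature.

```python
import gzip
import hashlib
import json

# Added example, not the article's code: a local model of how a CloudTrail digest lets you
# detect a log file that was modified after delivery. Keys, events and digest contents are
# constructed; the RSA signature step that real digests carry is not modelled here.
ACCOUNT_ID = "111111111111"
PREFIX = f"AWSLogs/{ACCOUNT_ID}/CloudTrail/us-east-1/2019/01/01/"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_log_object(events):
    """Stand-in for one delivered log object: gzip-compressed {"Records": [...]} JSON."""
    return gzip.compress(json.dumps({"Records": events}).encode(), mtime=0)


def make_digest(log_objects, previous_digest_hash):
    """Digest covering `log_objects` ({s3 key: bytes}); links to the previous digest by hash."""
    digest = {
        "awsAccountId": ACCOUNT_ID,
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
            for key, body in sorted(log_objects.items())
        ],
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": previous_digest_hash,
    }
    return json.dumps(digest, sort_keys=True).encode()


def verify_digest_chain(digests, store):
    """Walk digests in delivery order; return findings (an empty list means nothing changed)."""
    findings = []
    previous_hash = None
    for i, raw in enumerate(digests):
        digest = json.loads(raw)
        if i > 0 and digest.get("previousDigestHashValue") != previous_hash:
            findings.append(f"digest {i}: previous-digest hash mismatch (chain broken)")
        for entry in digest["logFiles"]:
            body = store.get(entry["s3Object"])
            if body is None:
                findings.append(f"digest {i}: {entry['s3Object']} is missing from the bucket")
            elif sha256_hex(body) != entry["hashValue"]:
                findings.append(f"digest {i}: {entry['s3Object']} hash mismatch (modified after delivery)")
        previous_hash = sha256_hex(raw)
    return findings


def build_scenario():
    """Two log objects delivered in two digest periods, each digest chained to the last."""
    keys = [PREFIX + f"{ACCOUNT_ID}_CloudTrail_us-east-1_20190101T00{n}0Z_x.json.gz" for n in (0, 1)]
    store = {
        keys[0]: make_log_object([{"eventName": "CreateTrail", "eventSource": "cloudtrail.amazonaws.com"}]),
        keys[1]: make_log_object([{"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"}]),
    }
    first = make_digest({keys[0]: store[keys[0]]}, None)
    second = make_digest({keys[1]: store[keys[1]]}, sha256_hex(first))
    return {"keys": keys, "store": store, "digests": [first, second]}


def tamper_demo():
    """Simulate the StopLogging record being removed after delivery, then re-verify."""
    scenario = build_scenario()
    assert verify_digest_chain(scenario["digests"], scenario["store"]) == []
    scenario["store"][scenario["keys"][1]] = make_log_object([])
    return verify_digest_chain(scenario["digests"], scenario["store"])


def break_chain(digests):
    """Constructed negative case: the second digest no longer points at the first one's hash."""
    altered = json.loads(digests[1])
    altered["previousDigestHashValue"] = "0" * 64
    return [digests[0], json.dumps(altered, sort_keys=True).encode()]


if __name__ == "__main__":
    for finding in tamper_demo():
        print(finding)
```

For real trails, `aws cloudtrail validate-logs --trail-arn ... --start-time ...` performs this walk over the delivered digests, including the signature check this model omits; the point of the model is to show why a log object cannot be altered, or a digest dropped, without the next digest in the chain revealing it.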

5. Send CloudTrail Logs to Cloudwatch

You can also send CloudTrail events to CloudWatch Logs for monitoring.

From the console, select an existing trail and, in the "CloudWatch Logs" section, click "Configure". This asks you for the name of a log group. If the given log group already exists, it is used; if not, a new log group is created.

[CloudTrail to CloudWatch Logs]

From the CLI, enable CloudWatch Logs for the trail with the --cloud-watch-logs-log-group-arn and --cloud-watch-logs-role-arn options as shown below.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:111111111111:log-group:/thegeekstuff/cloudtrail:* \
  --cloud-watch-logs-role-arn arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role

If you specify only the log group ARN and not the role ARN, you'll get the following error message.

An error occurred (InvalidCloudWatchLogsRoleArnException) when calling the CreateTrail operation: You must specify a role ARN as well as a log group.

Also, make sure the given role has the appropriate permissions for CloudTrail to write to CloudWatch Logs. If it does not, you'll get the following error message.

An error occurred (InvalidCloudWatchLogsLogGroupArnException) when calling the CreateTrail operation: Access denied. Check the permissions for your role.
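Practices 1, 2, 4 and 5 all surface as fields on the trail record, so they can be audited from `aws cloudtrail describe-trails` output. The following is an added example, not code from the article: the two trail records are constructed (a minimal trail like the one created in section 1, and a hardened one with the options from sections 2, 4 and 5), the field names are those of describe-trails output, and the KMS key-id check applies the four accepted formats listed in section 2.

```python
import re

# Added example (not from the article): audit trail records, as returned by
# `aws cloudtrail describe-trails`, against best practices 1, 2, 4 and 5 above. The two trail
# records below are constructed; the KMS key-id formats are the four listed in section 2.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ALIAS = r"alias/[A-Za-z0-9/_-]+"
KMS_ARN_PREFIX = r"arn:aws:kms:[a-z0-9-]+:[0-9]{12}:"
KMS_KEY_ID_FORMATS = {
    "alias": re.compile(rf"^{ALIAS}$"),
    "alias-arn": re.compile(rf"^{KMS_ARN_PREFIX}{ALIAS}$"),
    "key-arn": re.compile(rf"^{KMS_ARN_PREFIX}key/{UUID}$"),
    "key-id": re.compile(rf"^{UUID}$"),
}


def kms_key_id_format(value):
    """Name of the accepted --kms-key-id format `value` matches, or None (e.g. an alias without 'alias/')."""
    for name, pattern in KMS_KEY_ID_FORMATS.items():
        if pattern.match(value):
            return name
    return None


def audit_trail(trail):
    """Return short finding codes; an empty list means the trail meets practices 1, 2, 4 and 5."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):                 # practice 1
        findings.append("not-multi-region")
    kms_key_id = trail.get("KmsKeyId")                      # practice 2
    if not kms_key_id:
        findings.append("no-sse-kms")
    elif kms_key_id_format(kms_key_id) is None:
        findings.append("bad-kms-key-id")
    if not trail.get("LogFileValidationEnabled"):           # practice 4
        findings.append("no-log-file-validation")
    if not trail.get("CloudWatchLogsLogGroupArn"):          # practice 5
        findings.append("no-cloudwatch-logs")
    elif not trail.get("CloudWatchLogsRoleArn"):
        findings.append("no-cloudwatch-logs-role")
    return findings


# Constructed: the trail as created in section 1, and the same trail after sections 2, 4 and 5.
MINIMAL_TRAIL = {
    "Name": "thegeekstuff",
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/thegeekstuff",
    "S3BucketName": "tgs-logs",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": False,
}
HARDENED_TRAIL = dict(
    MINIMAL_TRAIL,
    Name="thegeekstuff-hardened",
    LogFileValidationEnabled=True,
    KmsKeyId="arn:aws:kms:us-east-1:111111111111:alias/thegeekstuff/key",
    CloudWatchLogsLogGroupArn="arn:aws:logs:us-east-1:111111111111:log-group:/thegeekstuff/cloudtrail:*",
    CloudWatchLogsRoleArn="arn:aws:iam::111111111111:role/CloudTrail_CloudWatchLogs_Role",
)


def audit_all(trails):
    """Map trail name -> findings, so the result reads like a compliance report."""
    return {t["Name"]: audit_trail(t) for t in trails}


if __name__ == "__main__":
    for name, findings in audit_all([MINIMAL_TRAIL, HARDENED_TRAIL]).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

In practice you would pass the `trailList` array from `aws cloudtrail describe-trails --output json` to audit_all; because practice 1 is about every region, run it from each region or with `--include-shadow-trails` so multi-region trails created elsewhere are also listed.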

6. For Multi-Account: Send CloudTrail Logs to a Centralized S3 Bucket

When you have multiple AWS accounts, sending CloudTrail logs to an S3 bucket in each individual account creates operational challenges. You need a way to centrally manage and monitor the CloudTrail logs from all your accounts.

For this, enable CloudTrail in all your accounts, but send the logs to a centralized S3 bucket in one account. Create this centralized S3 bucket in a dedicated logging account, to which all other accounts send their CloudTrail logs.

In the console, while creating the trail, in the "Storage location" settings, set "Create a new S3 bucket" to "No". For "S3 bucket", specify the name of the centralized S3 bucket that lives in a different account (i.e. your logging account, where that centralized S3 bucket exists).

[Cloudtrail Centralized S3 Bucket]

From the CLI, while creating the trail, specify the name of the centralized S3 bucket here, just as we did earlier.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name thegeekstuff-cloudtrail-logs \
  --is-multi-region-trail \
  --enable-log-file-validation

For this to work, make sure the following bucket policy is set on the centralized S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketAclForCloudTrail",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::thegeekstuff-cloudtrail-logs"
    },
    {
      "Sid": "WritePermissionForCloudTrail",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/111111111111/*",
        "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/222222222222/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

The above allows CloudTrail from two accounts (111111111111 and 222222222222) to deliver logs to this centralized S3 bucket.

If you want to add another account (333333333333), modify the above policy and add the new account to the "Resource" section of the WritePermissionForCloudTrail SID, as shown below.

"Resource": [
  "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/111111111111/*",
  "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/222222222222/*",
  "arn:aws:s3:::thegeekstuff-cloudtrail-logs/AWSLogs/333333333333/*"
],
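Hand-editing that resource list is error-prone once the account count grows, and a policy that is correct for delivery can still be looser than intended. The following is an added example, not the article's code: it reproduces the bucket policy above as a Python dict (bucket name and account ids are the article's placeholders), adds an account idempotently, lists the accounts currently allowed, and checks that the GetBucketAcl statement, the bucket-owner-full-control condition and per-account resource paths are all in place.

```python
import copy
import re

# Added example (not the article's code): manage and check the centralized bucket policy.
# Bucket name and account ids are the article's placeholders; the policy is reproduced from it.
BUCKET = "thegeekstuff-cloudtrail-logs"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAclForCloudTrail",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Sid": "WritePermissionForCloudTrail",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [
                f"arn:aws:s3:::{BUCKET}/AWSLogs/111111111111/*",
                f"arn:aws:s3:::{BUCKET}/AWSLogs/222222222222/*",
            ],
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
    ],
}

ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")


def _statement(policy, sid):
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == sid:
            return stmt
    raise KeyError(f"statement {sid!r} not found")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_accounts(policy, bucket):
    """Account ids that may deliver logs, read back from the PutObject resource ARNs."""
    prefix = f"arn:aws:s3:::{bucket}/AWSLogs/"
    accounts = []
    for arn in _as_list(_statement(policy, "WritePermissionForCloudTrail")["Resource"]):
        if arn.startswith(prefix):
            accounts.append(arn[len(prefix):].split("/", 1)[0])  # "<account>/*" -> "<account>"
    return accounts


def add_account(policy, bucket, account_id):
    """Return a copy of `policy` that also lets `account_id` write under its own AWSLogs prefix."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"{account_id!r} is not a 12-digit AWS account id")
    updated = copy.deepcopy(policy)
    stmt = _statement(updated, "WritePermissionForCloudTrail")
    resources = _as_list(stmt["Resource"])
    arn = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"
    if arn not in resources:  # idempotent: re-adding an account changes nothing
        resources.append(arn)
    stmt["Resource"] = resources
    return updated


def check_bucket_policy(policy, bucket):
    """Findings for the two things delivery needs, plus resource paths that are not per-account."""
    findings = []
    acl = _statement(policy, "BucketAclForCloudTrail")
    if acl.get("Resource") != f"arn:aws:s3:::{bucket}":
        findings.append("GetBucketAcl is not granted on this bucket")
    write = _statement(policy, "WritePermissionForCloudTrail")
    acl_condition = write.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
    if acl_condition != "bucket-owner-full-control":
        findings.append("PutObject is not conditioned on s3:x-amz-acl = bucket-owner-full-control")
    for account in allowed_accounts(policy, bucket):
        if not ACCOUNT_ID_RE.fullmatch(account):
            findings.append(f"PutObject resource {account!r} is not pinned to a single account id")
    return findings


if __name__ == "__main__":
    policy = add_account(BUCKET_POLICY, BUCKET, "333333333333")
    print(allowed_accounts(policy, BUCKET))
    print(check_bucket_policy(policy, BUCKET) or "bucket policy OK")
```

The per-account check matters because the principal in both statements is the CloudTrail service itself, not your accounts: a resource such as `.../AWSLogs/*` would let a trail in any AWS account deliver into your bucket, so keeping one explicit account id per path is what limits who can write.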

7. For Multi-Account: Enable CloudTrail at the Organization Level

If you are creating the trail in the master account of an organization with AWS Organizations enabled, you also have the option to enable CloudTrail at the organization level.

When you select this option, the trail records CloudTrail events for all AWS accounts in that organization.

In the console, in the master account with AWS Organizations enabled, while creating the trail, set the "Apply trail to my organization" option to "Yes" as shown below.

[Cloudtrail Apply to Organizations]

From the CLI, when creating the trail, specify the --is-organization-trail option as shown below.

aws cloudtrail create-trail --name thegeekstuff \
  --s3-bucket-name tgs-logs \
  --is-multi-region-trail \
  --is-organization-trail \
  --enable-log-file-validation

If you are using an older version of aws-cli, the above command may fail with the following error message. For example, aws-cli/1.16.6 gives this error:

Unknown options: --is-organization-trail

$ aws --version
aws-cli/1.16.6 Python/2.7.10 Darwin/16.7.0 botocore/1.11.6

To avoid this, upgrade aws-cli to the latest version. For example, aws-cli/1.16.139 and later do not give the above error message.

$ aws --version
aws-cli/1.16.139 Python/2.7.10 Darwin/16.7.0 botocore/1.12.129
