hands-on lab

Monitoring AWS CloudTrail management events with Amazon CloudWatch Logs

Difficulty: Beginner
Duration: Up to 1 hour and 15 minutes
Students: 11,648
Rating: 4.2/5
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.

Description

AWS CloudTrail is a service that enables you to log and monitor activity in an AWS account. CloudTrail events are delivered to an S3 bucket and are also available for viewing from the CloudTrail console. AWS CloudTrail can be configured to send events to CloudWatch where log events can be further monitored and audited for compliance.

In a use case that involves tracking and auditing account activity, AWS CloudTrail and Amazon CloudWatch have the following responsibilities:

  • AWS CloudTrail tracks API activity within an AWS account
  • Amazon CloudWatch Logs stores event logs and is capable of triggering downstream notifications and processes using alarms

In this lab, you will create a CloudTrail trail integrated with CloudWatch Logs. You will configure the CloudWatch metric filters and alarms to send notifications based on certain management events.

Learning objectives

Upon completion of this beginner-level lab, you will be able to:

  • Configure a trail to capture management events and deliver log files to an S3 bucket
  • Integrate the trail with CloudWatch Logs
  • Generate management events by launching an Amazon EC2 instance
  • Configure a CloudWatch metric filter and alarm

Intended audiences

  • Candidates for the AWS Certified Security - Specialty Certification
  • Cloud Architects
  • Software Engineers

Prerequisites

Familiarity with the following will be beneficial but is not required:
  • AWS CloudTrail
The following content can be used to fulfill the prerequisites:

Updates

March 4th, 2024 - Resolved CloudTrail issue

May 7th, 2023 - Updated instructions to specify Linux AMI

March 20th, 2023 - Updated lab content, lab step order, and topics covered

December 18th, 2022 - Updated the instructions and screenshots to reflect the latest UI

June 13, 2022 - Updated instructions and screenshots to reflect the new launch instance wizard

May 11, 2022 - Updated instructions & screenshots

May 9th, 2022 - Updated lab security policy to support the new requirements for enabling CloudWatch logs from CloudTrail

August 13th, 2020 - Modified instructions to let students know that certain warning messages can be ignored

June 4th, 2020 - Modified the CloudTrail Trail validation check to be more tolerant of name and region variations

June 3rd, 2020 - Addressed an issue with the IAM policy

June 28th, 2019 - Added more S3 permissions to suppress S3 error messages that appear during the lab and improved instructions related to opening log files

January 10th, 2019 - Added a validation Lab Step to check the work you perform in the Lab

Environment before

Environment after

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Creating a CloudTrail trail integrated with CloudWatch Logs
Generating CloudTrail management events
Configuring a CloudWatch alarm on CloudTrail management events