Now let's talk about user activity tracking with AWS CloudTrail. With AWS CloudTrail, we have the ability to record all of the calls made to the AWS API. So when our team is using their credentials, whether it be long-term credentials or temporary credentials, the fact that some set of credentials were used to at least attempt to create or delete or otherwise modify Amazon resources, then that API call is recorded. And the result of that is also recorded, whether it was a success or a failure due to some kind of an error or invalid credentials. And so again, CloudTrail records all of the calls made to AWS APIs. And we can configure CloudTrail to deliver those log files to an S3 bucket, or we could also have AWS CloudTrail deliver log events to CloudWatch Logs in near real time.

And so these log files and the data include the identity of some kind of a key, marking the identity of those credentials, the source IP, and a number of request and response details. Now of course if you're using the API to get some kind of sensitive data into AWS, then the data itself will not be recorded. CloudTrail is not recording sensitive information. Even for the identity, usually these credentials have two components to them. There's a key and then there's a secret. And the secret is not recorded, but the key is, because the key is meant to be public. And like I said, the actual data is not recorded.

And so, another thing that's not recorded, several things, would be the operating system logs. Right, so if you're running Ubuntu or Windows or Red Hat on EC2, anything happening inside that operating system is not recorded by CloudTrail. Database queries are also not recorded. These are just a couple of examples of things that are not recorded. Right, so hold that thought. We're gonna talk more about that here in just a moment.

So let's take a look at this diagram. And again, we have the AWS API. And we, from wherever we are, could be making calls to the API from on-premises, from our laptop at home, or even from within AWS. But either way, these calls are coming into the API. And perhaps some of those calls are coming from the CLI tools. Perhaps some of those calls are being generated from the SDKs, and perhaps some of those are coming in through the API from the AWS web console. Doesn't really matter where they come from. The fact is that the CLI tools, the SDKs, and the web console all make use of the API. There is no tool that we have access to, as a customer, that can, in any way, skirt the API. Everything that we do goes through it.

And so, you'll also notice here that in this diagram we're making use of two different regions. And so, we have the ability to turn CloudTrail on region by region. Or we could turn CloudTrail on for all regions at once. And so, a typical pattern is that when we turn CloudTrail on, it's generally easier to deal with logs in one place. And so here, what we're seeing is that CloudTrail is essentially running within each region. But each CloudTrail service for that region is sending its data to the same S3 bucket. So now we have one place that we can go to, to retrieve those CloudTrail log files.

And so again, it could be that we have other services within Amazon. We could have, for example, Jenkins running on EC2. And Jenkins is responsible for communicating with the Amazon API in order to upload artifacts to S3. That call would also be captured. So again, anything that uses the API will be captured. But if we notice here in this diagram, we have EC2 instances running. Of course the API was used to launch those instances. The API would be used to terminate those instances. But once those instances are running, there is then an operating system. If we shell into that operating system, if we gain some kind of remote access, now we're in a completely different realm of authentication. We're within the realm of the operating system. It has its own set of credentials. And so, anything that we do in there, CloudTrail is completely blind to. So if we need that kind of access logging, we would have to collect that with CloudWatch Logs.

And the same is true for our databases. Right, if we have some type of relational database running in RDS, again the AWS API would be used to create the database. But then once we have that database and we want to connect to it and start running queries, the database itself has its own realm of authentication. We connect to that and we use database-level credentials. And anything happening within the database engine, any alters to tables, any schema changes, any SQL queries that are run, CloudTrail is blind to that activity as well. So again, for anyone who really needs to satisfy change management or compliance, AWS CloudTrail is a key service that allows you to record all of the calls, including the credentials that were used as they are made, to the AWS API.
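The record fields the lecture describes (the access key id as the identity, the source IP, request and response details, and the error code on a failed call), worked through in an added Python example that is not part of the lecture. The CloudTrail records are constructed sample data in the real record layout; the key ids, IP addresses, bucket name and the JenkinsRole ARN are made up.

```python
# Summarize CloudTrail records: which key called what, from where, and whether it failed.
# SAMPLE_LOG is constructed sample data shaped like one delivered CloudTrail log file.
import json
from collections import defaultdict

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"instanceType": "t3.micro"}},
    # Jenkins on EC2 uploading an artifact with temporary (assumed-role) credentials.
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "eu-west-1",
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION01",
                      "arn": "arn:aws:sts::111122223333:assumed-role/JenkinsRole/i-0abc"},
     # Only the bucket and key are logged, never the object's contents.
     "requestParameters": {"bucketName": "build-artifacts", "key": "app-1.2.3.jar"}},
    # A denied call is still recorded, together with the error code.
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:DeleteUser"},
]})

def load_records(raw):
    """Parse one CloudTrail log file (as delivered to S3) into its record list."""
    return json.loads(raw)["Records"]

def caller_of(rec):
    """Identity as CloudTrail stores it: the access key id (the secret is never logged)."""
    ident = rec["userIdentity"]
    return ident.get("accessKeyId"), ident.get("userName") or ident.get("arn")

def failed_calls(records):
    """Failed calls grouped by (accessKeyId, sourceIPAddress), the usual pivot fields."""
    out = defaultdict(list)
    for rec in records:
        if "errorCode" in rec:
            out[(caller_of(rec)[0], rec["sourceIPAddress"])].append(
                (rec["eventName"], rec["errorCode"]))
    return dict(out)

def regions_seen(records):
    """Regions present in one consolidated bucket's records (a multi-region trail)."""
    return sorted({rec["awsRegion"] for rec in records})
```

Point a loop over the objects in the trail's S3 bucket at `load_records` and the same three functions summarize real files.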