AWS CloudTrail - Hands On
This tutorial shows how to use AWS CloudTrail to record and review API calls and user activity in your AWS account. We will look at the CloudTrail console, perform an action in the EC2 console (terminating an instance), and then confirm that the action was recorded as an event in the CloudTrail Event history. This demonstrates the core value of CloudTrail: an audit record of who did what, when, and from where in your account.
What is AWS CloudTrail?
CloudTrail is an AWS service that records API calls and user activity in your accounts, whether they originate from the Management Console, the CLI, the SDKs, or other AWS services acting on your behalf. In the left-hand panel of the CloudTrail console, open "Event history."
This screen shows management events from the last 90 days, so you can see the API calls made in this account over time. Note the scope: Event history covers management events only (control-plane calls such as launching or terminating instances). Data events such as S3 object-level reads, and retention beyond 90 days, require a trail or a CloudTrail Lake event data store. To narrow the list to recent activity, use the time filter and select the last 30 minutes.
Prerequisites
- An existing EC2 instance that you can terminate (the instructor calls this a "demo instance"). If you do not have one, launch a throwaway instance first; we will terminate it from the EC2 console and then use CloudTrail to find the record of that termination.
Step-by-Step Procedure
This procedure demonstrates how to trigger and then find a TerminateInstances event within CloudTrail.
1. Navigate to the EC2 Console and Terminate an Instance
First, we will perform an action that CloudTrail can record. In this case, we will terminate an existing EC2 instance.
- In the AWS Management Console, navigate to the EC2 service.
- Locate the demo instance you intend to terminate.
- Right-click on the instance and select the option to terminate it, then confirm the prompt.
2. Wait for the Event to Propagate
Now, we will check whether this termination event appears within CloudTrail. There is a short delay before the event is visible in the console.
Note: CloudTrail typically makes an event visible in Event history within about five minutes of the API call, so wait a few minutes before looking for it.
3. Verify the Event in CloudTrail
After waiting, we can return to CloudTrail to find the record of our action.
- Navigate back to the CloudTrail service in the AWS Management Console.
- In the left-hand navigation pane, ensure you are in the "Event history" section.
- Refresh the page. You should now see the TerminateInstances API call listed at the top of the event history.
- Examine the details of the event. As the instructor points out, you can see key information directly in the list view:
- Event source: ec2.amazonaws.com
- Access key: The access key ID used to sign the request, which identifies the credential (and so the IAM user or role session) that performed the action.
- Region: The AWS Region where the event occurred.
- To see the complete record, click the event to view the full event details in JSON. The JSON carries the fields that matter for an investigation: userIdentity (who), eventTime, eventSource and eventName (what), awsRegion, sourceIPAddress and userAgent (from where and how), requestParameters (which instance IDs were requested), and responseElements (what EC2 returned, such as the new instance state). A call that was denied or failed is still recorded, with errorCode and errorMessage in place of responseElements.
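The console walkthrough above can be done programmatically against the same Event history data. The following Python script is an added example, not code from the original tutorial or from AWS: it takes records in the shape returned by the CloudTrail LookupEvents API (what `aws cloudtrail lookup-events` prints, where each item holds the full event as a JSON string in `CloudTrailEvent`), keeps only the EC2 TerminateInstances calls, and pulls out who made the call, with which access key, from where, against which instances, and whether it actually succeeded. The three records are constructed samples; every ID, ARN, IP address and timestamp in them is made up.

```python
import json

# Constructed sample shaped like the response of the CloudTrail LookupEvents API
# (`aws cloudtrail lookup-events`). Each item carries summary fields plus the full
# event record as a JSON string in "CloudTrailEvent". All IDs, ARNs, IPs and
# timestamps below are made up for this example.
def _record(**fields):
    base = {"eventVersion": "1.08", "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1"}
    base.update(fields)
    return json.dumps(base)

SAMPLE_LOOKUP_RESPONSE = {
    "Events": [
        {   # Read-only call made while browsing the EC2 console; not a termination.
            "EventId": "7c1b7a0e-0000-4000-8000-000000000001",
            "EventName": "DescribeInstances",
            "EventSource": "ec2.amazonaws.com",
            "Username": "demo-user",
            "CloudTrailEvent": _record(
                eventName="DescribeInstances", eventTime="2024-01-15T10:30:02Z", readOnly=True,
                userIdentity={"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/demo-user",
                              "accessKeyId": "AKIAEXAMPLE000000001"},
                sourceIPAddress="203.0.113.10", userAgent="console.ec2.amazonaws.com",
                requestParameters={}),
        },
        {   # The termination from the walkthrough: console user, one instance, succeeded.
            "EventId": "7c1b7a0e-0000-4000-8000-000000000002",
            "EventName": "TerminateInstances",
            "EventSource": "ec2.amazonaws.com",
            "Username": "demo-user",
            "CloudTrailEvent": _record(
                eventName="TerminateInstances", eventTime="2024-01-15T10:32:11Z", readOnly=False,
                userIdentity={"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/demo-user",
                              "accessKeyId": "AKIAEXAMPLE000000001"},
                sourceIPAddress="203.0.113.10", userAgent="console.ec2.amazonaws.com",
                requestParameters={"instancesSet": {"items": [{"instanceId": "i-0abc123def4567890"}]}},
                responseElements={"instancesSet": {"items": [{
                    "instanceId": "i-0abc123def4567890",
                    "previousState": {"code": 16, "name": "running"},
                    "currentState": {"code": 32, "name": "shutting-down"}}]}}),
        },
        {   # A denied attempt from the CLI under a different key: no instance was
            # terminated, but an auditor still wants to see who tried.
            "EventId": "7c1b7a0e-0000-4000-8000-000000000003",
            "EventName": "TerminateInstances",
            "EventSource": "ec2.amazonaws.com",
            "Username": "contractor",
            "CloudTrailEvent": _record(
                eventName="TerminateInstances", eventTime="2024-01-15T10:35:40Z", readOnly=False,
                userIdentity={"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor",
                              "accessKeyId": "AKIAEXAMPLE000000002"},
                sourceIPAddress="198.51.100.7", userAgent="aws-cli/2.15.0",
                requestParameters={"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210"}]}},
                errorCode="Client.UnauthorizedOperation",
                errorMessage="You are not authorized to perform this operation."),
        },
    ]
}


def parse_lookup_response(response):
    """Return the full event records, decoded from each item's CloudTrailEvent string."""
    return [json.loads(item["CloudTrailEvent"]) for item in response.get("Events", [])]


def summarize_terminations(events):
    """Keep only EC2 TerminateInstances calls and pull out the fields to check first:
    who made the call, with which credential, from where, against which instances,
    and whether EC2 actually carried it out (an errorCode means it did not)."""
    summaries = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "TerminateInstances":
            continue
        items = ev.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        identity = ev.get("userIdentity", {})
        summaries.append({
            "time": ev["eventTime"],
            "principal": identity.get("arn"),
            "access_key": identity.get("accessKeyId"),
            "region": ev["awsRegion"],
            "source_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
            "instance_ids": [i["instanceId"] for i in items],
            "succeeded": "errorCode" not in ev,
            "error": ev.get("errorCode"),
        })
    # Sort oldest first so the output reads as a timeline.
    return sorted(summaries, key=lambda s: s["time"])


if __name__ == "__main__":
    for s in summarize_terminations(parse_lookup_response(SAMPLE_LOOKUP_RESPONSE)):
        status = "OK" if s["succeeded"] else f"FAILED ({s['error']})"
        print(f"{s['time']} {s['principal']} key={s['access_key']} ip={s['source_ip']} "
              f"agent={s['user_agent']} region={s['region']} instances={s['instance_ids']} {status}")
```

To run this against a real account, the equivalent of the console filter is `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TerminateInstances`; feed its JSON output to parse_lookup_response and the same summary comes out for real events. The third sample record is the point worth remembering: Event history records denied calls as well, so check errorCode before concluding that an instance was actually terminated, and treat a denied TerminateInstances from an unexpected key or IP as a finding in its own right.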
Key Takeaway
The key takeaway is that CloudTrail gives you a record of the API calls made in your account, and Event history lets you look them up directly in the console with no setup. This short introduction is enough to get started and to answer questions at the exam level. For production use, create a trail so that events are retained beyond 90 days in S3 and can be forwarded to CloudWatch Logs for alerting on calls such as TerminateInstances.