AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

How do I use CloudTrail to track security group and resource changes in my account?

3 minute read

I want to use AWS CloudTrail to track security group and resource changes in my AWS account.

Resolution

You can use AWS CloudTrail, Amazon Athena, and AWS Config to view and monitor security group event history in your AWS account.

Prerequisites:

Configure CloudTrail to deliver logs to an Amazon Simple Storage Service (Amazon S3) bucket for Athena queries.
Turn on the AWS Config configuration recorder to view security group event history after the default 90-day limit.

Review security group activity with CloudTrail event history

Note: You can use CloudTrail to search event history for the last 90 days.

Open the CloudTrail console.
Choose Event history.
In Filter, for the dropdown list, choose Resource name.
In the Enter resource name text box, enter your resource name. For example, sg-123456789.
For Time range, enter the time range you want. Then, choose Apply.
Choose an event in the results list.

For more information, see Viewing recent management events with the console.

Example of a CloudTrail event:

Note: In this example, an inbound rule allows TCP port 998 from 192.168.0.0/32.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "123456789:Bob",
        "arn": "arn:aws:sts::123456789:assumed-role/123456789/Bob",
        "accountId": "123456789",
        "accessKeyId": "123456789",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-08-05T07:15:25Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "123456789",
                "arn": "arn:aws:iam::123456789:role/123456789",
                "accountId": "123456789",
                "userName": "Bob"
            }
        }
    },
    "eventTime": "2019-08-05T07:16:31Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "111.111.111.111",
    "userAgent": "console.ec2.amazonaws.com",
    "requestParameters": {
        "groupId": "sg-123456789",
        "ipPermissions": {
            "items": [
                {
                    "ipProtocol": "tcp",
                    "fromPort": 998,
                    "toPort": 998,
                    "groups": {},
                    "ipRanges": {
                        "items": [
                            {
                                "cidrIp": "192.168.0.0/32"
                            }
                        ]
                    },
                    "ipv6Ranges": {},
                    "prefixListIds": {}
                }
            ]
        }
    },
    "responseElements": {
        "requestId": "65ada3c8-d72f-4366-a583-9a9586811111",
        "_return": true
    },
    "requestID": "65ada3c8-d72f-4366-a583-9a9586811111",
    "eventID": "6c604d53-d9c3-492e-a26a-a48ac3f711111",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789"
}

Review security group activity with Athena queries

Open the Athena console.
Choose Query Editor.
In the Athena query editor, enter a query based on your use case. Then, choose Run query.

For more information, see Understand CloudTrail logs and Athena tables.

Example query to return security group create and delete events:

Important: Replace example table name with your table name.

SELECT *
FROM example table name
WHERE (eventname = 'CreateSecurityGroup' or eventname = 'DeleteSecurityGroup')
and eventtime > '2019-02-15T00:00:00Z'
order by eventtime asc

Example query to return all CloudTrail events for changes made to a specific security group:

SELECT *
FROM example table name
WHERE (eventname like '%SecurityGroup%' and requestparameters like '%sg-123456789%')
and eventtime > '2019-02-15T00:00:00Z'
order by eventtime asc;

Review security group activity with AWS Config configuration history

Open the CloudTrail console.
Choose Event history.
In Filter, for the dropdown list, choose Event name.
In the Enter event name text box, enter the event type. For example, CreateSecurityGroup. Then, choose Apply.
Choose an event in the results list.
In the Resources Referenced pane, choose View AWS Config resource timeline to view the configuration timeline.

For more information, see Viewing resources referenced with AWS Config.

Topics: Management & Governance
Tags: AWS CloudTrail
Language: English

Relevant content

how do I know a change happens on the security group with no luck to find it in cloud trail?
rePost-User-7632349
asked 3 years ago
finding lost resource using AWS config.
sanket
asked a year ago
How can I generate application-specific CloudTrail reports for regulatory compliance when using resource tags?
EXPERT
AWS rePost Live
asked a year ago
AWS Config & CloudTrail for change auditing/alerting?
Adrian Keith
asked a year ago
How do I get events about resources other than EC2 using CloudTrailClient with SDK for java?
rePost-User-7440926
asked 3 years ago
How do I know which user made a particular change to my AWS infrastructure?
AWS OFFICIALUpdated 4 years ago
How do I use CloudTrail to track API calls to my Amazon EC2 instances?
AWS OFFICIALUpdated a year ago
How do I use CloudTrail to review what API calls and actions have occurred in my AWS account?
AWS OFFICIALUpdated 4 years ago
Why don't Amazon S3 object-level API actions appear in my CloudTrail Event history?
AWS OFFICIALUpdated a year ago
Proactive Strategies for Optimizing AWS CloudTrail Lake Usage
EXPERT
Georges
published a year ago