How do I retrieve and analyze my CloudTrail logs with CloudWatch Logs Insights?
I want to use Amazon CloudWatch Logs Insights to retrieve and analyze my Amazon CloudTrail logs.
Short description
After you configure CloudTrail to send its logs to CloudWatch Logs, you can use CloudWatch Logs Insights queries to retrieve the CloudTrail log events. You can then monitor specific account activity.
Resolution
Use the following queries to retrieve CloudWatch Logs events and analyze Amazon Simple Storage Service (Amazon S3) bucket and object activity. Note that CloudTrail doesn't capture Amazon S3 data events by default. You must turn on data event logging in CloudTrail before the S3 bucket and object events can be retrieved.
You can build on these example queries to create other, more complex Logs Insights queries that fit your use case. You can also add the queries to a CloudWatch dashboard to visualize them as charts and graphs alongside related metrics.
Query 1: Most recent activity
Goal
Retrieve the most recent CloudTrail log events using the default @timestamp and @message fields.
Query
#Retrieve the most recent CloudTrail events
fields @timestamp, @message | sort @timestamp desc | limit 2
Result
@timestamp | @message |
---|---|
2022-02-18 17:52:31.118 | {"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","principalId":"AROAWZKRRJU47ARZN7ECC:620d7d78144334d6933c27195cae2a98","arn":"arn:aws:sts::123456789012:assumed-role/Amazon_EventBridge_Invoke_Run_Command_371790151/620d7d78144334d6933c27195cae2a98","accountId":"123456789012","accessKeyId":"ASIAWZKRRJU4Y45M4SC6","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"AROAWZKRRJU47ARZN7ECC","arn":"arn:aws:iam::123456789012:role/service-role/Amazon_EventBridge_Invoke_Run_Command_371790151","accountId":"123456789012","userName":"Amazon_EventBridge_Invoke_Run_Command_371790151" (output truncated) |
2022-02-18 17:51:52.137 | {"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","principalId":"AROAWZKRRJU43YP4FHR2N:StateManagerService","arn":"arn:aws:sts::123456789012:assumed-role/AWSServiceRoleForAmazonSSM/StateManagerService","accountId":"123456789012","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"AROAWZKRRJU43YP4FHR2N","arn":"arn:aws:iam::123456789012:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM","accountId":"123456789012","userName":"AWSServiceRoleForAmazonSSM"},"webIdFederationData":{},"attributes":{"creationDate":"2022-02-18T17:50:06Z","mfaAuthenticated":"false"}},"invokedBy":"ssm.amazonaws.com"},"eventTime":"2022-02-18T17:50:06Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"eu-west-1","sourceIPAddress":"ssm.amazonaws.com","userAgent":"ssm.amazonaws.com","requestParameters":{"maxResults":50,"instancesSet": (output truncated) |
Query 2: Break out individual fields
Goal
- Break out the individual fields contained in @message.
- Display the selected fields of each CloudTrail event.
Query
#Breakout Individual Fields
fields @timestamp, awsRegion, eventCategory, eventSource, eventName, eventType, sourceIPAddress, userIdentity.type | sort @timestamp desc | limit 2
Result
@timestamp | awsRegion | eventCategory | eventSource | eventName | eventType | sourceIPAddress | userIdentity.type |
---|---|---|---|---|---|---|---|
2022-02-18 18:00:09.647 | ca-central-1 | Management | sts.amazonaws.com | AssumeRole | AwsApiCall | cloudtrail.amazonaws.com | AWSService |
2022-02-18 18:00:09.647 | ca-central-1 | Management | sts.amazonaws.com | AssumeRole | AwsApiCall | cloudtrail.amazonaws.com | AWSService |
Query 3: Filter by Amazon Elastic Compute Cloud (Amazon EC2) RunInstances
Goal
- Retrieve specific fields from the CloudTrail events.
- Rename the fields to use more meaningful labels.
- Filter by the API call for the EC2 instances most recently launched in this account.
Query
#EC2: Recently Launched Instances
fields eventTime, eventName as API, responseElements.instancesSet.items.0.instanceId as InstanceID, userIdentity.sessionContext.sessionIssuer.type as IssuerType, userIdentity.type as IdentityType, userIdentity.sessionContext.sessionIssuer.userName as userName | filter eventName = 'RunInstances' | sort eventTime desc | limit 2
Result
eventTime | API | InstanceID | IssuerType | IdentityType | userName |
---|---|---|---|---|---|
2022-02-18T17:36:38Z | RunInstances | i-0325b4d6ae4e93c75 | Role | AssumedRole | AWSServiceRoleForAutoScaling |
2022-02-18T13:45:18Z | RunInstances | i-04d17a8425b7cb59a | Role | AssumedRole | AWSServiceRoleForAutoScaling |
Query 4: Filter by the most recent console logins
Goal
- Retrieve specific fields from the CloudTrail events.
- Rename the fields to use more meaningful labels.
- Filter by the API call for the most recent console logins.
Query
#Console Login: Most Recent API Calls
fields eventTime, eventName, responseElements.ConsoleLogin as Response, userIdentity.arn as ARN, userIdentity.type as User_Type | filter eventName = 'ConsoleLogin' | sort eventTime desc | limit 10
Result
eventTime | eventName | Response | ARN | User_Type |
---|---|---|---|---|
2022-02-18T17:35:44Z | ConsoleLogin | Success | arn:aws:iam::123456789012:user/test_user | IAMUser |
2022-02-17T13:53:58Z | ConsoleLogin | Success | arn:aws:sts::123456789012:assumed-role/Admin/test_user | AssumedRole |
Query 5: Filter by failed console login authentications
Goal
- Retrieve specific fields from the CloudTrail events.
- Rename the fields to use more meaningful labels.
- Filter for the most recent failed console logins.
Query
#ConsoleLogin: Filter on Failed Logins
fields eventTime, eventName, responseElements.ConsoleLogin as Response, userIdentity.userName as User, userIdentity.type as User_Type, sourceIPAddress, errorMessage | filter eventName = 'ConsoleLogin' and responseElements.ConsoleLogin = 'Failure' | sort eventTime desc | limit 10
Result
eventTime | eventName | Response | User | User_Type | sourceIPAddress | errorMessage |
---|---|---|---|---|---|---|
2022-02-18T20:10:55Z | ConsoleLogin | Failure | echo | IAMUser | 12.34.56.89 | Failed authentication |
2022-02-18T20:10:43Z | ConsoleLogin | Failure | echo | IAMUser | 12.34.56.89 | Failed authentication |
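Queries 1 to 6 all follow the same fields | filter | sort | limit pattern, and they reference nested JSON fields with Logs Insights dot notation (a numeric segment such as `items.0.instanceId` indexes into an array). The following Python reproduces that pipeline offline over raw CloudTrail records so you can see exactly how a dotted path resolves and how Query 5 (failed console logins) and Query 3 (RunInstances with the array index) select their rows. This is an added example, not code from the AWS article; the log lines, the `get_field` and `run_pipeline` helpers and all values in them are constructed for illustration.

```python
"""Resolve Logs Insights dotted field paths on raw CloudTrail records and apply the
fields | filter | sort | limit pipeline of Query 5 (and the array index of Query 3)
in plain Python. Added example; every event below is constructed, not real output."""
import json
from typing import Any, Callable, Dict, List, Optional

# Constructed CloudTrail-style records, one JSON document per log line, carrying only
# the fields the queries on this page reference. Deliberately out of time order.
SAMPLE_LOG_LINES: List[str] = [json.dumps(e) for e in [
    {"eventTime": "2022-02-18T20:10:43Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "12.34.56.89",
     "userIdentity": {"type": "IAMUser", "userName": "echo"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2022-02-18T17:35:44Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "12.34.56.89",
     "userIdentity": {"type": "IAMUser", "userName": "test_user"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-02-18T20:10:55Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "12.34.56.89",
     "userIdentity": {"type": "IAMUser", "userName": "echo"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2022-02-18T17:36:38Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {
         "sessionIssuer": {"type": "Role", "userName": "AWSServiceRoleForAutoScaling"}}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0325b4d6ae4e93c75"}]}}},
]]


def get_field(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path such as 'responseElements.instancesSet.items.0.instanceId'.

    A numeric segment indexes into a list, any other segment is a dict key. A missing
    segment yields None, which is how the ispresent() idea maps onto Python.
    """
    node: Any = event
    for part in path.split("."):
        if isinstance(node, dict):
            node = node.get(part)
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None
    return node


def run_pipeline(lines: List[str], projection: Dict[str, str],
                 predicate: Callable[[Dict[str, Any]], bool],
                 sort_alias: str, limit: int) -> List[Dict[str, Any]]:
    """fields <path as alias, ...> | filter <predicate> | sort <alias> desc | limit N."""
    rows: List[Dict[str, Any]] = []
    for line in lines:
        event = json.loads(line)
        if not predicate(event):
            continue
        rows.append({alias: get_field(event, path) for path, alias in projection.items()})
    # CloudTrail eventTime is ISO-8601 UTC with a trailing Z, so string order is time order.
    rows.sort(key=lambda r: r.get(sort_alias) or "", reverse=True)
    return rows[:limit]


def failed_console_logins(lines: List[str], limit: int = 10) -> List[Dict[str, Any]]:
    """Query 5: the most recent ConsoleLogin events whose response was Failure."""
    projection = {"eventTime": "eventTime", "eventName": "eventName",
                  "responseElements.ConsoleLogin": "Response",
                  "userIdentity.userName": "User", "userIdentity.type": "User_Type",
                  "sourceIPAddress": "sourceIPAddress", "errorMessage": "errorMessage"}
    return run_pipeline(
        lines, projection,
        lambda e: get_field(e, "eventName") == "ConsoleLogin"
        and get_field(e, "responseElements.ConsoleLogin") == "Failure",
        "eventTime", limit)


def recent_run_instances(lines: List[str], limit: int = 2) -> List[Dict[str, Any]]:
    """Query 3: the most recently launched instances, using the .0. array index."""
    projection = {"eventTime": "eventTime", "eventName": "API",
                  "responseElements.instancesSet.items.0.instanceId": "InstanceID",
                  "userIdentity.sessionContext.sessionIssuer.type": "IssuerType",
                  "userIdentity.type": "IdentityType",
                  "userIdentity.sessionContext.sessionIssuer.userName": "userName"}
    return run_pipeline(lines, projection,
                        lambda e: get_field(e, "eventName") == "RunInstances",
                        "eventTime", limit)


if __name__ == "__main__":
    for row in failed_console_logins(SAMPLE_LOG_LINES):
        print(row)
    print(recent_run_instances(SAMPLE_LOG_LINES))
```

One point the pipeline makes visible: a field that is absent from an event (for example `errorMessage` on a successful login, or `instancesSet.items.0` on an event that is not RunInstances) simply resolves to nothing and leaves the cell blank, which is the same behaviour you see in the empty cells of the result tables on this page.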
Query 6: Filter by Amazon Simple Storage Service (Amazon S3) object uploads
Goal
- Retrieve specific fields from the CloudTrail events.
- Rename the fields to use more meaningful labels.
- Filter by the API call and the target S3 bucket.
Query
#Filter PutObject API Calls on a specific S3 Bucket
fields @timestamp, eventName as API, requestParameters.bucketName as BucketName, requestParameters.key as Key, userIdentity.sessionContext.sessionIssuer.userName as UserName | filter eventName = 'PutObject' and BucketName = 'target-s3-bucket' | sort @timestamp desc | limit 2
Result
@timestamp | API | BucketName | Key | UserName |
---|---|---|---|---|
2022-02-12 17:16:07.415 | PutObject | test_bucket1 | w4r9Hg4V7g.jpg | |
2022-02-12 16:29:43.470 | PutObject | test_bucket2 | 6wyBy0hBoB.jpg | |
Query 7: Summarize S3 activity
Goal
- Filter by the Amazon S3 service.
- Aggregate all matching events with a count statistic.
- Break out the results by API, S3 bucket, and object key.
- Rename the fields with the stats command.
- Sort in descending order.
Query
#S3 Activity: Bucket Key Details
filter eventSource = 's3.amazonaws.com' | stats count(*) as Hits by eventName as API, requestParameters.bucketName as BucketName, requestParameters.key as Key | sort Hits desc | limit 5
Result
API | BucketName | Key | Hits |
---|---|---|---|
ListAccessPoints | | | 44 |
GetBucketAcl | team1-ctrail-multi-region | | 27 |
GetBucketAcl | team2-dub-cloudtrail | | 27 |
GetBucketAcl | aws-cloudtrail-logs-123456789012-ba940dd7 | | 26 |
GetObject | devsupport-prod | rdscr/individual/123456789012 | 18 |
Query 8: Summarize AWS KMS Decrypt activity
Goal
- Filter by the AWS Key Management Service (AWS KMS) service and the Decrypt API.
- Rename the fields with the fields command, then aggregate on the user-friendly names.
- Aggregate all matching events with a count statistic.
- Break out the results by AWS KMS key and user.
- Sort in descending order.
Query
#KMS Decrypt Activity: Key User Details
fields resources.0.ARN as KMS_Key, userIdentity.sessionContext.sessionIssuer.userName as User | filter eventSource='kms.amazonaws.com' and eventName='Decrypt' | stats count(*) as Hits by KMS_Key, User | sort Hits desc | limit 2
Result
KMS_Key | User | Hits |
---|---|---|
arn:aws:kms:us-east-1:123456789012:key/03f2923d-e213-439d-92cf-cbb444bd85bd | AWSServiceRoleForConfig | 12 |
arn:aws:kms:us-east-1:123456789012:key/03f2923d-e213-439d-92cf-cbb444bd85bd | FoxTrot-1UQJBODTWZYZ6 | 8 |
Query 9: Summarize API calls with errors
Goal
- Filter on the presence of the errorCode field.
- Aggregate all matching events with a count statistic.
- Break out the results by AWS service, API, and errorCode.
- Rename the fields with the stats command.
- Sort by the highest number of matches.
Query
#Summarize API Calls with Errors
filter ispresent(errorCode) | stats count(*) as Num_of_Events by eventSource as AWS_Service, eventName as API, errorCode | sort Num_of_Events desc | limit 5
Result
AWS_Service | API | errorCode | Num_of_Events |
---|---|---|---|
s3.amazonaws.com | GetBucketPublicAccessBlock | NoSuchPublicAccessBlockConfiguration | 79 |
lambda.amazonaws.com | GetLayerVersionPolicy20181031 | ResourceNotFoundException | 66 |
s3.amazonaws.com | GetBucketPolicyStatus | NoSuchBucketPolicy | 60 |
s3.amazonaws.com | HeadBucket | AccessDenied | 47 |
logs.amazonaws.com | CreateLogStream | ResourceNotFoundException | 21 |
Query 10: Summarize S3 API calls with error codes
Goal
- Filter by the Amazon S3 service and the presence of the errorCode field.
- Aggregate all matching events with a count statistic.
- Break out the results by errorCode and errorMessage.
- Sort by the highest number of matches.
Query
#S3: Summarize Error Codes
filter eventSource = 's3.amazonaws.com' and ispresent(errorCode) | stats count(*) as Hits by errorCode, errorMessage | sort Hits desc | limit 5
Result
errorCode | errorMessage | Hits |
---|---|---|
AccessDenied | Access Denied | 86 |
NoSuchBucketPolicy | The bucket policy does not exist | 80 |
NoSuchPublicAccessBlockConfiguration | The public access block configuration was not found | 79 |
ObjectLockConfigurationNotFoundError | Object Lock configuration does not exist for this bucket | 3 |
ServerSideEncryptionConfigurationNotFoundError | The server side encryption configuration was not found | 3 |
Query 11: Summarize AccessDenied/UnauthorizedOperation API calls by AWS service, API, and AWS Identity and Access Management (IAM) user
Goal
- Filter for AccessDenied or UnauthorizedOperation CloudTrail events.
- Aggregate all matching events with a count statistic.
- Break out the results by errorCode, AWS service, API, and IAM user or role.
- Rename the fields with the stats command.
- Sort in descending order.
Query
#Summarize AccessDenied/UnauthorizedOperation API Calls by AWS Service, API, IAM User
filter (errorCode='AccessDenied' or errorCode='UnauthorizedOperation') | stats count(*) as NumberOfEvents by errorCode, eventSource as AWS_Service, eventName as API, userIdentity.type as IdentityType, userIdentity.invokedBy as InvokedBy | sort NumberOfEvents desc | limit 10
Result
errorCode | AWS_Service | API | IdentityType | InvokedBy | NumberOfEvents |
---|---|---|---|---|---|
AccessDenied | s3.amazonaws.com | HeadBucket | AWSService | delivery.logs.amazonaws.com | 83 |
AccessDenied | s3.amazonaws.com | GetObject | AssumedRole | | 9 |
Query 12: AWS KMS hourly call volume
Goal
- Filter by the AWS KMS service and the Decrypt API.
- Aggregate all matching events into one-hour counts.
- Display the results as a line graph.
Query
#KMS: Hourly Decrypt Call Volume
filter eventSource='kms.amazonaws.com' and eventName='Decrypt' | stats count(*) as Hits by bin(1h)
Result
bin(1h) | Hits |
---|---|
2022-02-18 19:00:00.000 | 16 |
2022-02-18 18:00:00.000 | 25 |
2022-02-18 17:00:00.000 | 28 |
2022-02-18 16:00:00.000 | 14 |
2022-02-18 15:00:00.000 | 16 |
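Queries 7 to 12 switch from row selection to aggregation: `stats count(*) ... by <fields>` groups events on the listed fields, `ispresent(errorCode)` keeps only events that carry an error, and `bin(1h)` truncates each timestamp to the start of its hour. The following Python computes the Query 9, Query 11 and Query 12 aggregations over constructed CloudTrail-style events, so the grouping keys and the hourly bins can be checked by hand. This is an added example, not code from the AWS article; the events, the `_count_by` helper and the exact group keys are constructed for illustration.

```python
"""The stats aggregations of Queries 9, 11 and 12 computed in plain Python over
constructed CloudTrail-style events: count(*) by <fields>, ispresent(errorCode)
and bin(1h). Added example; every event below is made up."""
from collections import Counter
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Sequence, Tuple

# Constructed events carrying only the fields the queries reference.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventTime": "2022-02-18T17:05:10Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"type": "AssumedRole"}},
    {"eventTime": "2022-02-18T17:40:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"type": "AssumedRole"}},
    {"eventTime": "2022-02-18T18:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"type": "AWSService"}},
    {"eventTime": "2022-02-18T18:15:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Encrypt", "userIdentity": {"type": "AssumedRole"}},  # not Decrypt
    {"eventTime": "2022-02-18T18:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "HeadBucket", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AWSService", "invokedBy": "delivery.logs.amazonaws.com"}},
    {"eventTime": "2022-02-18T18:21:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "HeadBucket", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AWSService", "invokedBy": "delivery.logs.amazonaws.com"}},
    {"eventTime": "2022-02-18T18:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole"}},  # no invokedBy: blank InvokedBy cell
    {"eventTime": "2022-02-18T19:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "errorCode": "UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser"}},
    {"eventTime": "2022-02-18T19:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicyStatus", "errorCode": "NoSuchBucketPolicy",
     "userIdentity": {"type": "AWSService"}},  # an error, but not an authorization denial
]


def _count_by(events: Sequence[Dict[str, Any]], key_fn: Callable[[Dict[str, Any]], Tuple],
              names: Sequence[str], count_name: str, limit: int) -> List[Dict[str, Any]]:
    """stats count(*) as <count_name> by <names> | sort <count_name> desc | limit N."""
    groups = Counter(key_fn(e) for e in events)
    rows = [dict(zip(names, key), **{count_name: n}) for key, n in groups.items()]
    rows.sort(key=lambda r: r[count_name], reverse=True)  # stable: ties keep first-seen order
    return rows[:limit]


def summarize_api_errors(events: Sequence[Dict[str, Any]], limit: int = 5) -> List[Dict[str, Any]]:
    """Query 9: ispresent(errorCode) means the key exists on the event at all."""
    with_error = [e for e in events if "errorCode" in e]
    return _count_by(with_error,
                     lambda e: (e["eventSource"], e["eventName"], e["errorCode"]),
                     ("AWS_Service", "API", "errorCode"), "Num_of_Events", limit)


def summarize_access_denied(events: Sequence[Dict[str, Any]], limit: int = 10) -> List[Dict[str, Any]]:
    """Query 11: only the two authorization-failure codes, grouped down to the caller."""
    denied = [e for e in events if e.get("errorCode") in ("AccessDenied", "UnauthorizedOperation")]
    return _count_by(denied,
                     lambda e: (e["errorCode"], e["eventSource"], e["eventName"],
                                e.get("userIdentity", {}).get("type"),
                                e.get("userIdentity", {}).get("invokedBy")),
                     ("errorCode", "AWS_Service", "API", "IdentityType", "InvokedBy"),
                     "NumberOfEvents", limit)


def hourly_decrypt_volume(events: Sequence[Dict[str, Any]]) -> List[Tuple[str, int]]:
    """Query 12: bin(1h) truncates eventTime to the hour; newest bin first, as in the result table."""
    bins: Counter = Counter()
    for e in events:
        if e.get("eventSource") != "kms.amazonaws.com" or e.get("eventName") != "Decrypt":
            continue
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        bins[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return [(b.strftime("%Y-%m-%d %H:%M:%S.000"), n) for b, n in sorted(bins.items(), reverse=True)]


if __name__ == "__main__":
    for row in summarize_api_errors(SAMPLE_EVENTS):
        print(row)
    for row in summarize_access_denied(SAMPLE_EVENTS):
        print(row)
    print(hourly_decrypt_volume(SAMPLE_EVENTS))
```

The grouping in `summarize_access_denied` is deliberately as fine as Query 11's: a burst of AccessDenied events from a single service principal (such as the log delivery service on HeadBucket) then stands out as one row with a large count instead of being spread across many, which is what makes the summary usable for triage.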
AWS OFFICIAL, updated 6 months ago