In November 2013, we introduced AWS CloudTrail to track user activity and API usage. AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting. CloudTrail records user activity and API calls across AWS services as events. CloudTrail events help you answer the questions of “who did what, where, and when?”.
Recently we have improved your ability to simplify auditing and security analysis by using AWS CloudTrail Lake. CloudTrail Lake is a managed data lake for capturing, storing, accessing, and analyzing user and API activity on AWS for audit, security, and operational purposes. You can aggregate and immutably store your activity events, and run SQL-based queries for search and analysis.
We have heard your feedback that aggregating activity information from diverse applications across hybrid environments is complex and costly, but essential for a comprehensive picture of your organization’s security and compliance posture.
Today we are announcing support for ingesting activity events from non-AWS sources into CloudTrail Lake, making it a single location of immutable user and API activity events for auditing and security investigations. Now you can consolidate, immutably store, search, and analyze activity events from AWS and non-AWS sources, such as in-house or SaaS applications, in one place.
Using the new PutAuditEvents API in CloudTrail Lake, you can centralize user activity information from disparate sources into CloudTrail Lake, enabling you to analyze, troubleshoot, and diagnose issues using this data. CloudTrail Lake records all events in a standardized schema, making it easier for users to consume this information and respond comprehensively and quickly to security incidents or audit requests.
CloudTrail Lake is also integrated with selected AWS Partners, such as Cloud Storage Security, Clumio, CrowdStrike, CyberArk, GitHub, Kong Inc, LaunchDarkly, MontyCloud, Netskope, Nordcloud, Okta, One Identity, Shoreline.io, Snyk, and Wiz, allowing you to easily enable audit logging through the CloudTrail console.
Getting Started: Integrating External Sources
You can start ingesting activity events from your own data sources or partner applications by choosing Integrations under the Lake menu in the AWS CloudTrail console.
To create a new integration, choose Add integration and enter your channel name. You can choose the partner application source from which you want to get events. If you are integrating events from your own applications hosted on premises or in the cloud, choose My custom integration.
For Event delivery location, you can choose destinations for the events from this integration. This allows your application or partners to deliver events to your CloudTrail Lake event data store. An event data store can retain your activity events for one week up to seven years. You can then run queries on the event data store.
Choose either Use existing event data stores or Create new event data store to receive events from integrations. To learn more about event data stores, see Create an event data store in the AWS documentation.
You can also set up the permissions policy for the channel resource created with this integration. The information required for the policy depends on the integration type of each partner application.
There are two types of integrations: direct and solution. With direct integrations, the partner calls the PutAuditEvents API to deliver events to the event data store in your AWS account. In this case, you must provide the External ID, the unique account identifier provided by the partner. You can see a link to the partner website for the step-by-step guide. With solution integrations, the application runs in your AWS account and the application itself calls the PutAuditEvents API to deliver events to the event data store in your AWS account.
To find the integration type for your partner, choose the Available sources tab on the integrations page.
After creating an integration, you will need to provide this Channel ARN to the source or partner application. Until these steps are finished, the status will remain Incomplete. Once CloudTrail Lake starts receiving events from the integrated partner or application, the status field will be updated to reflect the current state.
To ingest your application’s activity events into your integration, call the PutAuditEvents API to add the payload of events. Make sure that there is no sensitive or personally identifying information in the event payload before ingesting it into CloudTrail Lake.
You can make a JSON array of event objects, each of which includes a required user-generated ID for the event, the required payload of the event as the value of EventData, and an optional checksum to help validate the integrity of the event after ingestion into CloudTrail Lake.
{
  "AuditEvents": [
    {
      "Id": "event_ID",
      "EventData": "{event_payload}",
      "EventDataChecksum": "optional_checksum"
    },
    ...
  ]
}
The following example shows how to use the put-audit-events AWS CLI command. Note that EventData is a JSON string, so the quotes inside it must be escaped.
$ aws cloudtrail-data put-audit-events \
    --channel-arn $ChannelArn \
    --external-id $UniqueExternalIDFromPartner \
    --audit-events '[
      {
        "Id": "87f22433-0f1f-4a85-9664-d50a3545baef",
        "EventData": "{\"eventVersion\": 0.01, \"eventSource\": \"MyCustomLog2\", ...}"
      },
      {
        "Id": "7e5966e7-a999-486d-b241-b33a1671aa74",
        "EventData": "{\"eventVersion\": 0.02, \"eventSource\": \"MyCustomLog1\", ...}",
        "EventDataChecksum": "848df986e7dd61f3eadb3ae278e61272xxxx"
      }
    ]'
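To show the ingestion step end to end, here is an added Python example (not code from this post, from AWS, or from any partner) that scrubs sensitive fields from constructed application records, builds the audit-event batch with a per-event ID and checksum, re-verifies the checksums, and sends the batch with boto3. It assumes the checksum is the base64-encoded SHA-256 of the exact EventData string, a per-call batch size of 100, and the boto3 key names id, eventData, and eventDataChecksum (lowerCamel, unlike the PascalCase keys shown above).

```python
import base64
import hashlib
import json
import uuid

# Keys that must be stripped before an event leaves the application (constructed list).
SENSITIVE_FIELDS = {"password", "sessionToken", "creditCard", "email"}

def scrub(record):
    """Drop sensitive/PII keys so they never reach CloudTrail Lake."""
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}

def checksum(event_data):
    """Assumption: base64-encoded SHA-256 over the exact EventData string."""
    digest = hashlib.sha256(event_data.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_audit_events(records, event_source):
    """Return auditEvents entries in boto3 key style (id / eventData / eventDataChecksum)."""
    events = []
    for rec in records:
        payload = {"eventVersion": "0.01", "eventSource": event_source, **scrub(rec)}
        # Serialize once and hash that exact string: the checksum must cover the bytes sent.
        event_data = json.dumps(payload, separators=(",", ":"), sort_keys=True)
        events.append({"id": str(uuid.uuid4()), "eventData": event_data,
                       "eventDataChecksum": checksum(event_data)})
    return events

def verify_batch(events):
    """Re-derive each checksum; returns the ids whose eventData no longer matches."""
    return [e["id"] for e in events if checksum(e["eventData"]) != e["eventDataChecksum"]]

def put_audit_events(events, channel_arn, external_id=None, batch_size=100):
    """Send events to the channel via boto3; batch_size is an assumed per-call limit."""
    import boto3  # real AWS call; not exercised offline
    client = boto3.client("cloudtrail-data")
    responses = []
    for i in range(0, len(events), batch_size):
        kwargs = {"auditEvents": events[i:i + batch_size], "channelArn": channel_arn}
        if external_id:  # only direct (partner) integrations need the External ID
            kwargs["externalId"] = external_id
        responses.append(client.put_audit_events(**kwargs))
    return responses

# Constructed sample records from a hypothetical in-house application.
SAMPLE_RECORDS = [
    {"eventTime": "2022-09-25T10:00:00Z", "eventName": "Login", "userIdentity": {"principalId": "alice"}, "password": "hunter2"},
    {"eventTime": "2022-09-25T10:05:00Z", "eventName": "ExportReport", "userIdentity": {"principalId": "bob"}, "email": "bob@example.com"},
]
```

Run `put_audit_events(build_audit_events(SAMPLE_RECORDS, "MyCustomLog1"), channel_arn)` with the Channel ARN from your integration; verify_batch can be reused on the receiving side to confirm nothing was altered in transit.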
On the Editor tab in CloudTrail Lake, write your own queries against the newly integrated event data store to check the delivered events.
You can write your own integration query, for example to get all principals across AWS and external sources that have made API calls after a specific date:
SELECT userIdentity.principalId FROM $AWS_EVENT_DATA_STORE_ID
WHERE eventTime > '2022-09-24 00:00:00'
UNION ALL
SELECT eventData.userIdentity.principalId FROM $PARTNER_EVENT_DATA_STORE_ID
WHERE eventData.eventTime > '2022-09-24 00:00:00'
To learn more, see the CloudTrail Lake event schema and sample queries to help you get started.
Launch Partners
You can see the list of our launch partners that support a CloudTrail Lake integration option in the Available sources tab. Here are blog posts and announcements from our partners who collaborated on this launch (some will be added in the next few days).
Now Available
AWS CloudTrail Lake now supports ingesting activity events from external sources in all AWS Regions where CloudTrail Lake is available today. To learn more, see the AWS documentation and each partner’s getting started guides.
If you are interested in becoming an AWS CloudTrail Partner, you can contact your usual partner contacts.
– Channy