AWS Cloud Operations Blog
Gain compliance insights using the open source community for AWS CloudTrail
Does your organization need to maintain visibility into operations in their AWS accounts for security and compliance? Do you need this visibility across multiple AWS accounts and geographic regions? Would you like predefined templates to help you get started with analyzing account activity quickly? Using AWS CloudTrail Lake and our newly announced public repository of sample queries will help meet these objectives and more.
Auditing operations within your AWS accounts is a crucial component of proper cloud governance, security, and compliance best practices. To help meet this objective, we launched AWS CloudTrail in November 2013 as the auditing platform for our customers. Since its inception, millions of customers have adopted this service. Building upon this, in January 2022 we released AWS CloudTrail Lake, a managed data lake which enables organizations to aggregate, immutably store, and query events recorded by AWS CloudTrail for auditing, security investigation, and operational troubleshooting. This capability allows event collection to span multiple AWS accounts and regions, and CloudTrail Lake lets you query the collected events using SQL. While the CloudTrail Lake platform already includes sample queries that let users get started quickly with common scenarios, AWS recently announced the launch of the CloudTrail Lake query samples repo.
To run the queries
- Navigate to the CloudTrail console
- Select Lake in left panel
- In the Editor tab, make sure your event data store is selected before you run a query
[Screenshot of the CloudTrail Lake query editor with an event data store selected]
The AWS CloudTrail Lake query repo hosts community-sourced sample queries vetted by AWS SMEs (Subject Matter Experts) to further accelerate AWS CloudTrail Lake adoption. The samples are designed to educate AWS customers on how to implement queries that investigate compliance data. A wide range of use cases is covered by these sample queries; a few examples are listed below:
- Database fail-over information: Query returning database fail-over information such as regions, user, and time of a fail-over event for a database
- Aurora databases with performance insights: Aurora PostgreSQL DB instances that have performance insights enabled
- Count of all data events by day of the week
- Encryption status of objects uploaded to S3 buckets in the descending order of event time
- Top S3 actions: Query to list the count of data events by API actions for a specified S3 bucket
- Most retrieved S3 Objects
- Cross account access: Query to return results where cross-account access was granted
- Database reboot information: Chronological order of database reboots that have occurred
- Database Cluster point in time restore: Source and target of a database point in time restore
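Two of the use cases above, the count of data events by day of the week and the cross-account access check, written out as CloudTrail Lake SQL. This is an added illustration, not a query from the samples repo or from the original post. It assumes the documented CloudTrail Lake event schema (`eventTime`, `eventCategory`, `userIdentity.accountId`, `recipientAccountId`) and Trino-style functions such as `day_of_week`; the event data store ID in the `FROM` clause is a placeholder to replace with your own, and the date bound is an arbitrary constructed value.

```sql
-- Query 1: count of data events by day of the week.
-- Replace the placeholder event data store ID with yours from the CloudTrail Lake console.
-- day_of_week() follows ISO numbering: 1 = Monday ... 7 = Sunday.
SELECT day_of_week(eventTime) AS day_of_week,
       count(*)               AS event_count
FROM   00000000-0000-0000-0000-000000000000
WHERE  eventCategory = 'Data'                      -- data-plane events only (e.g. S3 object-level)
  AND  eventTime > '2023-01-01 00:00:00'           -- constructed lower bound; narrow it to control scan cost
GROUP BY day_of_week(eventTime)
ORDER BY day_of_week;

-- Query 2: cross-account access.
-- An event whose calling principal belongs to a different account than the
-- account that recorded the event indicates access granted across accounts.
SELECT eventTime,
       eventSource,
       eventName,
       userIdentity.accountId AS caller_account,
       recipientAccountId     AS target_account,
       userIdentity.arn       AS caller_arn,
       sourceIPAddress
FROM   00000000-0000-0000-0000-000000000000
WHERE  userIdentity.accountId IS NOT NULL
  AND  userIdentity.accountId <> recipientAccountId
  AND  eventTime > '2023-01-01 00:00:00'           -- constructed lower bound
ORDER BY eventTime DESC
LIMIT 100;
```

The CloudTrail Lake editor runs one statement at a time, so paste each query separately. Keeping an `eventTime` bound in every query matters in practice: CloudTrail Lake bills by data scanned, and the time filter is also what turns a one-off investigation into something you can re-run on a schedule for compliance reporting.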
To get started with AWS CloudTrail Lake, refer to the documentation for guidance. Once your event data store is configured, you can use the CloudTrail Lake Editor to derive insight from the events aggregated in your CloudTrail Lake. Previously, to analyze event data you had to write a SQL query from scratch or use the sample queries provided in the AWS console. You can now also refer to the query samples repo hosted on GitHub for additional help. We will continue to review and add new queries to this repo.
About the authors: