Analysis of CloudTrail Data Using AWS Athena to Query Which User Shut Down an EC2 Instance
Amazon Web Services (AWS) is a secure cloud service platform that offers compute power, database storage, content delivery, networking, and other functionality to help businesses scale and grow. It is one of the first cloud vendors to start services, in the year 2006. It offers all three service models, namely IaaS, PaaS, and SaaS. Some of the notable domains in AWS are Compute, Migration, Storage, Network and Content Delivery, Management Tools, Database, Messaging, Security and Identity Compliance, and many more.
Amazon S3
A simple and popular AWS service for storage. It replicates data by default across multiple facilities and charges per usage. It is deeply integrated with other AWS services. Buckets are logical storage units; objects are the data added to a bucket. S3 has storage classes at the object level, which can save money by moving less frequently accessed objects to a colder storage class.
AWS CloudTrail
An AWS service that enables governance, compliance, operational auditing, and risk auditing of an AWS account. It can log, continuously monitor, and retain account activity related to actions across the AWS infrastructure.
Amazon Athena
A serverless solution with an effective data-processing engine. It is highly available by default and does not store data itself. It gives the ability to run SQL queries on top of files stored in S3.
Configuring CloudTrail
Click on Trails
Make the changes below, keep the others as default, and click Next
Choosing Event Types
Management Events: capture management operations such as starting an instance, deleting an instance, creating a bucket, deleting a bucket, and many similar events.
Data Events: log activity on existing resources, such as someone deleting a bucket, changing the configuration of a resource, and many similar events.
Insights Events: identify unusual activity related to your account.
Clicking Data Event Source
CloudTrail stores the events in the AWS service shown above (S3)
Clicking Next
Review and Create Trail
Checking S3
Creating IAM User
Configuring IAM User
Assign Permissions and click next
Review and Create User
Copy URL
Login as the User Created
Turn off Servers
Log out of the created user and log back in as the admin user
Go to the S3 CloudTrail bucket
Go to your region and date to find your file, then click on one of the files
The raw file above is very difficult to read, so we use Athena below to simplify it.
The easiest way to work with the Athena table is through Cloudtrail
Go to the Event history page of CloudTrail and click Create Athena table
Select the S3 CloudTrail bucket created above
An Athena table is created from the CloudTrail bucket above
Now going to Athena
The circled area shows that the CloudTrail table was successfully created.
Configure Athena to store query results: select the Settings tab and then choose the S3 bucket
Copy the instance ID of the instance whose shutdown you want to attribute to a user
Now the Athena query to find which user shut down the EC2 instance or server
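The query below is an added example and not the one from the original post's screenshot. It assumes the table created by the CloudTrail console is named cloudtrail_logs_my_bucket in the default database, and the instance ID is a placeholder to be replaced with the one copied above. It also handles the case where the action was taken through an assumed role, in which useridentity.username is empty and the role name must be read from the session context.

```sql
-- Added example (not from the original post).
-- Assumed table name: default.cloudtrail_logs_my_bucket
-- Placeholder instance ID: i-0123456789abcdef0
-- Lists every stop/terminate/reboot call against the instance, including
-- failed (denied) attempts, newest first, with the responsible principal.
SELECT
    eventtime,
    eventname,
    useridentity.type AS identity_type,
    -- IAM user name, or the role name when the call was made via AssumeRole
    COALESCE(
        useridentity.username,
        useridentity.sessioncontext.sessionissuer.username
    ) AS actor,
    useridentity.arn AS principal_arn,
    sourceipaddress,
    useragent,
    awsregion,
    -- NULL means the call succeeded; e.g. 'Client.UnauthorizedOperation'
    -- means the user tried but was denied
    errorcode
FROM default.cloudtrail_logs_my_bucket
WHERE eventsource = 'ec2.amazonaws.com'
  AND eventname IN ('StopInstances', 'TerminateInstances', 'RebootInstances')
  -- requestparameters is stored as a JSON string; match the instance ID in it
  AND requestparameters LIKE '%i-0123456789abcdef0%'
ORDER BY eventtime DESC
LIMIT 20;
```

Filtering on eventsource and eventname first keeps the scan cheap, since Athena bills by data scanned; the LIKE on requestparameters is applied only to the remaining EC2 rows.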
Now you can see the user who shut down the EC2 instance